Mark Grice is a pretty unflappable guy, but when you ask him a question about barriers to successful adoption of Source Code Analysis (SCA) technology, he starts to splutter. “There are things I see over and over that make me want to bang my head against a wall,” says the Klocwork Director and Manager of our International Reseller/Partner Network. For the past nine years, Grice has helped companies from around the world to successfully implement SCA. There are many companies that deploy SCA tools and reap their ROI, but there are others that can’t get
How do you measure your software? There are simple metrics that help with quality, such as keeping track of the number of bugs or security vulnerabilities in your system. Trending these metrics is a no-brainer. When trending is in place, action can be taken because everyone knows 6 security vulnerabilities is worse than 5. But what about other types of software metrics (and there are many)? Have you ever heard of a maintainability metric? Halstead program volume? McCabe cyclomatic complexity? Coupling/Cohesion? The question becomes what do you do with these metrics and are they valuable
Here’s a short blog review of Klocwork Solo by Jeanne Boyarsky. Klocwork Solo is a downloadable Eclipse plug-in for Java. Aside from a few installation hiccups, it’s a good review with kudos for the range of checkers we provide in the default configuration. Try it out yourself and let us know what you think
Don’t get me wrong, I’m a big fan of open source, but why does everything have to be black and white? If it’s closed it must be evil and by association probably not written well, whereas if it’s open, it’s awesome and godly in its unnatural power to cure world hunger? I’m referring, in this particular instance, to the righteous indignation that surfaced as a result of the castigation served up for the manufacturers of that ever-popular device, the breathalyzer. And yes, I’ve been stood at the side of the road looking stupidly at the
There’s been some recent discussion around using source code analysis (SCA) technology for build clean-up and optimization. I thought it might be useful to try and separate the spin from reality and outline where and how static source code analysis can be used for build optimization. First, every SCA tool worth its salt does build analysis. Automated discovery of a customer’s build system is a required capability for deep static code analysis. Most users of SCA attempt to discover bugs, security vulnerabilities, and other maintainability problems. Some customers will also leverage the build analysis itself
Here’s Gwyn chatting about general software development challenges, in particular the whole goal of “in-phase defect containment” – i.e. identifying and correcting defects in the same development phase they’re created. Near the end of the video, there’s a short discussion on how this objective fits in an Agile context. With Agile’s focus on the frequent delivery of working software, in-phase containment becomes even more important, even though it’s more often associated with more formal methodologies such as CMMI and Six Sigma. CM Crossroads
David posted an interesting discussion on the usage of static analysis tools by developers to find security vulnerabilities. As always, the discussion around static analysis tools leans toward false positives and false negatives. David also mentions that their results are sometimes difficult to understand. This is one of the reasons Klocwork switched from a bytecode analysis tool for Java to a source code analysis tool. As both have their advantages and disadvantages (and I admit I’m very biased here), we have certainly found that we have been able to reduce our false positive
It’s kind of bizarre, but in my pre-Klocwork experience of running ISV development groups, from small teams to global enterprises, it never struck me as wrong that we would routinely ship software containing critical bugs. We knew we were doing it. We knew, on some abstract underground never-to-be-admitted layer of our deepest darkest souls, that this was a “bad thing.” But mostly, we knew that when somebody found a bug we could just send them a patch. And what’s more, we knew that customers expected this behavior. We got requests to “send us a patch