Posts Tagged ‘Source Code Analysis’

  • Dr. Dobb’s Takes a Look At New Version of Klocwork Insight

    on Oct 3, 13 • by Chris Bubinas • with No Comments

    Klocwork has released version 10 of its source code analysis tool, Insight. Key new features of Insight 10 include additional checker sets and taxonomies for security and compliance standards. Developers also have the ability to create their own taxonomies using the new taxonomy design feature, and apply these to projects where applicable

  • Code branching – common code, common defects

    on May 29, 12 • by Alen Zukich • with No Comments

    Every revision control or source code management system uses branching. Branching refers to the duplication of files under version control so that two (or more) copies of those files may develop at different times or in different ways. Okay, we all know this. With branching, you get a lot of duplicated code. In some branched projects, the majority of the code is the same. So how does this impact your source code analysis or static analysis strategy? Well, it is a big problem. What if you spend your time analyzing a defect and come to

  • The business case for source code analysis

    on May 15, 12 • by Brendan Harrison • with No Comments

    Everyone knows this chart, right? The later bugs are introduced, the more they cost. Of course, common sense. But it also happens to be true. As the chart shows, very little bug detection is happening before testing, while a developer is coding. So, if you find more bugs when the cost of repair is least expensive and risky, you’re obviously going to get a big payoff. Ok, so far you haven’t heard anything that every software development professional doesn’t already know. What everyone doesn’t know is that source code analysis can deliver this payoff. We

  • Static analysis is NOT Bugzilla

    on Apr 24, 12 • by Alen Zukich • with 1 Comment

    Time and time again I get asked, how does static analysis fit into my existing bug tracking system? “I need an integration with my system (i.e. Bugzilla) because that is what we use every day. Every time I find a bug I need to track this through my system.” This is where I take a deep breath as I scream on the inside. Taking every bug and putting that into your bug tracking system is just wrong. Horribly wrong. The best way I can describe this is through the compiler analogy. Every time you add a feature or bug fix,

  • Perceptual False Positives

    on Mar 13, 12 • by Alen Zukich • with No Comments

    As any static analysis or source code analysis vendor will tell you, false positives are a way of life. As any user will tell you, false positives suck! So what do you do about them? Make the tools better at finding the real issues and provide automated filtering capabilities. But I’m not here to talk about false positives where the tool is utterly wrong. What I want to talk about today is what I call “perceptual false positives”. I’ve had discussions with customers where they tell me 80% of all their defects are false. Odd,

  • Answering questions about your code base – Part 1

    on Feb 8, 12 • by Patti Murphy • with 1 Comment

    Static analysis captures the current state of your code base and helps you answer key questions about the quality, security and maintainability of your software project. Think Magic 8 Ball with build omniscience and powerful reporting tools. OK, maybe Magic 8 Ball isn’t a good analogy. Answers to what questions, you ask? One we often hear from customers is: Where do I start? A good place to start is a report that captures the distribution of defect types from your current build. For example, we recommend that our customers glance over the Top 10 Issues

  • Golden rules of AST checker development

    on Jan 24, 12 • by Patti Murphy • with No Comments

    In my previous post, It’s time to create a custom checker…, we looked at the considerations involved in deciding which checker to create–AST or path? In this post, we’re going to use a custom checker to enforce an internal coding standard that extends the default set of checkers in our source code analysis tool. To do this, I’ve called upon Steve Howard, our head of Partner Support in Europe, to get us started with an AST checker to accomplish our goal. Steve has coached many customers through the checker creation process. In his experience, the

  • Microsoft banned function list

    on Sep 27, 11 • by Alen Zukich • with 1 Comment

    We have blogged before about software security guidelines, but there is one we haven’t discussed. Several years ago Microsoft published the “Security Development Lifecycle (SDL) Banned Function Calls” list. These banned functions can be a good way to remove a significant number of potential code vulnerabilities from C and C++ code. They provide recommendations on better or safer functions to use, with the caveat that even these “safer” functions should be used with care. You can use the banned.h file to identify and obtain deprecation warnings or, even better, use this as part of your

  • The Evolution of Static Code Analysis – Part 3: The Present Day

    on Jun 8, 11 • by Todd Landry • with 1 Comment

    My first 2 posts looked at 2 different eras of Static Code Analysis, the Early Years and the Early 21st Century. The SCA solutions of these times were revolutionary, and helped software development teams a great deal. But they had their warts. In the final post in this series, I’m going to introduce you to the present day Static Code Analysis technology and how it is impacting developers.

    The Present Day

    I’m a huge fan of Reese’s Peanut Butter Cups. I love them. I keep active so I don’t feel guilty eating them. In a

  • Top 10 List: Well Traveled Path to Source Code Analysis Success

    on May 31, 11 • by Brendan Harrison • with 1 Comment

    The Code Integrity folks have developed a lot of best practices on deploying static analysis and have compiled many of them in a solid whitepaper. They include a Top 10 list of what they call “The Well Traveled Path to Success”. Below is their (somewhat paraphrased in spots) list.

    1. Determine who cares. Who has a vested interest that bugs actually get fixed? How much do they care?
    2. Get an expert to tune the solution for your codebase. Static analysis tuning will maximize defect finding while minimizing false positives.
    3. If possible, pilot with
