Every revision control or source code management system uses branching. Branching refers to duplicating files under version control so that two (or more) copies of those files may develop at different times or in different ways. Okay, we all know this. With branching, you get a lot of duplicated code. In some branched projects, the majority of the code is the same. So how does this impact your source code analysis or static analysis strategy? Well, it is a big problem. What if you spend your time analyzing a defect and come to

Everyone knows this chart, right? The later bugs are introduced, the more they cost. Of course, common sense. But it also happens to be true. As the chart shows, very little bug detection is happening before testing, while a developer is coding. So, if you find more bugs when the cost of repair is least expensive and risky, you're obviously going to get a big payoff. OK, so far you haven't heard anything that every software development professional doesn't already know. What everyone doesn't know is that source code analysis can deliver this payoff. We

Time and time again I get asked, how does static analysis fit into my existing bug tracking system? "I need an integration with my system (i.e. Bugzilla) because that is what we use every day. Every time I find a bug I need to track this through my system." This is where I take a deep breath as I scream on the inside. Taking every bug and putting it into your bug tracking system is just wrong. Horribly wrong. The best way I can describe this is through the compiler analogy. Every time you add a feature or bug fix,

As any static analysis or source code analysis vendor will tell you, false positives are a way of life. As any user will tell you, false positives suck! So what do you do about them? Make the tools better at finding the real issues and provide automated filtering capabilities. But I'm not here to talk about false positives where the tool is utterly wrong. What I want to talk about today is what I call "perceptual false positives". I've had discussions with customers where they tell me 80% of all their defects are false. Odd,

Static analysis captures the current state of your code base and helps you answer key questions about the quality, security and maintainability of your software project. Think Magic 8 Ball with build omniscience and powerful reporting tools. OK, maybe Magic 8 Ball isn't a good analogy. Answers to what questions, you ask? One we often hear from customers is: Where do I start? A good place to start is a report that captures the distribution of defect types from your current build. For example, we recommend that our customers glance over the Top 10 Issues

In my previous post, It's time to create a custom checker…, we looked at the considerations involved in deciding which checker to create: AST or path? In this post, we're going to use a custom checker to enforce an internal coding standard that extends the default set of checkers in our source code analysis tool. To do this, I've called upon Steve Howard, our head of Partner Support in Europe, to get us started with an AST checker to accomplish our goal. Steve has coached many customers through the checker creation process. In his experience, the

We have blogged before about software security guidelines, but there is one we haven't discussed. Several years ago Microsoft published the "Security Development Lifecycle (SDL) Banned Function Calls" list. These banned functions can be a good way to remove a significant number of potential code vulnerabilities from C and C++ code. They provide recommendations on better or safer functions to use, with the caveat that even these "safer" functions should be used with care. You can use the banned.h file to identify and obtain deprecation warnings or, even better, use this as part of your

My first 2 posts looked at 2 different eras of Static Code Analysis, the Early Years and the Early 21st Century. The SCA solutions of these times were revolutionary, and helped software development teams a great deal. But they had their warts. In the final post in this series, I'm going to introduce you to the present day Static Code Analysis technology and how it is impacting developers. The Present Day I'm a huge fan of Reese's Peanut Butter Cups. I love them. I keep active so I don't feel guilty eating them. In a

The Code Integrity folks have developed a lot of best practices on deploying static analysis and have compiled many of them in a solid whitepaper. They include a Top 10 list of what they call "The Well Traveled Path to Success". Below is their (somewhat paraphrased in spots) list.
1. Determine who cares. Who has a vested interest in bugs actually getting fixed? How much do they care?
2. Get an expert to tune the solution for your codebase. Static analysis tuning will maximize defect finding while minimizing false positives.
3. If possible, pilot with

In my last post, I took us back in time to an era of bad fashion, questionable music, legendary television shows, and source code analysis tools that were made specifically for software developers. It was the 1970s. In this post, I fast forward to just after the turn of the century to discuss the next evolution of static analysis tools. The Early 21st Century Not long after we first viewed hairy-footed Hobbits on the silver screen, and the sham that was affectionately known as Y2K, a new generation of source code analysis tools emerged to