On-the-Fly Source Code Analysis


Introducing Klocwork Insight 9.5 (59:16 minutes)

Powered by a comprehensive static analysis engine, Klocwork Insight combines on-the-fly analysis, drag & drop build reporting, and cross-project impact analysis to deliver serious productivity gains to the entire development process. Software teams around the world trust Klocwork Insight to help them develop the most secure and reliable code possible.

Learn about the key capabilities that make Klocwork Insight unique:


Lynn

Welcome everyone and thank you for joining us today for our webinar entitled, "Introducing Klocwork Insight 9.5". I'm Lynn Gayowski from Klocwork and shortly you'll hear from today's presenters, Todd Landry, Senior Product Manager, and Alen Zukich, Director of Product Management.

Before they get started I want to quickly review a few housekeeping items. First, you have the option to join by VoIP or by phone today. To join by VoIP just plug in a headset or turn up your speakers. To join by phone click the "event info tab" at the top of your WebEx window and you'll see the teleconference number to use.

The info tab will be there throughout the webinar if you need the number at any point. If you don't see a toll-free number local to you listed please send a chat message or question to the panel with your country and we'll check if a number is available. All attendee lines are automatically muted to ensure everyone watching gets the best audio possible.

Next, everyone is of course welcome to use the chat window but if you'd like to ask a question please do so using the Q&A tool within the WebEx which is located in the bottom right hand corner of your screen. Just type your question into the window and send to all panelists to submit your question.

We'll address as many of these questions as possible at the end of the webinar and if we don't get to your question, we'll follow up with you after the event. Finally, we are recording today and we'll send a link to the recording of this content to everyone in a few days. So, with that, I will now hand things over to Todd.

Todd

All right Lynn, thank you very much and thank you everybody for joining us today, so good morning or good afternoon. Today we've got an awful lot to cover here in the next hour or so. Basically our agenda is what you see on the screen.

The first thing we want to talk about is our value. By that we really are talking about creating better code with every keystroke. There are really three capabilities that go into this value proposition.

The first one is what we call "on-the-fly source code analysis." Really this is about making source code analysis easy for developers. Secondly is security and reliability issue detection, which is really the foundation of our technology; where we have our rock solid source code analysis engine that we believe is the best on the planet.

Thirdly, collaborative code review, making the code review, which is sometimes a very painful process, a lot easier and more efficient. The majority of the session is going to be about the product itself as we deep dive into the product and how it fits into your development organization system.

So, some of the things we're going to talk about and you're going to actually see are what we call, again, "on-the-fly analysis," "on-the-fly reporting" and "on-the-fly impact analysis." Again, Alen Zukich will be doing a fantastic demo walking you through some of the key features of this product. Finally, after Alen's done his demo I'm going to come back on and just give you the top five reasons why you should be partnering with Klocwork for your source code analysis needs.

Before we get into things, just a really quick intro into what Klocwork is all about and a couple of quick data points I really want to highlight here. The first one is that over the years we've won numerous awards, for example, the SD Times Top 100 six years running on that one as well as the other ones that you can see on the screen. Secondly, we've had many technology innovations and a tremendous track record of industry firsts. We had what we call "the connected desktop" back in 2008 and now we have the first "on-the-fly analysis" in 2012.

Both of these things are really all about making source code analysis a developer tool not an audit tool where it's only used on occasion. It's really meant to be used by the developers as they develop code and you'll see how it works in just a few moments.

Thirdly, as a company we've had tremendous growth both from a business perspective and from a customer base, even in the last few years which have been fairly difficult. We have over 950 customers worldwide. Speaking of customers, it's fair to say we have a blue chip customer base from a variety of different industries; mostly in the embedded software space and those users that are developing in languages such as C, C++, C# and Java, but we also hit other industries, such as communications equipment, military, aerospace, medical devices, mobile devices and so on.

All of these industries are invested heavily in source code analysis in general and many have selected Klocwork as their tool of choice. Now, just to kind of talk a little bit about the value. We have a couple of examples where Motorola was able to reduce the number of issues found at system test by 50%. Lawrence Livermore National Laboratory, which basically manages nuclear safety in the US, saved $200,000 on a 365,000 line of code project. Johns Hopkins had a project around a prosthetic arm. They saved over 900 person hours in a very short time that they were working with. You can see the quote from Johns Hopkins talking about the tight schedule they had and how they were able to use Klocwork to meet their timelines and also all of their objectives. I'm not going to go through all the customers below, but you can see we have a very, very good customer base.

That's a start to the introduction to Klocwork. I just wanted to give you a feel for our track record, and what we've been up to in this space.

Let's get into the product a little bit and talk a little bit more in detail on things. First off, analysis on-the-fly. What do I mean by on-the-fly? Really what it means is making source code analysis a part of the developer's natural workflow. We've been bringing source code analysis to developers' desktops for years now. Now we have extended it with what we call instant spell check analysis.

When you're working in a Word document, and you spell something incorrectly, it lets you know immediately that you've spelled the word incorrectly. We've done the exact same thing from a static analysis perspective, so a developer working away in their IDE, if they introduce a defect into their code, we're going to let them know right away. As we say here, the analysis is . . . so they know you're not waiting for another build to happen. You're not waiting a couple of minutes. The analysis is measured in milliseconds, so the developer knows immediately that they have an issue that they might have to deal with.

Secondly is reporting on-the-fly. Any time you run source code analysis on large projects, there's a lot of data there. Oftentimes it can be tricky to slice and dice that data into meaningful information. What Klocwork has done with reporting on-the-fly is to be able to provide instant answers to complex questions about the health of your code. To be able to find what you need very, very quickly. We introduced what we call drag and drop pivot charts that allow you to create new reports. Really, again, it's all allowing the users the ability to customize how they see the wealth of data they are collecting.

Thirdly, the impact on-the-fly. It's important that developers know whether the issue that they found in one code base, code branch or project exists anywhere else in their code string. We provide that as well.

The foundation is under the features that we've added. The real foundation for what we do is around what we call Klocwork Truepath. This is our static analysis engine that has been around since the company has been around. It has literally analyzed billions of lines of code. It scales to hundreds of millions of lines of code systems. It uses a combination of technologies to give a very, very accurate code analysis that we're able to do. As I mentioned earlier, C, C++, Java, and C# are the languages that it works for.

You can see below some of the areas we look at. Security is obviously a very important part for many of our customers, so we have a number of different checks that we're able to do there. Reliability and quality, obviously a number of things there. For coding standards as well. So, whether you're a MISRA or some of the other security guidelines, such as CWE and CERT, if you're looking for things such as dead code or unreachable code, we've got all kinds of ways that our engine is able to find these things. We're so confident in our engine, we believe it's the best on the planet. We'd like for you to find that out as well.

So, where does Klocwork fit? For us, the line in the sand is really around code check in. We advocate doing as much as possible before you check in your code. The first thing we have here is what we call on-the-fly desktop. Making it part of the developer's natural workflow. Don't make them do two or three or ten different steps to get this analysis. Let them do their job the way they do it today, and start providing this information to them. We do that with this spell check, as well as what we call re-factoring. You can actually see that in a few moments where you're able to use re-factoring to make your code more maintainable in just a matter of a couple of mouse clicks.

The second pre-checking capability that we have is around code reviews and the offering we have is Klocwork Inspect. It is basically a lighter weight process for doing something that can be very painful, and that is the code review. Again, it's process agnostic, so it integrates with whatever code review process you're using today. What's really nice is it also integrates static analysis into your code review. As you're doing the code review, you don't actually have to look for memory leaks or what have you, because the source code analysis engine will already have found those.

Once you check in your code, you're going to want to use some of these other tools as well. This one is what we call Klocwork Review, which is our trending and metrics. It's a reporting tool so you can start trending key metrics and start fixing different things. Very quick in terms of creating reports. Very, very quick searching for data that you need to slice and dice. You're going to see a very good walk through with Klocwork Review in just a few moments.

Finally, Klocwork Architect. That's typically a tool that's used by a team lead or an architect. It's used to stay on top of the code architecture and reduce the complexity of your software. Oftentimes, you can provide a lot of "what if" scenarios to see, what if I do this to my code, is it going to make it any better? It's a really good tool to help you optimize your code and stay on top of your code.

I'm going to turn this over to Alen, and then I'll come back in a few moments to give you five reasons why you should be partnering with Klocwork. Alen, I'm going to pass this over to you for the demo.

Alen

Thanks very much, Todd. The focus I want to take here is to build up on what Todd just talked about and where Klocwork fits. Certainly we're going to go through an open source project, it's called Notepad++. Some of you may use it as your text editor. We'll be analyzing Notepad++ in many different forms. You can pick many different versions of Notepad++. We'll analyze it on the build integration side. And then I'm also taking a look at the pre-check-in part that Todd was talking about and where Klocwork fits.

Where we'll start with first is as a developer tool. Providing the developer the tools they need to identify defects, to drive the productivity tools to them, is all integrated inside their favorite environment. In this case I'm using Visual Studio. The idea is being able to have the file you're working on and be able to identify any defects you have in your system.

In this case for example, I have a bug marker on the left identifying that there could be an issue with this one particular segment of code. It's called an NPD, which is Klocwork's code for null-pointer dereference. Then you have the description. Then there are the bug markers on the right. You can see that there are four of them that identify four different bugs. I also have my issues list to see all the issues that are available.

One thing I should point out, and I'll talk about it in a second, is what is system versus local. Right now I'm looking at system issues. This is the value you're getting at Klocwork, bringing in these high value checkers right to the desktop. Essentially what we're doing is connecting with a full blown integration of this Notepad++ project. Getting additional information about what each and every method or function is doing in the system, so that we can give you this active level of analysis.

You're presented with a number of tools. One is the trace back. So, if I'm looking at this null pointer dereference, I can search stepping through the trace back here and you can see where the value starts getting interesting or more inter-procedurally here, I'm spanning into another function, and it's telling me where it's actually being dereferenced. So, it's just a matter of understanding, "Okay, we have an issue here. Let's fix it."

If I looked a little bit further, I can see that there are some conventions that are used to actually check for null. This seems to be a convention that Notepad++ does. If I just paste in that code, what you see immediately happens just by pasting in that code, or just typing in anything, this is where Klocwork fits in the typing loop. That issue is gone, just as quick as that. Hopefully you caught that because it is absolutely lightning fast. It is like your spell checker. It is immediate as you're typing. I'll show you more of that.

Here, for example, is another type of issue. It's called uninitialized variable. It says "closingTag might be used uninitialized in this function". Again, step through the trace back, this gives you the clues to understand what are the conditions and assignments that are happening that make this issue exist. In fact, I can clearly see that it never was initialized. Let me initialize that to "false" and then what happens? That bug marker goes away. Again, it's that quick, it's right in your typing loop. It's there. You'll be able to fix these issues as you're coding. Now what I've been doing is I've fixed a system issue, which was found previously in the system, versus what could be a local issue and we'll get to that in a second.

Here I have one more issue. It's called unreachable code. It's simply unreachable at this point. I may want to fix this in this particular case if it seems like a serious issue, or maybe not. What is available to the developer is simply that you either fix it or you don't. If you don't fix it, simply ignore and now it's gone. It's as simple as that. Keep this as simple as possible for the developers to be able to have this tool that fits in as you're typing and gives you the immediate value that you need.

To show you an example of a local issue, a local issue essentially means that this is something I just created. It didn't exist before. It must have been something I've just added. I introduced this error. As you can see, a serious mistake, I didn't check for NULL in this particular case. It's as simple as that. It's just a matter of fixing it.

To understand how this is in your typing loop, let me show you what happens if I actually start writing some code. Let me initialize a variable, whatever that might be. I'll define "int" and what immediately popped up? An error saying that "A" is never used. Whether you turn that particular error on or not is up to you. In this case I expect that since I haven't done anything with "A".

So, I'll create an if statement, where if "A" is less than zero, now we're going to run this. As soon as I've done that, what has happened is the unused variable "A" is gone. Now it has moved to I have a "comparison of unsigned value against 0," which you can't do. As you can see, it's right in your typing. It can even identify unreachable code, because I haven't even finished the if statement here. You can see it's immediate and right inside your loop as you're typing, it can show you these issues. This is really where it's going to help the developer become more productive in their environment and be able to find and fix them immediately, because they're immediately visible as they type.

That's one level, fixing issues or other issues as system level, through the full analysis or a local issue as they are typing so that they can fix them. But, what about providing tools that developers use on a daily basis? For example, I have this code here. I obviously do this quite a bit, where I say "if ( document )" and then set a particular error. What if I want to create a re-usable component of this or a usable method associated with this? Why not use the Klocwork built in re-factoring? You have choices such as this common one which lets you rename a local variable or parameter, being able to extract a function, which we're going to do in this case. There are a number of others, introduce a variable, inline a function or optimize your headers.

In this case, let's extract this function. First it's going to ask us if this file was not saved, because we've been working in here this whole time without saving the file. So, we're going to save the file. Because I want to extract the function, it's asking us for the name of the function, what we want to call it. I'm going to call this "docError" for now. Remember I said there were some other places where I said it would do the same thing, it's detected that. It's done some clone detection to identify that there are other areas that I need to replace.

So why don't I replace them all? You can see what immediately happens. It's created that function call for us, immediately, just by the click of a button. It's also created the actual method for us, choosing the correct class type. That's all immediately done for us on-the-fly. It even goes into the corresponding header file and places the function prototype.

As you can see, this process that developers are doing every day to say, "well I need to extract this and make this more re-usable." Have it do that. Why don't you do that with just a click of the button? It's that easy. That's the value that Klocwork is providing. As you type, find your issues. With a button click you're able to re-factor your code to make it more re-usable and less complex.

Ultimately, at this point now that I've addressed all the issues, I've done the re-factoring that I need to do, I can check in my code, and I know I have clean code at this point. Or alternatively, I probably have in process or may have a process to actually create a code review. So Klocwork has command line tools so you can launch a code review based on the analysis that you've just done here and when it opens up it creates a code review in a web-based tool here called Klocwork Inspect. Inspect, as Todd was explaining, is providing a really lightweight process of doing code reviews.

So what you're looking at here is your main feed page. And we really modeled this after a social media aspect. Think of this like your Facebook wall or Twitter feed. Interestingly enough we called this your feed window. What you're looking at is all the feeds and changes that have happened according to what you care about.

For example, the first thing you want to do when you're in Klocwork Inspect is create a feed, add particular users I care about, so for example I'm going to add Todd as one of the users; I want to see all of his code reviews that he's created. Then I can even add associated components I care about as well. Anytime anybody changes any code that I have ownership for, I'll get notified about that.

So it's really about creating your own customized feed and getting notifications. Notifications can come through an RSS feed so you either look at them through your RSS reader or set up the RSS to come right into your Outlook mailbox or however you want to set it up so you can see it via email, or whichever way it works for you.

And then you get notifications about any of these code reviews. Then you can invite reviewers. I invited a couple of individuals, Todd and another individual, to come and look at a particular code review. It has all the information right here so our reviewer can just log in and start reviewing that actual code review. As a process it's only a matter of clicking on the changes to any files and you see what's happening in the corresponding "diff" window, the "diff" window that you would expect to see when we're doing any code review. Remember we were fixing that "if" statement detecting for "NULL", so certainly something that you can use to review. As part of a review you can either add a comment, whether it's a positive or negative comment, that's really up to you. Or alternately, I can add an "action". An action is really a way of identifying a to-do item or potentially if there's a bug, whatever it may be, it's assigning an action to somebody.

So whatever that action is, you assign the appropriate person so I can assign to Todd or I can assign it to myself so you can see it's going to create an action for myself and identify what that is. Every time I add a comment or action, you will always see that in the main feed window and you see here is the latest "to you" comments or actions. Again, you get notified of any changes that anybody has made to that particular code review you created and it just works in this asynchronous process so that wherever you are in the world that you can all communicate with each other and perform these code reviews.

With it of course you have the reporting available. You have the extra value of bringing in static analysis defects into the code review as well. Yes, as Todd was talking about earlier, not only can we look at some of the critical issues that you have in your system. In fact you'll probably fix those critical issues, but a great value would be being able to review some of those static analysis issues that are more maintainability type issues, like coding standards. So if you're following certain code each day, you might want to flag those in your code review as a discussion point towards whether you want to fix them or not.

Then there's the simple matter of the process of user reviewers: when they log in they can either approve or reject this code review if you so choose. And you rinse and repeat. So that's the value of using a lightweight process for doing code reviews. Very simple. Now so far we've covered areas in terms of a developer's perspective. What if we move more into a management or team lead's perspective, and this is where I want to take you into Klocwork Review. Now what Klocwork Review does is it provides you a snapshot of the entire project or build integration. So in other words, as opposed to the developer view, what you're working on, the set of components or individual files or what have you. It's more focused on the features and functionality you're working on. Whereas what you're doing here now is looking at the big picture.

So here's a number of projects that I have built and you can see here is the trend of the number of my favorite projects that I'm on and see how those are changing over time, in terms of defects. We were specifically looking at a project here called Notepad++, and you can see what it's providing here are the high level details. How many issues are in use since your last build? How many are open, how many were fixed? All of the reported, that's available here.

This provides you with a snapshot to focus on these projects as a whole and to understand and start to provide more actions. What I mean by that is if I click into reports, you get a nice summary of a number of different reports. You have built in reports that are available showing you things such as your citing backlog, what are my top ten issues. It really gives you visibility to say, "Okay. This where I need to focus." One problem in Notepad++, it really predominates, is with uninitialized variables.

Then just to be able to see overall how that changes, such as the complexity trend, and you'll see that their complexity is increasing build over build. How are we changing on the state of our issues? So what are new, what are existing?

You can see with Notepad++ as I drill into this graph, it seems to be pretty steady with not too many new issues. But as soon as they went to a new release, which was their 5.1, a great number of new issues appeared. Honestly not being very diligent in their static analysis but you can see that they've got that a little bit more under control in the following release, which was at the point where we saw 5.2.

So it gives you the visibility you need to understand what is the cost of ownership? What are the things we need to do down here to really drill down into the system and make the appropriate decisions? One of the great features of Klocwork is if any of these pre-built reports are not good enough, you can edit them and customize them to your own IQ or create your own new report.

This is what we call our on-the-fly reporting. It's just being able to drill down into any type of report that you want to build. In this case I want to build a trending report.

You're presented with a blank canvas here with a simple drag and drop interface. Think of this like your pivot tables in Excel. I'm dragging the builds across the x-axis, to show me how the builds are changing over time. Then let's overlay and group this by severity.

Now I can see what are the top severity issues across each numbered build in my system. Maybe I want to add some filters, filter by certain owners in the system or maybe by what we call taxonomies, these are the high level categories. I want to filter it by certain types of checkers we use, C, C++, Java, C# or specific coding standards and security guidelines. It's completely customizable for how you want to view these. And it's just a simple matter of saying I'm going to create a graph and call it "My Graphs". I'm going to save this graph and here we go.

How you break down those graphs, whether you want to see a side bar, pie chart, it's entirely up to you. The point here is that it really customizes to your environment, to the graphs you want to see to measure across your organization.

So one of the things we were looking at is the changes we were doing between system and local, and one of the things I want to talk about is the collaboration you get even at the desktop. Remember how I was talking about how there are system issues and there are these local issues. Local is simply the developer is writing some code and he introduced it at that point and simply they just need to be fixed.

System issue means that they were not discovered at the local stage. Either they were not using or didn't run the static analysis at that point and so it's found at system level later. And you can see here I have a graph showing me three more issues in the system so there may have been some previously ignored issues. Remember that unreachable code issue?

This is that same issue that we're looking at. Remember we were looking at, we just ignored this one unreachable code issue, and it identifies that it was ignored and it was ignored at the desktop. If I have a triaging process in place here I may say, "Okay, well, no, this actually is something that is a concern for me." I'm here to look at all the ignored issues. I can mark this as fixed, and comment, if you will, and just save the changes. Klocwork will always keep the history of all the changes, when it happened. I can even assign a different owner to the actual defect itself. A lot of granularity to look at any type of issue you have in your system.

This is really the value of looking at any type of issue in the system, is being able to do this collaboration back and forth between the developer and whoever may be looking at the whole build integration analysis here, whether this is a team lead or management that's looking at the history and saying, "Oh no, this is something we need to fix."

Now, in making that change, I run back to my Visual C, you would see that issue comes right back. I can show you that. I jump right back into any changes that I make. What's going to happen is the processing happens. All of a sudden I'm presented with this issue back again. Here's our ignored issue that we initially put in back in the developer's workflow.

It's this back and forth collaboration that really provides the value toward working in different environments. One other thing that's important to talk about is that when we go into a particular project, you're always presented with an issue list. How is that issue list correlated across the rest of the projects I have in my system? In other words, I'm looking at this defect right now, but does that defect belong anywhere else in the rest of my system?

Chances are that you branched code. Chances are that there are projects that stem from other projects and you have common code. If you do that, how do you keep track of that to know that you have a defect in other areas or other projects in the system? Let Klocwork do that for you where identifying, see in another couple of projects with the same ID, the exact same issue is being identified here. Now it gives you an understanding of the impact.

This is what Todd was talking about earlier with the impact on-the-fly. Just really understanding where else do I have to make changes to the system. If I do decide that this is an issue that I want to ignore or defer or what have you, you want to make sure you propagate that to the rest of the project. Klocwork has a built-in tool that you can automate as part of your build process that does that for you, so that you're not repeating the work every time you run into this exact same issue across different projects.

There is a lot of value in terms of looking at the impact analysis across different projects. Being able to understand the different types of reports that we're looking at here. They don't just stem from your defect analysis. I've really been looking at, mostly it's been focused on the effect of security and vulnerability detection. There are also other areas and metrics that you can use to really understand the life cycle of your project.

A really great one to understand cost of ownership of your system is the complexity. It's the measurement of McCabe's cyclomatic complexity, how that's trending over time. You can see in Notepad++ it's increasing. That may be something that will throw a red flag and say, "Why is that increasing?" You may be having a lot more complex features, however is there something there that we can get a hold of? Is it something that we can keep constant going forward?

You want to monitor that or look at the details of that. As I drill into it, I can understand where the most complex areas are in the system. Here, for example, I was just working on GridProc, that particular method, and that has really high complexity. What can I do about that to really break that down and further understand what we're dealing with?

That's where I want to segue into looking into that GridProc method inside something that we call Klocwork Architect. This is a flow chart view of the actual GridProc method. This would be the higher flow of that one method. Let me enlarge this so you can see it. I have a grid map on the left side. When I enlarge this, this is actually the source code itself inside this GridProc method.

It's breaking it down into a nice control flow for us. Understanding impact, and making any changes to the system, really helps us understand the complexity of what we're dealing with here. Really, this system contains if statement after if statement, switch statements, embedded loops, a lot of information. I can drill down anywhere on the external map to quickly see what we're dealing with. So here's an if statement with an embedded loop and this is just adding a lot of complexity to this method. So the idea is to break this down and see if there's something you can do to really simplify this.

We have all the information available here just a right click away. So if I say here's this one SendMessage function, where else is it used across the system? Well I can see it is used 555 times exactly across the whole Notepad++ project. So again, everything was just a click away, giving the visibility of the impact of anything that's in the actual source code itself.

Now the flow chart is one thing but the real value you're getting out of Klocwork Architect here is getting the visibility into the entire structure of the system. What we're looking at here is a picture of the source code of Notepad++ and it contains the source component which we're in and some subcomponents; you can see miscellaneous, TinyXML. If I click into that I get sub-directories, under that I get actual source files. These source files are header files; our C++ files are in green.

If I jump into that a little further, I get into the actual class methods, the classes, the types, the macros etc. Everything is stored here as a block representation so I can understand a number of things. For example, SetError. Let me just expand this out to see what we're looking at here. I can give you some impact analysis just to say, "Well here's that method SetError." Some of the impact of making any changes to SetError.

It immediately highlights directly what impacts it and you even see from the environment where it leads outside of this particular file itself and where is the impact. And it highlights that for me directly. Now a bunch of red lines probably aren't very helpful. What would be very helpful is the actual details of that so I could just circle back and say "show me the details".

In here you can find out exactly. Here the method "Parse" and in this particular instance we see the file is calling SetError in "tinyxmlparser". And all of those dependencies are available here. You can take this instant impact analysis report and export it, provide it to a developer and say this is what will happen if you make any changes to SetError. And you could imagine, the more complex the system, the harder it gets to really do any of this impact analysis. Now impact analysis is one great thing you can do with the system; being able to understand or report any changes you need to make, being able to document the architecture, these are all great advantages to using Architect.

Architect as well, is there to help you really visualize the architecture and see if its designed intent is still there. So you can turn on any types of relationships. As I turn on different types you can see that it changes these dependencies accordingly. These dependencies are any type of relationship that you select to choose. If I turn on all, this really depends on the language that we're looking at here but it can include template relationships, macro, types, etc.

There are literally hundreds of different types that we're looking at here to do the analysis we may need to do. What I mean by that is being able to do what if scenarios. What if I changed around this structure and really play around with some parts of the diagram. So for example, I could be in TinyXml parser component and I could say well, what would happen if I re-structured and cut out this particular file and put it at the top level? This probably doesn't make sense but let's see what happens. Every time you do that Klocwork is going to recalculate those relationships for you and understand what's the impact of doing that type of thing?

You immediately see that impact. So it's really about playing these what-if scenarios. You're not changing anything with the structure of your system. You're simply playing with the Klocwork database to see if those changes make sense. The goal here is to clean up the architecture, make it more reusable, make it more maintainable, and you even have built-in tools that you can use, such as clusters, to help you find clusters that are in the system. We have a mash of one here that deals with two or more files where one depends on the other or one component depends on another, which has a dependency right off to another, which comes back right to the original so it has a circular dependency. Less than desirable, especially for maintainability of the system, the complexity going forward, so you can look at these types of anomalies. You'll start doing these edit operations to move things around and see if you can make the architecture more desirable.

Then when you have, start using architectural enforcement rules associated with that. Defining your architecture rule to say, "tinyxml.h" should never be directly called. You can absolutely do that. More practical examples: I have a deprecated header, make sure that nobody calls that again. Or I have a component. It's a security sensitive component, make sure nobody actually calls that directly or no calls go out from it directly. So there are all sorts of great granularity you can get to the architecture by defining any types of rules.

So again, going back to the full process, it's all about being able to find these defects at the desktop while you're coding. This is really where the great integration that we have with Visual Studio or any of the other IDEs that we have support for, so you can identify these issues as you type. Klocwork provides the productivity tools so that with a click of a button you can refactor your code, then launch a code review on that code you changed and collaborate amongst your peers and make sure everything is further reviewed.

Finally into the managing level of the tool. The trending and the reporting and understanding the cost of ownership of your actual system right down to the architectural layer. Having your architects or your team leads looking at this code and really breaking it down and providing that full loop in terms of making the quality of your software that much better. So with that said, I'm going to pass things back over to Todd.

Todd

All right Alen. Thank you very much. Let's go back to the presentation with the last couple of slides around the top five reasons why you should be looking at partnering with Klocwork.

The first one here and we talked about it a lot is the on-the-fly analysis. Again, this is a market unique capability that really takes source code analysis and puts it right into the developer's natural workflow. There's no one else out there that does this with the speed and accuracy that we do.

Secondly there's the on-the-fly reporting, an incredibly fast and easy way to get meaningful and relevant information about your code, just a few clicks away.

Thirdly, the on-the-fly impact. Having visibility across the code streams ensuring the developers don't duplicate work. It's so important to understand what's happening to your code when often developers get focused on just small things, when really they need to have a bigger picture. This is the on-the-fly impact that provides that bigger picture.

And then there's also the integrated code review, so again it's a lightweight process to basically take the pain out of a somewhat painful but usually mandatory process which is the code review. We made that a lot more efficient, a lot easier to do and we also have the benefits of integrating source analysis right into your code review.

And finally, not really a part of the product, but we do have what we call the Klocwork Developer Network, which is just a wealth of information at developer.klocwork.com that you can access. There's online learning, community resources, there's videos to help you get started, videos to help you understand what's going on with the product. Just a wealth of information; a very, very active forum. So I highly recommend you check that out.

So that basically wraps up the presentation part and we're going to start getting into a few questions right now. So let me get into the questions. Here's the first one that talks . . . so Alen I'll be asking you these questions.

The first question is around a very complementary technology to source code analysis, around unit testing. So the question is do you integrate data from unit testing tools?

Alen

No, we do not. Our focus at this point is using source code analysis or static analysis. It's about identifying these defects early in the cycle. Unit testing integration is not available today.

Todd

The second question is around Java. Are there plans to introduce distributed analysis support for Java?

Alen

It's currently not in our 9.5 release but certainly we do support distributed analysis in the C and C++ world and we definitely want to extend that to our other languages to make that analysis that much faster. It's currently not available but we hope to add that in the future.

Todd

Another question here: "Is there also an option to store comments for a particular code snippet that for example, explains why I decided to ignore or why I decided the coding to be correct?"

Alen

In terms of Visual Studio integration that we have with that, we're trying to keep it very simple. That is two things. You either fix your issue or ignore your issue and there's no additional details you can add to those comments to ignore them. However any of those ignored issues do go to that build integration analysis where you could add the detail if you so choose, but from our experience what we're really moving to is really making it easier for developers to adopt these fast analysis tools because it is a barrier to them when there is an extra process of adding extra capabilities as opposed to just fix it or ignore it. We're really trying to simplify that model.

Todd

There are a couple of questions around platform support. The first one is around Visual Studio 2010 and 2008. So the answer is yes we support both of those. Linux Integrated Development Environments, and Alen you can probably expand on this, but our documentation would highlight all of our platform support and you can access that through: www.klocwork.com/documentation

Alen

Yeah, there's a huge list of platforms supported and a number of distributions that are available as well. As you said, just take a look at our documentation and that will fill in the gaps hopefully.

Todd

Another one around JetBrains IntelliJ, do we support that?

Alen

Yes, absolutely. We have Java analysis inside IntelliJ with direct buttoning.

Todd

Just trying to wrap up these support ones, can Klocwork integrate with CodeWright or SlickEdit?

Alen

We don't have direct plug-ins, although we have a really great integration with the two of them called "Klocwork Desktop". So you can use Klocwork Desktop with those environments. As you're writing code you have this continuous analysis environment so that as you write code it knows when you make a change by saving that file or opening that file to run this analysis inside the Klocwork Desktop tool. It's just something you have in the background; it will give you the pop-ups when an error is detected so you can click on it, it opens the tool and you can see it. Not direct plug-ins but a great integration with Klocwork Desktop that I would recommend.

Todd

Continuing on the theme here, this is around the "on-the-fly" features, the IDEs that are supported. We showed it in Visual Studio, what other IDEs are supported with this "on-the-fly" capability.

Alen

It's a good question because there is a distinction. This is our first introduction of this brand new engine that is obviously blazingly fast to give you those really high value checkers that you didn't get with traditional analysis. Our first introduction with this 9.5 release is with Visual Studio only. So you'll only see on-the-fly analysis with Visual Studio on C and C++ code; however, obviously a big part that we want to continue to build on and what you'll see in our upcoming releases is the same on-the-fly analysis within Eclipse and with our Klocwork Desktop tool. Currently those tools work with what we call continuous analysis; a little bit different, it is still automatic but it works and triggers off a save or an open of a file and analysis is not as fast as the "on-the-fly analysis" but it still gives you the value for defect detection at the desktop.

Todd

We have one last one on platform support or environments that we work in, so which integrated development environment does 9.5 support?

Alen

I'm not sure if that's a platform question or specifically you're concerned about any other development environments that you have. This is the great advantage of source code analysis as a whole, because as long as you have a supported platform that Klocwork works on (these are your typical Linux, Windows, Solaris, AIX, Mac OS, and those types of platforms) and you build on those platforms, not just Klocwork but static analysis as a whole is easily plugged into these environments. There's not really an issue in terms of support for that but if you want to expand on your question or there is some concern there just let us know.

Todd

So we'll switch gears a little bit here. Is there a way to see a list of the issues you ignored?

Alen

Within Visual Studio the answer is no. We are certainly looking to provide that functionality for you in the short-term. However whenever you ignore an issue and that issue appears in a build integration, so it will show up in the next build, then you will see it's still ignored and you can get that full list by just going into review and searching for those ignored issues.

Todd

This may be along the same line. After ignoring a local issue will it show up in review after check in?

Alen

Repeat that.

Todd

Sure. After ignoring a local issue, will it show up in review after check in?

Alen

After check in it will only show up in review after you've done the next build integration. So you've run the next system build. What it does is it goes into something we call a sandbox. It's just this extra area that we make and store to see, is it going to come into the next build integration? If it finds it, then it stores it and says, well this one's already been ignored so you get that feedback. If that issue never comes into build integration, meaning it never was checked in, it was never part of the next system build, then you won't see it. The short answer is that it will be there as long as you run the next system build, after check in.

Todd

Here's one around reporting. Can reports be run against multiple projects and sort of in brackets here, the number of severity one issues for all of my Klocwork projects so as an example.

Alen

So we have the cross project report which is a new report in our 9.5 release and it gives you just a snapshot of the defects across your projects over time. It's currently not customizable so it works only by looking at the projects as a whole but we certainly want to make that report customizable so you can start creating reports to say, okay, show me all my projects with the severity one issues and trend those over time. It's currently not available, but we hope to add that in a future release.

Todd

Along the same theme here with multiple projects. The question here is wondering about propagating an issue fix across multiple projects. So basically when you said we have many projects that share common code, is it possible basically to fix it in one project and update the others automatically?

Alen

Yeah, there is a tool that we call "kwxsync" and it's an absolutely crucial tool that we recommend all of our customers use because everybody has code that they branch, everybody has common code. When you identify an issue and for example you say this is something we need to fix or something that we need to ignore for whatever reason, you want to make sure you're not repeating that work. So there's this tool called "kwxsync" which is a tool that you nominate as part of your build process to make those correlations and move those status and common changes over to the other projects so you're not repeating the work.

Todd

A question about the speed of the Klocwork's network. So how long will it take to process 100,000 lines of code? C++ code.

Alen

The answer to that question is always "it depends," but as a benchmark we typically use, if your project compilation is anywhere, let's say 10 minutes. What we do is typically estimate one and a half to three times extra time required to run Klocwork. So if you want to run Klocwork now on a 10 minute build, it could take up to 30 minutes. This obviously greatly varies based on the complexity of the code and a number of other factors. That is a general timeline we use.

Todd

We don't typically like getting into competitive type questions, but there is one that's come up around Polyspace. So perhaps Alen, you could take a moment or two to explain some of the differences between us and Polyspace.

Alen

Yeah, it's mostly about scale. So when it comes to Klocwork it's being able to really analyze multiple millions of lines of code in an efficient and speedy manner. It's about really being able to provide the desktop tools that provide you the value upfront while you're typing. It's about the breadth of our analysis, being able to identify 100s of different types of defects. As opposed to a small subset, without focusing on security vulnerabilities, and there's a number of . . . different things so we can certainly contact the individual to give more information on some of those differences.

Todd

Are you up for a few more questions?

Alen

Yes.

Todd

How does the tool integrate with model based development tools like IBM Rhapsody?

Alen

They tend to be separate. There's no direct integration that we have with them. When you look at our architecture, one of the first things some of you may notice is a more of a UML like feel, but it's really just drawing the dependency structure of your system, showing you the dependencies as they exist today. There isn't any kind of UML aspect to it. There isn't any kind of a modeling aspect to it. It's really about keeping and storing what your software looks like today. So, the short answer is we don't have any integrations with these tools. One of our customers that use both our tools in place, but on completely separate levels.

Todd

We have a follow up to the kwxsync question, wondering if kwxsync can copy from one project to multiple projects.

Alen

Yes. It does.

Todd

And another follow up to the follow up, if the project shares the same code set, is there a way to reuse this across other projects to reduce scan times?

Alen

Actually, what you should be using, and this is a question I was asked earlier about Java distributed analysis, on the Java side there is incremental analysis. I always strongly recommend that everybody use Klocwork incremental analysis, because we're talking about re-using a lot of information from your existing project to make it much faster. To re-use analysis from another component, that's possible by using. . . for example let's say you have some third party code, and you've got to attach this third party code.

You build it as part of your process, you want to make the process faster. What you can do is, as long as that code never changes, you can run an analysis of that third party code, generate a knowledge base or what we call a JB file. Use that to have all the information of that third party code, import that into your other build ignoring the third party code from Klocwork to increase the scan time. There are some ways, but I think it's all negligible as long as you're using Klocwork incremental analysis, because it easily connects all the analysis. It significantly improves the build time. It's really not a question of needing to reduce scan times by taking this common code.

Todd

A few more here. Can Klocwork integrate with a Jenkins build system?

Alen

Yes, there are documents on the Jenkins site that some of our partners have created, so it's certainly available. Klocwork provides all the command line tools. There's no direct plug-in that's provided and supported out of Klocwork, and I think you will probably see that in each release. However, there are those who have taken the steps to create integration already. So, yes, it's certainly possible.

Todd

We're going to end with one last question. Alen, I know you're not a sales person, but everybody is asking me how much does it cost?

Alen

Certainly what we recommend as part of this, it depends on a number of situations. Whether you need multi-language support or single language support, so I recommend that you contact a Klocwork sales representative, and we're happy to help you through that.

Todd

I think we have to end it at this point, so any of the questions that we haven't addressed here, we will certainly address with an email in a very short time from now. As well, this presentation has been recorded, and the link will be available in a few days. At this point, we would really like to thank everybody for their time today, and we wish you all a great day.

Klocwork Truepath®

Klocwork Truepath is the static analysis engine that powers Klocwork's tools. It accurately identifies critical security and reliability issues through a sophisticated whole program analysis of C/C++, Java and C# code.

Klocwork Desktop Analysis

Klocwork Desktop Analysis is like spell-check for developers. Get instant, accurate and continuous feedback on the critical defects and security vulnerabilities introduced into your code, as you're writing it.

Klocwork Architect

Klocwork Architect provides a visual representation of a software project's architecture, allowing team leads and software architects to see, experiment with and optimize complex code bases.

Klocwork Review

Klocwork Review's drag & drop reporting capabilities help development leads answer complex questions about the security, reliability and maintainability of the entire code base in minutes.

Klocwork Refactoring

Klocwork Refactoring simplifies the time consuming task of code maintenance for C/C++. Automatically clean up your code and make it easier to understand within Visual Studio or Eclipse.

Klocwork Insight has been proven in some of the largest and most demanding software development environments in the world. Try it on your code today by requesting a free product trial.
