BY: TIM BIGGIN

Static Code Analysis

Overview

What Static Code Analysis DoesWhy Should You Use It?How is it Used?Types of Static Code AnalysisBenefits of Static Code AnalysisDrawbacks of Static Code AnalysisCoding StandardizationIntegration TipsComparing Tools and Examples

What Static Code Analysis Does

Definition: a method of detecting errors and defects located in the source code of a program without execution.

Tools are used to analyze code and locate issues

Can be used to make code conform to company style such as indents, spaces, tabs, and standards

Produce metrics indicative of code quality (KLoC, file counts, “churn”)

What Static Code Analysis Does

Tools are automated and analyze 100% of source code without compilation, test cases, or execution

Detect errors in boundary conditions, security, logic, and others

Advanced tools can be used to mathematically prove the absence of certain run-time errors

Static analysis tools can be used to automate much of the code review process

Provide a documented list of discovered issues (e.g. description/file/line number) after analysis

Why Should You Use it?

It will increase the likelihood of detecting safety and quality problems earlier

Static code analyzers detect errors early in the coding stage, where they are more cost effective to fix

Useful during maintenance of legacy code, such as locating unchecked NULL pointers

Image retrieved from: http://www.cplusplus.com/articles/9E18T05o/

Why Should You Use it?

Can be more efficient than code reviews or pair programming and consume far less time and resources

Help catch subtle issues such as overflows that may be missed by compilers or programmers, which could result in fatal errors

Points out unclear code that may be confusing to programmers

Can verify all possible execution paths that other methods fail to cover

Why Should You Use it?

Static analysis can be applied directly to incomplete or incorrect code, without the need for compilation

Likewise, it can be implemented long before the development of test cases

As a result of early detection, static analysis can lead to reductions in time and costs and increases in revenue

How is it Used?

EducationPortingLocating Suspicious CodeCode RefactoringDetecting Coding Errors

Education

It can help new employees adjust to company standards and style

Check work done by a novice programmer in an organization

Assist professors when grading multiple students’ work and point out areas that need improving

Porting

Porting software is a major job, especially when it’s not originally planned

Hard to know what issues you will encounter when changing platforms

Static code analyzers can locate dangerous code fragments, telling you what to modify

Locating Suspicious Code

Aids in locating backdoors in outsourced or third party code

Locating these issues can prevent security breaches

Can also help when using open-source libraries by determining which has the fewest bugs and safest to use

Code Refactoring

Helps with code refactoring by pointing out areas that should be rewritten

Locates large functions, overuse of global data, and complicated class hierarchies

Addressing these issues early prevents them from causing structural issues later

Detecting Coding Errors

Can be run after code compilation which alerts programmers of possible issues

Formal methods can be used to prove the absence of certain runtime errors (e.g. memory leaks)

Develop cleaner more stable builds yielding a quality product

Types of Static Analysis

Code Reviews Locating Vulnerabilities Downsides

Automated Tools Common Tools Formal Methods Tools

Code Review

Definition: reviewing source code in teams to reveal defects in other teammates’ code

People are assigned to the positions of moderator, designer, coder and tester

Easier to locate errors in others’ code Offers teams a better understanding of code

after a reviewDetects similar issues as static analysis tools,

such as meeting coding standards

Locating Vulnerabilities

Detects backdoors, locates malicious functions and ensures removal of testing functions

Locates malicious logging of personal data by examining logging functions

Ensures proper methods of cryptography, unlike DES, MD5, or SHA1

Can trace data from source to destination, locating where a vulnerability is likely to occur

Downsides

Teams must be gathered at regular times to perform the review

A checklist must be created prior to the review

Must allow for scheduled breaks to ensure reviewers don’t grow tired and lose focus

A re-review will most likely be required after issues have been corrected

Reviews rely solely on the expertise of the reviewers

Automated Tools

The majority of static code analysis falls under this category

Tools have varying degrees of detection abilities

Common tools allow for probable error detection, as well as meeting style and standards

Advanced tools can be used to prove the absence of run-time errors

Common Tools

Automate much of the code review processThese tools locate potential and actual errors,

but do not guarantee the absence of issuesUse methods of heuristics and statistics to

locate errorsAlthough they find errors, they may introduce

false-positives and false-negativesFalse-positive: reliable code identified as

erroneous

Common Tools

False-negative: erroneous code is missedDecrease the probability of false-negatives

and increase the probability of false-positives

Formal Methods Tools

Usually used in critical systems and medical software development where safety is vital

Use mathematical concepts to find and prove the absence of run-time errors

Tools use what is called abstract interpretation

These rules can be used to prove absence of uninitialized variables, overflows/underflows, divide-by-zero and out-of-bounds pointers

Formal Methods Tools

Locate possible run-time errors and attempt to prove they will fail

Code is classified as proven, failed, unreachable, or unproven for each operation

Example from Polyspace analysis on next slide

Formal Methods Tools

Image retrieved from: http://www.embedded.com/design/other/4374801/Using-formal-methods-for-sophisticated-static-code-analysis?page=2

Formal Methods Tools

Reduces possibility of false-negativesSimplifies debugging process by locating

source of run-time errorsCan be vital for improving the quality of

embedded, high-integrity, or critical systems software

Save time and money by eliminating defects when they are most cost effective

Benefits of Static Code Analysis

Main benefit: reduces cost of fixing defects by detecting them early in the life cycle

Early bug detection cuts time spent in development and maintenance

Allows for the product to come to the market sooner and stay longer

Easily detects effects of the “copy and paste method” saving time from trying to manually locate all copies

Benefits of Static Code Analysis

Tools offer full code coverage testingDiscovers defects in rarely used code other

methods missTools are not dependent on compiler or

project environmentLocates defects in exception handling and

logging

Drawbacks of Static Code Analysis

Added probability of false negatives and positives

False-negatives create a false sense of security and allow bugs into the release

False-positives can delay the release and create unneeded work

Common static analysis tools cannot detect conditional errors

Drawbacks of Static Code Analysis

Integration of tools into development cycleTools change the way people work Must become part of the organization’s

cultureRequire investments in education and time to

learn/use the toolsVery hard to integrate on legacy codeTime and budget restrictions

Coding Standardization

CERT: Computer Emergency Readiness Team Researched internet weaknesses, frequent

programming errors Created coding standards to combat these Accumulated findings into CERT C/C++ Secure Code

StandardMIRSA: Motor Industry Software Reliability

Association Developed guidelines for critical systems Dealt with automotive industry, including aerospace Guidelines cover C and C++

Many tools have upgraded to meet both of these

Integration Tips

Analysis of legacy code can reveal thousands of issues

Have a plan to deal with uncovered issuesMay choose to hide issues form developers

until they can be reviewed and remedied Focus on preventing new issuesDo frequent build analyses to ensure issues

are being handled by developers

Integration Tips

Create subject matter experts (SMEs) Learn and service tools Educate developers Identifying false-positives Assigned to each product Should be experts on their tool Integrate tools into daily work of developers

Comparing Tools

Don’t base decision on number of rules, all may not pertain to your system

Don’t decide based on number of system specific rules

Compare number of errors detected on a set of projects

Features: quality and security checking, standards, cost, licenses, integration process, etc

Single or multiple language tool

Comparing Tools

Usability of toolE.g. Visual Studio vs. PVS-Studio

Duplicate warnings filters Saving results Hide and reveal errors Filtering on keywords Both have equal detection of errors

IntelliJ IDEA IDE Features Finds probable bugs

Locates dead code

Tool Examples

Images retrieved from: http://www.jetbrains.com/idea/documentation/static_code_analysis.html

Tool Examples

Detects performance issues

Improves code structure and maintainability Conforms code to guidelines and standards

Conforms to specifications (EJB, JSP, JSF, etc.)

Images retrieved from: http://www.jetbrains.com/idea/documentation/static_code_analysis.html

Run Example

Visual Studio Static Code Analysis Right-Click on the project in Solution Explorer

Properties Code Analysis Select Microsoft All Rules rule set in the dropdown

box File Save

Run Example

Run Example

To run analysis: Right-click on the project in the Solution Explorer Run Code Analysis, or, Analyze Menu Run Code Analysis for (project)

Violations will be shown as Warnings in the Error List window

Run Example

Configuration Right-click on the project in Solution Explorer

Properties Code Analysis Configuration lists potential configurations including:

Debug, Release and All Configurations Platform lists different platforms which the code can

be compiled on, such as x86 and x64 Each combination can have its own code analysis

configuration. Enable Code Analysis on Build checkbox: analysis will

occur whenever the code is compiled. Suppress results from generated code checkbox

Run Example

Rule Sets dropdown menu After choosing a rule set, Open gives a detailed

description of the rules in the set

Groups or individual rules can be check/unchecked Change Action: Error, Warning, None Create custom rule sets: File Save As. Will be added

to menu

Conclusion

Static analysis can be a valuable tool in error detection in the process of software development

Have various uses within organizationsNumerous types, advantages, and featuresGreat for enforcing code standardsAlthough integration may be challenging,

they provide substantial cost and time savings

Comes down to which tool is the best fit for you

References

[1] Abraham, J. (2012, June 6). Using formal methods for sophisticated static code analysis. Retrieved June 25, 2012, from EE Times: http://eetimes.com/design/ embedded/4374801/Using-formal-methods-for-sophisticated-static-code-analysis

[2] Carmack, J. (2011, December 27). In-Depth: Static Code Analysis. Retrieved June 25, 2012, from Gamasutra: http://www.gamasutra.com/view/news/39328/InDepth _Static_Code_ Analysis.php

[3] Gousset, M. (2010, April 27). Static Code Analysis Configuration. Retrieved June 27, 2012, from Visual Studio Magazine: http://visualstudiomagazine.com/articles/ 2010/04/27/static-code-analysis-configuration.aspx

[4] Gousset, M. (2010, March 25). Static Code Analysis in VS2010. Retrieved June 25, 2012, from Visual Studio Magazine: http://visualstudiomagazine.com/articles/ 2010/03/25/working-with-static-code-analysis.aspx

[5] JetBrains, Inc. (n.d.). Static Code Analysis. Retrieved June 25, 2012, from JetBrains: http://www.jetbrains.com/idea/documentation/static_code_analysis.html

[6] Jones, P., Jetley, R., & Abraham, J. (2010, February 9). A Formal Methods-based verification approach to medical device software analysis. Retrieved June 27, 2012, from EE Times: http://eetimes.com/design/embedded/4008888/A-Formal-Methods-based-verification-approach-to-medical-device-software-analysis

[7] Karpov, A. (2010, December 27). Cases When a Static Code Analyzer may Help You. Retrieved June 25, 2012, from The Code Project: http://www.codeproject.com/ Articles/ 140078/Cases-When-a-Static-Code-Analyzer-may-Help-You

References

[8] Karpov, A. (2012, March 12). Static code analysis. Retrieved June 25, 2012, from CPlusPlus.com: http://www.cplusplus.com/articles/9E18T05o/

[9] Karpov, A., & Ryzhkov, E. (2011, March 31). Difficulties of comparing code analyzers, or don't forget about usability. Retrieved June 28, 20120, from viva65: http://www.viva64.com/ en/a/0071/

[10] Pitchford, M. (2011, March 1). Think static analysis cures all ills? Think again. Retrieved June 25, 2012, from EE Times: http://www.eetimes.com/design/ embedded/4213633 /Think-static-analysis-cures-all-ills--Think-again-

[11] Shetti, V. (2010, August). Why Static Analysis? Retrieved June 25, 2012, from Palizine: http://palizine.plynt.com/issues/2010Aug/why-static-analysis/

[12] Sidner, S. (2010, April 24). When Quality, Security Count. Retrieved June 25, 2012, from Dr. Dobb's: http://www.drdobbs.com/ tools/224600102

[13] Vink, G. (2010). Static Code Analysis (SCA) Standardization Efforts & Integration in the Software Development Flow. Retrieved June 25, 2012, from Tasking: http://www.tasking .com/resources/Static-Code-Analysis-WhitePaper.pdf

[14] Yocum, C. (2011, May 14). An introduction to static code analysis: What, why and how. Retrieved June 25, 2012, from The Register: http://www.theregister.co.uk/2011/05/14/ static_code_analysis_101/