Parasoft
Error-free code, safe application
Static analysis enables software developers to maintain high code quality right from the start. The early and frequent checking for errors and their elimination reduces the workload and helps to avoid software vulnerabilities.
It is tempting to fall into the usual trap when developing software: You usually just end up testing quality into the software project instead of developing better software from the start. This approach to quality control relies on unit or functional testing. It is important to resist the temptation to proceed in this way. Built-in quality can also be part of the software from the start. The simplest and most effective measure here is the use of static analysis: it helps software engineers to avoid errors, harden the code and speed up application delivery at the same time.
What is static code analysis?
Static code analysis, or simply static analysis, is a software testing activity in software development. It involves examining the source code for constructs that are known to be associated with software bugs or security vulnerabilities. If a high-risk construct is discovered, the static analysis tool reports a violation that the developer can review and fix.
There are a few main types of static analysis, each with its own strengths and weaknesses:
- Pattern-based static analysis: in its simplest form, a static analysis tool scans the source code and checks it against one or more sets of rules. For example, engineers sometimes make the mistake of using the string "\0" when what is actually meant is the null character '\0'. This error can lead to memory corruption, cause the program to crash or cause similarly serious problems. A static analysis tool searches for these patterns in the code and reports them as possible errors. This type of static analysis is called pattern-based static analysis. Some patterns are simple syntax checks, similar to a spell check when typing. Others can be much more sophisticated and analyze and detect complete patterns with subtle problems. This static analysis almost never produces false positives. Modern software development standards such as MISRA (Motor Industry Software Reliability Association) and JSF (Joint Strike Fighter) are based on the idea that certain constructs in safety-critical code should be avoided because the code can cause problems in such systems.
- Flow analysis: Flow analysis, sometimes called control flow or data flow analysis, takes a slightly different approach by checking problematic constructs against a set of rules. It simulates decision paths to dig deeper into the application and find hard-to-find errors. These errors can include null pointer dereferences, buffer overflows and security flaws such as tampered data. Flow analysis can find real errors, but includes a certain number of false positives.
- Additional types of analysis: Other types of static analysis each have different goals. For example, metrics analysis tools measure code characteristics such as lines of code and complexity. Coverage analysis tools perform unit and application tests to better understand the nature of the test. Using these analyses together as part of an automated development testing process provides important insight into the security and reliability of the application.
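The pattern-based check from the first list item, as an added example (not code from the article or from any Parasoft product): a small token scanner that flags the string literal "\0" in C source while ignoring comments, the correct '\0', and longer strings with an embedded NUL. The function name and the C sample are constructed for illustration.

```python
import re

# One alternation so comments and literals are consumed as whole tokens;
# a plain substring search would also match inside comments.
TOKEN = re.compile(
    r"""
      (?P<comment>//[^\n]*|/\*.*?\*/)
    | (?P<char>'(?:\\.|[^'\\\n])+')
    | (?P<string>"(?:\\.|[^"\\\n])*")
    """,
    re.VERBOSE | re.DOTALL,
)

def find_nul_string_literals(source):
    """Return (line, text) for each string literal that is exactly "\\0"."""
    findings = []
    for m in TOKEN.finditer(source):
        # Only real string tokens count; the body must be the two characters \0.
        if m.lastgroup == "string" and m.group()[1:-1] == r"\0":
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group()))
    return findings

# Constructed sample input (not from the article).
SAMPLE_C = r'''
#include <string.h>
/* do not write "\0" when you mean '\0' */
void trim(char *buf, size_t n) {
    buf[n - 1] = '\0';            // correct: null character
    if (buf[0] == "\0") return;   // flagged: char compared with a pointer
    memcpy(buf, "a\0b", 3);       // embedded NUL in a longer string: not flagged
    // strcat(buf, "\0");
}
'''

if __name__ == "__main__":
    for line, text in find_nul_string_literals(SAMPLE_C):
        print(f"line {line}: string literal {text} used; did you mean '\\0'?")
```

A plain text search for the same characters would also hit the two comments in the sample, which is why the rule works on tokens rather than raw text.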
Risks of not performing static analysis
The scope of software is becoming increasingly complex. For example, an average car today can contain over 1,000 code-executing MCUs and up to 100 million lines of code. Such a large electronic surface, especially in safety-critical applications such as automotive, medical devices or aerospace, requires a rigorous technical approach to maintaining error-free code.
Organizations such as OWASP, CERT and MITRE are dedicated to researching and publishing programming best practices. In this way, they support software engineers in the successful implementation of their software projects. In addition, there are industry-specific standardization organizations that publish best practices that are required by many regulatory authorities. One example is MISRA, which specializes in software systems for the automotive industry. The best practices can be codified into static analysis tools as rules and then incorporated as part of the company guidelines that developers must follow.
Using a static analysis tool that can implement these programming standards while being integrated into the development process is important. Those who do not check their work with at least one static analysis tool significantly increase the economic risk when releasing or deploying the applications. Errors can lead to vulnerable code that can be used by malicious hackers to crash the system or expose sensitive data, for example. For security-critical software, the consequences of software vulnerabilities can be even more serious.
Advantages of automated static analysis
Relative cost of error correction, based on the time of discovery (© National Institute of Science and Technology)
Running static analysis on the desktop has several advantages and is suitable for small teams or projects. Large organizations, on the other hand, should also automate static analysis as part of nightly builds and continuous integration. As an integral part of the development process, static analysis of code provides a number of benefits, including the following:
- Shorter development cycles: when static analysis is consistently performed in the early stages of a project, it allows systemic bugs to be found and fixed when the cost of fixing them is lowest. This process can initially take more time than the rapid development of software without analysis. However, as the development cycle progresses, the efficiency gains increase exponentially. The elimination of some errors later on is only possible to a limited extent - this makes early detection crucial.
Good static analysis tools also include clear documentation about the implemented programming standard, which enhances the programming knowledge and professional development of software engineers. Over time, adherence to these standards improves the average quality of the code because the constant feedback improves the performance of the programmers. If the static analysis tool has a broader ecosystem with the ability to prioritize bug fixing tasks, software can be deployed even faster.
- Lower error rate: Static analysis helps to find and fix errors at an early stage, preventing the recurrence of systemic errors down the line. Those who pursue the strategy of early detection have advantages when it comes to avoiding errors. It also noticeably reduces the error rate over the course of the development cycle.
- Continuous improvement: The term DevOps describes a collection of practices that facilitate cross-departmental collaboration and communication. This is necessary to help companies optimize and accelerate their development and delivery processes. By sharing expertise and tasks across departments, companies create an efficient process to accelerate the SDLC (Software Development Lifecycle) while improving quality processes.
However, for this method to be effective, an automated feedback loop must be implemented to enable the consistent application of quality guidelines from requirements creation to production.
Automated static analysis is not only the mechanism for the feedback loop. It also generates the data that other departments need to access and collaborate effectively within the DevOps model. Particularly in conjunction with unit and regression testing, static analysis fulfills several functions, including:
- Ensuring code quality,
- Providing the big data required to improve the development process,
- Facilitating the mechanisms of the automated DevOps feedback loop.
As a result, static analysis becomes a means for continuous, automated process improvement. It helps developers understand and investigate bugs discovered during release. In addition, quality assurance can determine if there is a method to harden the code and it can eliminate the risk of these errors occurring again in the future.
Solution for static analysis
Several static analysis tools are available on the market, ranging from open source utilities to full development test suites. Among them, the Parasoft C/C++test software solution provides an integrated platform for automating a wide range of software quality practices for multiple programming languages, as well as providing meaningful and comprehensive reports and, supported by the DTP reporting tool, optional intelligent analysis. For C and C++, it offers a full range of static code analysis features and over 2,200 rules (the highest level of tools on the market, based on implementations of MISRA, MISRA C++, Scott Meyers' Effective C++, Effective STL and other established sources). In addition, this development test solution provides a unified solution for the development process.
In terms of functionality, it generates and implements automated unit tests, enables various types of code coverage, including coverage of lines, statements, blocks, paths, decisions/branches, simple conditions and MC/DC. It includes runtime analysis and a tool qualification kit for compliance with functional safety standards. With Parasoft's static analysis, users can analyze code and integrate it into their automated builds to continuously and automatically prevent errors.
For automated workflows that improve collaboration and efficiency, these static analysis engines integrate with Parasoft DTP, which includes workflows for integrating quality into the SDLC. This allows users to define their development guidelines and then automatically enforce non-functional requirements. For example, static analysis is automatically performed during the build, violations are reported to DTP where they are processed, and the results are sent back to the engineer's IDE to view for remediation.
DTP also performs intelligent analysis that enables these workflows to automatically assess the quality and risk of software development. For example, DTP can look for systemic issues related to the coding process or correlate a serious violation in code produced by a junior engineer with a set of unit tests and coverage information to determine how risky the module is. If the correlation indicates a risk level above a certain threshold, the violation can trigger a special continuous process improvement workflow that includes peer code review and additional analysis in addition to the normal troubleshooting tasks.
Conclusion
Static code analysis plays an important role in ensuring that applications work as expected. It not only increases the overall speed of the development team, but also reduces the risks associated with releasing potentially dangerous software.
The author: Arthur Hicken works in the areas of software security and test automation at Parasoft.
© Parasoft

















