Software Assurance            Software Hardening            Autonomic Computing

Enhancing Code Reviews with Static Analysis


INTRODUCTION:

Code reviews (or inspections) are an effective way to reduce defects in software projects. In fact, defect removal rate can be as high as 75%, meaning two thirds of all bugs are removed during the development phase of a project. Given the cost of dealing with bugs in fielded products, code inspections are part of good software engineering practice. This post discusses how static analysis tools provide an ideal (and automated) companion to reviews by supporting the process and increasing the defect removal rate.

Related :


Integrating into an Existing Process

GrammaTech has always promoted the fact that CodeSonar is meant to be integrated into an existing development process and augment the tools already in place. Inspections in general, not just of code, are a valuable tool to reduce defects. As with all practices, the earlier they are done in the development process, the bigger the pay-off in reducing downstream costs. Figure 1 shows the rough overlay of inspections (which is a superset of reviews) over the software development lifecycle. It’s important to note that the use of tools and inspection doesn’t stop at deployment but rather the tools are part of whatever maintenance and upgrade process may follow.

Code Review Checklist Code Reviews

Figure 1: The overlay of inspection, static and dynamic analysis tools on the software development process.

Static analysis tools can be quickly integrated into an existing review process in the following manner. Figure 2 shows a modified review process that includes using static analysis before manual review meetings. Presumably reports from the tools are included as part of the inspection and re-review.

Code Review Process

Figure 2: A modified code review process that includes static analysis.

Benefits of Static Analysis to Code Inspections

While everybody agrees that code reviews are extremely beneficial, there is a significant cost in man-hours to them. So any way that we can reduce the amount of time spent on them while enhancing the results, is a sure win-win situation. And this is where static analysis tools come in, they can provide a lot of input and automate some of the review process. This is, of course, true but only scratches the surface of the benefits that automatic static analysis provides. Here are some of the other benefits that static analysis tools bring:

  • Work on large volumes of code: It’s often impractical to review all of the source code usually new code is the top priority for inspection. CodeSonar can review millions of lines of code including binary object code and libraries for defects and security vulnerabilities.
  • Find difficult to see, obfuscated errors: Static analysis tools can detect errors that can allude visual inspection and even functional testing.
  • Errors that span process/file boundaries: Advanced static analysis performs complex code and data path analysis. This analysis can span functions and files that may be outside the scope of a unit under code review. CodeSonar has unique concurrency checkers that detect multithreaded/multitasking issues which are very difficult to determine with inspection.
  • Detection of security vulnerabilities: Testing and reviewing for security defects is difficult and involves a different mindset than testing for correct functionality. Static analysis tools can point out vulnerabilities and insecure coding practices. In addition, tainted data analysis discovers the path of input data to its eventual use within the system and cross references these with discovered defects.
  • Tool integrations: CodeSonar integrates with various Integrated Development Environments (IDE) such as Eclipse, build systems such as Jenkins, versioning systems such as GitHub and defect reporting tools such as JIRA. This brings the power of static analysis directly to the developer and incorporates it into the regular coding, build and test activities.
  • Reduce the review effort: Static analysis tools are automated, fast and effective. By running the tools on code before it’s reviewed, it reduces the amount of defects in the code to be discovered manually. Static analysis tools can also enforce coding standards such as MISRA, removing that aspect of reviews. Reports are available for each analysis providing supporting documentation for the review process.

Why Manual Reviews Are Still Required

Code reviews and other inspections are still something GrammaTech recommends. Our tools are meant to augment an existing process and improve the outcomes. As such, it’s important to highlight why reviews are still required to achieve good quality and security.

  • Find defects that tools miss: The success rate for good inspection processes is high, so reviews are effective. By understanding the intention of what the code is meant to do provides human reviewers with much better starting point to detect bugs. Luckily, automated static analysis and manual reviews complement each other as stated above.
  • Inspection is more than just code: Reviews should be performed on all aspects of the software including requirements, design, test plans and then source. Finding and fixing requirements pays the biggest dividends by far in complex projects. It’s important to realize code reviews are part of a broader inspection process.
  • Provide important context to tool reports: Developers understand the requirements of the system (or should!) and the expected outcomes of its operation. Static analysis and other tools can only reason so much about the intended purpose of code and human-led reviews provide the required context to reviews and associated tools reports used.
  • Validate tool findings: Static analysis tools require interpretation of the errors reported. The code review meetings provide a forum for clearing up any contentious reports.
  • Intangible benefits: Code reviews are very much a human process and as such the process, meetings, reviews and the interactions therein provide important benefits such as mentoring new developers, consistency in design and implementation, team cohesion, and providing management with a rough barometer of progress and quality.

CONCLUSION:

Code reviews are here to stay but are enhanced with static analysis tools. The human-led inspection complements tool automation nicely. Static analysis tools reduce time and costs for reviews while enhancing the outcome of the process.


Interested in learning more? Read our 

4-Step Guide to Security Assurance for IoT Devices.

Read the Guide