The Best of Both Worlds: Aggregating Static Analysis Results from Best of Breed Tools


Many companies use a mix of languages and develop different types of software, from low-level drivers and firmware to middleware and applications with elegant user interfaces. These layers of software are typically built by separate development teams. Java, C and C++ are the top languages in use today (with Python near the top as well).

These software teams need sophisticated software development tools to accelerate their development in the programming languages of choice. These tools need to support existing processes and integrate together: software teams want development tools to work together, share information and work inside their respective IDEs. Examples include functional testing, static analysis, code coverage, performance measurement tools and more.

Each tool has its particular strengths and is developed for a particular market, often targeted at particular languages, development environments, standards and product verticals. A functional testing tool may be ill suited to testing an event-driven system; a Java code coverage tool might not work on a small embedded target. An enterprise static analysis tool will have too many false negatives (missing real bugs) to be attractive for a safety-critical market.

Car analogies are often apt: it is possible to drive to the ski hill in a Bugatti Chiron, but it is unlikely to be the best choice of transportation for your ski vacation, not even the Lego version!

Instead, use the best tool for the job and integrate them together to get the best results for your software development team. A best-of-breed solution with good integration provides better performance and value than all-in-one solutions. The key to successful integration is aggregating the data from various sources to a common location for management, communication, and efficiency. Presenting status and reports in a common location is the key to providing an equivalent experience to all-in-one solutions.

Developers within organizations with varying product families have to deal with different requirements for quality, security and reliability for different applications. Each application has unique requirements, be it an embedded device or a web application, and different tools are better suited to particular approaches to improving quality and security.

Juliasoft

GrammaTech has partnered with JuliaSoft, an innovative company specialized in software verification, quality, privacy and security. Like GrammaTech, they aim to help software teams improve their application security and quality, thereby significantly reducing their development and maintenance costs and eliminating risks related to security vulnerabilities and privacy leaks. Juliasoft complements GrammaTech’s specialization in C and C++ with their particularly deep and accurate analysis of Java, Android and .Net code. They are also specialists in security and privacy for mobile, enterprise and web applications. The Julia Solution Suite is illustrated below.

[Figure: The Julia Solution Suite]

Juliasoft provides domain expertise in enterprise security and GDPR that is important to GrammaTech customers. In addition, they broaden the combined language and domain coverage with two best-of-breed solutions.

Integrating the Julia Solution Suite with CodeSonar

The key integration point between CodeSonar and the Julia Solution Suite is the CodeSonar Hub, the central repository for static analysis results. The hub is designed to work with any external tool and is not limited to CodeSonar. In fact, any tool using the SARIF open standard can integrate with CodeSonar. The hub provides a central location to persist static analysis results on a per-project, build-by-build basis. With its web interface, developers, testers, QA personnel and management can analyze the state of each project.

In the case of Juliasoft and the Julia Solution Suite, it is now possible for GrammaTech customers to benefit from high recall, high precision Java, .NET and Android static analysis and investigate the results within the same UI and tools they are already familiar with. It is common for a project to build a mobile app for Android complementing an embedded IoT device. In addition, any developers needing expertise in enterprise and mobile security or privacy can now leverage Juliasoft’s expertise.
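The aggregation the hub performs on SARIF input can be sketched in a few lines. The example below is added here and is not GrammaTech's or JuliaSoft's code: it builds two constructed SARIF 2.1.0 logs (one per tool, with made-up rule IDs and file paths), flattens them into a common finding tuple, and produces a single per-project view with counts by tool and by severity level.

```python
import json
from collections import Counter

def sarif_log(tool, findings):
    """Build a minimal SARIF 2.1.0 log; findings are (ruleId, level, uri, line, text)."""
    return json.dumps({"version": "2.1.0", "runs": [{
        "tool": {"driver": {"name": tool}},
        "results": [{
            "ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}
            for rule, level, uri, line, text in findings]}]})

# Constructed sample logs for two tools (illustrative, not real tool output).
SAMPLE_LOGS = [
    sarif_log("CodeSonar", [
        ("BUFFER_OVERRUN", "error", "firmware/net.c", 42, "write past end of buffer"),
        ("UNUSED_VALUE", "warning", "firmware/net.c", 77, "value is never read"),
    ]),
    sarif_log("JuliaSoft", [
        ("SQL_INJECTION", "error", "app/src/Login.java", 120, "tainted data reaches query"),
        ("NULL_DEREF", "warning", "app/src/Login.java", 88, "possible null dereference"),
    ]),
]

def normalize(sarif_text):
    """Flatten one SARIF log into (tool, ruleId, level, uri, line) tuples."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version: %r" % log.get("version"))
    out = []
    for run in log["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            # SARIF defaults a missing "level" to "warning".
            out.append((tool, r["ruleId"], r.get("level", "warning"),
                        loc.get("artifactLocation", {}).get("uri"),
                        loc.get("region", {}).get("startLine")))
    return out

def aggregate(logs):
    """Merge several tools' logs into one project view: findings plus counts."""
    findings = [f for text in logs for f in normalize(text)]
    return {"findings": findings,
            "by_tool": dict(Counter(f[0] for f in findings)),
            "by_level": dict(Counter(f[2] for f in findings))}

if __name__ == "__main__":
    for tool, rule, level, uri, line in aggregate(SAMPLE_LOGS)["findings"]:
        print(f"{level:8}{tool:11}{rule:16}{uri}:{line}")
```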

Best of Breed Approach

Although there is an appeal in a “one solution fits all” approach, there is always a compromise on one or more parts of the solution. There are always individual tools available in the market that do a better job, or tools that specialize in a particular problem domain critical to your project. GDPR is a great example: if it applies to you, you cannot compromise on this requirement. Getting the best tools is always preferred, but software teams don’t want to deal with siloed products that don’t work together or that provide vastly different reports and UIs. These problems aren’t limited to static analysis; they extend to build automation, defect tracking, automated testing, coverage metrics and so forth.

Building seamless integrations, using common standards, and storing results and reports in a common repository with a common UI is key to building a best-of-breed tool set with superior capabilities and without the drawbacks.

Summary

Juliasoft brings key capabilities and language support for security and privacy in enterprise and mobile software, which complements CodeSonar’s strength in C/C++, embedded, IoT, safety-critical and security-critical systems. There is no need to compromise with best-of-breed solutions when tool integration is done well, removing the silos between tools.