Integrating Static Analysis into Continuous Integration/Continuous DeploymentJuly 3, 2018 Tweet
Continuous integration (CI) and continuous delivery (CD) are gaining traction in software development as teams try to streamline their development processes to avoid the “big bang” integration and test phase that caused so many problems in past projects. Continuous integration is the practice of merging code changes in to the main branch of a project as soon as possible then building and testing the main branch on a regular basis. Continuous deployment extends the practices of CI by passing newly integrated software through the complete production pipeline used to deliver a product to customers. There’s overlap with the tenets of agile development which were discussed in an another post.
The benefits of CI/CD include a reduction in integration issues that plague projects that leave full system integration to the last minute. Shifting integration, testing and deployment much earlier in the software development lifecycle pays off by finding defects and security issues earlier. Sound familiar?
However, in order for CI/CD to be a reality, automation is necessary to help streamline the development processes involved. For example, test automation is key to help make testing each new build faster and easier than manual techniques. Static analysis tools play a key role as well and that’s the topic of this post.
Benefits of static analysis
Static analysis helps by decreasing the backlog of defects by either finding them in existing code, in newly developed code or during build and integration cycles. In addition, static analysis can find security vulnerabilities and other bugs that are often missed or too complex to find with unit testing. Here’s some examples of the benefits that static analysis brings to continuous integration:
- Continuous source code quality and security assurance: Static analysis is often applied initially to a large codebase as part of its initial integration; however, where it really shines is after an initial code quality and security baseline is established. As each new feature is written, the new code can be scanned by the static analysis tools and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system.
- Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability. Code injection and data leakage are possible outcomes of these attacks which can have serious consequences.
- Third-party code assessment: Most projects are not greenfield development and require the use of existing code within a company or from a third party, including open source. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits on the budget and schedule. Static analysis is particularly suited to analyzing large code bases and providing meaningful errors and warnings that indicate both security and quality issues. GrammaTech's CodeSonar binary analysis can analyze binary-only libraries and provide similar reports as source analysis when source is not available. In addition, CodeSonar's binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code.
- Coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various code security guidelines are available such as SEI CERT C and Microsoft's Secure Coding Guidelines or MISRA C and C++.
How static analysis fits in CI/CD
Static analysis fits well into agile, iterative and continuous processes. Providing additional and critical error detection prevents bugs from slowing down the process. An error detected as early as possible is not just cheaper to fix, the removal of these bugs has a positive effect on downstream processes such as testing. The following phases of the cycle, as illustrated in Figure 1, benefit the most from static analysis:
- Develop: Static analysis provides instant feedback to developers as soon as code as written in a similar fashion as compiler warnings appear. Detection of bugs right at the desktop and the enforcement of project coding standards great reduces the amount of bad code reaching source code control. In fact, code commits can be contingent on good static analysis results. Code reviews can use static analysis results to improve efficiency.
- Test: The test phases allows time for deep analysis of the complete code base. This analysis is better for finding more complex errors such as concurrency problems and tainted data attacks.
- Review: Static analysis supports code reviews by supplementing error detection and enforcing coding rules while allowing the development team to focus on design issues. We covered this in another post.
Figure 1: The roles of static analysis in a continuous integration process.
The added benefit of binary analysis
GrammaTech CodeSonar has the unique ability to perform advanced static analysis on binary code. This provides added benefits to the continuous integration process, especially when incorporating third party binaries or legacy libraries. If source code is not readily available, this does not preclude the ability to detect bugs and security vulnerabilities. In addition, binary analysis can be used by security teams to perform “black box” analysis of product deliverables.
Figure 2: The added benefit of binary analysis in a continuous integration process.
Continuous integration and deployment are beneficial for software teams attempting to streamline their software production. However, buggy software can impede the success of agile and continuous processes. Static analysis helps prevent bugs early in the cycle but also helps detect existing bugs in the code bases. GrammaTech CodeSonar binary analysis capability takes this further by detecting bugs and security vulnerabilities in third party and legacy binaries.