Sunday, November 6, 2011

Static Code Analysis

Static Code Analysis was thought to be low-hanging fruit when it came to 1st and 2nd generation tools. With the advent of 3rd generation tools, it is now becoming an integral part of the development cycle rather than an after-the-fact step for determining the quality of code. Some tools, like FxCop from Microsoft and CAST from CAST Software, are already integrated into various IDEs. Most of the 3rd generation tools have addressed or minimized the problems of NOISE and FALSE POSITIVES that were rampant in the earlier generations of tools.
Let’s also understand that Dynamic Code Analysis augments Static Code Analysis and by no means replaces it. Static code analysis evaluates all possible execution paths during the analysis, and hence is a must-have weapon in the Software Development arsenal.
In my opinion, one way to include dynamic analysis is to run test automation and code coverage in tandem, so that the code's behaviour and the issues arising from it can be observed.
In this blog, I will touch upon a tool called CAST AIP (Application Intelligence Platform) from CAST Software, a static code analysis tool which supports 30+ languages and has some very cool dashboards for various user personas, including but not limited to Architects, Vice Presidents and Technical Project Managers.
Setting up CAST at a high level involves the following:
1) Creating the Knowledge, Central and Management Databases. One needs to be aware that the Knowledge Base is the repository that stores all of the metadata about the code that is subjected to analysis. The Central Base stores all the Quality Rules/Metrics and is used at run time against the metadata to report and compute violations and the resulting scores.
2) Configuring the licence key for the databases.
3) Once the analysis of code is completed for a specific technology, the result is subjected to snapshot generation, which completes the Health Factor and Metric generation.
4) The reports are available from the CAST dashboard as a result of snapshot generation and can be accessed by the various personas in an organization according to their role.
Some Key Features:
- Tools to identify dependencies between different objects and impact analysis thereon
- Define pre/post jobs for the parent analysis when any pre- or post-processing is required. This can also be leveraged to analyse unsupported languages as part of the Universal Analyser
- Eclipse Plugin available for Java code base
- New .NET Analyser does not need compilation
- Health Factors (Security, Changeability, Transferability, Performance and Robustness) can be drilled down to four levels
- Measure the SEI Maintainability Index
- Measure the size of code via Automated IFPUG or Backfired IFPUG function points. This is very useful during estimations
- Multiple runs of the snapshots stored and dashboard graphically compares the health factors for each run to quickly analyse the metric of concern
- View violations and automatically navigate to the code snippet that is violating any metric
- Configure to skip old violations
- Configure metrics that are more relevant to the project instead of the entire metric base
- Minimize false positives via available tools
- Define an Architecture Model to catch violations caused by dependencies that cross different architectural layers
- Define security rules for XSS and SQL injection vulnerabilities
Things to be aware of:
- One needs to understand the nuances of the Reflection and Dead Code metrics
- Not getting overwhelmed by metrics across health factors: one fix can affect others, thereby improving the overall quality score
Hope this primer will let users explore CAST for their quality needs, thereby reducing 98% of the costs associated with defects found in Production.
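To make concrete what a security rule like the SQL injection rule above does, and why reflection is a nuance worth understanding, here is an added example of a minimal source-to-sink taint checker written against the Python AST. It is my own illustration, not CAST code or a CAST rule: the source names (`request`), the sink names (`execute`, `executemany`) and the sample program it scans are all constructed for this post. It flags a query string built from request data, leaves a parameterised query alone (the false-positive case), and reports a `getattr` call as a target it cannot resolve statically, which is exactly the reflection gap a static tool has to declare rather than guess at.

```python
import ast

# Constructed sample program (assumption: a Flask-style ``request`` object).
# Line numbers below are counted from the opening quotes, so ``import`` is line 2.
SAMPLE_SOURCE = '''
import sqlite3

def find_user(request, conn):
    name = request.args["name"]                      # taint source
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return conn.execute(query)                       # tainted data reaches a sink

def find_user_safe(request, conn):
    name = request.args["name"]
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,))

def dynamic(request, conn):
    method = getattr(conn, request.args["op"])       # reflection: target unknown
    return method("SELECT 1")
'''

SOURCES = {"request"}              # names whose contents are attacker-controlled
SINKS = {"execute", "executemany"} # method names that run SQL


class TaintChecker(ast.NodeVisitor):
    """Intra-procedural taint propagation: assignments carry taint from
    sources to local names; a call to a sink with a tainted first argument
    is a finding. Constants are never tainted, so parameterised queries pass."""

    def __init__(self):
        self.tainted = set()
        self.findings = []  # (line, rule, message)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted or node.id in SOURCES
        if isinstance(node, (ast.Attribute, ast.Subscript)):
            return self.is_tainted(node.value)          # request.args["x"]
        if isinstance(node, ast.BinOp):                  # "..." + name, "..." % name
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):              # f"...{name}..."
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):                   # "...".format(name), getattr(...)
            if any(self.is_tainted(a) for a in node.args):
                return True
            return isinstance(node.func, ast.Attribute) and self.is_tainted(node.func.value)
        return False                                     # ast.Constant and everything else

    def visit_FunctionDef(self, node):
        self.tainted = set()   # taint state is local to each function
        self.generic_visit(node)

    def visit_Assign(self, node):
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if self.is_tainted(node.value):
            self.tainted.update(names)
        else:
            self.tainted.difference_update(names)  # reassignment with clean data
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SINKS:
            if node.args and self.is_tainted(node.args[0]):
                self.findings.append((node.lineno, "SQL_INJECTION",
                                      f"tainted string reaches {func.attr}()"))
        elif isinstance(func, ast.Name) and func.id == "getattr":
            self.findings.append((node.lineno, "REFLECTION",
                                  "call target resolved at run time; not analysable"))
        self.generic_visit(node)


def analyze(source):
    """Return findings as (line, rule, message) tuples, sorted by line."""
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


if __name__ == "__main__":
    for line, rule, msg in analyze(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {msg}")
```

Running it reports the string-concatenated query on line 7 and the `getattr` on line 14, and nothing for `find_user_safe`, because a `Constant` query text with values passed separately never carries taint. Real tools add what this toy omits, above all inter-procedural tracking and a list of recognised sanitisers, which is how the "minimize false positives" tooling mentioned earlier works in practice.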
