How Does Static Analysis Prevent Defects & Accelerate Delivery?

When engineering any kind of system, checking for defects and fixing errors early (and often) pays dividends. It enables teams to significantly reduce the amount of downstream work added to the project.

Instead of engineering better software in the first place, it’s tempting to fall into a common mousetrap of software development and try to test quality into the software project at the end of the life cycle. This approach proves tempting for many, but it’s important to avoid the trap of relying heavily on unit or functional testing for product quality.

Employing static code analysis early during software implementation assists the developer in taking control and building code quality into the application from the beginning. It really is the simplest and most effective activity that software engineers can perform to prevent defects and harden code while accelerating application delivery.

Some common static analysis questions are:

• What is static code analysis in software?
• What are the uses of static analysis in software engineering?
• Can static code analysis be automated?
• What is automated static analysis?

Let’s address those questions head-on and see how Parasoft solutions facilitate success for developers across programming languages and security vulnerabilities.

What Is Static Code Analysis?

Static code analysis (or static analysis) is a software testing activity in software development where source code is analyzed for constructs known to be associated with software errors or security vulnerabilities. When a high-risk construct is detected, the static analysis tool reports a violation for the developer to view and remediate.

Before we review some of the main benefits of static analysis, let’s review the different types of static analysis and the differences between them.

There are a few main types of static analysis, each with its own strengths and weaknesses. The terms for each are below.

Pattern-Based Static Analysis

In its simplest form, a static analysis tool scans the source code and checks it against one or more sets of rules. For example, engineers sometimes make the mistake of using the string ‘\0’ when the null character ‘\0’ is actually intended. This mistake can result in memory corruption and cause the program to crash or do other nasty things.

A static analysis tool looks for these patterns in the code and reports them as possible errors. This kind of static analysis is known as pattern-based static analysis.

Some patterns are simple syntax checkers—akin to a spell-checker when writing. Other patterns can be much more sophisticated—analyzing and detecting complete patterns associated with subtle problems. A big plus: this kind of static analysis almost never suffers from false positives. When working on software that is safety critical or especially software that must not fail, this kind of static analysis comes particularly in handy.

By providing “safer” alternatives to “unsafe” facilities, known problems with low-level features are avoided. In essence, programs are written in a “safer” subset of a superset.

—From Joint Strike Fighter Air Vehicle C++ Coding Standards – Introduction

Modern software engineering standards like Motor Industry Software Reliability Association (MISRA) and Joint Strike Fighter (JSF) are based on the idea that certain constructs should be avoided in code that is safety-critical, because of the possibility for code in such systems to have problems. Pattern-based static analysis is a great tool for projects that must satisfy these standards.

Flow Analysis

Flow analysis, sometimes called control-flow or data-flow analysis, is somewhat different. This type of code analysis checks for problematic constructions against a set of rules while simulating decision paths and data values to dig deeper into the application.

This enables the process to root out hard-to-find defects like the following.

• Null pointer dereferences
• Buffer overflows
• Security defects such as tainted data

Flow analysis is great in that it can find real bugs in the code logic, but a certain number of false positives are a known inevitability of this method.

Additional Analysis Types

There are other types of static analysis that achieve different types of goals, as well. For example, metrics analysis tools measure code characteristics, like lines of code and complexity. Coverage analysis tools track code execution through unit and application tests to enable a better understanding of how well the code is tested.

When used together as part of an automated development testing process, these types of analyses provide significant visibility into the safety, security, and reliability of an application.

Static Analysis: When Should It Be Performed?

Parasoft’s motto is “test early and test often” in order to capture the most issues earlier to cut down development time and cost. In keeping with this approach, continuous testing throughout the development process is key, but no more so than in the early stages of development.

Static code analysis can be performed during implementation, while the code is being written. Simply invoke it from within your IDE and fix any identified violations as you code.

However, in complex projects with numerous software engineers, best practice recommends an Agile approach. Automate static analysis into the build process, so that as each developer commits their code, their code is built, and static analysis is performed on it. If violations are identified, the developer must fix the issue before the code is successfully integrated into the main branch.

This approach maintains a clean and constant reliable code base and is commonly referred to as continuous integration (CI). CI is a part of the DevOps methodology in which developers also leverage other test methods like unit testing, regression testing, code coverage, and more. The benefits of DevOps include an incremental verification and validation workflow. Other benefits are captured later in this document.

Differences Between Static Analysis and Dynamic Analysis

Dynamic analysis, sometimes called runtime error detection, tests for code quality, safety, and overall security using test methods like:

• Unit testing
• Integration testing
• System testing

The key difference between these two is that dynamic analysis requires code execution. Static analysis allows developers to run tests without execution. However, to uncover more subtle vulnerabilities and defects in code, dynamic analysis is the better option.

Risks of Failing to Run Static Analysis

The state of software is becoming more and more complex. For example, the average automobile may contain over 1,000 code executing MCUs and as many as 100 million lines of code! That much electronic surface area—especially in safety-critical applications, such as automotive, medical devices, or avionics—demands a rigorous engineering approach to software in order to approach defect-free code.

The good news is that organizations such as OWASP, CERT, and MITRE are committed to researching and publishing programming best practices to help software engineers succeed with their software projects. There are also specific standards organizations that publish best practices often required by regulatory bodies. For example, MISRA focuses on supporting the C and C++ coding languages. These best practices can be codified into static analysis tools as rules that developers choose to implement as part of an organization’s policy for developers to follow.

Using a static analysis tool that can implement these programming standards while integrating with established development processes is critical. From a business perspective, failing to check your work with at least one static analysis tool significantly raises the risk of deploying or releasing your applications.

Defects can lead to exploitable code that malicious hackers can use to crash the system, expose sensitive data, and more. In the case of safety- and security-critical software, the consequences of software vulnerabilities can be far more serious.

Benefits of Automated Static Analysis

Running static analysis on the desktop will provide some benefits and may work for small teams or projects. However, in large organizations, static analysis should also be automated as part of nightly builds and continuous integration. When you implement DevOps as an integral part of the development process, analyzing code with static analysis provides a number of benefits as detailed below.

Faster Development Cycle

While the process may initially take more time than rapidly developing the software with no analysis, the gains in efficiency become exponential over the development life cycle. Consistently running static analysis from the early stages of the project enables you to find and fix systemic defects when the cost of remediation is at its lowest.

Remember that some of the more dangerous errors may be difficult to address late in the cycle, so finding them early is crucial.

Lower Defect Rate

Static analysis helps you find and fix defects early which can prevent the recurrence of systemic defects downstream. A policy of early detection reduces the rate of defects over the development life cycle and into the deployment and maintenance stages of the product life cycle.

Continuous Improvement

The term DevOps is broadly used to include a collection of practices that facilitate the cross-departmental collaboration and communication necessary to help organizations optimize and accelerate their development and delivery processes. By sharing knowledge and tasks across departments, organizations create an efficient process for accelerating the SDLC while improving quality processes.

With that, for DevOps to work, you need the organization and its people to adopt an Agile collaborative workflow. Scrum is a popular Agile methodology and best practice used by teams for incremental development.

Scrum refers to each increment as a sprint and each sprint helps improve team communication, thorough planning, and the team’s execution of the plan. This incremental process facilitates changes in requirements, the ability to address newly identified risks quickly and maintain a constant sense of readiness.

These complementing Agile methodologies include an automated feedback loop that incrementally enables the consistent application of quality policies as requirements progress from creation to production. And each sprint or iteration through the DevOps CI loop generates the data that teams or departments need to access and collaborate effectively.

These iterations ensure code quality, and provide the big data required to improve the development process as well as the machination or tooling in the DevOps workflow.

As a result, static analysis becomes an agent for continuous, automated process improvement. It provides a way for developers to understand and examine an error detected during release, or for QA to determine if there is a way to harden code and eliminate the possibility of these defects occurring in the future.

Case Studies: How Static Analysis Prevents Defects

Just talking about concepts doesn’t provide concrete evidence. It’s best to see tools in action based on the results they provide in real-world scenarios. For example, a Parasoft client in avionics faced challenges with DO-178C compliance and being able to customize a tool to their needs.

The Parasoft solution C/C++test allows for such customization and leverages static analysis of the source code for several benefits.

1. Helps onboard new developers.
2. Automates the code review process.
3. Provides continuous feedback.
4. Preps the software for long life cycles.

The case study further explains how static analysis prevents defects in real-world scenarios.

Build Code Quality with Static Analysis Tools

Good static analysis tools also include descriptive documentation about the programming standard being implemented. This extends software engineers’ programming knowledge and professional development. Over time, compliance with these standards also improves the average quality of the code by improving the programmers through constant feedback.

Want even faster software delivery? Use a static analysis tool that takes advantage of AI and machine learning that automatically prioritizes all identified defects for remediation in order of criticality or importance and reduction in noise

About Parasoft’s Static Analysis Solution

There are several static analysis tools on the market, ranging from open source utilities to full development testing solutions. Parasoft’s software testing solution provides an integrated platform for automating a broad range of software quality practices for multiple coding languages. It also provides meaningful, comprehensive reports and the option for intelligent analytics powered by Parasoft DTP.

For C and C++, in addition to a full range of static code analysis capabilities and more than 2,500 rules, Parasoft C/C++test provides a unified solution for your development testing practices. Pro tip: That’s the most of any tool on the market based on implementations of MISRA C 2023, MISRA C++ 202x, AUTOSAR C++ 14, Scott Meyers’ Effective C++, Effective STL, and other established sources.

How Parasoft C/C++test Works

Parasoft C/C++test executes and generates automated unit tests and enables several types of code coverage including:

• Line
• Statement
• Block
• Path
• Decision (branch)
• Simple condition
• MC/DC coverage

It also provides runtime analysis and comes with a tool qualification kit for complying with functional safety standards.

Additional Parasoft Solutions

Parasoft has full static code analysis support for Java language with Jtest and for the .NET language with dotTEST.

Just like with C and C++, these are fully integrated solutions that provide more than just static analysis, so you get a comprehensive solution to bring efficiency and ease to your software testing. A user can analyze code with Parasoft static analysis on the desktop and also integrate it into your automated builds to enable you to prevent defects continuously and automatically.

How Parasoft Helps You Shift Left

To gain automated workflows that enhance collaboration and efficiency, these static analysis engines integrate with Parasoft DTP which provides workflows for integrating quality into your SDLC. You can define your development policy and then automatically enforce nonfunctional requirements.

For example, static analysis is automatically executed during the build, and violations are reported to DTP. Then, they are processed, and the results are sent back to the engineer’s IDE to view for remediation.

DTP also performs intelligent analytics that enables these workflows to automatically assess the quality and risk of your software development. For instance, DTP can look for systemic issues associated with the programming process. It can also correlate a severe violation of code produced by a junior engineer with a set of unit tests and coverage information to determine how much risk is associated with the module.

If the correlation points to a risk level above a specific threshold, the violation may trigger a specific continuous process improvement workflow that involves peer code review and additional analysis on top of the normal defect remediation tasks.

Conclusion

Static code analysis is an important part of ensuring that applications function as expected. It reduces risks associated with releasing potentially risky software and improves the overall development team velocity. Integrating static analysis into a larger software testing infrastructure maximizes the effectiveness of the practice.

Parasoft offers an enterprise-grade code analysis and testing solution in C/C++test, Jtest, and dotTEST, as well as an advanced analytics and reporting system in DTP. Combining these technologies enables software engineering teams to accelerate software delivery while ensuring that their applications function as expected.

“MISRA”, “MISRA C” and the triangle logo are registered trademarks of The MISRA Consortium Limited. ©The MISRA Consortium Limited, 2021. All rights reserved.