Static Analysis: A bringup, overview and additions that you will actually use
Increase your code quality and reduce your time to ship
Want to increase your code quality, avoid common pitfalls and deliver a more reliable product?
Don’t we all!
Static Analysis is a key tool for increasing the code quality, sometimes drastically by identifying well-known faults in a variety of ways. In this article, we will dive into Static Analysis, what it is, what is available and how to best make use of it.
Static Analysis Basics
Static Analysis is another method of looking at the code which is separate from Code Reviews, Unit Tests and Functional Tests. It implements pattern recognition and code path tracing to uncover known issues and common faults in a codebase.
This is completed with an arbitrary set of rules which is interpreted by a tool that analyses the whole project to highlight issues. While Static Analysis will not catch everything and some of what it detects will be some false positives; the issues highlighted can be seen as low hanging fruit to easily resolve and improve the codebase.
Static Analysis Options Available
There are a number of different Static Analysis tools that are available, all of which have different areas of speciality and will identify different issues. The tricky thing is to try to pick and choose the best combination of tools to cover as much as possible without much overlap.
There are two main branchlines to start this decision process: Open-source where the tool is free and could possibly be tricky to set up, or commercial tools which can cost a vast amount, especially in industries such as automotive and medical devices where MISRA (https://www.misra.org.uk/) is usually applied. By prioritising the open-source tooling here at Magnopus, we can prove the concept before spending money on tooling.
Therefore, we started by evaluating a number of open-source tools such as: CppCheck, Clang-Tidy, Infer, FlawFinder, VisualCodeGrepper and Lint. Of these tools, we elected to choose to prioritise Clang-Tidy and VisualCodeGrepper.
Clang-Tidy
Clang-Tidy was selected because of the integration with the LLVM suite of tools, the Clang Compiler which could build the project, the Clang Formatter which can make the code all look the same to easily and quickly be interpreted both during development and during review. The advantage of Clang-Tidy is that it has a compiler frontend which drastically improves the reliability of the analysis provided.
Clang-Tidy and Clang-Format are both single file configurations that simplify the implementation drastically. Just create the config at the root of your project and then Clang can descend down and apply the Static Analysis and Format to all of the files you choose. It can also integrate into almost any IDE, from Visual Studio and VSCode to Eclipse, even if your IDE does not natively support there are usually plugins available to run and interpret the results, highlighting in IDE.
In terms of what Clang-Tidy can detect, there are lots of C/C++ best practices, security issues, memory leak and flow issues. So it’s fairly widespread and not really diving deep into anything in particular; this is the main advantage in applying this on its own for the first stage of Static Analysis to get a measuring stick on code quality.
Visual Code Grepper
Visual Code Grepper is again an open-source analysis tool that specialises in reviewing the look of the codebase and the ability to detect OWASP top 10 security issues.
This is valuable in finding potential vulnerabilities in the codebase and getting a bigger picture view of where the vulnerabilities and issues are. It is simplistic in its application but extremely useful for area of interest identification. We currently use this as a metric in Software Of Unknown Provenance (SOUP) analysis, which we follow for third party library verification before including in the projects we work on. This helps us understand what is in a library and to what standard it is being developed.
SonarQube
Up until now all of the Static Analysis has either been in IDE or command line, which is all well and good but getting the overall picture is harder. Finding problem areas is much harder too, as is tracking who is addressing what.
This is where the open-source SonarQube server comes into its own, it runs within a dockerized container too, which works extremely well for our Studio’s emphasis on using Docker where possible.
Simply run your Static Analysis tool of choice, pipe the results into a text file and run the SonarQube Runner (also in a Docker container 😁) on your codebase, pointing it to all of the results files that are relevant. The SonarQube server will gather these results, correlate them to a source file and produce a summary report which can be explored via a web interface.
This web interface provides all of the task tracking, issue tracking and exploring of the project code and where the issues are most prevalent. Also, the web interface provides a quality gate that can exclude code if it’s not up to scratch, alongside highlighting unit test gaps as you explore the code. SonarQube very much highlights when there is feature development and when there is a remediation effort through the gradual creeping in of issues and the resolution of those issues. For those managers out there, the ability to assign a subset of issues to specific people in the team is incredibly useful for those remediation efforts.
Next Steps
The next step for us as an organisation is to implement more open source tools and integrate them with the SonarQube front end. This will help us to resolve more issues and ensure that we get to a better product.
Following this, commercial tools will be evaluated and integrated into the same front end of SonarQube. These commercial tools would likely bring a better analysis of issues and the option of extending the tools to incorporate more issues that we come across during development.
In conclusion, if you take your code quality seriously, implement a Static Analysis tool as the first step to better quality code. The more development effort which involves Static Analysis the less costly it is to resolve the bugs later on in development and the less remediation is needed, especially adding Static Analysis as a gating step to contributing to the codebase.
At Magnopus, the Static Analysis is only a small part of the quality process we are bringing up. We are actively bringing up Unit Tests, improving Functional Tests and changing our workflow to improve our code quality. So stay tuned for those posts coming soon!
