What is code static analysis?
Code static analysis refers to the analysis of the semantics, structure, and behavior of software source code without running the application, thereby identifying non-standard, unreasonable, or potentially abnormal code in the program. The most well-known method of code static analysis is “manual code review.” As manual code review has become increasingly complex and labor-intensive, automated code static analysis technology has developed rapidly. Today, the vast majority of code static analysis can be performed by specialized code static analysis tools.
So, what issues can code static analysis address for our software?
• Coding standard checks. The most commonly used code static analysis method. Based on company-defined coding standards or industry-standard coding guidelines, this process identifies non-compliant coding practices in software code to ensure consistent coding style and proactively prevent the emergence of unreasonable code that could pose software quality risks. Coding rules can standardize various aspects of software code development, including coding format, naming conventions, memory and resource management, macro definitions, and dangerous code.
• Software quality defect detection. A more advanced and in-depth code static analysis technique. Detect hidden code defects in software code that may cause runtime exceptions or security issues, such as null pointers, out-of-bounds access, division by zero, deadlocks, and security vulnerabilities, enabling rapid identification and timely resolution of software errors. Compared to coding standard checks, software quality defect detection requires deeper parsing and scanning of the code to locate actual code defects. In addition to identifying problem areas, it often involves tracing the relevant code logic paths. Unlike coding standard violations, the results of software defect detection are not merely potential risks to code quality but are quality issues in themselves. Therefore, for development teams, the results of software defect detection may have a more direct and immediate impact at the outset of implementing code static analysis work.
• Code metric analysis. Code static analysis targeting various metric indicators of software code. Such metrics include complexity, nesting depth, branch structure, and other common dimensions, enabling accurate understanding and optimization of code structure. The approach to code metric checks aligns with the “80/20 principle,” as the majority of bugs are hidden or caused by a small portion of the most complex code. Code metrics are formally used to avoid or optimize these complex code segments, thereby enhancing software code quality and maintainability from a structural perspective.
• Manual code review. This involves checking the reasonableness of the implementation of algorithms and logic in the code. Due to its close relationship with business requirements, this part is currently mostly done through manual code review, which is also the part of code static analysis that most requires human intelligence.
Why perform code static analysis?
In short, the purpose of code static analysis is to detect or prevent code errors earlier and more thoroughly, reduce bugs in later testing, ultimately lower project costs, and improve software reliability.
As illustrated by the widely circulated diagram by Capers Jones showing the distribution of defect introduction rates, defect detection rates, and defect repair costs across various stages of the software development process, in traditional waterfall-style development workflows, the majority of software defects are introduced during the coding phase, with most being discovered during later functional testing and system testing phases. However, the cost of repairing each discovered defect increases significantly as the project progresses, leading to high overall project costs and unpredictable testing timelines.
Code static analysis is precisely about identifying and fixing these code errors at the stage where software defects are most commonly introduced and easiest to fix—that is, at the very beginning of coding—using either manual or automated tools. Code static analysis can bring numerous benefits to software quality, including code reliability, readability, maintainability, and portability.
For high-safety and high-reliability industries such as defense, aerospace, automotive electronics, rail transportation, industrial automation, and medical devices, code static analysis has become a mandatory requirement in the software development process, with the aforementioned objectives as its underlying rationale.
Demands and Challenges
-
It is difficult to decide which coding rules to introduce, as too many or too few can cause problems.
-
The false positive rate of software defect detection is too high. Are there any false negatives?
-
Which is more important: coding rules or defect detection? How should we weigh the two?
-
How can we ensure that the results of code static analysis are fixed in a timely manner?
-
How should the massive amount of detection results in legacy code be handled?
-
How can code static analysis be automated to the greatest extent possible?
-
What is the difference between open source tools and commercial tools?
Solutions
-
QAC offers the industry's most comprehensive and accurate code compliance static analysis solution, built with commonly used authoritative coding rule sets such as MISRA C/C++, AutoSAR C++14, High Integrity C++, and JSF, and supports customization of coding rules.
-
Klocwork provides code static analysis methods that focus on code quality. With its leading data flow analysis technology, it deeply searches for software code defects, quickly supports large software with millions or even tens of millions of lines of code, accurately locates the point of defect occurrence and related trigger paths, and has low false positive and false negative rates.
-
Supports static scanning for security vulnerabilities, detecting code security based on commonly used security development standards such as CERT C/C++, CWE, OWASP, etc.
-
Provides code metric analysis based on dozens of dimensions, offering various metric statistics charts, structure diagrams, and dashboards.
-
Both QAC and Klocwork use modern B/S + C/S deployment methods to intuitively display, distribute, collaborate on, and track code static analysis results, ensuring timely fixes and effective management of code static analysis monitoring results.
-
Supports integration with continuous integration systems, seamlessly connecting to daily R&D processes.
-
Supports multiple development languages such as C/C++, Java, and C#, and supports various development platforms such as Windows and Linux.
-
Fully compliant with the tool qualification and certification requirements of standards such as ISO 26262, ASPICE, EN 50128, IEC 61508, IEC 60880, IEC 62304, DO-178B/C, etc.
Related Products
-
QAC
Industry-leading static analysis solution for the C/C++ language, providing a comprehensive suite of features to help to enforce a wide range of coding standards, and to find bugs in new and legacy code. It has builtin MISRA C/C++, AutoSAR C++14, CERT C/C
Learn More
-
Klocwork
A modern static code quality testing tool for C/C++/Java/C# code, utilizing leading-edge deep data flow analysis technology to identify software code defects or security vulnerabilities across classes and files, and pinpoint the paths where errors occur.
Learn More
RELATED RESOURCES
