Static Code Analysis
In this series of posts we will cover what static code analysis is and how it can be incorporated into the software development lifecycle.
What is Static Code Analysis?
Static code analysis is a method of computer program debugging that is done by examining the code without executing the program. Static code analysis is used by development teams during development and continuous integration to improve the overall quality of the source code. Static code analysis helps:
- to adhere to coding guidelines
- to highlight complexity metrics
- to detect duplicate code
- to detect unused code
- to detect vulnerabilities in open source libraries
- to detect security vulnerabilities
Static code analysis helps identify bugs and vulnerabilities very early in the development lifecycle and hence saves time and money.
What is the difference between Static and Dynamic code analysis?
Static code analysis is performed before the program is run, basically during development. It can be incorporated into the code review process to ensure that code created by developers goes through review before it is merged into the main code base. This helps to ensure that the code adheres to the predefined quality standards before it is merged into the main product code base.
Dynamic code analysis is performed after the program is run, generally during unit testing.
Why automate Static Code Analysis?
Some of the above aspects of static code analysis can be performed manually, but it is impossible to perform hundreds of checks manually in a consistent and repeatable manner. Hence it is important to run static code analysis using tools in an automated way. The tools can be integrated within the IDE or in the continuous integration build pipelines. The tools are capable of performing hundreds of checks very quickly, giving early feedback to ensure the code meets the predefined quality standards.
The value of static code analysis compounds massively in multi-team and big-team environments. With big teams and developers moving between them it becomes extremely hard to keep a consistent, high-quality code base, as different developers will introduce different development guidelines based on their past experience. It becomes extremely hard to have a consistent and high-quality code base without automating the quality checks.
Over a period of time the tools have been extended to cover hundreds of checks, including but not limited to:
- Coding convention violations
- Duplicate code
- Code complexity
- Security vulnerabilities
- Scanning the code base for hard-coded passwords
- Scanning for known vulnerabilities in open source packages
- Scanning for the OWASP Top 10 security threats
- Unreachable code, Null pointer exceptions etc.
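To make the two lists above concrete, here is an added illustration (not code from this post or from any of the tools it covers) of what a static analyser actually does: it parses source into a syntax tree and inspects that tree, never running the program. This toy analyser implements three of the checks named above, hard-coded secrets, unreachable code and unused imports, over a constructed sample module, and returns a non-zero exit code when it finds anything, which is how a CI pipeline gates a merge on the result. The rule names, the credential-name hints and the sample source are all assumptions made for the example.

```python
"""Toy AST-based static analyser (added example; not one of the tools listed in this post)."""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass

# Substrings that make a variable name look like it holds a credential (assumption).
SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey")
# Statements after which nothing else in the same block can ever execute.
TERMINAL_STATEMENTS = (ast.Return, ast.Raise, ast.Break, ast.Continue)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _looks_like_secret(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SECRET_NAME_HINTS)


def analyse(source: str) -> list[Finding]:
    """Parse `source` into an AST (the code is never executed) and return findings sorted by line."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    imported: dict[str, int] = {}   # bound name -> line of the import statement
    loaded_names: set[str] = set()  # every name that is read anywhere in the module

    for node in ast.walk(tree):
        # Rule 1: hard-coded secret - a non-empty string literal bound to a credential-like name.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and _looks_like_secret(target.id):
                    findings.append(Finding("hardcoded-secret", node.lineno,
                                            f"{target.id} is assigned a string literal"))

        # Rule 2: unreachable code - any statement after return/raise/break/continue in a block.
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if isinstance(block, list):
                for index, stmt in enumerate(block):
                    if isinstance(stmt, TERMINAL_STATEMENTS) and index + 1 < len(block):
                        findings.append(Finding("unreachable-code", block[index + 1].lineno,
                                                "statement can never execute"))
                        break

        # Bookkeeping for rule 3: record imported names and every name that is read.
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            for alias in node.names:
                if alias.name == "*":
                    continue
                bound = alias.asname or alias.name.split(".")[0]
                imported.setdefault(bound, node.lineno)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            loaded_names.add(node.id)

    # Rule 3: unused import - an imported name that is never read.
    for bound, line in imported.items():
        if bound not in loaded_names:
            findings.append(Finding("unused-import", line, f"{bound} is imported but never used"))

    return sorted(findings, key=lambda f: (f.line, f.rule))


def exit_code(source: str) -> int:
    """CI gate: 0 when the source is clean, 1 when any finding exists (so the build fails)."""
    findings = analyse(source)
    for finding in findings:
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
    return 1 if findings else 0


# Constructed sample input: a small module containing one of each defect.
SAMPLE_SOURCE = '''\
import os
import json

DB_PASSWORD = "hunter2"

def load(path):
    data = open(path).read()
    return json.loads(data)
    print("never reached")
'''

if __name__ == "__main__":
    # Analyse the files named on the command line, or the constructed sample when none are given.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_SOURCE]
    sys.exit(max(exit_code(src) for src in sources))
```

Run it as `python analyser.py path/to/module.py` in a pipeline step: the findings are printed per line, and the non-zero exit status is what stops a merge, exactly the "early feedback" the automated tools above provide at far greater scale.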
Tools that we will look into in this series of posts
In this series of posts we will create a .NET Framework and a .NET Core API and integrate static code analysis for both of them.
- Resharper
  - Resharper Visual Studio IDE extension
  - Resharper command line tools to integrate into the Azure CI pipeline
    - InspectCode
    - DupFinder
- Sonar
  - SonarQube
  - SonarCloud
- NDepend
- Whitesource Bolt extension