Whitepaper: Getting Started With Static Analysis

Static analysis is the #1 method for improving software quality, plus finding bugs and security vulnerabilities early in the software development process.

Find out why static analysis is the best way to harden software and identify potential issues at the earliest possible stage in software development.


Download the whitepaper to learn how to systematically introduce and integrate an advanced static analysis tool into your project.

Key takeaways:
  • Understanding static analysis
  • How to introduce static analysis into your project
  • The importance of starting with the end goal in mind
  • Static analysis at every stage of product maturity
  • How to manage early static analysis results
  • …and much more.

Static analysis is the process of examining source and binary code without execution, usually for the purposes of finding bugs or evaluating quality. Unlike dynamic analysis (such as Parasoft Insure++), which requires a running program to work, static analysis can be run on source without the need for an executable, before the application is even finished.

  • Static code analyzers use a compiler-like front-end to build a syntactic and semantic model of the software.
  • The model is then analyzed against a set of rules or “checkers” to see if the code is in violation. These checkers use pattern-matching algorithms to detect errors such as poor use of language constructs, use of insecure functions, and violations of coding guidelines, as well as techniques such as data-flow analysis, control-flow analysis, and analysis of abstract syntax trees.
  • The specific set of checkers used is configurable by the user.
  • Pre-set configurations are provided for convenience, for instance for coding standards such as MISRA C.
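
The model-then-checkers structure described in the list above, as an added example that is not from the whitepaper or any Parasoft tool: Python's standard `ast` module plays the compiler-like front-end, and the caller chooses which checkers run. It covers only the pattern-matching case (no data-flow analysis), and the checker names, rule IDs and banned-function list are hypothetical.

```python
import ast

# Constructed sample input; it is parsed into a syntax tree and never executed.
SAMPLE = '''
import os, pickle
def load(path, blob):
    os.system("cat " + path)
    return pickle.loads(blob)
def check(x):
    assert x > 0
    return eval("x + 1")
'''

def call_name(node):
    """Dotted name of a call target such as 'os.system', or None."""
    if not isinstance(node, ast.Call):
        return None
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None

class InsecureCall:
    """Checker: use of functions on a banned list (the list is illustrative)."""
    rule_id, severity = "SEC-CALL", "high"
    banned = {"eval", "exec", "os.system", "pickle.loads"}
    def match(self, node):
        name = call_name(node)
        return f"call to insecure function {name}()" if name in self.banned else None

class AssertAsValidation:
    """Checker: coding-guideline rule, since assert is removed under python -O."""
    rule_id, severity = "STD-ASSERT", "low"
    def match(self, node):
        return "assert used for validation" if isinstance(node, ast.Assert) else None

def analyze(source, checkers):
    """Build the model once, then run every enabled checker over each node."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        for checker in checkers:
            message = checker.match(node)
            if message:
                findings.append((node.lineno, checker.rule_id, checker.severity, message))
    return sorted(findings)
```

Calling `analyze(SAMPLE, [InsecureCall()])` runs a security-only configuration; adding `AssertAsValidation()` to the list enables the guideline rule as well.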

Static analysis is used most often in two ways:

  1. At the developer desktop integrated into their development environment
  2. On a server via the command line, as part of a build, or continuous integration process

Static analysis tools can be introduced and used at any stage of a project, even when it’s incomplete and partially coded. The main challenge arises when large amounts of legacy code produce many warnings. Focus on getting the team productive quickly and on keeping the volume of static analysis warnings from overwhelming them. The warnings are important, but first you need to integrate the tools into the daily process based on severity and risk.

To make the most of your static analysis tools, you need to understand the end goal. If it’s better security, for instance, this affects the focus of analysis and remediation. Know the end goal as soon as you adopt static analysis. As the team becomes more proficient, incorporate secondary goals like improving overall quality and enforcing coding standards. As static analysis becomes second nature, developers will be able to analyze results quickly and fix bugs more efficiently. Then secondary goals will be achieved more effectively rather than simply being overwhelming.

It’s also important to think about the maturity of the product under development because it impacts the method for static analysis.

  1. Existing project: in current development

Static analysis is most commonly rolled out in the midst of current projects. Each project can adopt the tools at the beginning of a sprint or major feature update.

Recommended approach: a line in the sand – improving new code as it’s developed while deferring less severe warnings as technical debt.

  2. Existing project: product on the market in maintenance

This is a product in the later years of the software development lifecycle, in which little new code is being written, and then only to fix lingering bugs and security vulnerabilities.

Recommended approach: acknowledge and defer – Since little new code is being developed, all discovered bugs and security vulnerabilities are added to existing technical debt.

  3. Greenfield project

Although it’s not often that software teams get to have a fresh start, a new product and project is the ideal point to integrate new tools and techniques into the development process. In these projects, little existing code specific to the project exists, but it still may rely on third-party and open-source software.

Standard approach: greenfield – Developers can integrate static analysis in their development environments from the start, ensuring a high standard of quality as code is being written. This allows for the adoption of coding standards and ensures that critical static analysis warnings are dealt with as they arise, so fewer bugs and vulnerabilities are introduced.

One of the main differences between open-source or lightweight static analysis tools and commercial advanced static analysis tools is the ability to configure which set of checkers is enabled for the analysis, and to filter reported results based on warning category, file name, severity, risk, and other attributes.

There is an important difference between configuring checkers and filtering results. Although initially it might seem better to limit the number of checkers in the global configuration, filtering should often be used instead, to limit the scope of reporting rather than eliminate the checker entirely.

  • How to integrate static analysis into everyday workflows

The key to making static analysis a success in a project is to make sure the tools are easy to use and accessible by developers, so the tool must provide useful, actionable information upfront without overwhelming users with information.

  • Integration into build systems and continuous integration pipelines

The main integration point for static analysis tools and build systems is through a command line interface. Static analysis used in this fashion acts somewhat like a compiler would in the build structure. Files are processed in the same manner, although the output isn’t an executable but rather results that are stored in a repository, indexed by file and build number.

  • Dealing with the backlog of warnings and technical debt

In the case of a product under maintenance or in development, there is likely a sizeable backlog of warnings to deal with. In the case of a greenfield project, there is less backlog, although recommendations remain the same for each stage of maturity. The best starting point for dealing with a backlog of warnings is to prioritize and filter the results based on the desired outcome.
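
The "line in the sand" approach and the preference for filtering over disabling checkers, combined in one added example (not from the whitepaper or any specific tool): every checker's findings stay in a store indexed by build number, and a CI gate reports only what passes the filters and is not deferred. The field names, checker names, build numbers and thresholds are constructed assumptions.

```python
from fnmatch import fnmatch

SEVERITY = {"low": 1, "medium": 2, "high": 3}

def finding(checker, file, func, severity):
    return {"checker": checker, "file": file, "func": func, "severity": severity}

# Constructed results store: build number -> findings of that analysis run.
BASE = [
    finding("INT-OVERFLOW", "src/net/parse.c", "read_len", "medium"),
    finding("UNUSED-VAR", "src/ui/menu.c", "draw", "low"),
    finding("NULL-DEREF", "third_party/zlib/inflate.c", "inflate", "medium"),
]
RESULTS = {
    100: BASE,  # baseline build: the "line in the sand"
    101: BASE + [
        finding("FORMAT-STRING", "src/net/log.c", "log_peer", "high"),
        finding("UNUSED-VAR", "src/net/log.c", "log_peer", "low"),
    ],
}

def key(f):
    # Identity without line numbers, so unrelated edits do not make
    # an old finding look new.
    return (f["checker"], f["file"], f["func"])

def triage(baseline, current, min_severity="medium", defer_below="high",
           exclude=("third_party/*",)):
    """Split the current build's findings into blocking, deferred and filtered."""
    known = {key(f) for f in RESULTS[baseline]}
    out = {"blocking": [], "deferred": [], "filtered": []}
    for f in RESULTS[current]:
        sev = SEVERITY[f["severity"]]
        if sev < SEVERITY[min_severity] or any(fnmatch(f["file"], p) for p in exclude):
            out["filtered"].append(f)   # still in the store, just not reported
        elif key(f) in known and sev < SEVERITY[defer_below]:
            out["deferred"].append(f)   # pre-baseline and less severe: technical debt
        else:
            out["blocking"].append(f)   # new, or too severe to defer
    return out

def gate(baseline, current, **filters):
    """Exit status for a CI step: non-zero when blocking findings exist."""
    return 1 if triage(baseline, current, **filters)["blocking"] else 0
```

Because the low-severity and third-party findings were filtered rather than never produced, calling `triage(100, 101, min_severity="low", exclude=())` later brings them back into the report without re-running the analysis.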

  • Optimizing static analysis

When a software team has integrated static analysis into their day-to-day activities, they’ll want to customize the tools to better fit their project. Optimizing static analysis means adapting the checkers and the way violations are reported to improve the efficiency and ROI for the organization.


About Parasoft

Parasoft helps organizations continuously deliver quality software with its market-proven, integrated suite of automated software testing tools. Supporting the embedded, enterprise, and IoT markets, Parasoft’s technologies reduce the time, effort, and cost of delivering secure, reliable, and compliant software by integrating everything from deep code analysis and unit testing to web UI and API testing, plus service virtualization and complete code coverage, into the delivery pipeline. Bringing all this together, Parasoft’s award winning reporting and analytics dashboard delivers a centralized view of quality enabling organizations to deliver with confidence and succeed in today’s most strategic ecosystems and development initiatives — security, safety-critical, Agile, DevOps, and continuous testing.