STATIC CODE ANALYSIS and MANUAL CODE REVIEW Jakub Papcun Jan Svoboda HELLO! Jakub Papcun • FI MUNI graduate • SW Developer since 2011 • DevOps since 2018 Jan Svoboda • FI MUNI graduate • SW Developer since 2011 How Developers See Quality CODE QUALITY Code Quality Bug Free Secure Readable Documented THERE IS NO PERFECT CODE WHAT IS STATIC CODE ANALYSIS Analysis of computer software performed without executing the software. ADVANTAGES ▪ No program execution ▪ Automated process ▪ Possibility to run as part of Continuous Integration TYPES OF STATIC CODE ANALYSIS • checks correct assignment of types of objectsType Checking • checks style of the code and its formattingStyle Checking • helps user make sense of large codebase and may include refactoring capabilities Program Understanding • uses dataflow analysis for detection of possible code injectionSecurity review • looks for places in the code where program may behave in a different way from the way intended by developerBug Finding WHY USE STATIC CODE ANALYSIS Higher Code Quality Readability No Input Cheaper defect fixing Education Coding Guidelines Compliance Repeatability DRAWBACKS Only STATIC analysis False sense of security Possible overhead PITFALLS OF STATIC CODE ANALYSIS Is a problem Is NOT a problem Was found True Positive False Positive Was NOT found False Negative HELLO WORLD LEARN ABOUT YOURSELF LEARN ABOUT YOUR CODE ▪ Lines of Code (LOC) ▪ Comments Quality ▪ Code Duplication ▪ Technical Debt ▪ Cyclomatic Complexity ▪ Cognitive Complexity ▪ Dependency Cycle Detection RULES A checker defining possible issues in the code Unused local variable Memory leaks SQL injection Call of function on null TYPES – Bug ▪ Reliability issues ▪ May crash at runtime ▪ May cause extremely unpredictable behavior ▪ Null pointer dereference ▪ Memory leaks ▪ Buffer overflow TYPES – Bug TYPES – Vulnerability ▪ Security issues ▪ Crash or corrupt the system ▪ Open space for attack ▪ Harcoding credentials ▪ Data/SQL Injection ▪ Not securing “cookies” TYPES – Vulnerability TYPES – Code Smell ▪ Maintainability issues ▪ Decrease readibility, architecture quality etc. ▪ Unused private method ▪ Switch statement that do not end with “default” clause ▪ Classes with too many fields TYPES – Code Smell TYPES – Code Smell EXCERSISE Can return null A NullPointerException is thrown in case of an attempt to dereference a null value. EXCERSISE Statement always false 1. Statement is always false and never enters the block s is always null 2. s variable is always null and NullPointerException may be thrown EXCERSISE & or && Questionable use of bit operation ‘&’ in expression. Did you mean ‘&&’? EXCERSISE j is never used 1. j variable is never used and thus redundant k not initialized 2. k variable is never initialized and thus unusable EXCERSISE REST may fail and return null may return null HOW DO I EVEN START? IT ALL BEGINS WITH THE FIRST LINE STOP WITH REGRESSION PERFECTION IS IMPOSSIBLE DO IT “ON-THE-FLY” THANKS! Any questions? MANUAL CODE REVIEW Systematic examination of the source code WHY? Early Defect Detection MCR IN DEVELOPMENT CYCLE Software Dev. Cycle Architecture Design ImplementationTesting Deployment Implementation COST OF DEFECT FIX COST OF DEFECT FIX ADVANTAGES ▪ Different point of view ▪ Product evolution awareness ▪ Education WHAT MAKES GOOD CODE REVIEW? ▪ Goal ▪ People ▪ Technical knowledge TYPES OF MCR ▪ Formal ▪ Informal ▪ Tool-assisted FORMAL CODE REVIEW ▪ Typically, face-to-face meeting ▪ Roles (moderator, observer, reviewer) ▪ Participants go through the source code to fulfill goal of review • Well documented • Process orientedPros • Time consuming • Effort required does not correspond to value gained • Human Factor Cons INFORMAL CODE REVIEW ▪ Typically, two developers (author and reviewer) conducting ad-hoc review ▪ Over-the-shoulder review ▪ Extreme programming • Simple • Most effective type of MCRPros • Not documented • Not process oriented • Consumes time of two developers Cons TOOL-ASSISTED CODE REVIEW ▪ A tool is used for the review ▪ Designed to mitigate drawbacks of other approaches • Documented • Enforcing process • Time efficient • Reviewer has all the time required Pros • Cost of the tool • It is easier for reviewer to cheatCons CODE REVIEW TOOL FEATURES Automated File Gathering Combined Display Automated Metrics Collection Process Enforcement GIT WORKFLOW DEMO Make Code review natural part of development process RELATION TO STATIC CODE ANALYSIS? Run SCA Review Code Fix Code HUMAN FACTOR The only factor that ruins manual code review LET’S SUM UP! Effective Code Review Do it Don‘t be affraid to have face-to- face Be honest Use proper and polite language Never be personal THANKS! Any questions?