Static Code Analysis
Jakub Papcun, Jan Svoboda
Honeywell

Content
• Honeywell
• Static Code Analysis
• Use of SCA in Honeywell
• Defect Tracking Integration
• Manual Code Review Integration

Honeywell
• 4 Strategic Business Groups (SBGs)
  - Aero
  - Automation and Control Solutions (ACS)
  - Performance Materials and Technologies (PMT)
  - Transportation Systems (TS)
• 130 000 employees worldwide
• ACS Centre of Technologies (ACT)
  - Software Excellence Group
  - Implements best practices for software development
  - Implements the tools necessary for fulfilling the best-practice requirements

Static Code Analysis
• Analysis of the code without executing the program itself
• Various types of SCA
  - Type checking: checks that objects are assigned values of the correct type
  - Style checking: checks the style of the code and its formatting
  - Program understanding: helps the user make sense of a large codebase; may include refactoring capabilities
  - Program verification and property checking: attempts to prove that the code correctly implements the program's specification
  - Security review: uses dataflow analysis to detect possible code injection (untrusted input reaching a sensitive sink)
  - Bug finding: looks for places in the code where the program may behave differently from what the developer intended

Static Code Analysis - Limitations
• SCA identifies only "shallow" errors; it does not look for problems in design or functionality
• 3 types of results
  - True positives: real issues (code errors) that should be fixed before release
  - False positives: issues reported by the analysis that are not real threats, for example because of the architecture of the software
  - False negatives: real issues that the analysis did not identify, which remain hidden from the developers
• The SCA rules can be adjusted to the context (to cut false positives without suppressing true ones)
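The defect classes just listed, and the true-positive / false-positive distinction, as a small Python static analyzer. This is an added example, not Honeywell's or Klocwork's code: the deck's own examples are Java screenshots, so the same checks (a constant condition, a local assigned but never read, a dereference of a value that "can return null") are re-created here on a constructed Python snippet using the standard `ast` module. The rule names (`CONST_COND`, `UNUSED_VAR`, `NULL_DEREF`) and the sample source are this example's own. The "may be None" rule is deliberately shallow (it has no path sensitivity), which is exactly why it also reports a false positive.

```python
"""A toy static analyzer built on Python's ast module.

Added illustration, not Honeywell's or Klocwork's code. It re-creates three of
the defect classes from the deck's Java examples on a constructed Python
snippet: a constant condition, a local assigned but never read, and a
dereference of a value that may be None. The "may be None" rule is
deliberately shallow (no path sensitivity), so it also yields a false positive.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str      # rule identifier; the names are this example's, not Klocwork's
    line: int
    message: str


def _returns_none(func):
    """True if some return in func yields None (bare 'return' or 'return None')."""
    for node in ast.walk(func):
        if isinstance(node, ast.Return) and (node.value is None or (
                isinstance(node.value, ast.Constant) and node.value.value is None)):
            return True
    return False


def _guarded_names(func):
    """Names compared against None, or used directly as an if/while test, in func."""
    names = set()
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.While)):
            test = node.test
        elif isinstance(node, ast.Compare):
            test = node
        else:
            continue
        if isinstance(test, ast.UnaryOp):                     # "if not x:"
            test = test.operand
        if isinstance(test, ast.Name):                        # "if x:"
            names.add(test.id)
        elif isinstance(test, ast.Compare) and isinstance(test.left, ast.Name) and any(
                isinstance(c, ast.Constant) and c.value is None for c in test.comparators):
            names.add(test.left.id)                           # "x is None" / "x is not None"
    return names


def analyze(source):
    """Return the findings for all functions in source, sorted by line."""
    tree = ast.parse(source)
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    nullable = {f.name for f in funcs if _returns_none(f)}     # "can return null"
    findings = []
    for func in funcs:
        stored, loaded, maybe_none = {}, set(), {}
        for node in ast.walk(func):
            # Rule 1: constant condition, so one branch is dead
            if isinstance(node, ast.If) and isinstance(node.test, ast.Constant):
                findings.append(Finding("CONST_COND", node.lineno,
                                        f"condition is always {bool(node.test.value)}"))
            # Collect stores/loads for Rule 2 and nullable assignments for Rule 3
            elif isinstance(node, ast.Name):
                if isinstance(node.ctx, ast.Store):
                    stored.setdefault(node.id, node.lineno)
                else:
                    loaded.add(node.id)
            elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                  and isinstance(node.value.func, ast.Name) and node.value.func.id in nullable):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        maybe_none[target.id] = node.value.func.id
        # Rule 2: assigned but never read
        for name, line in stored.items():
            if name not in loaded:
                findings.append(Finding("UNUSED_VAR", line, f"'{name}' is assigned but never used"))
        # Rule 3: attribute access on a value that may be None and is never checked
        guarded = _guarded_names(func)
        for node in ast.walk(func):
            if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
                    and node.value.id in maybe_none and node.value.id not in guarded):
                findings.append(Finding("NULL_DEREF", node.lineno,
                                        f"'{node.value.id}' may be None "
                                        f"(returned by {maybe_none[node.value.id]}())"))
    return sorted(findings, key=lambda f: f.line)


# Constructed input for the analyzer (not taken from the deck)
SAMPLE = '''
def fetch_user(user_id):
    if user_id <= 0:
        return None                 # the lookup may fail: "can return null"
    return {"id": user_id, "name": "user%d" % user_id}

def greet(user_id):
    u = fetch_user(user_id)
    return u.get("name")            # true positive: dereferenced without a check

def greet_safely(user_id):
    u = fetch_user(user_id)
    if u is None:
        return "anonymous"
    return u.get("name")            # guarded, no finding

def greet_admin():
    u = fetch_user(1)               # never None for id 1, but the rule cannot see that
    return u.get("name")            # reported anyway: a false positive

def compute(a, b):
    j = a * 2                       # assigned, never read
    if False:                       # constant condition: block never entered
        a = -a
    return a + b
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(f"line {finding.line:3d}  {finding.code:<11} {finding.message}")
```

The finding in `greet_admin` is the false positive the Limitations slide talks about: the code is safe, but the rule only knows that `fetch_user` has a `return None` somewhere and that `u` is never compared against `None`. Tuning the rule to the context (for example, treating a literal non-zero argument as safe) removes it, at the cost of more work per rule; dropping the rule altogether would turn `greet` into a false negative.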
Example 1 (screenshot)
• "Can return null": a NullPointerException is thrown on an attempt to dereference a null value.

Example 2 (screenshot)
1. "Statement always true": the condition is constant (the tool reports the statement as always true or always false), so one branch is dead and the block is never entered as written.
2. "s may be null": the variable s may be null, so a NullPointerException may be thrown.

Example 3 (screenshot)
• "& or &&": questionable use of the bitwise operator '&' in a boolean expression. Did you mean '&&'? (With '&' both operands are always evaluated, so a null check on the left-hand side does not protect the right-hand side.)

Example 4 (screenshot)
1. "j is never used": the variable j is never used and is therefore redundant.
2. "k not initialized": the variable k is never initialized and is therefore unusable.

Example 5 (screenshot)
• "May return null": the REST call may fail and return null, which is then dereferenced.

Static Code Analysis - Tools
• Klocwork
• SonarQube
• FindBugs
• Kiuwan
• Others
  - Compilers
  - IDEs
    · IntelliJ IDEA
    · Eclipse

Capability Maturity Model Integration (CMMI)
• A set of rules defining the maturity of the company's processes
• 5 levels
• Honeywell is achieving level 5
  - continuous improvement of the processes and evaluation of the results across all the software development disciplines, according to collected measurements and metrics
• ACS Software Development Process (ASDP)
  - Process used for software development across ACS
  - Aims to be compliant with CMMI level 5
  - Static Code Analysis is one of the steps in the Implementation discipline

Klocwork
• Static Code Analysis tool
• Supported languages: C/C++, C#, Java
• Identifies code defects
  - Logical errors
  - Security vulnerabilities
  - Coding standard violations
• Calculates software metrics such as lines of code, lines of comments, cyclomatic complexity, number of functions/methods
• Web interface and a user instance of Klocwork
  - poor REST API
  - various restrictions in the Klocwork query language
(two Klocwork screenshots)

Tools Integrated with Klocwork
• JIRA
• Crucible/FishEye
• Reasons
  - Klocwork is not very user friendly
  - Results of SCA serve as input parameters for processes
    · these processes have the majority of the required data in other tools
  - Simplifying the processes
  - Delegation of control over SCA results

Defect Tracking Integration

Issue/Defect Tracking
• Honeywell ACS uses JIRA
• Issue and project tracking software
  - tracks time spent on resolving issues, the progress of the project and various metrics connected to software development
  - one of the main tools used across Honeywell ACS
• Issue
  - a software bug (defect), a task, a helpdesk ticket, a new feature etc.
• Easily extensible, with a wide variety of extension options
• Great integration capabilities with other Atlassian products

Source Code Management
• Fisheye
• Web interface for read-only access to SVN
• Visualization and reporting capabilities regarding source code
• Search by commits, comments, people etc.
• Great web API for communication between tools

JIRA – Klocwork – Fisheye Integration Overview
(diagram) Fisheye → Klocwork → JIRA: the integration uses the Klocwork web API (data in JSON format) and the Fisheye web API.

Goals
• Development cycle time reduction
• Code quality improvement
• Build a basis for creating new, more sophisticated metrics combining defect/issue tracking and static code analysis
• Set a basis for future development of the integration and possible defect prediction

Create JIRA defect from Klocwork
• A simple button in a Klocwork finding
• Creates a JIRA defect with as much information as possible
• Stores the data about resolving the defect in JIRA
• Not able to get line numbers
• Not able to get the specific faulty code

Create a list of Klocwork findings for a specific JIRA issue (screenshot)
• Integrates data from Fisheye with data from Klocwork and creates a list of the Klocwork findings that were introduced into the code as part of the implementation of an issue
• Higher code quality
• Lower development cycle time
• Information about the quality of the feature

Report
• Indicates whether the code is ready for testing and release
• Gives an overall status of the quality of the code written as part of the selected version of the product

Manual Code Reviews Integration

Manual Code Reviews
• Systematic examination of the source code
• Used to verify the code from various perspectives
• Atlassian Crucible (screenshot)

Testing Readiness
• Simple rule: the cost of a defect rises with the time it remains undiscovered
  - this applies even to defects found during testing activities
• Solution: try to find defects as soon as possible
  - apply all available tools/processes
  - SCA
  - Manual Code Reviews
• Not a popular activity
  - Need to use two tools for very similar activities
  - Inspecting more complex code can be confusing
  - Human factor
  - Klocwork user friendliness

How to improve?
(screenshots: Crucible and Klocwork side by side)

Integration
• Both tools look similar
  - Why not integrate them?
• Benefits
  - Time saving
  - User friendliness
  - Process enforcement
• Features (screenshot of the combined view)
  - Source File View
  - File Tags
  - Analysis Overview panel
  - Hot Spot Review

Source File View
• Displays Klocwork findings directly in the Crucible source code view

File Tags
• Differentiate files under review based on the number and severity of Klocwork findings

Analysis Overview panel
• Displays statistics about the Klocwork findings in the review

Hot Spot Review
• "Hot Spot" = parts of the code satisfying some condition

Thank You
• Q&A
www.honeywell.com
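Two of the integration steps described in this deck, as one closing worked example: listing the Klocwork findings introduced by a JIRA issue (Klocwork findings joined with Fisheye changesets, with the resulting testing-readiness report) and deriving the Crucible file tags and hot spots from those findings. This is an added example, not Honeywell's JIRA/Fisheye/Crucible integration code. Both payloads are constructed samples, and the field names, the triage statuses, the tag thresholds and the hot-spot condition are assumptions of this example, not the real Klocwork or Fisheye schemas.

```python
"""Klocwork findings per JIRA issue, readiness, file tags and hot spots.

Added illustration, not Honeywell's integration code. Payloads below are
constructed; field names, statuses and thresholds are assumptions.
"""
import json
import re
from collections import Counter

# Constructed: what a Klocwork findings search returns, one JSON object per line.
KLOCWORK_NDJSON = """\
{"id": 101, "file": "src/auth/Login.java", "line": 42, "code": "NULL.RET", "severity": "Critical", "status": "Analyze", "state": "New"}
{"id": 102, "file": "src/auth/Login.java", "line": 44, "code": "BITWISE.AND", "severity": "Error", "status": "Analyze", "state": "New"}
{"id": 103, "file": "src/auth/Login.java", "line": 58, "code": "UNUSED.VAR", "severity": "Review", "status": "Analyze", "state": "New"}
{"id": 104, "file": "src/util/Strings.java", "line": 7, "code": "NULL.COND", "severity": "Error", "status": "Analyze", "state": "Existing"}
{"id": 105, "file": "src/report/Export.java", "line": 120, "code": "SQL.INJ", "severity": "Critical", "status": "Analyze", "state": "New"}
{"id": 106, "file": "src/auth/Session.java", "line": 15, "code": "NULL.RET", "severity": "Error", "status": "Not a Problem", "state": "New"}
"""

# Constructed: Fisheye changesets whose commit comments carry the JIRA key.
FISHEYE_JSON = """\
{"changesets": [
 {"csid": "r1201", "comment": "ACS-4711 login: add remember-me token",
  "files": ["src/auth/Login.java", "src/auth/Session.java"]},
 {"csid": "r1205", "comment": "ACS-4711 login: null check on token lookup",
  "files": ["src/auth/Login.java"]},
 {"csid": "r1209", "comment": "ACS-4720 export: CSV report",
  "files": ["src/report/Export.java"]}
]}
"""

DISMISSED = {"Not a Problem", "Ignore", "Defer"}   # assumed triage statuses that drop a finding
BLOCKING = {"Critical", "Error"}                    # assumed severities that block testing
RANK = {"Critical": 3, "Error": 2, "Review": 1}


def files_touched_by(issue_key, fisheye_json):
    """Map file path -> changeset ids whose commit comment cites the JIRA key."""
    key_re = re.compile(r"\b" + re.escape(issue_key) + r"\b")
    touched = {}
    for cs in json.loads(fisheye_json)["changesets"]:
        if key_re.search(cs["comment"]):
            for path in cs["files"]:
                touched.setdefault(path, []).append(cs["csid"])
    return touched


def findings_for_issue(issue_key, klocwork_ndjson, fisheye_json):
    """Findings introduced by the issue: new in a file the issue's commits touched
    and not triaged away. Matching on file path over-approximates: a concurrent
    commit for another issue in the same file would be attributed here too."""
    touched = files_touched_by(issue_key, fisheye_json)
    found = [dict(f, changesets=touched[f["file"]])
             for f in map(json.loads, filter(str.strip, klocwork_ndjson.splitlines()))
             if f["file"] in touched and f["state"] == "New" and f["status"] not in DISMISSED]
    return sorted(found, key=lambda f: (f["file"], f["line"]))


def readiness_report(issue_key, klocwork_ndjson, fisheye_json):
    """The deck's report: overall status of the code written for the issue."""
    found = findings_for_issue(issue_key, klocwork_ndjson, fisheye_json)
    by_sev = Counter(f["severity"] for f in found)
    return {"issue": issue_key, "findings": len(found), "by_severity": dict(by_sev),
            "ready_for_testing": not any(by_sev[s] for s in BLOCKING)}


def file_tag(findings):
    """Crucible file tag from the number and severity of findings (thresholds assumed)."""
    if not findings:
        return "clean"
    worst = max(RANK.get(f["severity"], 0) for f in findings)
    return "red" if worst == 3 or len(findings) >= 5 else "yellow" if worst == 2 else "green"


def hot_spots(findings, window=3, min_count=2, severities=("Critical",)):
    """Hot spot = line range satisfying a condition: at least min_count findings
    within `window` lines of each other, or any finding of a listed severity.
    Overlapping or adjacent ranges are merged."""
    lines = sorted(f["line"] for f in findings)
    spans = [(f["line"], f["line"]) for f in findings if f["severity"] in severities]
    for i, start in enumerate(lines):
        cluster = [l for l in lines[i:] if l - start < window]
        if len(cluster) >= min_count:
            spans.append((start, cluster[-1]))
    merged = []
    for s, e in sorted(spans):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def review_view(issue_key, klocwork_ndjson, fisheye_json):
    """Per-file tag and hot spots for the files under review for the issue."""
    per_file = {}
    for f in findings_for_issue(issue_key, klocwork_ndjson, fisheye_json):
        per_file.setdefault(f["file"], []).append(f)
    return {path: {"tag": file_tag(fs), "hot_spots": hot_spots(fs)}
            for path, fs in per_file.items()}


if __name__ == "__main__":
    print(json.dumps(readiness_report("ACS-4711", KLOCWORK_NDJSON, FISHEYE_JSON), indent=1))
    print(review_view("ACS-4711", KLOCWORK_NDJSON, FISHEYE_JSON))
```

Finding 106 is dropped because a reviewer already triaged it as "Not a Problem", and 104 because it pre-dates the change ("Existing"); the join therefore lists only what the issue introduced, which is the input the readiness report and the Crucible file tag need. Because the deck notes that line numbers and the faulty code could not be obtained through the Klocwork interface, the join here is by file path only; that is the source of the over-approximation noted in `findings_for_issue`.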