What is Static Code Analysis?

Static code analysis is a well-established method for catching possible bugs in software before running it. It traces the code's structure and flags problematic situations. The analysis can catch cases where the developer has neglected to consider all possibilities. It fits well into an automated development and testing cycle. Using it with every code change can avoid unexpected responses, crashes, and security holes.

The tools for static analysis combine several approaches.

Data flow analysis traces the paths which variables can follow when a function runs. It may discover that a variable isn't always initialized or that the code won't act predictably for some values. The code might, for instance, fail to check for the possibility of division by zero.

Taint analysis looks for user inputs which could exploit vulnerabilities. SQL injection is a common example. The analysis will issue a warning if the code fails to sanitize potentially tainted inputs.
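As an added illustration, not part of the original article, here is a small taint checker for Python source built on the standard `ast` module. It follows the data-flow and taint ideas above: a variable assigned from a constructed, hypothetical input source (`input`, `request.args.get`, `request.form.get`) becomes tainted, taint spreads through assignments and string building, and a warning is produced when the query text handed to an `execute()` sink still depends on it, unless the value passed through a hypothetical sanitizer (`sanitize`, `quote_literal`). A parameterised query passes the same value as bound data rather than query text, so it is not flagged.

```python
import ast

TAINT_SOURCES = {"input", "request.args.get", "request.form.get"}  # constructed names; real tools ship configurable lists
SANITIZERS = {"sanitize", "quote_literal"}                          # constructed, hypothetical sanitizer names
SINK_ATTR = "execute"   # any obj.execute(query_text, params) is treated as an SQL sink
def _dotted(node):
    """Name/Attribute chain such as request.args.get -> "request.args.get", else None."""
    if isinstance(node, ast.Name):
        return node.id
    base = _dotted(node.value) if isinstance(node, ast.Attribute) else None
    return f"{base}.{node.attr}" if base else None
def _is_tainted(expr, tainted):
    """Does the expression carry user input? Taint flows through any operator or call."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        callee = _dotted(expr.func)
        if callee in SANITIZERS:
            return False    # sanitizer output is treated as clean
        if callee in TAINT_SOURCES:
            return True     # reads user input directly
    return any(_is_tainted(c, tainted) for c in ast.iter_child_nodes(expr))
def find_tainted_sql(source):
    """Line numbers of execute() calls whose query text depends on unsanitised input.
    Taint is propagated per function to a fixpoint; flow-insensitive, so it may over-approximate."""
    warnings = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        nodes, tainted = list(ast.walk(func)), set()
        while True:
            before = len(tainted)
            for n in nodes:
                if isinstance(n, ast.Assign) and _is_tainted(n.value, tainted):
                    tainted.update(t.id for t in n.targets if isinstance(t, ast.Name))
            if len(tainted) == before:
                break
        for n in nodes:   # only argument 0 is query text; bound parameters are data
            is_sink = isinstance(n, ast.Call) and getattr(n.func, "attr", None) == SINK_ATTR
            if is_sink and n.args and _is_tainted(n.args[0], tainted):
                warnings.append(n.lineno)
    return warnings
SAMPLE = '''
def lookup(cursor, request):
    name = request.args.get("name")
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    cursor.execute(query)                                           # flagged
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))  # ok: parameterised
    cursor.execute(f"SELECT * FROM users WHERE name = '{sanitize(name)}'")  # ok: sanitised
    alias = name.strip()
    cursor.execute("DELETE FROM users WHERE name = '%s'" % alias)   # flagged via alias
'''
```

`find_tainted_sql(SAMPLE)` returns the line numbers of the two flagged calls; the constructed sample input is the only code it is meant to run on.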

Dead code analysis finds portions of the code which can never be reached. They may just be redundant code, or they may reveal a logical error in the design of a function.

Guideline checking enforces a project's coding conventions. Coding guidelines may require each function to have a structured comment explaining it. They may call for factoring out duplicate or near-duplicate pieces of code into separate functions. Certain programming constructions may be technically correct but not advisable. By catching these situations, the analysis encourages code which is easier to read and maintain.

Using static analysis intelligently

Used indiscriminately, static code analysis can report non-existent problems and annoy programmers with useless messages. The analysis tools may not be able to tell that the broader software structure makes certain inputs impossible. Many languages allow code annotations to avoid spurious warnings. Annotations can indicate that parameters will always follow certain constraints or should be ignored. Programmers need to be careful not to annotate real issues out of existence, but judicious annotation makes the analysis more useful.

Static code analysis is a well-established part of modern software development disciplines such as DevOps. It's valuable for every kind of production code. Used properly, it brings developers closer to the ideal of bug-free code. Let's talk about static code analysis!

Todd Towles

Regional Sales Manager, Frontgrade Technologies (Formerly CAES/Cobham)

6 years ago
