What is static analysis?
When it comes to computer software development, testing your software to ensure it is free of defects and vulnerabilities is a key part of the software lifecycle. One of the common options in the software developers toolbox is static analysis. It’s a method of debugging your code without having to execute your program. Static analysis allows you to find crash causing and unpredictable behaviour bugs, security vulnerabilities and ensure that software adheres to industry standards such as MISRA and its use is often mandated as a key part of meeting many safety standards.
In theory code analysis can be conducted by visual analysis as part of a manual code review, but is more often approached with support of an automated tool. There are many tools on the market ranging from relatively simple tools to check adherence to coding standards to more advanced tools that can detect defects and vulnerabilities in source code, libraries and binaries. Most advanced tools perform a build or compile of the software and then an analysis which produces a set of candidate defects for the developer to triage.
Why use static analysis?
So, now you know what static analysis is in basic terms, why should you be using it to assess your software?
Static analysis reveals errors early in the development process, so your development teams can fix them while the code is still fresh in their mind and well before the defects and vulnerabilities are uncovered during testing or worse still when deployed in the field. Where defects are not uncovered early there are significant extra costs in terms of increased testing costs, longer release cycles and worse still potential liabilities, increased services costs and damaged brand reputation. Static analysis gives you an opportunity to review the code and highlight any potential errors or mistakes that have been made before they escalate.
Static Analysis sets the foundation for better quality code. With a dedicated step in the development process that allows developers to carefully analyse the code they’re producing, it sets the basis for better quality work in the future. Developers that are used to quickly analysing their own and other’s work with the support of a static analysis tool are more productive.
Static analysis saves time and money. While static analysis might seem like an added step in the software development process, it’s a valuable one. When you look over the long-term and at the alternatives, it can substantially save you in both time and money by shortening release cycles, minimising recalls and support costs and delighting customers.
The process allows you to simplify the code. When you’re in the development phase it’s easy for code to become overcomplicated, static analysis allows you to focus in on areas where it can be simplified. It’s a step that can make additions and updates in the future easier to implement.
What to look for in a static analysis tool
All static analysis tool vendors have to trade off three conflicting goals in building their software. These are Performance, Precision and Recall. Typically you can optimise for two of the three at the expense of the remaining objective. The trade-offs for each are summarised below.
Perhaps obvious, you want a performant tool, but time waits for no-one. It’s great to have fantastic precision and recall, but if the analysis tool takes days to run the build and analysis no-one is going to wait for the results. This often confines tools which promote this characteristic to small code bases.
A focus on precision allows a tool to report real defects on the code, often referred to as True Positives, without reporting large numbers of candidate defects which turn out not to be real once they have been analysed. These are often referred to as False Positives. So good precision means less time triaging reported defects.
Static analysis tools with good recall are focussed on finding as many real defects as possible to minimise the chance of missing real problems in the code often referred to as false negatives. It’s worth remembering one of the main the reasons static analysis is utilised is to find defects and vulnerabilities in your code, so this should arguably be one of the primary design goals of any static analysis tool.