Software quality management solutions function with automated tests that use static analysis processes to generate software quality metrics.
With the ability to parse code in almost every commonly used programming language, static analysis is useful in assessing five key software quality indicators: software system security, code reliability, code memory usage and efficiency, maintainability, and portability.
These indicators represent the most significant aspects of high-quality code, and developers and investors should monitor the metrics generated by static analyses to ensure they are producing secure, reliable, maintainable, portable, and scalable code.
Static analysis looks for security vulnerabilities in source code by referencing the most common vulnerabilities defined by OWASP.
The parser can monitor code for vulnerabilities to data injection by looking at any queries or command statements that take user input. It checks that every user input is prepared correctly to avoid data injection. The parser will report a vulnerability if the code does not adequately separate user input from data structures.
A static analysis engine looks at authentication vulnerabilities by checking that the code protects user credentials by hashing or encrypting the stored authentication information. It looks for weak account management functions, such as password recovery processes, for simple password overwriting vulnerabilities. It verifies that the source code hides URL authentication information via URL rewriting algorithms and looks at session timeout procedures that often produce vulnerabilities to session fixation attacks.
When scanning for security vulnerabilities, the static analysis algorithm tags structures that contain sensitive data and verifies that all direct references to these objects require authentication for data to be passed to the caller. Similarly, the parser looks at indirect references to sensitive data objects and the data mapping process to ensure that the call requires user authentication. When the parser locates an instance of a potential vulnerability, it will tag and report the instance and include it in a security metrics report. After scanning through the most common software vulnerabilities, it will generate a report that references all potential vulnerabilities it has identified.
Static analysis is especially apt at looking at the reliability of all modules and methods of software.
The source of reliability in code is the ability to produce a predictable outcome given wildly varying inputs. In static analysis, the parser identifies and isolates specific methods, emulating their behavior when ported into other software modules. Once isolated, the algorithm generates arguments and reads method outputs, expecting the outputs to contain specific information and formatting. It raises flags for any anomalies in a method.
The algorithm will then aggregate anomalies and generate a report pointing to specific methods compromising reliability.
The efficiency of code is primarily dictated by memory usage and data flow.
When performing static analysis, a program’s memory usage is not explicitly readable. By definition, static analysis is performed on code without instantiating an interpreter; thus, the parser needs to infer memory usage by looking at the code and data structures.
A common source of code inefficiency is calls for entire data sets to be stored in active memory. This is especially common in legacy code and systems initially developed for small data sets. The static analysis algorithm looks for any such explicit calls to store data sets in memory and reports them. It will also look for cases of lingering data stored in active memory—any call for data to be stored in active memory will prompt a search for a call to drop that data from memory after working and updating a database.
The report will suggest an iterative alternative approach to carrying out a memory-intensive task, but a knowledgeable developer needs to look at such reports. Some explicit calls to store data sets in memory are necessary and entirely manageable if, for example, the data set is known to be small (such as metadata).
Static analysis procedures will also identify duplicate code and multiple calls to simultaneously commit the same data to memory.
In most cases, the static analysis of source code will reveal and report important sources of software inefficiencies. It’s especially illuminating when working with extensive legacy code and data structures that weren’t initially designed to be scalable.
Code maintainability is closely related to its complexity. If the source code is overly complex, it can be difficult to quickly make changes and incorporate new functions and modules.
Thus, the static analysis protocol looks for sources of code complexity to generate metrics that quantify code maintainability.
A source of program complexity that a parser can identify is duplicate code in sibling classes. If certain classes share a parent and share explicitly defined methods, the code is overly complicated—the two classes could inherit their shared method from a parent class. A parser can easily identify such cases by looking for duplicate methods.
Another source of complexity, method side effects, is easy for static analyzers to examine. By parsing the arguments, output, instances, and method code, the algorithm can find methods that create complications by implicitly affecting data flow.
By quantifying program complexity, a static analysis report helps developers look at the maintainability of their code and improve it by pointing to specific sources of complexity.
A static analysis report gives insight into the portability of source code by isolating and testing methods. Deprived of their native environments, the parser can predict how well methods would perform if ported.
Much like reliability and maintainability, code’s portability lies in its complexity. The complexity metrics that a static analysis generates help developers quantify their code’s portability.
Understanding the function of static analysis in any automated software quality test is important. It’s a wonderful tool, but developers should also understand its strengths and limitations.
