Software quality management solutions use automated tests and static analysis to generate software quality metrics.
With the ability to parse code in almost every commonly used programming language, static analysis is useful in assessing five key software quality indicators: software system security, code reliability, code memory usage and efficiency, maintainability, and portability.
These indicators represent the most significant aspects of high-quality code, and developers and investors should monitor the metrics generated by static analyses to ensure they are producing secure, reliable, maintainable, portable, and scalable code.
Static analysis looks for security vulnerabilities in source code by referencing the OWASP Top 10.
The parser can monitor code for data injection vulnerabilities by analyzing any queries or command statements that accept user input. It ensures that every user input is properly prepared to prevent data injection. The parser will report a vulnerability if the code does not adequately separate user input from data structures.
A static analysis engine examines authentication vulnerabilities by verifying that the code protects user credentials by hashing or encrypting the stored authentication information. It looks for weak account management functions, such as password recovery processes, that lead to simple password overwriting vulnerabilities. It verifies that the source code hides URL authentication information via URL rewriting algorithms and examines session timeout procedures that often lead to session fixation vulnerabilities.
When scanning for security vulnerabilities, the static analysis algorithm tags structures that contain sensitive data and verifies that all direct references to these objects require authentication before data is passed to the caller. Similarly, the parser looks at indirect references to sensitive data objects and the data mapping process to ensure that the call requires user authentication. When the parser locates an instance of a potential vulnerability, it tags and reports the instance, including it in a security metrics report. After scanning for the most common software vulnerabilities, it will generate a report listing all potential vulnerabilities it has identified.
Static analysis is especially well-suited to assessing the reliability of all software modules and methods.
The source of code’s reliability is its ability to produce a predictable outcome given wildly varying inputs. In static analysis, the parser identifies and isolates specific methods, emulating their behavior when ported into other software modules. Once isolated, the algorithm generates arguments and reads method outputs, expecting them to contain specific information and a specific format. It raises flags for any anomalies in a method.
The algorithm will then aggregate anomalies and generate a report identifying specific methods that compromise reliability.
Code efficiency is primarily determined by memory usage and data flow.
When performing static analysis, a program’s memory usage is not explicitly readable. By definition, static analysis is performed on code without instantiating an interpreter; thus, the parser must infer memory usage from the code and data structures.
A common source of code inefficiency is the need to store entire data sets in active memory. This is especially common in legacy code and systems initially developed for small data sets. The static analysis algorithm looks for any such explicit calls to store data sets in memory and reports them. It will also look for cases of lingering data stored in active memory—any call to store data in active memory will prompt a search for a call to drop that data from memory after working and updating a database.
The report will suggest an iterative alternative approach to a memory-intensive task, but a knowledgeable developer needs to review such reports. Some explicit calls to store data sets in memory are necessary and entirely manageable if, for example, the data set is known to be small (such as metadata).
Static analysis procedures will also identify duplicate code and multiple calls to simultaneously commit the same data to memory.
In most cases, the static analysis of source code will reveal and report important sources of software inefficiencies. It’s especially illuminating when working with extensive legacy code and data structures that weren’t initially designed to be scalable.
Code maintainability is closely related to its complexity. If the source code is overly complex, it can be difficult to quickly make changes and incorporate new functions and modules.
Thus, the static analysis protocol looks for sources of code complexity to generate metrics that quantify code maintainability.
A source of program complexity that a parser can identify is duplicate code in sibling classes. If two classes share a parent and explicitly defined methods, the code is overly complicated—the two classes could inherit their shared methods from a parent class. A parser can easily identify such cases by looking for duplicate methods.
Another source of complexity, method side effects, is easy for static analyzers to examine. By parsing arguments, output, instances, and method code, the algorithm can identify methods that introduce complications by implicitly affecting data flow.
By quantifying program complexity, a static analysis report helps developers look at the maintainability of their code and improve it by pointing to specific sources of complexity.
A static analysis report gives insight into the portability of source code by isolating and testing methods. Deprived of their native environments, the parser can predict how well methods would perform if ported.
Much as reliability and maintainability do, code’s portability lies in its complexity. The complexity metrics generated by a static analysis help developers quantify their code’s portability.
Understanding the role of static analysis in automated software quality testing is important. It’s a wonderful tool, but developers should also understand its strengths and limitations.
