Top 10 possible mistakes in static code analysis

Document summary

Top 10 User Mistakes with Static Analysis
SATE IV, March 2012
Parasoft Proprietary and Confidential

About Parasoft
- Founded in 1987
- 27+ patents for automated quality processes
- Build quality into the process
- Static analysis tools since 1994

What IS Static Analysis?
- Variety of methods:
  - Peer review / manual code review / code inspection
  - Pattern-based code scanners
  - Flow-based code scanners
  - Metrics-based code scanners
  - Compiler / build output

Number 10: Developers
10) Developers not included in process evolution
- Developer insights:
  - Rules / issues drive need
  - Workflow
  - Usability
  - Correctness / noise
- Will our engineers really adopt it and use it?
- Is this a long-term solution?

Code Analysis Perceptions
- "Static analysis is a pain"
- "False positive" has varying definitions:
  - "I don't like it"
  - "It was wrong"

Pattern-Based False Positives
- True false positives are generally a rule deficiency
- Context: does this apply here and now?
- In-code suppressions to document the decision

Flow Analysis False Positives
- False positives are inevitable
- Finds real bugs
- Flow analysis is not comprehensive

Number 9: Expectations
9) Wrong expectations
- Why do static analysis?
  - Because it's the right thing?
  - Increase quality?
  - Decrease costs?
  - Reduce development time?
- "Flow analysis is enough"
- When will it pay off?
- How can I tell it's paying off?

Number 8: Approach
8) Taking an audit approach
- Running SA on all your code (don't)
- It's all about the reports (or is it?)

Number 7: Too Much
7) Starting with too many rules
- Static analysis is about process
- It's incremental
- Avoid biting off more than you can chew
- Avoid any rule you won't stop the build for

Don't Get Run Over
- Same set of rules for everyone
- Small set of rules
- Fewer rules that are followed is better than more that are not
- If you wouldn't fix it, don't check for it

Number 6: Workflow
6) Workflow integration
- Has to work with your development UI
- Same configuration for desktop and server
- Minimize negative impact
- Minimize time to find / fix violations

Results within IDE
1. Results delivered as a uniform view within the IDE
2. Directly access the line of code to fix
3. Check-in

Number 5: Training
5) Lack of sufficient training
- How to install the tool
- How to configure the tool
- How to set up the build
- How to run the tool
- How to mitigate violations
- How / when to suppress

Number 4: Process
4) No defined process
- Developers are not necessarily process experts
- Process should minimize the impact of SA
- Consistent for teams and projects
- Vetted in a pilot project

Number 3: Automation
3) No automated process enforcement
- Reduce effort
- Consistency
- Compliance

Number 2: Policy
2) Lack of a clear policy
- What teams need to do SA?
- What projects require SA?
- What rules are required?
- What amount of compliance?
- When can you suppress?
- How to handle legacy code?
- Do you ship with SA violations?

Number 1: Management
1) Lack of management buy-in
- Requirements
- Allowed time
- Understanding of the ROI
- Enforcement

The Whole Top 10
10) Developers not included in process evolution
9) Wrong expectations
8) Taking an audit approach
7) Starting with too many rules
6) Workflow integration
5) Lack of sufficient training
4) No defined process
3) No automated process enforcement
2) Lack of a clear policy
1) Lack of management buy-in

Honorable Mention: The Wrong Stuff
- Wrong tool
- Wrong process:
  - Email reports
  - Blocking
  - Painful CI workflow
- Wrong rules:
  - Unimportant rules
  - Too many rules
- Wrong code:
  - Legacy strategy
  - Don't test what you won't / can't change

Honorable Mention: What's Lacking
- Lack of management buy-in:
  - The edict
  - Allowed time & budget
- Lack of development buy-in:
  - Willful non-compliance
- Lack of training

Q&A / Further Reading
- Automated Defect Prevention (Huizinga & Kolawa): principles and processes to improve the software development process.
- Effective C++ / More Effective C++ (Meye
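The slides make three process points that are easy to see in code: a pattern-based scanner is only a set of rules applied line by line, a rule you would not stop the build for should be advisory rather than blocking, and a suppression should document the decision rather than silently hide a finding. The following Python script is an added example written for this page, not Parasoft's tooling or any real product's rule set: the rule identifiers (SEC-001, SEC-002, STY-010), the `# sa-suppress: ID reason="..."` comment syntax and the sample source it scans are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical rule set (constructed for this example). Blocking rules fail the
# build; advisory rules are reported but never stop a check-in, which keeps the
# enforced set small ("avoid any rule you won't stop the build for").
@dataclass(frozen=True)
class Rule:
    rule_id: str
    pattern: "re.Pattern"
    message: str
    blocking: bool

RULES = [
    Rule("SEC-001", re.compile(r"\beval\s*\("), "eval() on possibly untrusted input", True),
    Rule("SEC-002", re.compile(r"(?i)password\s*=\s*['\"][^'\"]+['\"]"), "hard-coded credential", True),
    Rule("STY-010", re.compile(r"\bprint\s*\("), "debug print left in code", False),
]

# Assumed suppression syntax:  # sa-suppress: RULE-ID reason="why this is acceptable"
# A suppression only counts when it carries a non-empty reason, so the decision
# is documented in the code next to the finding it silences.
SUPPRESS_RE = re.compile(r"#\s*sa-suppress:\s*([A-Z]+-\d+)\s+reason=\"([^\"]*)\"")

@dataclass
class Finding:
    line_no: int
    rule_id: str
    message: str
    blocking: bool
    suppressed: bool = False
    reason: Optional[str] = None

def scan(source: str, rules=RULES) -> List[Finding]:
    """Apply every rule to every line; attach any justified suppression found on that line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        suppressions = {m.group(1): m.group(2) for m in SUPPRESS_RE.finditer(line)}
        for rule in rules:
            if rule.pattern.search(line):
                reason = suppressions.get(rule.rule_id)
                justified = reason is not None and reason.strip() != ""
                findings.append(Finding(line_no, rule.rule_id, rule.message,
                                        rule.blocking, justified, reason))
    return findings

def build_passes(findings: List[Finding]) -> bool:
    """The build fails only on blocking findings that have no justified suppression."""
    return not any(f.blocking and not f.suppressed for f in findings)

def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per finding, in the order they were found."""
    lines = []
    for f in findings:
        state = "SUPPRESSED" if f.suppressed else ("BLOCKING" if f.blocking else "advisory")
        extra = f"  (reason: {f.reason})" if f.suppressed else ""
        lines.append(f"line {f.line_no}: {f.rule_id} {state}: {f.message}{extra}")
    return lines

# Constructed sample source: one justified suppression, one empty (rejected) one,
# one unsuppressed blocking finding and one advisory finding.
SAMPLE = '''\
import os
password = "hunter2"  # sa-suppress: SEC-002 reason="test fixture only, not a real credential"
config = eval(os.environ.get("CFG", "{}"))
token = "abc"
print("debugging")
api_password = "s3cret"  # sa-suppress: SEC-002 reason=""
'''

if __name__ == "__main__":
    found = scan(SAMPLE)
    for line in report(found):
        print(line)
    print("build passes:", build_passes(found))
```

Running it shows line 2 silenced with its reason recorded, line 6 still blocking because the empty reason does not count as a documented decision, line 3 blocking on `eval(`, and the `print(` on line 5 reported but not failing the build; the result is a failed build with exactly the two findings a developer is expected to fix.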
