Learn how to do static code analysis in 5 steps.
November 28, 2018

How Static Code Analysis Works

Static code analysis helps development teams improve quality and comply with coding standards — without sacrificing speed.

Static Analysis in Software Testing

Static analysis plays a key role before software testing begins. It makes sure the code that you pass on to testing is the highest quality possible. And, if you choose the right static analyzer, it speeds up the development process.

What Static Analysis Can Find

Static analysis finds potential quality issues in your code before you run your program.

This includes:

  • Programming errors
  • Coding standard violations
  • Security weaknesses

Static analyzers are particularly good at finding coding issues such as buffer overflows, memory leaks, and null pointer dereferences.
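As an added illustration (not from this page or from Helix QAC's own output), here is a small C example of the three defect classes just named, each beside a hardened form that a clean analysis run would pass; `copy_name`, `dup_name`, and `NAME_MAX` are names chosen for this example.

```c
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* Before: three latent defects of the kind static analysis reports.
 * This compiles without error, so nothing here is caught until runtime. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    char *copy = malloc(strlen(name) + 1);
    strcpy(buf, name);   /* buffer overflow: strlen(name) may exceed NAME_MAX - 1 */
    strcpy(copy, name);  /* null pointer dereference: malloc may return NULL   */
    (void)buf;
    /* memory leak: 'copy' is never freed */
}

/* After: bounded copy into a caller-supplied buffer.
 * Returns 0 on success, -1 if name is NULL or does not fit. */
int copy_name(const char *name, char *out, size_t out_len)
{
    if (name == NULL || out == NULL || out_len == 0)
        return -1;
    size_t n = strlen(name);
    if (n >= out_len)            /* reject instead of silently truncating */
        return -1;
    memcpy(out, name, n + 1);    /* bound checked above, so the copy is safe */
    return 0;
}

/* After: heap duplicate with the allocation result checked. The caller owns
 * the returned buffer and must free it; NULL is returned on failure. */
char *dup_name(const char *name)
{
    if (name == NULL)
        return NULL;
    size_t n = strlen(name) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return NULL;
    memcpy(copy, name, n);
    return copy;
}
```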

And static analysis educates developers on best coding practices, which helps you improve quality over the long term.

What Cannot Be Identified in Static Analysis

There are things that static analysis can’t identify. For instance, static analysis can’t detect whether software requirements have been fulfilled or how a function will execute. You’ll need dynamic testing for that.

That’s why static analysis and dynamic testing are complementary. Static analysis detects bugs in code early on. This ensures a higher-quality product reaches the testing phase. And it accelerates development by making the testing process more efficient.

How Static Code Analysis Works

Here’s how static code analysis works.

1. Write the Code

Your first step is to write the code.

2. Run a Static Code Analyzer

Next, run a static code analyzer over your code. It will check your code against predefined coding rules. These might be from a coding standard. Or they might be in-house coding rules that your team has developed.

3. Review the Results

The static code analyzer will identify code that doesn’t comply with the coding rules. You can then review the results. There may be false positives to dismiss. And there will be some issues that are more important to fix than others. Some tools, such as Helix QAC, will prioritize the violations for you.

4. Fix What Needs to Be Fixed

Next, fix the issues that warrant a fix. Start with the most critical ones and work down the list from there.

5. Move On to Testing

Once you’ve resolved issues in the code, it can move on to the next phase of development. And you can begin the process over again.

Static Analysis Example in Helix QAC

Helix QAC is the best static code analysis tool for C/C++. It helps you find defects in your code with greater accuracy than other tools. You can analyze and fix your code on-demand throughout your day. And using Helix QAC is the best way to ensure your code complies with ISO standards.

Here’s an example of static analysis in Helix QAC.

Select a Coding Standard (If Applicable)

You can add a compliance module to Helix QAC to easily comply with a coding standard. Some popular examples are MISRA, AUTOSAR, and CERT. Or you might use your own in-house coding rules.

Create Your Project

Before you can run an analysis, you’ll need to create a new project in Helix QAC. This is where you’ll select a programming language (C or C++).

You’ll then:

  1. Configure your project settings to match the settings of your compiler. This ensures that your analysis can run smoothly and accurately. Helix QAC can optimize for different compilers, too.
  2. Synchronize your project. This tells Helix QAC which source and header files to analyze.

Analyze Your Project

You can begin analyzing your project as you build it — or afterward. And it can be done with a script, command, or click of a button.

Helix QAC also integrates with Microsoft Visual Studio and Eclipse. So, you can analyze your files without leaving your IDE.

Review Violations

You’ll see files and folders associated with your project. When you select a file, you’ll see the analysis. If a line of code has a bubble next to it, it means that line of code has a diagnostic on it. You can click the bubble to see what the violation is.

You can also use a diagnostic window to filter the results. Simply click a diagnostic to see where the violation occurs in your code.

Filter by Severity

Depending on the nature of your code, you might get hundreds or even thousands of diagnostics in Helix QAC. You can use a severity filter to prioritize the issues you need to work on. The severity levels are customizable to your team.

You can also filter the diagnostics by rule. This is helpful if you have a rule (or rules) that is more critical to your product.

Suppress Violations You Won’t Fix

If you find a diagnostic or type of diagnostic that you’re not going to fix, you can suppress it. You can configure the scope of a suppression to fit your needs. You can also add deviation tags. These are used to document why you’re suppressing that diagnostic. This is important for compliance.

It’s difficult to fully comply without suppressing some rules or diagnostics. Everyone usually needs to suppress some rules, especially when it comes to legacy code.

Edit Your Code

You can choose to edit your code right in Helix QAC or in your IDE. Simply fix the code, save the file, and then re-analyze your file. If the diagnostics go away, the issues have been fixed.

Review Code Metrics

You can also use the Helix QAC web dashboard to examine code metrics. For instance, you can look at the metric history for cyclomatic complexity. This will tell you how the complexity of your code has changed over time. Overly complex code is difficult to maintain.

Try Helix QAC for Static Code Analysis

See for yourself why Helix QAC is the best static code analyzer. Request a trial to see how Helix QAC will help you analyze your code.
