Static code analysis helps you find bugs faster.
June 27, 2019

What Is Static Code Analysis?

Static Analysis
Security & Compliance

Development teams are under pressure. Quality releases needed to be delivered on time. Coding and compliance standards need to be met. And mistakes are not an option.

That’s why development teams are using static analysis tools.

What Is Static Analysis?

Static analysis is best described as a method of debugging by automatically examining source code before a program is run.

And What Is Static Code Analysis?

Static code analysis is a method of debugging by examining source code before a program is run. It’s done by analyzing a set of code against a set (or multiple sets) of coding rules.

Static code analysis and static analysis are often used interchangeably, along with source code analysis. 

This type of analysis addresses weaknesses in source code that might lead to vulnerabilities. Of course, this may also be achieved through manual code reviews. But using automated tools is much more effective.

Static analysis is commonly used to comply with coding guidelines — such as MISRA. And it’s often used for complying with industry standards — such as ISO 26262.

Static Code Analysis Is Performed In Which Stage?

Static code analysis is performed early in development, before software testing begins. For organizations practicing DevOps, static code analysis takes place during the “Create” phase.

Static code analysis also supports DevOps by creating an automated feedback loop. Developers will know early on if there are any problems in their code. And it will be easier to fix those problems.

Static Analysis vs. Dynamic Analysis

So, what’s the difference between static analysis and dynamic analysis?

Both types of analysis detect defects. The big difference is where they find defects in the development lifecycle.

Static analysis identifies defects before you run a program (e.g., between coding and unit testing).

Dynamic analysis identifies defects after you run a program (e.g., during unit testing). However, some coding errors might not surface during unit testing. So, there are defects that dynamic testing might miss that static code analysis can find.

See how static code analysis works >>

Limitations of Static Analysis

Static code analysis is used for a specific purpose in a specific phase of development. But there are some limitations of static analysis.

No Understanding of Developer Intent

 

int calculateArea(int length, int width)
{
    return (length + width);
}

 

A static analysis tool may detect a possible overflow in this calculation. But it can’t determine that function fundamentally does not do what is expected!

Rules That Aren’t Statically Enforceable

Some coding rules depend on external documentation. Or they are open to subjective interpretation.

For example:

 

CERT-C MSC04:

Use comments consistently and in a readable fashion.

 

Possible Defects Lead to False Positives and False Negatives

In some situations, a tool can only report that there is a possible defect.

 

int divide(void)
{
    int x;
    if(foo())
    {
        x = 0;
    }
    else
    {
        x = 5;
    }
    return (10/x);
}

 

If we know nothing about foo(), we do not know what value x will have.

The result is undecidable. That means that tools may report defects that do not actually exist (false positives). Or they may fail to report real defects (false negatives). 

Benefits of the Best Static Code Analysis Tools

There are several benefits of static code analysis — especially if you need to comply with an industry standard.

The best static code analysis tools offer speed, depth, and accuracy. 

Speed

It takes time for developers to do manual code reviews. Automated tools are much faster.

Static code checking addresses problems early on. And it pinpoints exactly where the error is in the code. So, you’ll be able to fix those errors faster. Plus, coding errors found earlier are less costly to fix.

Depth

Testing can’t cover every possible code execution path. But a static code analyzer can.

It checks the code as you work on your build. You’ll get an in-depth analysis of where there might be potential problems in your code, based on the rules you’ve applied.

Here's an example of in-depth code analysis in Helix QAC

An example of code analysis in Helix QAC.
An example of code analysis in Helix QAC.

Accuracy

Manual code reviews are prone to human error. Automated tools are not.

They scan every line of code to identify potential problems. This helps you ensure the highest-quality code is in place — before testing begins. After all, when you’re complying with a coding standard, quality is critical.  

Choosing a Static Analyzer

Here are a few things to consider when deciding which tool is right for you.

Programming Language

Analyzers are designed for many different programming languages. So, it’s important to choose a tool that supports your language.

Standards

One the primary uses of static analyzers is to comply with standards. So, if you’re in a regulated industry that requires a coding standard, you’ll want to make sure your tool supports that standard.

Tips for Choosing a Tool

Interested in more tips for selecting a tool? "Static Code Analysis Tools Comparison: A Buyer's Guide" covers:

  • Benefits and challenges of static code analysis.
  • Best practices for using it.
  • 6 requirements for choosing the right tool.

Compare static analyzers >>

Why Perforce Static Analyzers?

Perforce offers static code analysis solutions for C, C++, C#, and Java programming languages — Helix QAC and KlocworkThese tools are certified to comply with coding standards and compliance mandates. And they deliver fewer false positives and false negatives.

Learn more about Perforce's static analysis solutions.

EXPLORE STATIC ANALYZERS