What is static analysis?
June 27, 2018

What Is Static Code Analysis?

Static Analysis
Security & Compliance

Development teams are under pressure. Quality releases needed to be delivered on time. Coding and compliance standards need to be met. And mistakes are not an option.

That’s why development teams are using static analysis.

What Is Static Analysis?

Static analysis is a method of debugging by automatically examining code before a program is run.

And What Is Static Code Analysis?

Static code analysis is interchangeable with static analysis.

So, it’s a method of debugging by examining code before a program is run. It’s done by analyzing a set of code against a set (or multiple sets) of coding rules. This is usually done in early stages of development.

For organizations practicing DevOps, static code analysis takes place during the “Create” phase. Static code analysis also supports DevOps by creating an automated feedback loop. Developers will know early on if there are any problems in their code. And it will be easier to fix those problems.

This type of analysis addresses weaknesses in code that might lead to vulnerabilities. Of course, this may also be achieved through manual code reviews. But using automated tools is much more effective.

Static analysis is commonly used to comply with coding guidelines — such as MISRA. And it’s often used for complying with industry standards — such as ISO 26262.

Static Analysis vs. Dynamic Analysis

So, what’s the difference between static analysis and dynamic analysis?

Both types of analysis detect defects. The big difference is where they find defects in the development lifecycle.

Static analysis identifies defects before you run a program (e.g., between coding and unit testing).

Dynamic analysis identifies defects after you run a program (e.g., during unit testing). However, some coding errors might not surface during unit testing. So, there are defects that dynamic testing might miss that static code analysis can find.

Limitations of Static Analysis

Static code analysis is used for a specific purpose in a specific phase of development. But there are some limitations.

No Understanding of Developer Intent

 

int calculateArea(int length, int width)
{
    return (length + width);
}

 

A static analysis tool may detect a possible overflow in this calculation. But it can’t determine that function fundamentally does not do what is expected!

Rules That Aren’t Statically Enforceable

Some coding rules depend on external documentation. Or they are open to subjective interpretation.

For example:

 

CERT-C MSC04:

Use comments consistently and in a readable fashion.

 

Possible Defects Lead to False Positives and False Negatives

In some situations, a tool can only report that there is a possible defect.

 

int divide(void)
{
    int x;
    if(foo())
    {
        x = 0;
    }
    else
    {
        x = 5;
    }
    return (10/x);
}

 

If we know nothing about foo(), we do not know what value x will have.

The result is undecidable. That means that tools may report defects that do not actually exist (false positives). Or they may fail to report real defects (false negatives). 

Advantages of Static Analysis Tools

There are several advantages to using static analysis tools — especially if you need to comply with an industry standard.

Speed

It takes time for developers to do manual code reviews. Automated tools are much faster.

Static code checking addresses problems early on. And it pinpoints exactly where the error is in the code. So, you’ll be able to fix those errors faster. Plus, coding errors found earlier are less costly to fix.

Depth

Testing can’t cover every possible code execution path. But a static code analyzer can.

It checks the code as you work on your build. You’ll get an in-depth analysis of where there might be potential problems in your code, based on the rules you’ve applied.

Accuracy

Manual code reviews are prone to human error. Automated tools are not.

They scan every line of code to identify potential problems. This helps you ensure the highest-quality code is in place — before testing begins. After all, when you’re complying with a coding standard, quality is critical.  

How to Select a Static Code Analyzer

Here are a few things to consider when deciding which static code analyzer is right for you.

Programming Language

Analyzers are designed for many different programming languages. So, it’s important to choose a tool that supports your language.

Standards

One the primary uses of static analyzers is to comply with standards. So, if you’re in a regulated industry that requires a coding standard, you’ll want to make sure your tool supports that standard.

Get Tips for Choosing a Tool

Interested in more tips for selecting a static code analyzer? “Static Source Code Analysis: A Buyer’s Guide” covers:

  • Benefits and challenges of static code analysis.
  • Best practices for using it.
  • 6 requirements for choosing the right tool.

Get My Buyer’s Guide >

Static Code Analyzers From Perforce

Perforce offers static code analysis solutions for C and C++ languages. These tools are certified to comply with coding standards and compliance mandates. And they deliver fewer false positives and false negatives.

Explore Static Analysis  Try Static Code Analyzers