From False Positives to Trust: A Story of Static Code Analysis Adoption
Embedded devices are at the heart of the Internet of Things (IoT). And, Elektrobit is at the heart of embedded software development. The organization has supplied HMI technologies, navigation, electronic control units (ECU), and software for over 70 million vehicles and over 1 billion embedded devices.
With increasing customer demands for openness, connectivity, and integration, Elektrobit needed to reevaluate the safety and security of its embedded software. To ensure that its embedded software was safe, reliable, and compliant, Elektrobit decided that it needed an effective analysis solution to avoid costly recalls for products in the field.
When Elektrobit chose to adopt a new static code analysis tool, it involved a mix of technical evaluation and programmer education to choose the right tool.
Klocwork Helps Elektrobit...
Improve Software Architecture
Get Accurate Results (With Fewer False Positives)
Maintain Quality (In a Large Codebase)
The Benefit of Using Static Code Analysis
For over 25 years, Elektrobit has delivered safe and reliable products that major car manufacturers and suppliers trust. With growing systems complexity and accelerating release cycles, Elektrobit’s software engineering group needed a static code analysis solution that prevented code defects before they reached testing or the customer.
Alexander Much, head of software systems engineering at Elektrobit used his experience as a former programmer to bring static code analysis to the process improvement table. Code improvement and safety was foremost on his mind but he knew that new tools would be a hard sell to programmers.
“Defects and recalls are expensive and we can’t afford to have them. My experience has taught me that if you’re not using static code analysis nowadays, you’re not state-of-the-art. This isn’t the first time we’ve introduced static code analysis at Elektrobit and the most important thing is gaining trust of the programming teams.”
— Alexander Much, Head of Elektrobit Software Systems Engineering
Like Elektrobit’s products, adopting static code analysis in the development process was as much about the technology as it was about establishing the confidence of programmers.
The Ideal Static Code Analysis Tool
With strict software compliance requirements from automotive OEMs and a challenging code base, Elektrobit knew it had to select the right static code analysis tool that met multiple needs.
For example, programming teams had been using less sophisticated tools to identify defects. However, the number of reported issues along with the lack of information made it difficult to distinguish between a real defect and a false positive.
In addition, they also had a very large code base and multiple inputs from internal development teams, suppliers, and even open source code. Mr. Much explains, “Automotive OEMs have a clear idea of what is needed and we have to push those needs on suppliers. In the end, it’s our responsibility to make sure they comply with all the standards. The static code analysis tool simply has to handle that.”
A rigorous tools evaluation process was undertaken to measure performance against different aspects of this challenging environment: A very large code base to start with, integrating large amounts of supplied code, and avoiding past experience with large numbers of false positives. Taking an incremental approach, the evaluation team first ran a set of rules selected by the software architects and, once results were acceptable, moved on to the next set.
After a three-month evaluation, Klocwork was selected as the tool of choice.
“On 2 to 3 million lines of code, we ran Klocwork against multiple competitors. It handled the code base very well and had the ability to deal with C++ templates in a useful way. In comparison, there was also a low rate of false positives.”
— Alexander Much
Other benefits came into play as the adoption of Klocwork grew, owing to the complexities of the environment that are unique to every development team. Elektrobit worked directly with the product managers on critical issues or new features, which helped build the roadmap of Klocwork. This relationship was an important piece of the puzzle, as static code analysis was a critical component in delivering robust products.
“A static code analysis tool is not a simple tool you buy, you get a little married to it. It can only be successful if it has users that provide feedback on how it’s being used and provide ideas for improvement. The tool gets better with the amount of analyzed code bases and vice versa. Our relationship with Klocwork has been successful because we have that trust on all sides.”
— Alexander Much
How Klocwork Has Continued to Help
An unforeseen insight from using Klocwork was how SCA could improve the software architecture.
"The interplay between local and global is very important. Klocwork has a more global view on the source code rather than on the local environment, for example, a line, function, or a class. This can reveal shortcomings in the overall software architecture and provide information that is much more valuable to the overall product. If I could go back and change something, I would suggest getting the global view in the software architecture in a better shape to enable static code analysis tools to provide more precise results on the local level.”
— Alexander Much
Up and down the supplier chain, Elektrobit values trust and confidence in tools, just as their customers expect it of them, and Klocwork was a natural fit.
Develop Safe, Reliable Software
Klocwork helps organizations like Elektrobit to produce safe, reliable software. See for yourself how Klocwork will help you to do the same.