Why Static Code Analysis is Important?

From last few years, Software code quality and security has went from being a “nice to have” to a necessity, and many organizations, including investment banks are making it mandatory to pass static code analysis test, penetration testing and security testing before you deploy your code in production. Static analysis tools like findbugs and fortify are getting popular every passing day and more and more companies are making fortify scan mandatory for all new development.  For those unaware of what static code analysis is, static code analysis is about analysing your source code without executing them to find potential vulnerabilities, bugs and security threats.

Static code analyser looks for patterns, defined to them as rules, which can cause those security vulnerability or other code quality problems, necessary for production quality code. But like every other technology, static analysis has it’s set of advantages and disadvantages, which is also best way to judge any technology.

Static code analyser are not a new thing, and they are here from long time, but as a senior Java developer or Team lead, you have responsibility to set-up process like automated code analysis, continuous integration, automation testing to keep your project in healthy state and promote best development practices in your team.

In my opinion, unit testing, code review and static code analysis makes a nice combo, along with continuous integration. In this article, we will learn some pros and cons of static code analysis, to let you decide, whether static analysis is important or not.

I am already convinced with pros, and we are using fortify scanning in all our projects, and have seen benefits of that, but its not all good, its also time consuming.

When your tool alert you with false positive, you start taking them lightly and then it become habit to treat everything as false positive, which eventually take away all benefits of static code analysis. You need to be discipline enough, not to fall on that trap.

Why Static Analysis is Good

There are many good reasons to use static code analysis in your project, one of them is thorough analysis of your code, without executing them. Static analysis scans ALL code. If there are vulnerabilities in the distant corners of your application, which are not even used, then also static analysis has a higher probability of finding those vulnerabilities.

Second benefit of using static code analysis is you can define your project specific rules, and they will be ensured to follow without any manual intervention. If any team member forget to follow those rules, they will be highlighted by static code analyser like fortify or findbugs.

Third major benefit of static code analysis is they can find the bug early in development cycle, which means less cost to fix them. All these advantage of static code analyser can be best utilized only if they are part of build process.

On the other hand tools like manual testing or penetration testing can only provide you limited amount of false positive than a static code analyser. Though both this and pen testing is seen as alternative of each other, they are not, instead they complement each other.

Pen testing is actually more realistic than static code analysis, because test cases are provided by user and they are more close to real world use case scenario, while static code analysis, only look for patterns, which can cause bugs.

If their is no pattern, it doesn't mean no bugs, so ideally you need to do both pen testing and static code analysis to push your application in production.

Why Static Code Analysis is good, pros and cons

Why Static Analysis is Bad

Though Static code analysis is useful, it also has few disadvantages. The biggest problem of static analysis is that they produces too many false positives. Those are warnings, which are sometime safe to ignore and not really an issue. This creates a lot of work for developers, which then taking them as low priority and eventually stop fixing them. One way to minimize false positives are tune rules they used for scanning and analysing your code. After the initial triage, you suppress false positives and create custom rules to make the scan more context specific. If you’re using HP Fortify tool, you can write a custom rule to eliminate those false positives in the future. This is actually true for any tool, you need to little bit customize it to suit your environment. Static analysis shouldn't be a one shot scan, it should be used continually throughout development and testing. Another problem with static code analysers is that they take too long to run and after some time developers never bother to run them. You can minimize this problem by making static code analysis part of your build process, and not an optional, good to do alternative. Second thing, you must review and write custom rules, so that it won't take too long to execute. Given build process need to do too many things these days e.g. clean, compile, package, static analysis, unit testing and deployment, even small time added in each step, eventually increases total build time.

That's all about Why static code analysis is important and Why should your project use a static code analyser as part of build process. Projects where security is ultimate requirement must employ static code analysis, as it's very good to find potential vulnerabilities early. Modern day static code analyser like findbugs and fortify are really good in looking source code to find coding errors and programmers mistake. Findbugs also has a eclipse plugin, so if your project is not using static analysis, you can at-least do that at your level, this will help you to write better code and become better programmer. Code quality is also improved by using this tool, but it doesn't make penetration or security testing optional. In the end, you need both static and dynamic analysis to make your project production ready.

Further Learning
SOLID Principles of Object Oriented Design
Java Fundamentals: The Java Language
Clean Code: Writing Code for Humans


Vinod Kumar Kashyap said...


SonarQube is also a great tool for code analysis


javin paul said...

@Vinod, indeed, thanks for suggesting SonarQube. Have you used it in your project?

Anonymous said...

static code analysis benefits are:
1.can get warned of anti-patterns in the code.
2. information about the source code.
3. helpful in call-graphs, and class diagrams.

Ajay Paul said...

Fortify and static is quite different. Fortify takes care of security vulnerabilities. Static analysis is more refactoring the code to be more readable both from design and scalable perspective.

Post a Comment