Open Source for you

The Best Tools for Static Code Analysis


In layman's terms, 'static code analysis is a method of analysing and evaluating source code for issues without actually executing the program'. Static code analysis falls under the white box testing category, since the entire source code is available for the analysis of issues and bugs.

Static code analysis checks the source code against a set of coding rules defined by standards. Every organisation should define its own set of coding standards, which every developer should follow while building applications and programs. Static code analysis is an important part of the quality check for the source code, so these code-related standards should be set by the development and quality assurance teams together. While creating these standards, the focus should be on detecting the following types of source code issues:

■ Security related issues

■ Non-reliable coding issues

■ Coding standards violations

■ Maintainability issues

■ Code duplications

Coding guidelines that can be referred to while creating an organisation's standards are MISRA, OWASP, CWE, CERT, Pitfall, Groovyism, etc, depending on the language used.

Why is static code analysis important?

Static code analysis makes code secure, maintainable and reliable, and saves the time wasted on writing duplicated code.

If static code analysis is not carried out, we end up with smelly code, leading to loss of money and time in maintaining and testing it. Bad quality code can cost billions of dollars and take up 30-35 per cent of developers' time. So a code quality check (static code analysis) is a mandatory stage in an application's life cycle to save the money and time of all the stakeholders.

This two-part series covers static code analysis and its importance, along with SonarQube integration with the Jenkins pipeline. The first article in the series discusses the importance of static code analysis and the top five tools that can be used for it.

When do you start static code analysis?

Static code analysis should be started early in the development phase, and at least before the software testing phase. It is also an important part of continuous integration and DevOps practices. It can be integrated with the continuous integration pipeline for execution in an automated manner, so that a developer can discover issues early and resolve them before they make the code smelly.

Benefits of using static code analysis

There are multiple benefits of using static code analysis, provided you define, configure and maintain the standards.

Saves time for manual code review: Can you imagine sitting and reviewing 1000 lines of code? This will consume not only time but your patience too. Hence, it's best to check your source code automatically by using static code analysis tools. Since these tools can be configured to run the analysis from an inbuilt automation tool or framework, the code review process speeds up. You will be able to fix issues in less time because the tool points you to the exact file and line where the problem is, and shows the compliant way to correct the code. This saves a lot of development time.

Early problem identification: Issues identified early are much easier and cheaper to fix. Defects found later are always more expensive to fix.

In-depth problem identification: Testing cannot identify every coding-related issue, as it cannot cover every possible execution path. Static code analysis, on the other hand, checks the whole of your code and gives you an in-depth report of where it can cause potential problems. Testing cannot find unreachable code, but static code analysis can identify it.

Gives you high quality code: Using static code analysis in daily software development results in high quality code that complies with industry standards. In the long run, the code will be easy to maintain too.

Drawbacks of static code analysis

Static code analysis does have a few drawbacks.

Can report false positives or false negatives: Consider the code given in the example below. Here, func() is not yet executed and we know nothing about it. So, we don’t know what value of number will be returned.

As the value returned by func() in the code is undecided, the static code analysis may report an issue that may not be an issue at all (false positive), or it may not report an issue which should be reported (false negative).
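The two situations just described, unreachable code that tests cannot find and a warning the analyser cannot decide without executing the program, in a toy rule-based analyser built on Python's ast module. This is an added example, not code from the article or from any tool it lists; the SAMPLE source and the two rules are constructed for illustration.

```python
import ast

# Constructed sample input (not from the article): number comes from a call
# whose result is unknown statically, and a statement follows the return.
SAMPLE = """\
def func():
    return 4

def compute(total):
    number = func()
    return total / number
    print("never runs")
"""

def find_unreachable(source):
    """Line numbers of the first statement after a return/raise/break/
    continue in the same block: the dead code the article says tests miss."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        body = getattr(node, "body", None)
        if not isinstance(body, list):
            continue
        for i, stmt in enumerate(body[:-1]):
            if isinstance(stmt, (ast.Return, ast.Raise, ast.Break, ast.Continue)):
                hits.append(body[i + 1].lineno)
                break
    return sorted(hits)

def find_unknown_divisors(source):
    """Line numbers of divisions whose divisor was assigned from a call; the
    analyser cannot see the call's result, so warning risks a false positive
    and staying silent risks a false negative."""
    tree = ast.parse(source)
    from_call = {
        target.id
        for node in ast.walk(tree)
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
        for target in node.targets
        if isinstance(target, ast.Name)
    }
    return sorted(
        node.lineno
        for node in ast.walk(tree)
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Div)
        and isinstance(node.right, ast.Name) and node.right.id in from_call
    )

if __name__ == "__main__":
    print("unreachable statement at lines:", find_unreachable(SAMPLE))
    print("possible zero divisor at lines:", find_unknown_divisors(SAMPLE))
```

Running the sample shows that func() returns 4, so the line 6 warning is a false positive that only execution, not analysis, could rule out; with a different func() the same warning would be a genuine finding.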

Sometimes rules are not enforced statically: While setting standards, some rules may be taken from different sources, such as the CERT, MISRA and OWASP standards, and these may not necessarily be applicable to all your code.

Developer's intentions are not understood: As static code analysis works on rule sets and standards, it cannot determine what a function is expected to do, and that expectation may not match some of the rules defined in the standards. This means it cannot tell that a function, while compliant with the standards, fundamentally does not do what is expected of it.

Here’s a quick look at the best static code analysis tools available in the market.

Static code analysis tools that support multiple languages

There are many tools available in the market to detect issues related to code. Some analyse multiple languages and others analyse a single language. Here we focus on the top five static code analysis tools that analyse multiple languages.

SonarQube

SonarQube is the most widely used open source, web-based static analysis tool for continuously inspecting the quality and security of the entire code base, as well as guiding development teams to solve these issues quickly during code reviews. SonarQube finds different types of issues: vulnerabilities, bugs and code smells. It also keeps track of duplications, unit test results and code coverage in a single dashboard. SonarQube is mainly used for automated static code analysis with continuous integration. It can be integrated with multiple tools, including different IDEs, Jenkins, Azure DevOps, and many more.

What makes SonarQube different is that it provides quality metrics about the code, which help the developer take the right decision. It translates these otherwise nondescript values into real business values such as risk, code coverage and technical debt.

Languages supported: 27 programming languages, which are ABAP, Apex, C, C#, C++, CSS, COBOL, Flex, Go, HTML, Java (Java SE, Java EE, JSP), JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, Ruby, Swift, Scala, TypeScript, TSQL, VB.NET, Visual Basic 6, XML

Features:

■ Multi-language support

■ Security, maintainability and reliability analysis

■ Quality gate checks

■ Dashboards and portfolios for audit purpose

■ Integrates with IDEs and continuous integration servers (Jenkins, Azure DevOps, and many more)

■ Good community support

Limitations:

■ Supports only a few IDEs

■ No support for multi-target platform builds

Pricing: Community edition is free and open source. Licensed versions are available.

Codacy

Codacy is a static code analysis tool that allows a programmer to tackle technical debt and improve code quality. It automatically analyses code quality on every commit and pull request. It maintains the code by blocking pull requests, which ultimately saves time in code review. It checks code quality and keeps track of your technical debt for more than 30 programming languages. It can be integrated within your development workflow seamlessly. You can enforce your code quality standards, enforce high-security practices, and save time in code review.

Languages supported: 30+ languages including Elixir, Go, Java (Java EE, Java SE, JSP), JavaScript, JSON, Kotlin, Python, Ruby, Scala, Swift, TypeScript, and more

Features:

■ Code review automation

■ Easy integration with the development workflow

■ Tackles technical debt by knowing insights

■ Prevents security related issues

■ Sets up code quality standards

Limitations:

■ No good authentication and authorisation in the server

■ Does not have integration with continuous integration automation tools

■ Not widely used as it is a small community

Pricing: There is a free open source plan available. A PRO/self-hosted version is available at a price point of US$ 15 per month.

Veracode

Veracode analyses only security issues and is delivered on the SaaS model. It analyses binary code/bytecode, ensuring 100 per cent test coverage. It is considered one of the best tools if you want to write secure code and avoid any security loopholes or flaws in it.

This tool performs code analysis through IDE scans, pipeline scans and policy scans, and generates reports of the code for quality assessment inspections.

Languages supported: Java (Java SE, Java EE, JSP), .NET (C#, ASP.NET, VB.NET), JavaScript (including AngularJS, Node.js, and jQuery), Scala, Python, PHP, Ruby on Rails, ColdFusion, Swift, C/C++, COBOL, Visual Basic 6, RPG, and many more

Features:

■ Single platform to manage application security

■ IDE scan, quick results in the pipeline

■ Governance dashboard available for reporting

■ Covers security standards

Limitations:

■ Creation of customised rule set is not possible

■ UI is not so user-friendly

Pricing: Pricing of the licence is based on the size of the project. To get a pricing quote you need to submit the form on the Veracode official website.

DeepScan

DeepScan is a leading-edge static analysis tool which performs semantic code analysis beyond what Lint does. It is used to check for possible runtime errors and quality issues rather than coding conventions. It helps to detect issues like inconsistent null checks, implicit type conversion, assignment of the same value, and unreachable code. DeepScan can be integrated with your GitHub repositories to get quality insights into your GitHub project. It is very efficient because its analysis speed is very fast (about 7000 lines/sec).

Languages supported: JavaScript, TypeScript, React, and Vue.js

Features:

■ Bug tracking

■ Dashboards available for audit report generation

■ Quality check grades (‘Poor’, ‘Normal’, and ‘Good’)

■ Precise detection of issues (lower false alarm rate)

■ Collaboration

■ Support for continuous integratio­n

Limitations: Limited language support

Pricing: Free for open source projects. Paid plans start from US$ 7-8 per seat/month.

DeepSource

DeepSource helps to identify and fix bug risks, anti-patterns, performance related issues, and security related flaws on every commit and pull request. It has good integration with the GitHub, GitLab and Bitbucket ALM tools.

Languages supported: Supports Python, Go, Ruby, JavaScript, Terraform, Dockerfile, SQL and more

Features:

■ Continuous analysis

■ Team collaboration

■ Single file configuration: DeepSource is enabled by adding a .deepsource.toml configuration file to your repository

■ Tracks code metrics

■ Blocks pull requests by category of issues

Limitation­s: No support for PHP

Pricing: Free version available with limited functionality. Paid versions with more functionality are available for large teams.

In the second article of this two-part series, we will discuss using SonarQube for static code analysis, because it is available for multiple languages, is open source, has IDE integration and can be used with continuous integration (CI) pipelines in Jenkins, Azure DevOps and other CI tools. We will also explore SonarQube integration with the Jenkins pipeline.

