November 28, 2018

Static Code Analysis Explained

Static Analysis

Knowing how static code analysis works helps you to more easily improve quality and comply with coding standards — without sacrificing speed. Here we explain how static code analysis works.


Static Analysis in Software Testing

Static analysis plays a key role before software testing begins. It makes sure the code that you pass on to testing is the highest quality possible. And, if you choose the right static analyzer, it speeds up the development process.

What Static Analysis Can Find

Static analysis finds potential quality issues in your code before you run your program.

This includes:

  • Programming errors
  • Coding standard violations
  • Security weaknesses

Static analyzers are particularly good at finding code-level defects such as buffer overflows, memory leaks, and null pointer dereferences.
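The three defect classes named above, as an added illustration that is not part of the original post and not output from Helix QAC or Klocwork. Each defective function is paired with a corrected one; the defective versions are compiled but never called, and the comments mark the line a checker would report. All function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Defective versions: what a static analyzer flags without running the code --- */

/* Buffer overflow: buf holds 8 bytes, but strcpy copies however many
 * bytes the caller supplies. Reported as a possible out-of-bounds write. */
void copy_name_unsafe(const char *name)
{
    char buf[8];
    strcpy(buf, name);              /* flagged: unbounded copy into buf[8] */
    printf("%s\n", buf);
}

/* Memory leak: the early-return path drops the only pointer to p. */
int parse_unsafe(const char *text)
{
    char *p = malloc(strlen(text) + 1);
    if (p == NULL) return -1;
    strcpy(p, text);
    if (p[0] == '#')
        return 0;                   /* flagged: p is never freed on this path */
    free(p);
    return 1;
}

/* Null pointer dereference: fopen may return NULL, yet f is used unconditionally. */
long file_size_unsafe(const char *path)
{
    FILE *f = fopen(path, "rb");
    fseek(f, 0, SEEK_END);          /* flagged: f may be NULL here */
    long n = ftell(f);
    fclose(f);
    return n;
}

/* --- Corrected versions (these are the ones the tests exercise) --- */

/* Bounded copy: refuses input that would not fit, including its terminator. */
int copy_name_safe(char *dst, size_t dst_len, const char *name)
{
    size_t n = strlen(name);
    if (dst_len == 0 || n >= dst_len)
        return -1;                  /* report an error instead of overflowing */
    memcpy(dst, name, n + 1);
    return 0;
}

/* Wrapper with a local 8-byte buffer, mirroring the defective version's layout. */
int copy_fits(const char *name)
{
    char buf[8];
    return copy_name_safe(buf, sizeof buf, name);
}

/* Single exit point: p is freed on every path that allocated it. */
int parse_safe(const char *text)
{
    size_t len = strlen(text) + 1;
    char *p = malloc(len);
    int result;
    if (p == NULL) return -1;
    memcpy(p, text, len);
    result = (p[0] == '#') ? 0 : 1;
    free(p);
    return result;
}

/* Null checked before use; fseek failure is also handled. */
long file_size_safe(const char *path)
{
    FILE *f = fopen(path, "rb");
    long n;
    if (f == NULL) return -1;       /* the check the unsafe version lacks */
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    n = ftell(f);
    fclose(f);
    return n;
}
```

Note that each fix removes the whole class of report rather than silencing it: the bounded copy is rejected rather than truncated, allocation and release sit on one path, and the file handle is validated before any call that dereferences it.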

And static analysis educates developers on best coding practices, which helps you improve quality over the long-term.

What Cannot Be Identified in Static Analysis

There are things that static analysis can’t identify. For instance, static analysis can’t detect whether software requirements have been fulfilled or how a function will actually behave at runtime. You’ll need dynamic testing for that.

That’s why static analysis and dynamic testing are complementary. Static analysis detects bugs in code early on. This ensures a higher-quality product reaches the testing phase. And it accelerates development by making the testing process more efficient.


Static Code Analysis Explained

Here’s how static code analysis works.

1. Write the Code

Your first step is to write the code.

2. Run a Static Code Analyzer

Next, run a static code analyzer over your code. It will check your code against predefined coding rules. These might be from a coding standard. Or they might be in-house coding rules that your team has developed.

3. Review the Results

The static code analyzer will identify code that doesn’t comply with the coding rules. You can then review the results. There may be false positives to dismiss. And there will be some issues that are more important to fix than others. Some tools, such as Helix QAC and Klocwork, will prioritize the violations for you.

4. Fix What Needs to Be Fixed

Next, you fix the issues that need to be fixed. Start with the most critical fixes. And go down the list from there.

5. Move On to Testing

Once you’ve resolved issues in the code, it can move on to the next phase of development. And you can begin the process over again.


Static Analysis Examples

For their ability to deliver the most accurate and precise results across a variety of industries, Helix QAC and Klocwork have been trusted static code analysis tools for over 30 years. They help you find defects in your code with greater accuracy than other tools. You can analyze and fix your code on demand throughout your day. And using Helix QAC or Klocwork is the best way to ensure your code complies with ISO standards.

Here’s an example of static analysis.

Select a Coding Standard (If Applicable)

You can add a compliance module to either Helix QAC or Klocwork to easily comply with a coding standard. Some popular examples are MISRA, AUTOSAR, and CERT. Or you might use your own in-house coding rules.


Create Your Project

Before you can run an analysis, you’ll need to create a new project. This is where you’ll select a programming language (C, C++, C#, Java, or JavaScript).

You’ll then:

  1. Configure your project settings to match the settings of your compiler. This ensures that your analysis can run smoothly and accurately. Helix QAC and Klocwork can optimize for different compilers, too.
  2. Synchronize your project. This tells the static analyzer which source and header files to analyze.

Analyze Your Project

You can begin analyzing your project as you build it — or afterward. And it can be done with a script, command, or click of a button.

Helix QAC and Klocwork also integrate with Microsoft Visual Studio and Eclipse. So, you can analyze your files without leaving your IDE.

Review Violations

You’ll see files and folders associated with your project. When you select a file, you’ll see the analysis. If a line of code has a bubble next to it, it means that line of code has a diagnostic on it. You can click the bubble to see what the violation is.

You can also use a diagnostic window to filter the results. Simply click a diagnostic to see where the violation occurs in your code.

Filter by Severity

Depending on the nature of your code, you might get hundreds or even thousands of diagnostics. You can use a severity filter to prioritize the issues you need to work on. The severity levels are customizable to your team.

You can also filter the diagnostics by rule. This is helpful when particular rules are more critical to your product than others.

Suppress Violations You Won’t Fix

If you find a diagnostic or type of diagnostic that you’re not going to fix, you can suppress it. You can configure the scope of a suppression to fit your needs. You can also add deviation tags. These are used to document why you’re suppressing that diagnostic. This is important for compliance.

It’s difficult to fully comply without suppressing some rules or diagnostics. Everyone usually needs to suppress some rules, especially when it comes to legacy code.
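The review, filter-by-severity, filter-by-rule and suppress-with-deviation-tag steps described above, as an added example that is not part of the original post and does not use Helix QAC's or Klocwork's real output or suppression formats. The diagnostics, rule ids (RULE-00xx), deviation id (DEV-001), file names and the 1-to-9 severity scale are all constructed placeholders; a real tool would populate the same fields from its own report.

```c
#include <stdio.h>
#include <string.h>

/* One diagnostic in a generic shape (constructed; not a real tool's format). */
typedef struct {
    const char *file;
    int line;
    int severity;       /* 1 (advisory) .. 9 (critical): an assumed, team-defined scale */
    const char *rule;   /* placeholder rule id */
    const char *message;
} Diagnostic;

/* A suppression always carries a deviation tag explaining why it will not be fixed. */
typedef struct {
    const char *rule;
    const char *file;   /* NULL widens the scope to the whole project */
    const char *deviation;
} Suppression;

/* Constructed sample report. */
static const Diagnostic DIAGS[] = {
    {"src/parser.c", 42, 9, "RULE-0001", "possible null pointer dereference"},
    {"src/parser.c", 88, 7, "RULE-0002", "memory allocated at line 80 is not freed"},
    {"src/legacy.c", 10, 3, "RULE-0005", "identifier shadows an outer declaration"},
    {"src/legacy.c", 15, 3, "RULE-0005", "identifier shadows an outer declaration"},
    {"src/io.c",     23, 8, "RULE-0003", "unbounded copy into fixed-size buffer"},
    {"src/io.c",     57, 2, "RULE-0007", "magic number used in expression"},
};
#define NDIAGS (sizeof DIAGS / sizeof DIAGS[0])

/* Constructed suppression scoped to the legacy module only. */
static const Suppression SUPPRESSIONS[] = {
    {"RULE-0005", "src/legacy.c",
     "DEV-001: legacy module scheduled for rewrite; shadowing reviewed, no behavioural impact"},
};
#define NSUPP (sizeof SUPPRESSIONS / sizeof SUPPRESSIONS[0])

static int is_suppressed(const Diagnostic *d, const char **reason)
{
    for (size_t i = 0; i < NSUPP; i++) {
        const Suppression *s = &SUPPRESSIONS[i];
        if (strcmp(s->rule, d->rule) != 0) continue;
        if (s->file != NULL && strcmp(s->file, d->file) != 0) continue;
        if (reason) *reason = s->deviation;
        return 1;
    }
    return 0;
}

/* Fills out[] with open diagnostics at or above min_severity (optionally one rule),
 * most urgent first, and returns how many were kept. Suppressed ones are counted
 * in *suppressed regardless of severity, so they stay visible to an auditor. */
size_t triage(int min_severity, const char *rule,
              const Diagnostic **out, size_t max_out, size_t *suppressed)
{
    size_t n = 0;
    if (suppressed) *suppressed = 0;
    for (size_t i = 0; i < NDIAGS; i++) {
        const Diagnostic *d = &DIAGS[i];
        if (rule != NULL && strcmp(rule, d->rule) != 0) continue;
        if (is_suppressed(d, NULL)) { if (suppressed) (*suppressed)++; continue; }
        if (d->severity < min_severity || n >= max_out) continue;
        size_t j = n;                          /* insertion sort by severity, descending */
        while (j > 0 && out[j - 1]->severity < d->severity) { out[j] = out[j - 1]; j--; }
        out[j] = d;
        n++;
    }
    return n;
}

/* Small wrappers so results can be checked without handling the array. */
size_t open_count(int min_severity, const char *rule)
{
    const Diagnostic *out[NDIAGS];
    return triage(min_severity, rule, out, NDIAGS, NULL);
}

size_t suppressed_count(const char *rule)
{
    const Diagnostic *out[NDIAGS];
    size_t s;
    triage(1, rule, out, NDIAGS, &s);
    return s;
}

int most_urgent_line(int min_severity)
{
    const Diagnostic *out[NDIAGS];
    size_t n = triage(min_severity, NULL, out, NDIAGS, NULL);
    return n ? out[0]->line : -1;
}

int main(void)
{
    const Diagnostic *out[NDIAGS];
    size_t suppressed;
    size_t n = triage(7, NULL, out, NDIAGS, &suppressed);   /* "fix critical first" view */
    for (size_t i = 0; i < n; i++)
        printf("[sev %d] %s:%d %s (%s)\n", out[i]->severity, out[i]->file,
               out[i]->line, out[i]->message, out[i]->rule);
    printf("%zu open at severity >= 7, %zu suppressed under a deviation\n", n, suppressed);
    return 0;
}
```

Two design points matter for compliance: a suppression is keyed to a rule and a scope (one file here) rather than applied globally, and suppressed findings are still counted and printed with their deviation text, so the record of what was deliberately not fixed survives the triage rather than disappearing from the report.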

Edit Your Code

You can choose to edit your code right in the static analyzer or in your IDE. Simply fix the code, save the file, and then re-analyze your file. If the diagnostics go away, the issues have been fixed.

Review Code Metrics

You can also use the web dashboard for either Helix QAC or Klocwork to examine code metrics. For instance, you can look at the metric history for cyclomatic complexity. This will tell you how the complexity of your code has changed over time. Overly complex code is difficult to maintain.


Try Helix QAC or Klocwork for Static Code Analysis

See for yourself why Helix QAC and Klocwork have been trusted for over 30 years. Request a trial to see how Helix QAC and Klocwork will help you analyze your code.
