Slashdot Mirror


User: Gwyn+Fisher

Gwyn+Fisher's activity in the archive.

Stories: 0
Comments: 3
First seen:
Last seen:

Comments · 3

  1. Klocwork static analysis suite on Static Code Analysis Tools? · · Score: 1

    Shameless commercial plug here... I'm the CTO of Klocwork (www.klocwork.com), a vendor of source code analysis tools. We provide security vulnerability and implementation defect checking for C, C++ and Java. In addition, as others on this thread have stated, you're going to want to look at refactoring, architectural analysis, rule tuning, metrics, trends, all the usual stuff and all of which we supply as part of our enterprise suite of products. Check your supplier list carefully as all of the companies in this space offer different subsets of the whole. There's a decent page on Wikipedia on static analysis that mentions the prevalent tools in this space, including our major competitors. Last point: be careful to try before you buy (whether "buy" involves money or not), as all tools are not created equal.

  2. Re:Misses the point on PMD Applied · · Score: 1

    What about large-scale systemic problems that can't easily be gathered for a "round-the-table" walk-through? Security vulnerabilities are the obvious candidates there -- some level of review is obviously tractable (the "hey, you're slapping that user-supplied string straight into a SQL statement there, bad lad!" kind of thing), but the more pernicious and less obvious candidates (e.g. malformed tracer packets being propagated through system services), I would say, require the formalism that a static analysis tool brings to bear.
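The "user-supplied string straight into a SQL statement" case the comment mentions is exactly the kind of mechanical check a static analyzer does without anyone having to spot it around a table. The following is an added example, not code from the commenter or from Klocwork: a tiny AST-based checker that flags calls to assumed sink methods (`execute`, `executemany`) whose first argument is a string assembled at runtime, either inline or via a simple variable assigned earlier. The sink names and both sample snippets are constructed for this example.

```python
import ast

# Method names treated as SQL sinks (an assumption for this example; a real
# tool would model specific database APIs).
SQL_SINKS = {"execute", "executemany"}


def _builds_string(node):
    """True if the expression assembles a string at runtime: +, %, .format(), f-string."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_dynamic_sql(source):
    """Return sorted (line, message) pairs for sink calls fed a dynamically built string."""
    tree = ast.parse(source)

    # Pass 1: remember simple `name = <built string>` assignments and their line.
    built_names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _builds_string(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    built_names[target.id] = node.lineno

    # Pass 2: flag sink calls whose first argument is built inline or via a flagged name.
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SQL_SINKS and node.args):
            continue
        arg = node.args[0]
        if _builds_string(arg):
            findings.append((node.lineno, "SQL string assembled inline in call"))
        elif isinstance(arg, ast.Name) and arg.id in built_names:
            findings.append((node.lineno,
                             f"SQL string '{arg.id}' assembled at line {built_names[arg.id]}"))
    return sorted(findings)


# Constructed sample: three different ways of gluing user input into SQL.
# Line 1 of the parsed source is the blank line after the opening quotes.
VULNERABLE_SAMPLE = '''
def lookup(cur, user):
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cur.execute(query)
    cur.execute(f"DELETE FROM sessions WHERE user = '{user}'")
    cur.execute("SELECT 1 FROM audit WHERE who = '%s'" % user)
'''

# Constructed sample: the parameterised form the checker should leave alone.
SAFE_SAMPLE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    for line, msg in find_dynamic_sql(VULNERABLE_SAMPLE):
        print(f"line {line}: {msg}")
    print("safe sample findings:", find_dynamic_sql(SAFE_SAMPLE))
```

The checker is deliberately flow-insensitive: it does not notice a variable being reassigned to a constant before the call, and it only follows one hop of assignment. That is the gap a commercial analyzer fills with real dataflow, but even this much catches every case in the vulnerable sample and stays silent on the parameterised one, which is the point of pushing such checks into the tool rather than the review meeting.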

  3. Re:Static Analyzer Run != Code Review on PMD Applied · · Score: 1

    I think perhaps you missed my other point: Code review is not a substitute for running a static analyzer.

    Static analysis is a Good Thing.

    Peer review is a Good Thing.

    Nice summary. Static analysis tools have a firm place in a well-planned development cycle, and that place is on the developer's desktop, while they're coding. Applying static analysis as a "last thing before ship" stage is a recipe for failure.

    So, apply static analysis while coding and get all the advantages that it brings in terms of defect and vulnerability location. Then apply code review as a "bigger picture" walk-through of logic, semantics and overall purpose. It stops the code review from turning into a long whine session on "why do I have to tell you people not to do 'x' every time we meet?" and gets it to focus on what it's actually for. (disclaimer: I work for a static analysis company, although I am not involved with PMD).