O'Reilly and Software Improvement Group conducted a survey about secure coding: https://www.oreilly.com/ideas/the-alarming-state-of-secure-coding-neglect
Much of it is as expected but I stumbled upon this tidbit:
"[Static analysis] was reported as being used by 25% of respondents. One-third of those who didn't use it said it was too expensive. The rest of the non-users were fairly evenly divided among other explanations: tools were not available for their technology, were too hard to use, had too many false positives, or were not usable in Agile development."
When developing I have almost always used compiler warnings (gcc/acc/icc/cxx/clang) and dedicated tools cppcheck/flexelint/coverity-scan/pvs-studio/clang-analyze, so the above snippet depressed me because catching errors sooner rather than later makes them much cheaper to fix. Static analysis tools can require much configuration, can be expensive and time-consuming, and I guess that for some languages such tools don't even exist. The part about static analysis tools not fitting a development process struck me as downright odd.
What is your take on this? Why aren't you using static analysis (and if you do: which one and for what?)
(Score: 0) by Anonymous Coward on Wednesday May 10 2017, @05:25AM (5 children)
Does anyone have any good free open source static analysis tools for C? I've used static analysis at work for embedded software, but the packages we used were thousands of dollars, and very proprietary.
(Score: 2) by TheRaven on Wednesday May 10 2017, @09:23AM
The clang static analyser is pretty good and is actively developed by a number of companies. The one big problem with it is the lack of a way of consistently tracking reports as the code evolves (Coverity is much better for that, and is free to use for open source projects).
The real problem with any static analysis tool is that it's very hard to adopt later on in the development process, because you'll likely have hundreds or thousands of warnings and have to go and classify them all. This even applies to new analyses from existing analysers.
I am not surprised by these results at all. I was talking to someone from Google's Android security team a year or so ago and they were very proud of adding support for _FORTIFY_SOURCE to Android. I was surprised, because when I'd looked at adding that to FreeBSD, it had seemed not worth the effort because I hadn't been able to come up with a bug that _FORTIFY_SOURCE would catch at run time and the clang static analyser wouldn't catch at compile time, so I asked if they had some examples. His reply was that they didn't use static analysis at all in their development process. For something security critical, that's completely unacceptable (in contrast, Apple runs it on everything and writes new clang analysers whenever they find a new category of bug in their code).
sudo mod me up
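The two complaints above (reports that can't be tracked as the code evolves, and the thousands of pre-existing warnings that make late adoption painful) are usually handled the same way: record a baseline, fingerprint each finding without its line number, and only gate on findings that aren't in the baseline. The script below is an added example of that, not anything posted in this thread or shipped with clang-analyzer/cppcheck. It assumes the common "path:line:col: warning: message" diagnostic format; the two analyser outputs it parses are constructed sample data.

```python
import hashlib
import re
from collections import Counter

# gcc/clang/cppcheck-style diagnostic line: "path:line[:col]: warning: message" (assumed format)
DIAG_RE = re.compile(
    r"^(?P<path>[^:\s]+):(?P<line>\d+):(?:\d+:)?\s*(?P<kind>warning|error|note):\s*(?P<msg>.*)$"
)

# Constructed sample: output of an earlier analyser run, saved as the baseline ...
BASELINE_RUN = """\
src/net.c:40:5: warning: Value stored to 'rc' is never read [deadcode.DeadStores]
src/net.c:88:12: warning: Null pointer dereference [nullPointer]
src/util.c:12:9: warning: Uninitialized variable: len [uninitvar]
"""

# ... and of today's run: net.c gained five lines above the old findings (so the
# line numbers moved), util.c's warning was fixed, and parse.c has a new one.
CURRENT_RUN = """\
src/net.c:45:5: warning: Value stored to 'rc' is never read [deadcode.DeadStores]
src/net.c:93:12: warning: Null pointer dereference [nullPointer]
src/parse.c:7:3: warning: Null pointer dereference [nullPointer]
src/parse.c:7:3: note: consider checking the return value of malloc
"""


def parse_diagnostics(text):
    """Return (path, line, message) tuples; 'note:' lines and non-diagnostics are ignored."""
    findings = []
    for raw in text.splitlines():
        m = DIAG_RE.match(raw.strip())
        if m and m.group("kind") != "note":
            findings.append((m.group("path"), int(m.group("line")), m.group("msg").strip()))
    return findings


def fingerprint(path, msg, ordinal):
    """Stable identity for a finding. The line number is deliberately left out so that
    editing unrelated code in the same file does not churn the baseline."""
    return hashlib.sha256(f"{path}\0{msg}\0{ordinal}".encode()).hexdigest()[:16]


def fingerprints(findings):
    """Map fingerprint -> finding. `ordinal` numbers repeated identical messages within one
    file (in line order) so two occurrences of the same warning get distinct fingerprints."""
    seen = Counter()
    out = {}
    for path, line, msg in sorted(findings):
        ordinal = seen[(path, msg)]
        seen[(path, msg)] += 1
        out[fingerprint(path, msg, ordinal)] = (path, line, msg)
    return out


def new_findings(current_text, baseline_text):
    """Findings present now but absent from the baseline: these fail the build."""
    cur = fingerprints(parse_diagnostics(current_text))
    base = fingerprints(parse_diagnostics(baseline_text))
    return sorted(v for k, v in cur.items() if k not in base)


def fixed_findings(current_text, baseline_text):
    """Findings in the baseline that no longer appear: candidates for pruning the baseline."""
    cur = fingerprints(parse_diagnostics(current_text))
    base = fingerprints(parse_diagnostics(baseline_text))
    return sorted(v for k, v in base.items() if k not in cur)


if __name__ == "__main__":
    new = new_findings(CURRENT_RUN, BASELINE_RUN)
    for path, line, msg in new:
        print(f"NEW   {path}:{line}: {msg}")
    for path, line, msg in fixed_findings(CURRENT_RUN, BASELINE_RUN):
        print(f"FIXED {path}:{line}: {msg}")
    # CI gate: the old warnings are tolerated, anything new is not
    raise SystemExit(1 if new else 0)
```

The trade-off in the fingerprint is deliberate: keyed on file, message and occurrence count, a finding survives line renumbering, but if the first of two identical warnings in a file is fixed, the second one inherits its slot and the report shows the other as fixed. Keying on the enclosing function name instead (which the analyser has to tell you) avoids that and is what the commercial tools tend to do.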
(Score: 1) by isj on Wednesday May 10 2017, @05:07PM
I know of:
Open source: clang-analyzer, CppCheck
Free: the 2 above, and Coverity-scan (if your source code is open source hosted on github etc)
Good: YMMV. It depends on how much time you are willing to invest, what shape the code is currently in, and which types of errors you are looking for.
(Score: 2) by bzipitidoo on Wednesday May 10 2017, @05:30PM
I made a simple C/C++ parser that checks for things such as balanced parentheses, and gives some statistics about the code. It doesn't handle #ifdef and relatives, so it is easily fooled by abuses such as 'for (;;i++) { #ifdef DEBUG printf("%d ",i) } #else } #endif' which has 1 opening brace and 2 closing braces. It found an error in the Firefox source code that the compiler missed thanks to not even looking at the code those preprocessing directives told it to skip over.
If anyone is interested, I plan to release it in a month. Yes, it'll be free.
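The #ifdef case above is exactly where a naive brace counter goes wrong: the two alternatives each close the same '{', so the file has more '}' than '{' yet is fine under any configuration. The checker below is an added example (not bzipitidoo's tool, which is not shown here) of how to count braces per preprocessor branch instead: at '#else' the depth is reset to what it was at the matching '#if', and at '#endif' every branch (including the implicit empty one when there is no '#else') must have left the depth at the same value. Braces in strings, character literals and comments are skipped; lines inside '#define's are ignored. The three C snippets are constructed inputs.

```python
# Constructed input in the shape described above: one '{', two '}', but balanced
# under both DEBUG and !DEBUG.
FIREFOX_STYLE = """\
int main(void) {
    int i;
    for (;; i++) {
#ifdef DEBUG
        printf("%d ", i); }
#else
    }
#endif
    return 0;
}
"""

# Constructed input where the two branches really do disagree: a '{' is only closed in DEBUG builds.
MISMATCHED = """\
void f(int x) {
#ifdef DEBUG
    if (x) { puts("dbg"); }
#else
    if (x) { puts("rel");
#endif
}
"""

# Constructed input with braces that must not be counted: in a string, a comment and a char literal.
LITERALS = """\
int g(void) { const char *s = "{{"; /* } */ return s[0] == '}'; }
"""


def naive_count(source):
    """What a parser that ignores the preprocessor sees: (opening, closing) brace totals."""
    return source.count("{"), source.count("}")


def strip_noncode(line, in_comment):
    """Return (code-only text, in_comment) with string/char literals and comments removed.
    `in_comment` carries the /* ... */ state across lines."""
    out, i, n = [], 0, len(line)
    while i < n:
        if in_comment:
            end = line.find("*/", i)
            if end < 0:
                break
            i, in_comment = end + 2, False
        elif line.startswith("//", i):
            break
        elif line.startswith("/*", i):
            in_comment, i = True, i + 2
        elif line[i] in "\"'":
            quote, i = line[i], i + 1
            while i < n and line[i] != quote:
                i += 2 if line[i] == "\\" else 1  # skip escaped characters such as \" or \'
            i += 1
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_comment


def check_braces(source):
    """Return (ok, problems). Brace depth is tracked per preprocessor branch, so every
    alternative of a #if must leave the depth where the others do."""
    depth, in_comment, problems, frames = 0, False, [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if not in_comment and stripped.startswith("#"):
            words = stripped[1:].split()
            directive = words[0] if words else ""
            if directive in ("if", "ifdef", "ifndef"):
                frames.append({"line": lineno, "start": depth, "ends": [], "has_else": False})
            elif directive in ("else", "elif"):
                if not frames:
                    problems.append(f"line {lineno}: #{directive} without #if")
                else:
                    frames[-1]["ends"].append(depth)           # where this branch left off
                    frames[-1]["has_else"] |= directive == "else"
                    depth = frames[-1]["start"]                 # next branch starts afresh
            elif directive == "endif":
                if not frames:
                    problems.append(f"line {lineno}: #endif without #if")
                else:
                    frame = frames.pop()
                    frame["ends"].append(depth)
                    if not frame["has_else"]:                   # no #else: "none taken" is a branch too
                        frame["ends"].append(frame["start"])
                    if len(set(frame["ends"])) > 1:
                        problems.append(f"line {lineno}: branches of #if at line {frame['line']} "
                                        f"leave brace depth at {sorted(set(frame['ends']))}")
                    depth = frame["ends"][0]
            continue  # other directives (#include, #define, ...) contribute no braces
        code, in_comment = strip_noncode(line, in_comment)
        for ch in code:
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:
                    problems.append(f"line {lineno}: unmatched '}}'")
                else:
                    depth -= 1
    for frame in frames:
        problems.append(f"line {frame['line']}: #if never terminated")
    if depth:
        problems.append(f"end of file: {depth} unclosed '{{'")
    return not problems, problems


if __name__ == "__main__":
    for name, src in (("FIREFOX_STYLE", FIREFOX_STYLE), ("MISMATCHED", MISMATCHED), ("LITERALS", LITERALS)):
        ok, problems = check_braces(src)
        print(name, "naive {/} count:", naive_count(src), "branch-aware:", "ok" if ok else problems)
```

The limitation is the usual one for anything short of a real preprocessor: it does not know which #if conditions are mutually exclusive, so a pair of '#ifdef A ... #endif' / '#ifndef A ... #endif' blocks that together close one brace is reported as an error even though it is fine. That is the point where a checker like this stops and a compiler run over every configuration has to take over.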
(Score: 1) by isj on Wednesday May 10 2017, @10:19PM (1 child)
If the cost is the issue then consider pc-lint from Gimpel. It is relatively cheap and can be configured in many ways. But it does take time to configure to your environment, and the latest release doesn't support C++11 but its upcoming version (of which I'm a beta tester) does.
(Score: 2) by hendrikboom on Wednesday May 10 2017, @11:34PM
I used that on the Amiga long ago. It was useful. It has been around for a while.