Stories
Slash Boxes
Comments

SoylentNews is people

No Static Analysis

posted by martyb on Wednesday May 10 2017, @04:18AM   Printer-friendly
from the better-get-moving dept.

isj writes:

O'Reilly and Software Improvement Group conducted a survey about secure coding: https://www.oreilly.com/ideas/the-alarming-state-of-secure-coding-neglect
Much of it is as expected but I stumbled upon this tidbit:

"[Static analysis] was reported as being used by 25% of respondents. One-third of those who didn't use it said it was too expensive. The rest of the non-users were fairly evenly divided among other explanations: tools were not available for their technology, were too hard to use, had too many false positives, or were not usable in Agile development."

When developing I have almost always used compiler warnings (gcc/acc/icc/cxx/clang) and dedicated tools cppcheck/flexelint/coverity-scan/pvs-studio/clang-analyze so the above snippet depressed me because catching errors sooner rather than later makes them much cheaper to fix. Static analysis tools can require much configuration, can be expensive, and be time-consuming, and I guess that for some languages such tools don't even exist. The part about static analysis tools not fitting a development process struck me as downright odd.

What is your take on this? Why aren't you using static analysis (and if you do: which one and for what?)

Original Submission

 
This discussion has been archived. No new comments can be posted.
No Static Analysis | Log In/Create an Account | Top | 32 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by TheRaven on Wednesday May 10 2017, @09:18AM (4 children)

    by TheRaven (270) on Wednesday May 10 2017, @09:18AM (#507442) Journal
    -Wextra will let you avoid that. It enables every warning, including the silly ones. You can then explicitly disable the ones that you don't want with -Wno-{whatever}.
    --
    sudo mod me up
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 3, Informative) by mth on Wednesday May 10 2017, @10:22AM (2 children)

    by mth (2848) on Wednesday May 10 2017, @10:22AM (#507454) Homepage

    -Wextra does not enable every warning. The GCC man page reads:

    Note that some warning flags are not implied by -Wall. Some of them warn about constructions that users generally do not consider questionable, but which occasionally you might wish to check for; others warn about constructions that are necessary or hard to avoid in some cases, and there is no simple way to modify the code to suppress the warning. Some of them are enabled by -Wextra but many of them must be enabled individually.

    It does enable a useful set of warnings, in my opinion, so "-Wall -Wextra" is a good starting point for most projects.

    • (Score: 2) by TheRaven on Wednesday May 10 2017, @11:28AM (1 child)

      by TheRaven (270) on Wednesday May 10 2017, @11:28AM (#507467) Journal
      Sorry, -Weverything is the one I was thinking about. Not sure if GCC supports it - I haven't used it for a while.
      --
      sudo mod me up

      • (Score: 0) by Anonymous Coward on Wednesday May 10 2017, @05:05PM

        by Anonymous Coward on Wednesday May 10 2017, @05:05PM (#507638)

        That is clang only and enables all warnings and other things. In fact, it enables so much, that the original idea was that it was only really useful in the development of clang itself; that is, when they run clang against their test suite.

  • (Score: 2) by coolgopher on Wednesday May 10 2017, @12:23PM

    by coolgopher (1157) Subscriber Badge on Wednesday May 10 2017, @12:23PM (#507493)

    Nope, it does not. It enables *some* extra warnings, but not all. See https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html [gnu.org] for details. Things like -Wundef, -Wshadow, -Wfloat-equal and -Wpointer-arith need to be explicitly enabled.