posted by martyb on Wednesday May 10 2017, @04:18AM
from the better-get-moving dept.

O'Reilly and Software Improvement Group conducted a survey about secure coding: https://www.oreilly.com/ideas/the-alarming-state-of-secure-coding-neglect
Much of it is as expected, but I stumbled upon this tidbit:

"[Static analysis] was reported as being used by 25% of respondents. One-third of those who didn't use it said it was too expensive. The rest of the non-users were fairly evenly divided among other explanations: tools were not available for their technology, were too hard to use, had too many false positives, or were not usable in Agile development."

When developing, I have almost always used compiler warnings (gcc/acc/icc/cxx/clang) and dedicated tools (cppcheck/flexelint/coverity-scan/pvs-studio/clang-analyze), so the above snippet depressed me, because catching errors sooner rather than later makes them much cheaper to fix. Static analysis tools can require much configuration, can be expensive and time-consuming, and I guess that for some languages such tools don't even exist. The part about static analysis tools not fitting a development process struck me as downright odd.

What is your take on this? Why aren't you using static analysis (and if you do: which one and for what?)

  • (Score: 2) by mth (2848) on Wednesday May 10 2017, @11:06AM

    Back when I did a lot of Java work, PMD [github.io] was a tool I used a lot. It's open source, found about as many issues as commercial tools did, didn't flag too many false positives, and was easy to include in automated builds. And you can even specify your own patterns, if you have project-specific issues you want to scan for.

    Bundled with PMD but a separate tool is CPD, the copy-paste-detector. It doesn't only find literal copy-pasted code, but also code that is mostly the same with small changes; you can configure how fuzzy the matching should be. This tool is particularly useful if you've inherited a code base and are trying to improve it. It supports many other languages besides Java.

    For Python, I use Pylint [pylint.org]. Since Python is a very dynamic language (no static typing or static anything, really), static analysis is difficult, but Pylint does a reasonable job at finding issues beyond style violations. It does require configuration and annotations (specially formatted comments) to make it useful. Besides a full project check, you can also run it on a single module at a time, which is useful if you want to do a quick sanity check of new code before you start a test run.

    For C/C++, enabling more than the default compiler warnings and compiling with multiple compilers will catch a lot of issues. I've also used clang-analyze and cppcheck, and while they are useful additions, they didn't catch as many issues as I hoped they would.

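One way to wire what mth describes for C (more than the default warnings, more than one compiler, then cppcheck and clang's analyzer) into a build step, as an added example that is not from the post or from any of the tools' own documentation. The sample file and its two defects are constructed for the demo, and any tool that is not installed is skipped rather than failing the run:

```shell
#!/bin/sh
# Added example (not from the post): run gcc and clang with extra warnings, then
# cppcheck and clang's analyzer, over one C file, skipping tools that are absent.
# sample.c is constructed for the demo; the tool names and flags are real.

WORK="${TMPDIR:-/tmp}/sa_demo.$$"
# write_sample: create a constructed C file with two defects that extra
# warnings should catch (an unused variable and %d applied to a char*).
write_sample() {
    mkdir -p "$WORK"
    cat > "$WORK/sample.c" <<'EOF'
#include <stdio.h>
int main(void) {
    char buf[8] = "abc";
    int unused = 1;        /* never read: -Wall's -Wunused-variable */
    printf("%d\n", buf);   /* wrong conversion for a char*: -Wformat */
    return 0;
}
EOF
    printf '%s\n' "$WORK/sample.c"
}

# run_tool NAME FILE CMD...: run CMD FILE if NAME is installed and print 1 if
# it wrote any diagnostics to stderr, 0 if it stayed silent, "skip" if absent.
run_tool() {
    name=$1; file=$2; shift 2
    command -v "$name" >/dev/null 2>&1 || { echo skip; return 0; }
    out=$("$@" "$file" 2>&1 >/dev/null) || true   # non-zero exit on findings is expected
    if [ -n "$out" ]; then echo 1; else echo 0; fi
}

# check_all FILE: run the whole battery from the file's directory (clang
# --analyze drops a .plist there) and print one line per tool plus "hits=N",
# the number of tools that reported something; a build can fail when N > 0.
check_all() (
    cd "$(dirname "$1")" || exit 1
    f=$(basename "$1"); hits=0
    for name in gcc clang cppcheck clang-analyze; do
        case $name in
            gcc)           r=$(run_tool gcc "$f" gcc -Wall -Wextra -fsyntax-only) ;;
            clang)         r=$(run_tool clang "$f" clang -Wall -Wextra -fsyntax-only) ;;
            cppcheck)      r=$(run_tool cppcheck "$f" cppcheck --quiet --enable=warning) ;;
            clang-analyze) r=$(run_tool clang "$f" clang --analyze) ;;
        esac
        echo "$name: $r"
        if [ "$r" = 1 ]; then hits=$((hits + 1)); fi
    done
    echo "hits=$hits"
)
```

In a build, call write_sample (or point check_all at the real source) and fail the job whenever the last line is anything other than hits=0.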