Stories
Slash Boxes
Comments

SoylentNews is people

No Static Analysis

posted by martyb on Wednesday May 10 2017, @04:18AM   Printer-friendly
from the better-get-moving dept.

isj writes:

O'Reilly and Software Improvement Group conducted a survey about secure coding: https://www.oreilly.com/ideas/the-alarming-state-of-secure-coding-neglect
Much of it is as expected but I stumbled upon this tidbit:

"[Static analysis] was reported as being used by 25% of respondents. One-third of those who didn't use it said it was too expensive. The rest of the non-users were fairly evenly divided among other explanations: tools were not available for their technology, were too hard to use, had too many false positives, or were not usable in Agile development."

When developing I have almost always used compiler warnings (gcc/acc/icc/cxx/clang) and dedicated tools cppcheck/flexelint/coverity-scan/pvs-studio/clang-analyze so the above snippet depressed me because catching errors sooner rather than later makes them much cheaper to fix. Static analysis tools can require much configuration, can be expensive, and be time-consuming, and I guess that for some languages such tools don't even exist. The part about static analysis tools not fitting a development process struck me as downright odd.

What is your take on this? Why aren't you using static analysis (and if you do: which one and for what?)

Original Submission

 
This discussion has been archived. No new comments can be posted.
No Static Analysis | Log In/Create an Account | Top | 32 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 10 2017, @05:21PM (3 children)

    by Anonymous Coward on Wednesday May 10 2017, @05:21PM (#507645)

    I think most people don't realize they are doing different jobs. Static analyzers are specifically designed to find errors or maybe-errors. Compilers are designed to turn one language into another. Why should my compiler complain about the construct (if A || B || A) or when the then and else clause do the same thing? Those are both examples of perfectly valid code. While it is true that the examples both stink to high heaven, they aren't necessarily bad. However, errors like "comparison between signed and unsigned integer expressions" or "'InsertNameHere' undeclared (first use this function)" can, and should, be caught by the compiler. In fact, I firmly believe that some errors shouldn't be detected by static analysis at all and only be spit out by the compiler.

    Starting Score:    0  points
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Total Score:   1  

  • (Score: 2) by hendrikboom on Wednesday May 10 2017, @11:39PM (1 child)

    by hendrikboom (1125) on Wednesday May 10 2017, @11:39PM (#507811) Homepage Journal

    Said code that stinks to high heaven could very well be generated by any kind of automated code synthesis,

    • (Score: 2) by Pino P on Thursday May 11 2017, @11:58AM

      by Pino P (4721) on Thursday May 11 2017, @11:58AM (#508039) Journal

      Then the source code is the input to the code synthesis, not its output.

  • (Score: 0) by Anonymous Coward on Thursday May 11 2017, @06:32AM

    by Anonymous Coward on Thursday May 11 2017, @06:32AM (#507958)

    I firmly believe that some errors shouldn't be detected by static analysis at all and only be spit out by the compiler.

    I firmly believe there are also interpreted languages!

    /snipe