SoylentNews is people
SoylentNews
O'Reilly and Software Improvement Group conducted a survey about secure coding: https://www.oreilly.com/ideas/the-alarming-state-of-secure-coding-neglect
Much of it is as expected but I stumbled upon this tidbit:
"[Static analysis] was reported as being used by 25% of respondents. One-third of those who didn't use it said it was too expensive. The rest of the non-users were fairly evenly divided among other explanations: tools were not available for their technology, were too hard to use, had too many false positives, or were not usable in Agile development."
When developing I have almost always used compiler warnings (gcc/acc/icc/cxx/clang) and dedicated tools cppcheck/flexelint/coverity-scan/pvs-studio/clang-analyze so the above snippet depressed me because catching errors sooner rather than later makes them much cheaper to fix. Static analysis tools can require much configuration, can be expensive, and be time-consuming, and I guess that for some languages such tools don't even exist. The part about static analysis tools not fitting a development process struck me as downright odd.
What is your take on this? Why aren't you using static analysis (and if you do: which one and for what?)
(Score: 2) by bzipitidoo on Wednesday May 10 2017, @05:30PM
I made a simple C/C++ parser that checks for things such as balanced parentheses, and gives some statistics about the code. It doesn't handle #ifdef and relatives, so it is easily fooled by abuses such as 'for (;;i++) { #ifdef DEBUG printf("%d ",i) } #else } #endif' which has 1 opening brace and 2 closing braces. It found an error in the Firefox source code that the compiler missed thanks to not even looking at the code those preprocessing directives told it to skip over.
If anyone is interested, I plan to release it in a month. Yes, it'll be free.