SlideShare une entreprise Scribd logo
1  sur  13
Télécharger pour lire hors ligne
Finding Defects in C#
Selecting the Right Solution
Key Considerations
•
•
•
•
•
•

Does it find critical defects?
What is the false positive rate?
Is it actionable?

Is it accurate?
Is it integrated to my workflow?
How do I manage persistency
Varying Levels of Static Analysis Exist
• Compiler warnings: verifies a program is type safe
• Byte code analysis: identifies defects in the intermediate
language and tries to map it back to the source code

• Source code analysis: understanding the meaning and

intention of the program – produces the most accurate
results
Source vs. Byte Code Analysis (Example)
Indentations Don’t Match Boundaries:

if (x == 0)
do_something(x);
x = 1;
• Source code analysis solution can infer the developer’s intent:
“x=1” to happen in the same block as “do_something” call
• Developer is warned because “x==0” block does not actually include
both statements
Coverity and FxCop Case Study
Complementary Solutions
Coverity Makes FxCop Enterprise-Grade
Stand-alone FxCop is good; FxCop + Coverity is better

Analysis

• Find more critical defects
• Improve accuracy of FxCop analysis

Efficiency

• Manage all quality and security issues in
one workflow
• Improved defect management

Governance

• Improve visibility into quality and
security trends over time and across the
supply chain
Case Study
• Analysis of paint.net project (formerly open source)
• Version 3.22
• 100K lines of code

• Analysis done using
• Coverity 7.0
• Microsoft Visual Studio 2013/FxCop 12.0

• Coverity and FxCop look for different things
• Coverity Static Analysis looks for code defects using:
• Bug Pattern Matching, Sophisticated Inter-procedural Dataflow

Analysis, Abstract Interpretation, False Path Pruning, Boolean
Satisfiability, Design Pattern Intelligence, Change Impact Analysis

• FxCop checks conformance to Microsoft’s .NET Framework Design
Guidelines
Different Solutions for Different Things
• Difference in depth vs. breadth
• No issues found by both Coverity and FxCop
• Numbers in orange indicate number of findings

Coverity
Critical
Defects

FxCop
Coding style &
standard issues
Critical Defects vs. Coding Style Defects
Type

Coverity
7.0

FxCop

Shared
defects

Resource leaks

75

0

0

Concurrency problems

20

4

0

Logic errors

4

2

0

Hierarchy problems

5

2

0

Unhandled exceptions (incl.

21

0

0

Critical Defect Subtotal

125

8

0

Coding Standards, Best
Practices, Other

3

970

0

Total Bugs

128

978

0

NULL deref)
The “Big 3” Classes of Defects in C#
1. Null references

2. Resource issues
3. Threading issues
Issues You Can Find via Source Code Analysis
Resource Leaks
• Database connection leaks
• Resource leaks
• Socket & Stream leaks
API usage errors
• Use of freed resources
Concurrent data access violations
• Values not atomically updated
• Data race conditions
Performance inefficiencies
• Unnecessary synchronization
Program hangs
• Thread deadlock
• Infinite loop
Logic Errors
• Dead code
Error handling issues
• Unchecked return value
Code maintainability issues
• Static set in non-static method

Class hierarchy inconsistencies
• Failure to call base.close() or base.dispose()
• Missing call to base class
Control flow issues
• Suspicious extraneous semicolon
• Inconsistent comparison usage
• Comparison of incompatible types
Null pointer dereferences
• Dereference after null check
• Dereference before null check
• Dereference null return value
Suspicious code
• Copy/paste errors
• Significant indentation anomalies
• Swapped arguments
Arithmetic errors
• Incorrect shift operation
• Incorrect expressions
• Overflow while evaluating expression
Conclusion
• Different analysis tools often find different but
complementary issues

• Use the right solution to find the issues that are important
to you
Want to try Coverity on
your code?

For a free trial visit:
www.coverity.com

Contenu connexe

Tendances

Concurrency Errors in Java
Concurrency Errors in JavaConcurrency Errors in Java
Concurrency Errors in JavaCoverity
 
Code Review Best Practices
Code Review Best PracticesCode Review Best Practices
Code Review Best PracticesTrisha Gee
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelinesLalit Kale
 
Code Review
Code ReviewCode Review
Code ReviewDivante
 
Improving the accuracy and reliability of data analysis code
Improving the accuracy and reliability of data analysis codeImproving the accuracy and reliability of data analysis code
Improving the accuracy and reliability of data analysis codeJohan Carlin
 
Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Sung Kim
 
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)Sung Kim
 
How to get the most out of code reviews
How to get the most out of code reviewsHow to get the most out of code reviews
How to get the most out of code reviewsJavaDayUA
 
Working Effectively With Legacy Code
Working Effectively With Legacy CodeWorking Effectively With Legacy Code
Working Effectively With Legacy CodeExcella
 
Automated Unit Testing and TDD
Automated Unit Testing and TDDAutomated Unit Testing and TDD
Automated Unit Testing and TDDGreg Sohl
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and WhenPaul Gower
 
Code Review Matters and Manners
Code Review Matters and MannersCode Review Matters and Manners
Code Review Matters and MannersTrisha Gee
 
Code Review
Code ReviewCode Review
Code Reviewrantav
 
Clean code - Getting your R&D on board
Clean code - Getting your R&D on boardClean code - Getting your R&D on board
Clean code - Getting your R&D on boardRuth Sperer
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and WhenPaul Gower
 

Tendances (20)

Concurrency Errors in Java
Concurrency Errors in JavaConcurrency Errors in Java
Concurrency Errors in Java
 
Code review
Code reviewCode review
Code review
 
Code Review for iOS
Code Review for iOSCode Review for iOS
Code Review for iOS
 
Code Review
Code ReviewCode Review
Code Review
 
Code Review Best Practices
Code Review Best PracticesCode Review Best Practices
Code Review Best Practices
 
Code review guidelines
Code review guidelinesCode review guidelines
Code review guidelines
 
Code Review
Code ReviewCode Review
Code Review
 
Improving the accuracy and reliability of data analysis code
Improving the accuracy and reliability of data analysis codeImproving the accuracy and reliability of data analysis code
Improving the accuracy and reliability of data analysis code
 
Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)Crowd debugging (FSE 2015)
Crowd debugging (FSE 2015)
 
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
 
Code Review
Code ReviewCode Review
Code Review
 
How to get the most out of code reviews
How to get the most out of code reviewsHow to get the most out of code reviews
How to get the most out of code reviews
 
Working Effectively With Legacy Code
Working Effectively With Legacy CodeWorking Effectively With Legacy Code
Working Effectively With Legacy Code
 
Automated Unit Testing and TDD
Automated Unit Testing and TDDAutomated Unit Testing and TDD
Automated Unit Testing and TDD
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
 
TDD Workshop UTN 2012
TDD Workshop UTN 2012TDD Workshop UTN 2012
TDD Workshop UTN 2012
 
Code Review Matters and Manners
Code Review Matters and MannersCode Review Matters and Manners
Code Review Matters and Manners
 
Code Review
Code ReviewCode Review
Code Review
 
Clean code - Getting your R&D on board
Clean code - Getting your R&D on boardClean code - Getting your R&D on board
Clean code - Getting your R&D on board
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
 

En vedette

Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Digital Bond
 
LISTADO OPOSICION + MERITOS
LISTADO OPOSICION + MERITOSLISTADO OPOSICION + MERITOS
LISTADO OPOSICION + MERITOSguest0dbad523
 
03 cv mil_probability_distributions
03 cv mil_probability_distributions03 cv mil_probability_distributions
03 cv mil_probability_distributionszukun
 
Animales en peligro de extincion
Animales en peligro de extincionAnimales en peligro de extincion
Animales en peligro de extincionlosdonkey
 
Paradigmas tecnoeconomicos
Paradigmas tecnoeconomicosParadigmas tecnoeconomicos
Paradigmas tecnoeconomicosMARIELIPALENCIA
 
Presentacion de economica politica
Presentacion de economica politicaPresentacion de economica politica
Presentacion de economica politicaabelardoac
 
Ahead Week 1 Key Slides
Ahead Week 1 Key SlidesAhead Week 1 Key Slides
Ahead Week 1 Key Slidesaltonbaird
 
ExcelCertificate18122014
ExcelCertificate18122014ExcelCertificate18122014
ExcelCertificate18122014Peter Garces
 
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!Aitor BV
 
Republic of Angola: Governmental Strategy for its Mining Sector
Republic of Angola: Governmental Strategy for its Mining SectorRepublic of Angola: Governmental Strategy for its Mining Sector
Republic of Angola: Governmental Strategy for its Mining SectorMining On Top
 
Ss for b,ed
Ss for b,edSs for b,ed
Ss for b,edanoop kp
 

En vedette (17)

Code Coverage
Code CoverageCode Coverage
Code Coverage
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)
 
LISTADO OPOSICION + MERITOS
LISTADO OPOSICION + MERITOSLISTADO OPOSICION + MERITOS
LISTADO OPOSICION + MERITOS
 
03 cv mil_probability_distributions
03 cv mil_probability_distributions03 cv mil_probability_distributions
03 cv mil_probability_distributions
 
Cloud Computing - Gina Franco
Cloud Computing - Gina FrancoCloud Computing - Gina Franco
Cloud Computing - Gina Franco
 
Animales en peligro de extincion
Animales en peligro de extincionAnimales en peligro de extincion
Animales en peligro de extincion
 
PNUTS
PNUTSPNUTS
PNUTS
 
Paradigmas tecnoeconomicos
Paradigmas tecnoeconomicosParadigmas tecnoeconomicos
Paradigmas tecnoeconomicos
 
Presentacion de economica politica
Presentacion de economica politicaPresentacion de economica politica
Presentacion de economica politica
 
Ahead Week 1 Key Slides
Ahead Week 1 Key SlidesAhead Week 1 Key Slides
Ahead Week 1 Key Slides
 
ExcelCertificate18122014
ExcelCertificate18122014ExcelCertificate18122014
ExcelCertificate18122014
 
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
☆BROCHAS PARA MAQUILLAJE☆ ¡¡Las imprescindibles!!
 
Republic of Angola: Governmental Strategy for its Mining Sector
Republic of Angola: Governmental Strategy for its Mining SectorRepublic of Angola: Governmental Strategy for its Mining Sector
Republic of Angola: Governmental Strategy for its Mining Sector
 
VIH-AIDS 2008.
VIH-AIDS 2008.VIH-AIDS 2008.
VIH-AIDS 2008.
 
Windows Phone Apps por Salvador Encalada
Windows Phone Apps por Salvador EncaladaWindows Phone Apps por Salvador Encalada
Windows Phone Apps por Salvador Encalada
 
Seminario..
Seminario..Seminario..
Seminario..
 
Ss for b,ed
Ss for b,edSs for b,ed
Ss for b,ed
 

Similaire à Finding Defects in C#: Coverity vs. FxCop

The Dark Side of Code Metrics
The Dark Side of Code MetricsThe Dark Side of Code Metrics
The Dark Side of Code MetricsDonald Belcham
 
Quality metrics and angular js applications
Quality metrics and angular js applicationsQuality metrics and angular js applications
Quality metrics and angular js applicationsnadeembtech
 
CS4443 - Modern Programming Language - I Lecture (1)
CS4443 - Modern Programming Language - I Lecture (1)CS4443 - Modern Programming Language - I Lecture (1)
CS4443 - Modern Programming Language - I Lecture (1)Dilawar Khan
 
Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)lqi
 
Compeition-Level Code Generation with AlphaCode.pptx
Compeition-Level Code Generation with AlphaCode.pptxCompeition-Level Code Generation with AlphaCode.pptx
Compeition-Level Code Generation with AlphaCode.pptxSan Kim
 
10 Reasons You MUST Consider Pattern-Aware Programming
10 Reasons You MUST Consider Pattern-Aware Programming10 Reasons You MUST Consider Pattern-Aware Programming
10 Reasons You MUST Consider Pattern-Aware ProgrammingPostSharp Technologies
 
Полезные метрики покрытия. Практический опыт и немного теории
Полезные метрики покрытия. Практический опыт и немного теорииПолезные метрики покрытия. Практический опыт и немного теории
Полезные метрики покрытия. Практический опыт и немного теорииSQALab
 
Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Maven Logix
 
Technical debt management strategies
Technical debt management strategiesTechnical debt management strategies
Technical debt management strategiesRaquel Pau
 
Code Analysis-run time error prediction
Code Analysis-run time error predictionCode Analysis-run time error prediction
Code Analysis-run time error predictionNIKHIL NAWATHE
 
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...Iosif Itkin
 
Software Coding- Software Coding
Software Coding- Software CodingSoftware Coding- Software Coding
Software Coding- Software CodingNikhil Pandit
 
Is Your DevOps Ready to Scale?
Is Your DevOps Ready to Scale?Is Your DevOps Ready to Scale?
Is Your DevOps Ready to Scale?XebiaLabs
 
How to Have Code Reviews That Developers Actually Want
How to Have Code Reviews That Developers Actually WantHow to Have Code Reviews That Developers Actually Want
How to Have Code Reviews That Developers Actually WantCameron Presley
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your CodeNate Abele
 
Improving the Quality of Existing Software
Improving the Quality of Existing SoftwareImproving the Quality of Existing Software
Improving the Quality of Existing SoftwareSteven Smith
 

Similaire à Finding Defects in C#: Coverity vs. FxCop (20)

The Dark Side of Code Metrics
The Dark Side of Code MetricsThe Dark Side of Code Metrics
The Dark Side of Code Metrics
 
Quality metrics and angular js applications
Quality metrics and angular js applicationsQuality metrics and angular js applications
Quality metrics and angular js applications
 
Code Inspection
Code InspectionCode Inspection
Code Inspection
 
CS4443 - Modern Programming Language - I Lecture (1)
CS4443 - Modern Programming Language - I Lecture (1)CS4443 - Modern Programming Language - I Lecture (1)
CS4443 - Modern Programming Language - I Lecture (1)
 
Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)Slides for Houston iPhone Developers' Meetup (April 2012)
Slides for Houston iPhone Developers' Meetup (April 2012)
 
Compeition-Level Code Generation with AlphaCode.pptx
Compeition-Level Code Generation with AlphaCode.pptxCompeition-Level Code Generation with AlphaCode.pptx
Compeition-Level Code Generation with AlphaCode.pptx
 
10 Reasons You MUST Consider Pattern-Aware Programming
10 Reasons You MUST Consider Pattern-Aware Programming10 Reasons You MUST Consider Pattern-Aware Programming
10 Reasons You MUST Consider Pattern-Aware Programming
 
Полезные метрики покрытия. Практический опыт и немного теории
Полезные метрики покрытия. Практический опыт и немного теорииПолезные метрики покрытия. Практический опыт и немного теории
Полезные метрики покрытия. Практический опыт и немного теории
 
Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening
 
Technical debt management strategies
Technical debt management strategiesTechnical debt management strategies
Technical debt management strategies
 
Code Analysis-run time error prediction
Code Analysis-run time error predictionCode Analysis-run time error prediction
Code Analysis-run time error prediction
 
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
 
Basics of Programming.pptx
Basics of Programming.pptxBasics of Programming.pptx
Basics of Programming.pptx
 
Code coverage
Code coverageCode coverage
Code coverage
 
Software Coding- Software Coding
Software Coding- Software CodingSoftware Coding- Software Coding
Software Coding- Software Coding
 
Is Your DevOps Ready to Scale?
Is Your DevOps Ready to Scale?Is Your DevOps Ready to Scale?
Is Your DevOps Ready to Scale?
 
How to Have Code Reviews That Developers Actually Want
How to Have Code Reviews That Developers Actually WantHow to Have Code Reviews That Developers Actually Want
How to Have Code Reviews That Developers Actually Want
 
Measuring Your Code
Measuring Your CodeMeasuring Your Code
Measuring Your Code
 
Improving the Quality of Existing Software
Improving the Quality of Existing SoftwareImproving the Quality of Existing Software
Improving the Quality of Existing Software
 
Software Design
Software DesignSoftware Design
Software Design
 

Dernier

Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 

Dernier (20)

Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 

Finding Defects in C#: Coverity vs. FxCop

  • 2. Selecting the Right Solution Key Considerations • • • • • • Does it find critical defects? What is the false positive rate? Is it actionable? Is it accurate? Is it integrated to my workflow? How do I manage persistency
  • 3. Varying Levels of Static Analysis Exist • Compiler warnings: verifies a program is type safe • Byte code analysis: identifies defects in the intermediate language and tries to map it back to the source code • Source code analysis: understanding the meaning and intention of the program – produces the most accurate results
  • 4. Source vs. Byte Code Analysis (Example) Indentations Don’t Match Boundaries: if (x == 0) do_something(x); x = 1; • Source code analysis solution can infer the developer’s intent: “x=1” to happen in the same block as “do_something” call • Developer is warned because “x==0” block does not actually include both statements
  • 5. Coverity and FxCop Case Study Complementary Solutions
  • 6. Coverity Makes FxCop Enterprise-Grade Stand-alone FxCop is good; FxCop + Coverity is better Analysis • Find more critical defects • Improve accuracy of FxCop analysis Efficiency • Manage all quality and security issues in one workflow • Improved defect management Governance • Improve visibility into quality and security trends over time and across the supply chain
  • 7. Case Study • Analysis of paint.net project (formerly open source) • Version 3.22 • 100K lines of code • Analysis done using • Coverity 7.0 • Microsoft Visual Studio 2013/FxCop 12.0 • Coverity and FxCop look for different things • Coverity Static Analysis looks for code defects using: • Bug Pattern Matching, Sophisticated Inter-procedural Dataflow Analysis, Abstract Interpretation, False Path Pruning, Boolean Satisfiability, Design Pattern Intelligence, Change Impact Analysis • FxCop checks conformance to Microsoft’s .NET Framework Design Guidelines
  • 8. Different Solutions for Different Things • Difference in depth vs. breadth • No issues found by both Coverity and FxCop • Numbers in orange indicate number of findings Coverity Critical Defects FxCop Coding style & standard issues
  • 9. Critical Defects vs. Coding Style Defects Type Coverity 7.0 FxCop Shared defects Resource leaks 75 0 0 Concurrency problems 20 4 0 Logic errors 4 2 0 Hierarchy problems 5 2 0 Unhandled exceptions (incl. 21 0 0 Critical Defect Subtotal 125 8 0 Coding Standards, Best Practices, Other 3 970 0 Total Bugs 128 978 0 NULL deref)
  • 10. The “Big 3” Classes of Defects in C# 1. Null references 2. Resource issues 3. Threading issues
  • 11. Issues You Can Find via Source Code Analysis Resource Leaks • Database connection leaks • Resource leaks • Socket & Stream leaks API usage errors • Use of freed resources Concurrent data access violations • Values not atomically updated • Data race conditions Performance inefficiencies • Unnecessary synchronization Program hangs • Thread deadlock • Infinite loop Logic Errors • Dead code Error handling issues • Unchecked return value Code maintainability issues • Static set in non-static method Class hierarchy inconsistencies • Failure to call base.close() or base.dispose() • Missing call to base class Control flow issues • Suspicious extraneous semicolon • Inconsistent comparison usage • Comparison of incompatible types Null pointer dereferences • Dereference after null check • Dereference before null check • Dereference null return value Suspicious code • Copy/paste errors • Significant indentation anomalies • Swapped arguments Arithmetic errors • Incorrect shift operation • Incorrect expressions • Overflow while evaluating expression
  • 12. Conclusion • Different analysis tools often find different but complementary issues • Use the right solution to find the issues that are important to you
  • 13. Want to try Coverity on your code? For a free trial visit: www.coverity.com