Contenu connexe Similaire à Rapid software testing and conformance with static code analysis (20) Plus de Rogue Wave Software (20) Rapid software testing and conformance with static code analysis1. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 1
GENIVI is a registered trademark of the GENIVI Alliance in the USA and other countries. Copyright © GENIVI Alliance 2016.
Rapid software testing and
conformance with static code analysis
October 2016
Walter Capitani
Product Management, Rogue Wave Software
2. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 2
What we do
Rogue Wave helps organizations simplify complex software
development, improve code quality, and shorten cycle times
3. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 3
Company snapshot
Founded:
1989
We are the largest independent provider of cross-platform software
development tools and embedded components
Our capabilities cover different languages, code bases, and
platforms. We meet development where – and how – it happens.
Headquarters:
Louisville, CO
Employees:
350
Offices Worldwide:
11
4. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 4
Used by 3,000 customers in over 57 countries across diverse
industries to develop mission-critical applications and software
Financial Services Telecom Gov’t / Defense Technology Other Verticals
We enable mission-critical workloads
5. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 5
Rapid software testing and conformance with
static code analysis
6. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 6
SOFTWARE NOW TO BLAME FOR 15 PERCENT OF CAR
RECALLS
7. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 7
How can static code analysis improve software quality?
8. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 8
What are the factors affecting software quality, complexity,
and security?
• Greater use of software in vehicles
• Pressure to release on time (or as soon as possible!)
• Market demand for new features
• Greater use of third-party libraries
9. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 9
How can static code analysis improve software quality?
• Find common issues in code
– Buffer overflows (security exploit or program crashes)
– Null pointer dereferences (your program crashes)
– Memory leaks (processor runs out memory and locks up)
– Uninitialized data usage (data injection)
– Platform/OS specifics (privilege escalation, etc…)
– Concurrency (deadlock)
10. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 10
How does static code analysis work?
• Automatically inspects source code to find potential defects
• Different types of analysis
– Walks down every path of your code
– Inter-procedural
– Inter-file
• SCA runs the tests that your developers don’t (or won’t) write
• SCA will find defects that other testing won’t
11. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 11
How can static code analysis find bugs my testing
doesn’t?
• Traditional testing tools require reproduction of the exact runtime conditions that
cause the issue to occur
• This in turn requires developers to write specific tests that will exercise the code in
the specific way that reveals the defect at runtime
– This is time-consuming for developers
– Even comprehensive testing may not trigger the specific runtime conditions that cause the
defect
• Static code analysis helps by finding defects that are hard to find with the human eye
– These defects are mot generally found by code review
– Many are traditionally found with dynamic testing after a failure has occurred in testing or the
field – but its too late!
12. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 12
Source code analysis benefits: security & quality
• Significantly reduces the cost of reliable, secure software
• Complements existing testing approaches
• Automated and repeatable analysis
• Enforces key industry standards
• DISA STIG, CWE, MISRA
• CERT, SAMATE
• OWASP, DO-178B, FDA validation
• ...and more
13. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 13
Continuous static code analysis
14. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 14
The faster you find a defect, the less costly to fix
1X 3X 5X 10X
100X
Requirements Architecture Construction System Test Post Release $139
$455 $977
$7,136
$14,103
Requirements Design Coding Testing MaintenanceTime Detected
CosttoFix
Specification
Design
Code
Unit Test
System Test
UAT
Release
CosttoFix
Lifecycle Stage
CosttoFix
Development Unit Tests QA Testing Production
Time
15. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 15
Traditional analysis done after compile/build
Development Cycle
Edit &
Save
Compile
& Test
Check In Build
Analyze
& Fix
• Late stage “rework” reduces tool adoption
• Timelines compromised
• Issues are more expensive to fix
16. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 16
Why not perform analysis earlier in the cycle on the
desktop?
Eliminates new defects from being checked back into the team level build
No extra work for developers
In-context checking and fixes
Continuity of development flow
Edit &
Save
Analyze
& Fix
Compile
& Test
Check In Build
Development Cycle
17. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 17
What about defects found during integration?
Edit &
Save
Analyze
& Fix
Compile
& Test
Check In
Developer 1
Edit &
Save
Analyze
& Fix
Compile
& Test
Check In
Developer 2
Time
Integrate
Check In
Compile
& Test
Check In
Lots of issues
found here!
18. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 18
Continuous static code analysis
Edit &
Save
Analyze
& Fix
Compile
& Test
Check In
Developer 1
Edit &
Save
Analyze
& Fix
Compile
& Test
Check In
Integrate
Developer 2
Time
IntegrateIntegrate
Check In
Compile
& Test
Edit &
Save
Analyze
& Fix
Edit &
Save
Analyze
& Fix
Compile
& Test
Check InCheck In
Integrate
19. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 19
Continuous static code analysis
20. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 20
Continuous static code analysis
• Improves the predictability of software release schedules
• Improves the quality and security of release software
• Reduces the cost of finding and fixing software defects
21. © 2016 Rogue Wave Software, Inc. All Rights Reserved. 21
Walter Capitani,
Product Manager, Klocwork
Rogue Wave Software
Thank you!