Using Automated Code Reviews to Achieve “Continuous Quality”
ASQF Agile Night Austria, Oct. 2018
Peter Kofler, ‘Code Cop’
104 views

Published on

Slides of my talk at the ASQF Agile Night Austria 2018 about using automated code reviews (static code analysis) to achieve "Continuous Quality".

Published in: Technology


  1. Using Automated Code Reviews to Achieve “Continuous Quality” ASQF Agile Night Austria, Oct. 2018 Peter Kofler, ‘Code Cop’ @codecopkofler www.code-cop.org Copyright Peter Kofler, licensed under CC-BY.
  2. Peter Kofler • Ph.D. (Appl. Math.) • Professional Software Developer for 20 years • “fanatic about code quality” • Independent Code Quality Coach PETER KOFLER, CODE-COP.ORG FANATIC ABOUT CODE QUALITY
  3. I help development teams with ● Professionalism ● Quality and Productivity ● Continuous Improvement
  4. Mentoring ● Pair Programming ● Programming Workshops ● Deliberate Practice, e.g. Coding Dojos
  5. Developing Quality Software Developers
  6. Agenda ● What's the problem? ● Static Code Analysis ● Examples ● Conclusions
  7. “standing on the shoulder of giants” ● Productive languages ● Complete libraries ● Powerful frameworks ● Automated everything
  8. But ● Requirements and complexity increase ● Technology moves fast ● Knowledge Half-Life of 18 months (2007) ● Abstractions are leaky
  9. Complexity and Size of Modern Code Bases http://www.hypermodelling.com/
  10. We use Conventions, Guidelines, Best Practices
  11. But I cannot remember eveyrthnig.
  12. What are you doing... ● to ensure external quality? (e.g. “it works”) ● to ensure internal quality? (e.g. “it can be changed”)
  13. One developer is not enough ● Double Program Entry (Punch Cards) ● Code Reviews ● Pair Programming (XP, 1990) ● Pull Requests (GitHub, 2008) ● Mob Programming (2016) ● etc.
  14. Continuous Delivery needs Automated Code Reviews
  15. Static Code Analysis FTW
  16. Possibilities of Analysis ● Lexical analysis ● coding conventions, design idioms ● Flow/path analysis ● null-pointer, dead code ● Dependency analysis ● architectural/design flaws ● Behavioural Code Analysis/“Commit Mining” ● social information + time dimension
  17. Levels of Analysis ● Micro Level ● Statements, e.g. =, ==, {} ● Macro Level ● Class Design, APIs, Error Handling ● Architecture Level ● Interfaces, Layers, Components
  18. Impact and Cost ● Statements ● low impact, but can be severe (bug) ● easy to find, easy to fix ● Class and API (Design) ● e.g. class coupling → medium impact ● easy to fix individually ● Architecture ● e.g. layer violations → high impact ● hard to fix, or easy to fix but in many places
  19. Example: Quality Dashboard https://www.sonarqube.org/
  20. e.g. SonarQube, CAST ● Lexical analysis ● Findings on Micro and Macro Level ● Works out of the box ● SonarQube is free for many languages ● Commercial extensions for PL/SQL etc. ● History with trend graphs
  21. SonarQube checks ● > 1000 Rules (Java): ● Formatting ● Language Usage ● Redundancies ● (Micro) Performance Improvements ● Maintenance Issues ● (Beginner) Mistakes ● Potential Bugs
  22. Do you care? ● Which issues on Micro and Macro Level are relevant to you? ● Which issues should stop the pipeline?
  23. Problems ● Forces team to follow same rules ● Rock stars, “Fix it later” ;-) ● Not all violations are equally severe. ● Not all violations are actionable. ● Often too many findings, drowning real issues ● Need to choose subset depending on project
  24. Real World Experience ● Emergency Services ● Evaluation at “Half-Completed” (2015) ● Excellent team ● Oops, some code excluded from checks ● 9000 open issues ● Will they catch up?
  25. Example: Dependency Analysis https://www.hello2morrow.com/products/sotograph/sotoarc
  26. e.g. Sotoarc, Structure101 ● Dependency analysis ● Macro and Architecture Level ● Needs up front customisation ● Definition of “the architecture” ● (almost) no free tools
  27. Dependency Analysis finds ● Architecture deviations ● High coupling (Classes and Modules) ● Cycles ● Stability of API ● Bad (Design) Patterns, “Anti-Patterns” ● Usage of internal API ● Usage of forbidden API ● (Probably) Unused classes and methods
  28. Do you care? ● Do you have a defined target structure? ● Which issues should stop the pipeline? ● Why?
  29. Problems ● Usually no detailed architecture definition (or not actionable/measurable) ● Impossible to see problems without tool ● Very abstract, need “senior” level skills ● People often build their own analysers
  30. Real World Experience ● 3rd place Deloitte Technology Fast 500 ● “A fresh look at the project” (2016) ● 2 DevOps teams ● High quality ● Layering problem (chart omitted: x axis 1–32, y axis 0–1000)
  31. Continuous Quality?
  32. Death of a Thousand Cuts
  33. Real World Experience: Missing Lexical Analysis ● Due Diligence for smaller company (2018) ● 4M lines of code ● 80K warnings ● 190K relevant issues (out of 1.1M) ● Impossible to fix ● Impacted offer/price
  34. Real World Experience: Missing Dependency Analysis
  35. Real World Experience: Missing Dependency Analysis ● Internal product to calculate costs of large outsourcing deals (2013) ● Part of product family ● Several teams working constantly ● “Everything depending on everything” ● Impossible to fix ● Impacted stability and regressions
  36. Conclusion
  37. Add Code Analysis to Build Pipeline Today!
  38. Break Pipeline on (selected) Violations
  39. Peter Kofler @codecopkofler www.code-cop.org
  40. CC Images ● Bruce http://www.flickr.com/photos/sherpas428/4350620602/ ● pairing http://www.flickr.com/photos/dav/94735395/ ● agenda http://www.flickr.com/photos/24293932@N00/2752221871/ ● Altas https://www.flickr.com/photos/quinnanya/5890297160/ ● leaky wall https://www.flickr.com/photos/gammaman/7803857922 ● wants you http://www.flickr.com/photos/shutter/105497713/ ● automation http://www.flickr.com/photos/aquilaonline/510921786/ ● microscope http://www.flickr.com/photos/gonzales2010/8632116/ ● head in hands https://www.flickr.com/photos/proimos/4199675334/ ● dinosaurs https://www.flickr.com/photos/superamit/3886055392/ ● dump http://www.flickr.com/photos/sanmartin/2682745838/ ● finish http://www.flickr.com/photos/jayneandd/4450623309/
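Slides 26 to 29 describe dependency analysis against a declared target structure (layering, cycles, forbidden API usage) and note that people often build their own analysers. The following is an added example of such a small analyser, not code from the talk or from the tools it names: the module names, the layer order and the forbidden package prefixes are all constructed, and a real project would declare its own.

```python
"""Minimal dependency analysis against a declared target structure:
upward layer violations, dependency cycles and forbidden-API usage.
Added example; module names, layer order and forbidden prefixes are constructed."""

# Target structure, top layer first.  A module may depend on its own layer or on
# layers below it; the domain layer sits at the bottom and depends on nothing above.
LAYERS = ["ui", "service", "persistence", "domain"]

# Packages this (hypothetical) project has declared off-limits.
FORBIDDEN_PREFIXES = ("sun.misc.", "java.lang.reflect.")

# Constructed import graph: module -> modules it imports.
DEPS = {
    "app.ui.OrderView": ["app.service.OrderService", "app.domain.Order"],
    "app.service.OrderService": ["app.domain.Order", "app.persistence.OrderRepo"],
    "app.persistence.OrderRepo": ["app.domain.Order", "app.service.OrderService"],
    "app.persistence.JdbcSupport": ["sun.misc.Unsafe"],
    "app.domain.Order": ["app.domain.Money"],
    "app.domain.Money": [],
}


def layer_of(module):
    """Layer named by the first package segment that is a layer; None for external code."""
    for part in module.split("."):
        if part in LAYERS:
            return part
    return None


def layer_violations(deps):
    """Edges that point upwards in the layer order (an architecture deviation)."""
    bad = []
    for src, targets in deps.items():
        src_layer = layer_of(src)
        for dst in targets:
            dst_layer = layer_of(dst)
            if src_layer is None or dst_layer is None:
                continue  # external dependency, outside the layered structure
            if LAYERS.index(dst_layer) < LAYERS.index(src_layer):
                bad.append((src, dst))
    return sorted(bad)


def strongly_connected_components(deps):
    """Tarjan's algorithm; every cycle lives inside one strongly connected component."""
    index, low, stack, on_stack, sccs = {}, {}, [], set(), []
    counter = [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in deps.get(v, []):          # external nodes have no outgoing edges
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            sccs.append(comp)

    for v in list(deps):
        if v not in index:
            visit(v)
    return sccs


def find_cycles(deps):
    """Components with more than one module, or a module importing itself."""
    cycles = [sorted(c) for c in strongly_connected_components(deps)
              if len(c) > 1 or c[0] in deps.get(c[0], [])]
    return sorted(cycles)


def forbidden_usages(deps):
    """Edges into packages the project has declared forbidden."""
    return sorted((src, dst) for src, targets in deps.items()
                  for dst in targets if dst.startswith(FORBIDDEN_PREFIXES))


def analyse(deps):
    return {"layer_violations": layer_violations(deps),
            "cycles": find_cycles(deps),
            "forbidden_api": forbidden_usages(deps)}


if __name__ == "__main__":
    report = analyse(DEPS)
    for kind, items in report.items():
        print(kind, items)
    raise SystemExit(1 if any(report.values()) else 0)  # non-zero breaks the build
```

Running the script on the constructed graph reports the persistence-to-service edge as a layer violation, the two-module cycle it creates, and the `sun.misc.Unsafe` import, and exits non-zero so a build step can stop on them. The layer assignment by package name is the "definition of the architecture" the slides say such tools need up front; without it, the cycle and forbidden-API checks still run but the layering check has nothing to compare against.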
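Slides 22, 23, 28 and 38 ask which findings should stop the pipeline and warn that too many findings drown the real issues, while slide 24 shows what happens when 9000 open issues accumulate. The following added example (not code from the talk or from SonarQube) shows one way to gate a build on a selected subset of findings while baselining pre-existing issues so that only newly introduced ones block. The `Finding` layout is a simplified stand-in for an analyser's issue export, and the rule ids, file names and messages are constructed.

```python
"""Quality gate that breaks a build on a selected subset of static-analysis
findings, using a baseline so pre-existing issues do not block new work.
Added example: the Finding layout is a simplified stand-in for a
SonarQube-style issue export, not any tool's real schema."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule: str       # analyser rule id (values below are constructed)
    severity: str   # BLOCKER, CRITICAL, MAJOR, MINOR, INFO
    kind: str       # BUG, VULNERABILITY, CODE_SMELL
    path: str
    line: int
    message: str

    def fingerprint(self):
        # Line numbers drift between commits, so a baseline match ignores them.
        return (self.rule, self.path, self.message)


@dataclass(frozen=True)
class GatePolicy:
    # Only these combinations stop the pipeline; everything else is reported only.
    block_severities: frozenset = frozenset({"BLOCKER", "CRITICAL"})
    block_kinds: frozenset = frozenset({"BUG", "VULNERABILITY"})
    always_block_rules: frozenset = frozenset()   # a project's own must-fix rules
    muted_rules: frozenset = frozenset()          # rules nobody is going to act on

    def blocks(self, f):
        if f.rule in self.muted_rules:
            return False
        if f.rule in self.always_block_rules:
            return True
        return f.severity in self.block_severities and f.kind in self.block_kinds


@dataclass
class GateResult:
    blocking: List[Finding]
    baselined: int      # would block, but was already known before this change
    reported_only: int  # outside the blocking subset; shown on the dashboard only

    @property
    def passed(self):
        return not self.blocking


def evaluate_gate(findings, policy, baseline):
    """Split current findings into blocking, baselined and report-only."""
    known = {b.fingerprint() for b in baseline}
    blocking, baselined, reported_only = [], 0, 0
    for f in findings:
        if not policy.blocks(f):
            reported_only += 1
        elif f.fingerprint() in known:
            baselined += 1
        else:
            blocking.append(f)
    return GateResult(blocking, baselined, reported_only)


# Constructed sample data: the baseline is the previous build's report.
BASELINE = [
    Finding("rule:npe-deref", "CRITICAL", "BUG", "src/Order.java", 40,
            "Possible null dereference of 'customer'"),
]
CURRENT = [
    Finding("rule:npe-deref", "CRITICAL", "BUG", "src/Order.java", 44,
            "Possible null dereference of 'customer'"),      # known, moved 4 lines
    Finding("rule:hardcoded-secret", "BLOCKER", "VULNERABILITY", "src/DbConfig.java", 12,
            "Hard-coded password"),                          # new: must block
    Finding("rule:unused-import", "MINOR", "CODE_SMELL", "src/DbConfig.java", 3,
            "Unused import"),                                # report only
    Finding("rule:long-method", "MAJOR", "CODE_SMELL", "src/Order.java", 80,
            "Method has 120 lines"),                         # report only
]


def main():
    result = evaluate_gate(CURRENT, GatePolicy(), BASELINE)
    for f in result.blocking:
        print(f"BLOCK {f.severity} {f.kind} {f.path}:{f.line} {f.message} [{f.rule}]")
    print(f"baselined={result.baselined} reported_only={result.reported_only}")
    return 0 if result.passed else 1   # non-zero exit breaks the pipeline


if __name__ == "__main__":
    raise SystemExit(main())
```

With the default policy the new hard-coded password is the only finding that fails the build; the null dereference already in the baseline is counted but not blocking, and the two code smells only feed the dashboard. Tightening the gate is a policy change (adding a rule to `always_block_rules`), not a change to the analyser, which keeps the "which issues should stop the pipeline" decision explicit and reviewable per project.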
