Browse Definitions :
Definition

static analysis (static code analysis)

Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure and can help ensure that the code adheres to industry standards. Static analysis is used in software engineering by software development and quality assurance teams. Automated tools can assist programmers and developers in carrying out static analysis. The software will scan all code in a project to check for vulnerabilities while validating the code.

Static analysis is generally good at finding coding issues such as:

  • Programming errors
  • Coding standard violations
  • Undefined values
  • syntax violations
  • Security vulnerabilities

The static analysis process is also useful for addressing weaknesses in source code that could lead to buffer overflows -- a common software vulnerability.

How is static analysis done?

The static analysis process is relatively simple, as long as it's automated. Generally, static analysis occurs before software testing in early development. In the DevOps development practice, it will occur in the create phases.

Once the code is written, a static code analyzer should be run to look over the code. It will check against defined coding rules from standards or custom predefined rules. Once the code is run through the static code analyzer, the analyzer will have identified whether or not the code complies with the set rules. It is sometimes possible for the software to flag false positives, so it is important for someone to go through and dismiss any. Once false positives are waived, developers can begin to fix any apparent mistakes, generally starting from the most critical ones. Once the code issues are resolved, the code can move on to testing through execution.

Without having code testing tools, static analysis will take a lot of work, since humans will have to review the code and figure out how it will behave in runtime environments. Therefore, it's a good idea to find a tool that automates the process. Getting rid of any lengthy processes will make for a more efficient work environment.

Types of static analysis

There are several static analysis methods an organization could use, which include:

  • Control analysis -- focuses on the control flow in a calling structure. For example, a control flow could be a process, function, method or in a subroutine.
  • Data analysis -- makes sure defined data is properly used while also making sure data objects are properly operating.
  • Fault/failure analysis -- analyzes faults and failures in model components.
  • Interface analysis -- verifies simulations to check the code and makes sure the interface fits into the model and simulation.

In a broader sense, with less official categorization, static analysis can be broken into formal, cosmetic, design properties, error checking and predictive categories. Formal meaning if the code is correct; cosmetic meaning if the code syncs up with style standards; design properties meaning the level of complexities; error checking which looks for code violations; and predictive, which asks how code will behave when run.

static analysis objectivesThis image shows some of the objectives within static analysis.

Benefits and drawbacks of static analysis

Benefits of using static analysis include:

  • It can evaluate all the code in an application, increasing code quality.
  • It provides speed in using automated tools compared to manual code review
  • Paired with normal testing methods, static testing allows for more depth into debugging code.
  • Automated tools are less prone to human error.
  • It will increase the likelihood of finding vulnerabilities in the code, increasing web or application security.
  • It can be done in an offline development environment.

However, static analysis comes with some drawbacks. For example, organizations should stay aware of the following:

  • False positives can be detected.
  • A tool might not indicate what the defect is if there is a defect in the code.
  • Not all coding rules can always be followed, like rules that need external documentation.
  • Static analysis may take more time than comparable methods.
  • Static analysis can't detect how a function will execute.
  • System and third-party libraries may not be able to be analyzed.

Static verification vs. dynamic verification

The principal advantage of static analysis is the fact that it can reveal errors that do not manifest themselves until a disaster occurs weeks, months or years after release. Nevertheless, static analysis is only a first step in a comprehensive software quality-control regime. After static analysis has been done, Dynamic analysis is often performed in an effort to uncover subtle defects or vulnerabilities. In computer terminology, static means fixed, while dynamic means capable of action and/or change. Dynamic analysis involves the testing and evaluation of a program based on execution. Static and dynamic analysis, considered together, are sometimes referred to as glass-box testing.

Static analysis tools and vendors

There are plenty of static verification tools out there, so it can be confusing to pick the right one. Software tools will work at a variety of levels. Unit-level tools look at programs or subroutines. Technology-level tools will test between unit programs and a view of the overall program. System-level tools will analyze the interactions between unit programs. And mission-level tools will focus on mission layer terms, rules and processes. Before committing to a tool, an organization should also make sure that the tool supports the programming language they're using as well as the standards they want to comply with.

Embold is an example static analysis tool which claims to be an intelligent software analytics platform. The tool can automatically prioritize issues with code and give a clear visualization of it. The tool will also verify the correctness and accuracy of design patterns used in the code.

Kiuwan is another example of a static analyzer. It is a large platform that focuses on implementing static analysis in a DevOps environment. It features up to 4,000 updated rules based around 25 security standards. It also integrates well with Jenkins.

PyCharm is another example tool that is built for developers who work in Python with large code bases. The tool features code navigation, automatic refactoring as well as a set of other productivity tools.

This was last updated in July 2020

Continue Reading About static analysis (static code analysis)

Networking
  • local area network (LAN)

    A local area network (LAN) is a group of computers and peripheral devices that are connected together within a distinct ...

  • TCP/IP

    TCP/IP stands for Transmission Control Protocol/Internet Protocol and is a suite of communication protocols used to interconnect ...

  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

Security
  • identity management (ID management)

    Identity management (ID management) is the organizational process for ensuring individuals have the appropriate access to ...

  • single sign-on (SSO)

    Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials -- for ...

  • fraud detection

    Fraud detection is a set of activities undertaken to prevent money or property from being obtained through false pretenses.

CIO
  • project scope

    Project scope is the part of project planning that involves determining and documenting a list of specific project goals, ...

  • core competencies

    For any organization, its core competencies refer to the capabilities, knowledge, skills and resources that constitute its '...

  • change management

    Change management is a systematic approach to dealing with the transition or transformation of an organization's goals, processes...

HRSoftware
  • recruitment management system (RMS)

    A recruitment management system (RMS) is a set of tools designed to manage the employee recruiting and hiring process. It might ...

  • core HR (core human resources)

    Core HR (core human resources) is an umbrella term that refers to the basic tasks and functions of an HR department as it manages...

  • HR service delivery

    HR service delivery is a term used to explain how an organization's human resources department offers services to and interacts ...

Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

Close