In our recent webinar, 5 ways to accelerate standards compliance with static code analysis, SCA experts Walter Capitani of Rogue Wave Software and Christopher Rommel of VDC Research reviewed the results of the latest VDC Research paper on the trends, techniques, and best practices for standards compliance within embedded software teams. This post is the final entry in a series answering your questions on static code analysis.
Today, Walter tackles four questions he didn’t get a chance to answer during the webinar.
- 1. Answering your questions on static code analysis
- 2. Christopher Rommel of VDC Research answers your questions on static code analysis
- 3. Walter Capitani answers your questions on static code analysis
Managing the results of static code analysis
I use static code analysis, and it returns too many results. How do you prioritize?
At Klocwork, we advise users to prioritize defects found in new code over existing defects, since the existing quality of the software product is known, but the quality of the new code is unknown. In addition, users should focus their initial efforts on finding and fixing the defects that are most critical to their product, as this will make the biggest difference in quality and security. Klocwork users can also take advantage of the SmartRank features, which assist developers by providing a list of recommended defects that they should work on first.
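The triage rule above (new-code defects first, then the most critical ones) can be applied mechanically to two scan reports. The script below is an added illustration, not Klocwork code; the finding records, checker names and severity ranking are constructed assumptions.

```python
"""Triage static-analysis findings: new code first, then most critical first.

Added example for the prioritisation advice in this post; not Klocwork code.
All findings, checker ids and the severity ranking are constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed severity order: larger number means more critical.
SEVERITY_RANK = {"critical": 3, "error": 2, "warning": 1, "review": 0}


@dataclass(frozen=True)
class Finding:
    checker: str    # constructed checker id, e.g. "null-deref"
    file: str
    function: str
    severity: str
    message: str

    def key(self) -> Tuple[str, str, str]:
        # Identity deliberately ignores line numbers, so unrelated edits that
        # shift code do not make an already-known defect look new.
        return (self.checker, self.file, self.function)


def triage(baseline: Iterable[Finding],
           current: Iterable[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split current findings into (new, existing), each most-critical first."""
    known = {f.key() for f in baseline}
    new, existing = [], []
    for f in current:
        (existing if f.key() in known else new).append(f)

    def order(f: Finding):
        return (-SEVERITY_RANK.get(f.severity, -1), f.file, f.function)

    return sorted(new, key=order), sorted(existing, key=order)


# Constructed sample data: the previous baseline scan and the scan after a change.
BASELINE = [
    Finding("buffer-overflow", "src/parse.c", "read_hdr", "critical", "write past end of buf"),
    Finding("uninit-var", "src/util.c", "fmt_id", "error", "id used before assignment"),
]
CURRENT = BASELINE + [
    Finding("style", "src/net.c", "recv_msg", "warning", "magic number"),
    Finding("null-deref", "src/net.c", "recv_msg", "critical", "msg may be NULL"),
]

if __name__ == "__main__":
    for f in triage(BASELINE, CURRENT)[0]:
        print("NEW", f.severity, f.file, f.function, f.message)
```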
The last time I dealt with data flow anomaly tools, which was over 20 years ago, they produced a lot of false positives. Have the tools improved to reduce these marked issues that were not real problems?
These tools have seen many improvements which have helped reduce false positives. Improvements in processing power and available memory have allowed Klocwork to perform even deeper analysis, and new techniques, such as symbolic logic, have been implemented, which can provide better information about how the code will actually behave, improving analysis accuracy.
SCA and standards compliance
There is no coding standard officially recognized in my industry. Why should I bother with static code analysis?
Static code analysis can still provide significant value even if there is no officially recognized standard in your industry. Klocwork provides a built-in quality standard that is appropriate for many software projects, and will help reduce the number of defects found in testing or production. In addition, many industries have successfully borrowed coding standards from other industries to improve the quality of their software projects.
Research also shows that using coding standards actually speeds up development velocity – dive into the details in this blog.
Does the use of SCA tools “standardize” safety and security, or is there more to it?
SCA tools are just one part of developing safe and secure software. The entire software development lifecycle (SDLC), from requirements to testing, must be designed with safety and security in mind. SCA tools are a valuable part of the SDLC, providing earlier visibility of potential issues and reducing later rework.
Faster delivery of secure, reliable, and conformant code
Over the course of this series, we’ve shown you the benefits of static code analysis and offered some tips and tricks to best leverage these tools. It’s now time to start finding and eradicating coding bugs and security vulnerabilities with a top-tier SCA tool – and deliver better products, faster. Request a free Klocwork trial today.