And, static analysis tools are good these days. They aren't perfect, but with the right usage they provide a good bang for the buck. I stress the word "usage". Many companies buy the tool. The vast majority install the tool but a surprisingly high number don't get past running the tool even a couple of times. The product sits on the shelf.
There are many reasons why this occurs but the one we'll explore today is owner

The purview of the tools group varies but does not include setting up new processes in isolation from the software development team. Oftentimes static tools are thrust on the tools group. The tools group then sets it up with the only goal of offering it as a voluntary service to the software development team. What ends up happening is a static analysis tool that is used by only a few enterprising software developers who believe in the value of tools and of software quality. The tools group is powerless to force more developers to use the tool and only a fraction of the potential value of the tool is realized.
Tools groups can lower the cost of usage by making it as simple as possible to use, by integrating the tools within their development process more effectively and by providing training, support and mentorship to developers. Tools groups also can take responsibility for tuning the analysis to make sure the results are as relevant as possible. But while carrot approaches are important and necessary, it won't get everyone over. You need to foster experts within the organization who can establish and defend the tool's worth. When you can set check-in, commit or release criteria that include static analysis, then you start getting the usage that will provide the payoffs that were paid for.
We've seen organizations that mandate that all new issues get addressed. Even false positives are "fixed" because if the code is confusing enough to fool a static tool, it will likely be confusing to the next person who must maintain the code. Others simply require that at least everything needs to be reviewed and it is up to the developers to determine whether they should fix them (the developers must document why they don't fix a problem). Others require specific classes of bugs to be fixed. The rules simply must match the business goals.
So even though tools groups are essential to the success of static analysis, they cannot be the only owner. Like any change within an organization, it requires executive sponsors, champions and a technical and organizational infrastructure to make it happen.
No comments:
Post a Comment