Thursday, April 29, 2010

Cramming More Value Into the Static Analysis Workflow

Static analysis tools find bugs in source code during the earliest part of development.  Where in the process static analysis is used varies widely, depending upon the software development organization's specific goals and the environment in which it will operate.  Some organizations run static analysis on entire codebases just before release.  Others run static analysis nightly or several times a day as part of a continuous integration process.  Still others run static analysis locally on a developer's desktop so that they can find and fix problems in the snippet of code they are working on.

One can distinguish between when static analysis MUST be run and when it is merely CONVENIENT to run.  Organizations are increasingly using the results of static analysis as part of the acceptance criteria for a codebase.  Meeting acceptance criteria may happen just before release, before collapsing a development branch into the main line, or even before a developer checks in code.  It makes a lot of sense to ensure that all reported issues have been addressed as part of graduating the code from one level to the next.

Of course, we all know it's a good practice to prepare well in advance of a future requirement.  By providing static analysis throughout the development process, you eliminate the situation where you're two days before release and you run the static analysis tool and find that you have hundreds of problems yet to be addressed.  Clearly, fixing bugs as you develop will improve the quality and security of the software early, letting you more comfortably coast into and through your acceptance process.

What else should be in your acceptance process?  The static analysis workflow is a convenient place to find and fix problems other than just bugs.  Here are some additional things that static analysis can help you enforce, conveniently borrowing the same workflow.
  • Industry coding standards such as MISRA and Scott Meyers' Effective C++
  • Government compliance standards such as DO-178B, PCI and FDA
  • Internal coding standards
  • Architectural coding standards
Using the same workflow makes things easier and more efficient for developers and administrators.  Tools are starting to combine their capabilities to help software development organizations solve bigger problems.  One of the major vendors in the static analysis space recently announced support for MISRA.  Many vendors offer the ability to author custom checks to find and fix a wide range of problems.  These provide a huge benefit because the checks can find problems across all codebases in the company and can be modified to meet the changing needs of the organization.  Custom checks can be written to enforce coding standards and architectural requirements, and to find the defect categories that are particularly important to your company.  Custom checking can also serve as a complement to code review.
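To make the idea of a custom check concrete, here is a small example written for this page (it is not a vendor's tool or code from the original post).  It implements two hypothetical rules of the kind the paragraph above describes: an internal coding standard that bans a few unbounded libc string functions, and an architectural rule that the ui/ layer may not include headers from db/.  Both rules run over the same files and feed one acceptance gate, which returns a non-zero exit status whenever any finding remains, so the same script can run on a developer's desktop, in continuous integration, or as a pre-check-in hook.  The rule tables and the sample files are constructed for illustration.

```python
"""Hypothetical custom check enforcing two internal rules over C sources.

Added example, not from the original post.  The rules and the sample files
are constructed for illustration.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import PurePosixPath

# Internal coding standard (constructed): banned libc calls and the
# replacement a developer should use instead.
BANNED_CALLS = {
    "gets": "use fgets() with an explicit buffer size",
    "strcpy": "use a bounded copy such as strlcpy()/snprintf()",
    "sprintf": "use snprintf()",
}

# Architectural rule (constructed): top-level directory -> directories whose
# headers it must not include.  Here the UI layer may not reach into db/.
LAYER_RULES = {"ui": {"db"}}

# \b keeps fgets()/snprintf() from matching gets()/sprintf().
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED_CALLS)) + r")\s*\(")
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*"([^"]+)"')


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    message: str


def check_file(path: str, text: str) -> list[Finding]:
    """Run both rules over one file; returns the findings in line order."""
    findings = []
    layer = PurePosixPath(path).parts[0]
    forbidden = LAYER_RULES.get(layer, set())
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude: drop a trailing // comment
        m = CALL_RE.search(code)
        if m:
            fn = m.group(1)
            findings.append(Finding(path, lineno, "banned-call",
                                    f"{fn}() is banned: {BANNED_CALLS[fn]}"))
        m = INCLUDE_RE.match(line)
        if m and PurePosixPath(m.group(1)).parts[0] in forbidden:
            findings.append(Finding(path, lineno, "layering",
                                    f"{layer}/ must not include {m.group(1)}"))
    return findings


def gate(files: dict[str, str]) -> list[Finding]:
    """Acceptance gate: every finding must be resolved before code graduates."""
    findings = []
    for path in sorted(files):
        findings.extend(check_file(path, files[path]))
    return findings


# Constructed sample files standing in for a checkout.
SAMPLE_FILES = {
    "ui/login.c": (
        '#include "db/query.h"\n'
        '#include "ui/widgets.h"\n'
        'void copy_name(char *dst, const char *src) {\n'
        '    strcpy(dst, src); // legacy code\n'
        '}\n'
    ),
    "db/query.c": (
        '#include <stdio.h>\n'
        'int fmt(char *buf, size_t n, int id) { return snprintf(buf, n, "%d", id); }\n'
    ),
}


def main(argv: list[str]) -> int:
    """CLI: check the files named on the command line, or the samples if none.

    Exit status 1 means the gate failed, which is what a CI job or hook wants.
    """
    if len(argv) > 1:
        files = {}
        for p in argv[1:]:
            with open(p, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
    else:
        files = SAMPLE_FILES
    findings = gate(files)
    for f in findings:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.message}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the two findings on the constructed ui/login.c (the db/ include on line 1 and the strcpy() call on line 4); run with file paths to check a real tree.  The matching is deliberately line-oriented and will false-positive on a banned name inside a string literal or a block comment; a production check of this kind is better expressed against the analyzer's own AST or checker API, which is exactly the facility the vendors' custom-check support provides.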

So leverage existing workflows by adding other types of checking during the right points in the development process.  And then arm the developers with the ability to meet their goals easily.  The more you can push checking up front, the more likely you'll meet your time pressure goals.
