One could argue that static analysis is actually fairly pervasive, particularly among companies whose business is shipping software and for whom quality and security are critical. Counting the organizations that use static analysis (and ignoring some overlap), the number runs well into the thousands. In addition, open-source tools like FindBugs have a decent following, as do the free static analysis checks bundled with IDEs and compilers. And yet static analysis still has a way to go before it becomes part of the standard toolchain that nearly every organization uses. Getting it used effectively within the organization is a second-order challenge that arrives once an organization has decided to adopt it.
I will attempt to summarize some of the interesting points that surfaced in the sometimes heated discussion. Some I agree with and some I don't.
- Static analysis tools can be noisy, producing false positives. Does a given tool consistently report real issues? Are the issues it reports comprehensible and actionable?
- Static analysis tools were overhyped many years ago causing expectations to be set too high.
- Developers are protective of their code and don't like a tool poking at their "treasured creations".
- Static analysis vendors are still small or medium-sized and therefore don't yet have the marketing budgets to communicate to the broad market. HP and IBM's recent acquisitions of Fortify Software and Ounce Labs may change this at least in the security space.
- Static analysis is often viewed as an additional step after a "successful build", when it should be a release criterion: a pass/fail gate that the build must clear.
- The term "static analysis" is boring and doesn't reflect the sophistication of the analysis.
- A multitude of defects is reported at once, and developers don't know where to start or how to set up a real process for working through them.
- Ignorance of the value of tools in the software development process: the all-too-frequent way that managers and senior staff treat software as an art that cannot be improved through better process and tools.
- A clearer demonstration is needed of the value static analysis provides (the benefit minus the costs).
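Two of the points above, that static analysis should be a pass/fail release gate rather than a step after a "successful build", and that developers faced with a multitude of findings don't know where to start, are easier to act on with a concrete triage-and-gate step in the build. The following is an added example, not code from the original post or from any particular analyzer vendor. It assumes a hypothetical finding format (a list of records with `rule_id`, `severity`, `file`, `line` and `message`, roughly what most tools can export), a baseline of findings already triaged when the gate was introduced, and a configurable severity threshold; all sample findings are constructed for illustration.

```python
"""Release gate and triage worklist for static-analysis findings (added example).

Idea: record the findings that exist when the gate is first switched on as a
baseline, fail the build only on *new* findings at or above a chosen severity,
and hand developers a worklist ordered so the most important items come first.
"""
import hashlib
import re
import sys
from collections import Counter

# Hypothetical severity scale; real tools use their own names.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def fingerprint(finding):
    """Stable key for a finding that survives line-number drift.

    Line numbers shift whenever unrelated code is edited above a finding, so
    the key uses rule id, file path and a digit-normalised message instead.
    """
    msg = re.sub(r"\d+", "#", finding["message"]).strip().lower()
    raw = f'{finding["rule_id"]}|{finding["file"]}|{msg}'
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def build_baseline(findings):
    """Fingerprints of every finding present when the gate was introduced."""
    return {fingerprint(f) for f in findings}


def new_findings(findings, baseline):
    """Findings not already known from the baseline."""
    return [f for f in findings if fingerprint(f) not in baseline]


def prioritise(findings):
    """Worklist order: highest severity first, then rules that fire most often
    (one fix pattern clears many findings), then a stable file/line order."""
    by_rule = Counter(f["rule_id"] for f in findings)
    return sorted(
        findings,
        key=lambda f: (-SEVERITY_RANK[f["severity"]], -by_rule[f["rule_id"]],
                       f["file"], f["line"]),
    )


def release_gate(findings, baseline, fail_at="high"):
    """Pass/fail decision plus the ordered worklist of new findings.

    Returns (passed, worklist). The build fails if any new finding is at or
    above the `fail_at` severity; lower-severity new findings are reported but
    do not block, which keeps the gate strict without drowning the team.
    """
    worklist = prioritise(new_findings(findings, baseline))
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in worklist if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) == 0, worklist)


# Constructed sample data: the run that existed when the gate was introduced...
PREVIOUS_RUN = [
    {"rule_id": "SQL_INJECTION", "severity": "high", "file": "app/db.py",
     "line": 40, "message": "Unsanitized input in query at line 40"},
    {"rule_id": "UNUSED_IMPORT", "severity": "low", "file": "app/util.py",
     "line": 3, "message": "Unused import 'os'"},
]

# ...and a later run: the two known findings (one shifted by 12 lines) plus
# three genuinely new ones.
CURRENT_RUN = [
    {"rule_id": "SQL_INJECTION", "severity": "high", "file": "app/db.py",
     "line": 52, "message": "Unsanitized input in query at line 52"},
    {"rule_id": "UNUSED_IMPORT", "severity": "low", "file": "app/util.py",
     "line": 3, "message": "Unused import 'os'"},
    {"rule_id": "PATH_TRAVERSAL", "severity": "high", "file": "app/files.py",
     "line": 88, "message": "User-controlled path passed to open()"},
    {"rule_id": "UNUSED_IMPORT", "severity": "low", "file": "app/files.py",
     "line": 1, "message": "Unused import 'sys'"},
    {"rule_id": "HARDCODED_SECRET", "severity": "medium", "file": "app/config.py",
     "line": 12, "message": "Hard-coded credential"},
]


if __name__ == "__main__":
    baseline = build_baseline(PREVIOUS_RUN)
    passed, worklist = release_gate(CURRENT_RUN, baseline)
    for f in worklist:
        print(f'[{f["severity"]:>8}] {f["rule_id"]:<18} {f["file"]}:{f["line"]}  {f["message"]}')
    print("GATE:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)
```

Run as a build step, the script's exit status is what makes the gate a release criterion rather than an afterthought; the baseline keeps the first rollout from failing every build, and the ordered worklist gives developers a defined place to start.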