What is static code analysis?

You might see the terms “static code analysis”, “source code analysis”, and “static analysis” in discussions on code quality and wonder how they differ from one another. Well, ultimately, they’re interchangeable.

All three terms refer to a process in software development where specialized tools, such as linters and static analyzers, examine code to detect potential errors, inconsistencies, and security vulnerabilities without executing it. As a result, you and your team can enforce coding standards without running the program or script.

Static code analysis means greater code quality.

Static analysis tools analyze the source code, byte code, or binary code. These tools can automatically detect problems that might be difficult or time-consuming for a human reviewer to find, such as syntax errors, type mismatches, memory leaks, potential null pointer dereferences, undefined behavior, and more. They can also enforce coding conventions and ensure compliance with best practices.

This can help ensure better software quality, maintainability, reliability, and sustainability in a codebase and guarantee that your code adheres to the quality standards you’ve established as a group. It also enables greater compliance and helps development teams avoid risk. Let’s take a look at the specifics.

What’s the point of static code analysis?

The main objective of static code analysis is to detect and resolve potential problems early in the development process – before the code is compiled or executed. 

Prevent a lapse in coding standards for your programming language

Static analysis tools enable unified coding standards (for example, static code analysis in Python).

Static analysis tools can be configured with a set of rules that define the coding standards for a project. These standards might include naming conventions, file organization, indentation styles, and other formatting guidelines that ensure code readability and consistency across the codebase.

During analysis, the tool examines the source code to ensure it adheres to specified rules and flags any deviations as violations.

License issues

Code quality license audits with Qodana

It’s important to check that your project and dependency licenses are compatible for legal compliance. During a license audit conducted through static analysis, the tool scrutinizes your source code to verify compliance with licensing requirements and identifies any discrepancies or violations related to licensing agreements.

For example, if your revenue-generating project incorporates a library restricted to non-commercial use under its license, you can detect this in a license audit and address it. 

The License Audit uses the configuration files of dependency management tools, and files containing license texts, to collect information about project and dependency licenses. Based on the data it collects, it builds a dependency tree, which can tell you more about:

  • The project license
  • Licenses of project dependencies
  • Licenses of the dependencies invoked by project dependencies

This tree will show you which licenses are compatible and incompatible with your project. Learn how to run a license audit and manage results.

Taint analysis on the source code via data flow analysis

Use taint analysis to track potentially unsafe or untrusted data through a program and to identify security vulnerabilities that arise when untrusted data reaches a sensitive operation without proper validation or sanitization.

Attackers can use unprotected data entry points to exploit these vulnerabilities and conduct a wide range of malicious activities. Examples include executing SQL injections, performing cross-site scripting (XSS) attacks, and exploiting directory traversal weaknesses to access unauthorized files.
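As an added illustration (not code from this post or from Qodana), here is a minimal taint checker over a Python AST: it marks names assigned from assumed untrusted sources, propagates taint through variable use and string concatenation, clears it at assumed sanitizers, and reports sinks reached by tainted arguments, all without executing the analysed program. The source, sink and sanitizer sets and the sample program are constructed assumptions.

```python
import ast
# Constructed toy policy (not any real tool's rule set): sources, sinks, sanitizers.
SOURCES = {"input", "request.args.get"}      # calls that return untrusted data
SINKS = {"cursor.execute", "os.system"}      # calls that must not receive it
SANITIZERS = {"shlex.quote", "int"}          # calls that neutralise taint

def call_name(node):
    # Dotted name of a call target, e.g. "cursor.execute"; None if not a simple name.
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None
    return ".".join(reversed(parts + [func.id]))

def is_tainted(node, tainted):
    # Taint flows through variables, string concatenation and non-sanitizing calls.
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.BinOp):
        return is_tainted(node.left, tainted) or is_tainted(node.right, tainted)
    if isinstance(node, ast.Call):
        name = call_name(node)
        if name in SOURCES:
            return True
        if name in SANITIZERS:
            return False
        return any(is_tainted(a, tainted) for a in node.args)
    return False

def find_taint_flows(source):
    # Visit top-level statements in order, track tainted names, report (line, sink).
    tainted, findings = set(), []
    for stmt in ast.parse(source).body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            if is_tainted(stmt.value, tainted):
                tainted.add(stmt.targets[0].id)
            else:
                tainted.discard(stmt.targets[0].id)  # overwritten with clean data
        elif isinstance(stmt, ast.Expr) and isinstance(call := stmt.value, ast.Call):
            if call_name(call) in SINKS and any(is_tainted(a, tainted) for a in call.args):
                findings.append((call.lineno, call_name(call)))
    return findings

# Constructed sample program: it is only parsed, never executed.
SAMPLE = """\
name = request.args.get("name")
cursor.execute("SELECT * FROM users WHERE name = '" + name + "'")
os.system("ls " + shlex.quote(input()))
"""
```

Running `find_taint_flows(SAMPLE)` flags only the query on line 2; the `os.system` call is not reported because its argument passed through a sanitizer.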

Discover security vulnerabilities

Security breaches can take many forms – one of which is a vulnerable dependency (a third-party library used in the project). When you rely on third-party software, you’re opening up your project to issues that could come from external packages.

With static code analysis tools, you can check your team’s projects for these dependencies and manage them on a case-by-case basis. Then you can take action to upgrade the packages you use as needed.

The benefits: How static code analysis tools help software developers and teams

Improving code quality for maintenance is the clearest benefit of using static code analysis. This involves (but is not limited to):

Enhanced code styling and formatting: To help you maintain readability and consistency within a project. 

Probable bug identification and data flow analysis: These features enable teams to prevent issues such as null pointer dereferences, divide-by-zero errors, infinite loops, unused branches in logical expressions, errors in regular expressions, suboptimal code, resource leaks, and more.

Duplication analysis: Though often overlooked, duplication analysis is an important part of code maintenance, and it’s easy to achieve with static analysis. By identifying and eliminating redundant code, you reduce maintenance efforts and the risk of inconsistencies.

This leads to a more manageable and cohesive codebase. It also encourages the development of reusable components, streamlining modifications, and modular building. In doing so, teams can: 

  • Ensure security 
  • Ensure license compliance 
  • Know the state of the codebase

Static vs. dynamic analysis

Definition

  • Static analysis: examining your code without executing it.
  • Dynamic analysis: executing your code and observing its behavior during runtime.

Process

  • Static analysis: the code is parsed and predefined rules or patterns are applied to identify issues such as syntax errors, coding convention violations, potential bugs, or security vulnerabilities.
  • Dynamic analysis: the program is typically run with different inputs while its memory usage, CPU usage, and other runtime characteristics are monitored. It may also involve techniques like code instrumentation to gather additional runtime data.

Benefits of static analysis

  • Early detection of potential issues before runtime.
  • Can be automated and integrated into the development process, providing immediate feedback to developers.
  • Examines all code paths and can potentially identify all possible errors and vulnerabilities in the codebase, regardless of whether they are executed at runtime.
  • Doesn’t need a running environment.

Benefits of dynamic analysis

  • Provides insights into runtime behavior, including interactions with external systems, memory management, and performance characteristics.
  • Helps identify runtime errors, memory leaks, concurrency issues, and other runtime-specific problems.
  • Useful for understanding how the application behaves in real-world scenarios.

Dynamic versus static code analysis

How can static code analysis work in combination with manual code review?

Manual code reviews are still the most widely used method of maintaining code quality, but they work even better in conjunction with static analysis tools.

One example of a workflow is to write code in the IDE, run unit tests, create a merge or pull request, run server-side analysis (static code analysis), review the code, run more tests, and deploy to production. 

What a CI pipeline looks like

This can help you and your team:

  • Spend less time and effort on trivial problems.
  • Mitigate human error, especially when deadlines are looming.
  • Avoid fixing issues too late in the development process.

You can find out more about enhancing manual code reviews here.

Continuously improve your team’s code quality!

JetBrains Qodana is a static analysis tool that can ensure code quality in your team’s continuous integration pipeline. Catch coding errors, establish quality gates and coding rules, weed out unused code, and identify potential vulnerabilities and licensing issues.

Qodana’s analysis is accurate but not overbearing and understands the nuances of your code. Find out what Qodana can do.

Recommended reading

Boost code quality with Qodana and GitHub Actions