What Is Source Code Analysis?
Source code analysis (also known as static code analysis) lets you analyze source code for quality, reliability, and security. You can identify defects and security vulnerabilities that can compromise the safety and security of your application. Formal methods–based deep semantic static code analysis also enables you to diagnose run-time errors such as overflows, divide by zero, and illegally dereferenced pointers. Static analysis can be a cost-effective approach to measure and track software quality metrics without the overhead of writing test cases or instrumenting your code. Because this analysis is automated, you can analyze code without executing the program or developing test cases.
Basic source analysis techniques include:
- Generating code quality metrics, such as counting the number of lines of code, determining comment density, and assessing code complexity
- Verifying compliance with code standards such as MISRA C®/C++ or JSF++ (Joint Strike Fighter Air Vehicle C++)
Sophisticated techniques couple source code analysis with formal methods that apply theoretical computer science fundamentals to solve problems such as proving that the software will not fail with a run-time error.
The combination of source code analysis and formal methods enables you to:
- Detect software defects and security vulnerabilities
- Comply with MISRA, CWE, CERT C, ISO/IEC 17961, and other standards and cybersecurity guidelines
- Prove the absence of certain run-time errors
This comprehensive approach makes sure that every failure point in the code is identified as proven to fail, proven not to fail, may never execute (dead code), or unproven. This is particularly important for safety because one escaped defect can compromise your system, leading to tragic consequences. Growing concerns about cybersecurity bring similar challenges because it takes just one software vulnerability to exploit your application.
For details about source code analysis tools that use formal methods, see Polyspace® products: Polyspace Bug Finder™, Polyspace Code Prover™, and Polyspace products for Ada.
Examples and How To
See also: Static analysis with Polyspace products, verification, validation, and test, embedded systems, abstract interpretation, code review, cyclomatic complexity, formal methods, software metrics, software QA, software quality objectives, static code analysis