Author: Xiao Pu
Static analysis is the process of analysing computer programme without executing the code. This practice is often used to ensure that codes follow certain structures or standards (e.g coding standards).
It is possible to do static analysis manually, but there are automated tools(static analysers) that can assist developers in this process.
In some situations, it is impossible to achieve 100% test coverage. There will be some sections in the code that are not covered by test cases, which may result in bugs (see how static analysis will help you find bugs). In static analysis, all the related files/codes will be analysed.
Static analysis can find bugs before the execution. For example, some programmers may forget to add break statement in switch statement.
switch(colour) {
case 'blue':
value = 1;
case 'green':
value = 2;
}
Static analysis tools will automatically alert the programmers about the potential problems/bugs.
Many projects enforce certain coding standards. For example, some project require the following format for if statement.
if (condition) {
// true
} else {
// false
}
While others enforce the following standard:
if (condition) {
// true
}
else {
// false
}
Such standards can be configured in static analysis tools and the tools will help you enforce the standards.
Static analysis will pick up common pitfalls in coding and suggest changes to help you improve your code quality. For example, for the following Java code:
if (isConditionTrue()) {
return true;
} else {
return false;
}
Majority of static analysis tools will point out that this can be simplified to:
return isConditionTrue();
Since static analysis tools only recognize patterns, there might be false positives introduced.
try {
// logic part
} catch (Throwable t) {
// alert user
}
For example, the above code will catch any Throwable object and alert users that a fatal error has occurred in the system. In many static analysis tools, catching Throwable is regarded as a bad practice and thus the tools will prompt the error to developers. However, in this case, we want to provide a friendly alert for system crash instead of showing an ugly stack track. It is acceptable to catch Throwable and thus the violation detected by static analysis tools is a false positive.
Solution: Many static analysis tools provide ways to suppress the warnings. For example, in PMD (a static analysis tool), @SuppressWarnings annotation can be used. In this case,
@SuppressWarnings("PMD.AvoidCatchingThrowable") // used as fallback
is the correct way to suppress warnings.
Since static analysis is done without executing the programme. Some vulnerabilities that are introduced in the runtime cannot be caught. Thus, you should not merely depend on static analysis tools to find bugs. Comprehensive test cases are also needed to verify the functionalities in logic, UI and etc.
There are several static analysis tools that can be used to assist the process.
Here, we will introduce several well-known ones in detail. You can click the hyperlinks to look through them. We organised them by languages.
Java
JavaScript