Example of Using a Static Analysis Tool:
Klocwork's static analysis tool, inSpect (more information at http://www.klocwork.com), provides a great example of how a static analysis tool should work. Klocwork inSpect checks for many implementation and security bugs as well as cyclomatic complexity and coding technique violations. The checks run quickly and efficiently, which is important when running the tool on large source trees daily. Klocwork's tool also includes the ability to add or remove checks, which is important because it allows developers to run a lightweight version of the tool, such as Klocwork inForce, on their local machines before check-in; that lightweight version can be executed from the command line or integrated into many popular IDEs.
By using a tool such as inSpect, a development shop can discover bugs early in the development process that would normally be found only in testing, if they are found at all. In the following section Klocwork inSpect will be covered in detail.
The Klocwork inSpect static analysis tool is split into three major sections. The inSpect engine analyzes the code and updates the database with new information about the source code. The Management Console allows you to manage each of your reports from each project; since multiple reports can be held for each project, it is easy to keep track of progress as the source changes. Finally, the tool generates a web-based report which includes a source viewer and outlines each problem with a brief description as well as the line number where the problem occurs.
Klocwork inSpect uses each of the technologies stated in the previous sections, including semantic analysis, abstract syntax trees, extensible rules and many others. By combining many different technologies, inSpect can catch more source flaws than it could by limiting scanning to a single type of analysis.
Klocwork inSpect can be executed from the command line, or the analysis can be started from the Management Console. Starting inSpect from the command line allows the user to completely automate the analysis process so it can be completed on each build without having to set options or make changes each time. The Management Console gives the user control over which reports are generated and how, and allows the user to drill down into the source code to get a more precise view of the problems found.
Klocwork inSpect can scan the source using many different options, including architecture, coding violations, metrics, security, and many more. Each report is individually selectable, so the person running the tool can customize the report for each specific coding project. Klocwork inSpect can also output the report in a number of useful formats (HTML, PDF, text, XML and others), which makes integration with other reporting tools easy. Klocwork inSpect includes many other options to custom-tailor the scanning and reporting process.
The reports inSpect creates are easy to read and make it easy to drill down into the source code to see the exact line on which the error occurs. This can help speed up bug finding and fixing. The inSpect reporting feature integrates into the web browser and includes a source viewer which highlights each line of code that contains an error.
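To make the pieces described above concrete (an abstract syntax tree walk, extensible rules including a cyclomatic-complexity metric, and findings tied to source line numbers), here is an added example of a toy checker written for this page; it is not Klocwork code and analyzes Python source with the standard ast module. The rule ids SEC01 and MET01, the DANGEROUS_CALLS list, the complexity threshold and the sample module are all constructed for the illustration.

```python
import ast

# Constructed sample input (not from the page): a dangerous call and an over-complex function.
SAMPLE = '''\
import os
def run(cmd, flags):
    if flags.get("a") and flags.get("b"):
        for f in flags:
            if f == "x":
                os.system(cmd + f)
            elif f == "y":
                eval(cmd)
    while flags:
        flags.pop()
'''
DANGEROUS_CALLS = {"eval", "exec", "os.system"}  # hypothetical check list, not Klocwork's
BRANCHES = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp)

def _call_name(func):  # 'eval' or 'os.system'; None for anything more complex
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None

def rule_dangerous_calls(tree):  # SEC01: calls to functions in DANGEROUS_CALLS
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node.func) in DANGEROUS_CALLS:
            yield ("SEC01", node.lineno, f"call to {_call_name(node.func)}()")

def cyclomatic_complexity(func):
    # McCabe: 1 plus one per branch point; each extra 'and'/'or' operand adds one.
    nodes = list(ast.walk(func))  # nested defs are counted with their parent
    branches = sum(isinstance(n, BRANCHES) for n in nodes)
    bools = sum(len(n.values) - 1 for n in nodes if isinstance(n, ast.BoolOp))
    return 1 + branches + bools

def rule_complexity(tree, threshold=5):  # MET01: functions over the threshold
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            score = cyclomatic_complexity(node)
            if score > threshold:
                yield ("MET01", node.lineno, f"{node.name}() complexity {score} > {threshold}")

RULES = [rule_dangerous_calls, rule_complexity]  # add or remove checks here

def analyze(source, rules=RULES):
    # Parse once, run every rule over the AST, return (rule, line, message) by line.
    tree = ast.parse(source)
    return sorted((f for rule in rules for f in rule(tree)), key=lambda f: f[1])
```

Because each rule is just a function over the parsed tree, the check list can be trimmed for a fast pre-check-in run or extended for the full nightly pass, mirroring the add/remove-checks workflow described above.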
Provided by: Security Innovation, The Application Security Company


