History:
Static analysis tools have been used in a rudimentary form for most of the history of modern programming languages. Early versions of lint and other simple pattern-matching static analysis tools were used to enforce coding styles within a company or to discover simple programming errors.
As more research on the subject was completed, developers of static analysis tools found more classes of programming error that could be detected. Today, tools such as Klocwork inSpect can scan C, C++ and Java code for many common coding problems across many different categories.
Static analysis tools have gone through many stages of sophistication. In their infancy the tools were little more than a pattern-matching command such as grep: the programmer could search for a list of functions that were known to be dangerous and should be avoided. At this early stage the tools were difficult to use, tedious, and limited in their ability to find real bugs.
The next attempt at finding bugs with static analysis techniques came from looking at code metrics, such as lines of code, the ratio of lines of code to lines of comments, cyclomatic complexity and others. Using these techniques the developer could gain a greater understanding of the complexity of the code. Complexity metrics such as lines of code per function could help a developer break the code into smaller parts for greater readability or lower complexity. Cyclomatic complexity is one of the more widely used software quality metrics. It allows a developer or tester to measure the potential for bugs in a program by counting the number of independent paths through each module. The more paths that can be taken, the more complex the code is, and the more likely it is that there are bugs waiting to be found.
The next step in the evolution of static code analysis was to use more sophisticated searching algorithms. By adding some context to the search it became possible to find bugs that required interaction between multiple function calls, such as a call to alloc without a matching free, failing to close an open network connection, and many others. Tables could be used to check that each memory allocation was eventually de-allocated, and that the reference being freed was the same one returned by the allocation.
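As an added illustration (not code from the original article), the allocation table described above reduced to a small Python checker: it records each resource-acquiring call in a table keyed by variable name, pops the entry on release, and reports whatever is left over, released twice, or released with the wrong function. The C-like snippets are constructed for the demo, and the matching is deliberately textual and path-insensitive, which is exactly the limitation the later stages described on this page set out to remove.

```python
import re

# Constructed C-like snippets for the demo (not taken from any real project).
LEAKY = """\
char *buf = malloc(64);
if (!buf) return -1;
FILE *log = fopen(path, "r");
free(buf);
return 0;
"""
DOUBLE_FREE = """\
char *p = malloc(16);
free(p);
free(p);
"""

# Resource-acquiring calls and the release call each one requires.
PAIRS = {"malloc": "free", "calloc": "free", "fopen": "fclose"}
ALLOC_RE = re.compile(r"\b(\w+)\s*=\s*(malloc|calloc|fopen)\s*\(")
RELEASE_RE = re.compile(r"\b(free|fclose)\s*\(\s*(\w+)\s*\)")


def check_resources(source):
    """Return a list of findings for one function body given as text.

    The table maps a variable to the call that acquired it and the line
    where that happened; a release pops the entry, and anything left at
    the end was never released. Branches and early returns are ignored.
    """
    table = {}
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ALLOC_RE.search(line)
        if m:
            table[m.group(1)] = (m.group(2), lineno)
            continue
        m = RELEASE_RE.search(line)
        if not m:
            continue
        release_fn, var = m.groups()
        if var not in table:
            findings.append(f"line {lineno}: {release_fn}({var}) on a resource "
                            "that was never acquired or was already released")
        else:
            acquire_fn, _ = table.pop(var)
            if PAIRS[acquire_fn] != release_fn:
                findings.append(f"line {lineno}: {var} acquired by {acquire_fn} "
                                f"but released with {release_fn}")
    for var, (acquire_fn, lineno) in table.items():
        findings.append(f"line {lineno}: {var} acquired by {acquire_fn} is never released")
    return findings
```

Running `check_resources(LEAKY)` reports the unclosed `fopen` handle but says nothing about the early `return -1`, because without a control-flow graph the checker cannot tell which path it is on.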
Static analysis tools then began adding semantic analysis techniques that enabled discovery of the basic structure of the application and the relationships between its functions. This additional contextual information helps the analyzer understand and report bugs that require knowledge of specific code paths through the application. The most advanced static analyzers use abstract syntax trees to provide the best possible bug-finding capabilities. Using the knowledge gained by building an abstract syntax tree, a static analysis tool can run detailed simulations of suspicious code fragments to better predict how the code will behave at runtime.
Some static analysis tools allow developers to mark their code with special comments or some other form of metadata that describes rules and inter-function dependencies. This additional information allows the analyzer to understand the conditions under which a bug may occur, as well as the expectations each function has about the parameters it receives and the values it returns. Using such metadata keeps the number of false positives down and helps the analyzer follow code paths more closely.
More recently, static analysis tools have allowed developers or testers to create their own rules or to modify existing rules and plug-ins. These customizations help tailor the static analyzer to the target application, so that a developer can look for bugs specific to their operating environment, application needs, and coding standards.
Provided by: Security Innovation, The Application Security Company