Do you suffer from poorly written code? Is your codebase riddled with inconsistencies? Do you experience anxiety every time your code is being reviewed? If you answered 'yes' to any of these questions, static code analysis could help.
Static code analysis is the process of analyzing code before it is executed. It provides numerous advantages to developers, and integrating static code analyzers can supercharge your developer workflow.
Big / Bug Data: Analyzing the Apache Flink Source Code
Applications used in the field of Big Data process huge amounts of information, and this often happens in real time. Naturally, such applications must be highly reliable so that no error in the code can interfere with data processing. To achieve high reliability, one needs to keep a wary eye on the code quality of projects developed for this area. The PVS-Studio static analyzer is one of the solutions to this problem. Today, the Apache Flink project developed by the Apache Software Foundation, one of the leaders in the Big Data software market, was chosen as a test subject for the analyzer.
So, what is Apache Flink? It is an open-source framework for distributed processing of large amounts of data. It was developed as an alternative to Hadoop MapReduce in 2010 at the Technical University of Berlin. The framework is based on the distributed execution engine for batch and streaming data processing applications. This engine is written in Java and Scala. Today, Apache Flink can be used in projects written using Java, Scala, Python, and even SQL.
Top 7 Static Code Analysis Tools
What Is a Static Code Analysis?
Static code analysis or Source code analysis is a method performed on the ‘static’ (non-running) source code of the software with static code analysis tools that attempt to highlight potential vulnerabilities. Static code analyzers check source code for specific vulnerabilities as well as for compliance with various coding standards.
Why Use Static Analysis?
- Get code insights before execution
- Executes quickly compared with dynamic analysis
- Code quality maintenance can be automated
- Search for bugs can be automated at early stages (although not all)
- Finding security problems can be automated at an early stage
- You already use static analyzers if you use any IDE that already has static analyzers (like Pycharm uses pep8).
Now that we are aware of static code analysis, we must know the tools that are already leading the market. Without further ado, let's have a look at the tools that are popular for static code analysis:
Git branch naming conventions
We use git branches at DeepSource to organize ongoing work to ensure that software delivery stays effective. If you use git today, there are high chances that you're either using the famed git-flow or the more recent GitHub flow. Both these workflows depend extensively on using branches effectively — and naming a new branch is something many developers struggle with.
A consistent branch naming convention is part of code review best practices, and can make life much more easier for anyone who’s collaborating and reviewing your code, in addition to using static analysis tools.
The Silent Villains of the Coding Universe: A Review of Anti-Patterns
Anti-Patterns seem harmless but lead to error-prone solutions and make your code unmaintainable in the long-run.
For those who aren't familiar with the term ‘anti-pattern,’ it may sound like frivolous jargon or a throwaway catchphrase, but for those in the know, it’s a little more sinister than that.
Analysis of Merge Requests in GitLab Using PVS-Studio For C#
Do you like GitLab and don't like bugs? Do you want to improve the quality of your source code? Then you've come to the right place. Today we will tell you how to configure the PVS-Studio C# analyzer for checking merge requests. Enjoy the reading and have a nice unicorn mood.
PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs, written in C, C++, C#, and Java. Works in 64-bit systems on Windows, Linux, and macOS. Can analyze the code meant for 32-bit, 64-bit, and embedded ARM platforms.
PVS-Studio: Analyzing Pull Requests In Azure DevOps Using Self-Hosted Agents
Static code analysis is most effective when changing a project, as errors are always more difficult to fix in the future than at an early stage. We continue expanding the options for using PVS-Studio in continuous development systems. This time, we'll show you how to configure pull request analysis using self-hosted agents in Microsoft Azure DevOps, using the example of the Minetest game.
Briefly About What We Are Dealing With
Minetest is an open-source cross-platform game engine containing about 200,000 lines of code in C, C++, and Lua. It allows you to create different game modes in voxel space. Supports multiplayer, and a lot of mods from community. The project repository is located here: https://github.com/minetest/minetest.
Apache Hadoop Code Quality: Production VS Test
In order to get high-quality production code, it's not enough just to ensure maximum coverage with tests. No doubt, great results require the main project code and tests to work efficiently together. Therefore, tests have to be paid as much attention to as source code. A decent test is a key success factor, as it will catch regression in production. Let's take a look at PVS-Studio static analyzer warnings to see the importance of the fact that errors in tests are no worse than the ones in production. Today's focus: Apache Hadoop. 
About the Project
Those who were formerly interested in Big Data have probably heard or worked with the Apache Hadoop project. In a nutshell, Hadoop is a framework that can be used as a basis for building and working with Big Data systems.
Analyzing Matio and STB_VORBIS Libraries With Mayhem
At ForAllSecure, our mission is to help developers find critical bugs in their software quicker, easier, and faster than standard development practices and tools. To facilitate this mission, we have looked to the open source world for exemplar software we can analyze with our fuzzer, Mayhem, in order to get a stronger sense of its effectiveness and ease of integration into existing projects.
This process has proven invaluable for ForAllSecure, providing hands-on experience in ingesting additional real-world software targeting a variety of environments and build systems and ensuring that the process is as streamlined as possible for new adopters.
PVS-Studio in the Clouds: CircleCI
This is a new piece of our series of articles about using the PVS-Studio static analyzer with cloud CI systems. Today we are going to look at another service, CircleCI. We'll take the Kodi media player application as a test project and see if we can find any interesting bugs in its source code.
Note. The previous articles on integrating PVS-Studio with cloud CI systems:
Analyzing the Code of ROOT, Scientific Data Analysis Framework
While Stockholm was holding the 118th Nobel Week, I was sitting in our office, where we develop the PVS-Studio static analyzer, working on an analysis review of the ROOT project, a big-data processing framework used in scientific research. This code wouldn't win a prize, of course, but the authors can definitely count on a detailed review of the most interesting defects plus a free license to thoroughly check the project on their own.
Introduction
ROOT is a modular scientific software toolkit. It provides all the functionalities needed to deal with big data processing, statistical analysis, visualisation, and storage. It is mainly written in C++. ROOT was born at CERN, at the heart of the research on high-energy physics. Every day, thousands of physicists use ROOT applications to analyze their data or to perform simulations.
Running IntelliJ IDEA in Jenkins
It may be argued that IntelliJ IDEA has the most advanced static Java code analyzer, whose capabilities leaves "veterans" like Checkstyle and Spotbugs far behind. Its many “inspections” check various aspects of the code, from coding style to certain kinds of bugs.
You may also enjoy: IntelliJ IDEA Essentials (RefCard)
However, as long as the results of the analysis are visible only to a sole developer in her IDE, they are of little use in the software delivery process. Static analysis should be performed as the first step of the delivery pipeline, and the build should fail if the results of this step don’t pass quality gates. JetBrains' TeamCity CI is known to be integrated with IDEA. Less known is the fact that even if you are not using TeamCity, you may run IDEA inspections on any other CI server. Let’s see how this may be done using the IDEA Community Edition, Jenkins, and the Warnings NG plugin.
Checking the .NET Core Libraries Source Code by the PVS-Studio Static Analyzer (Part One)
Note: This article is the first in a series of three pieces that will cover a static analysis of .NET Core Libraries' source code.
I've been making my way toward this article for over a year and a half. At some point, I had an idea settled in my head that the .NET Core libraries had great promise. I was checking the project several times, and the analyzer I used kept finding more and more interesting code fragments, but it didn't go further than just scrolling through the list of warnings. And here it is — it finally happened! The project is checked, and the article is right in front of you.
How PVS-Studio Found an Error in the Library Used in PVS-Studio
This is a short story about how PVS-Studio helped us find an error in the source code of the library used in PVS-Studio. And it was not a theoretical error but an actual one — the error appeared in practice when using the library in the analyzer.
In PVS-Studio_Cmd (as well as some other utilities), we use a special library for parsing command line arguments: CommandLine.
Introduce Static Analysis in the Process, Don’t Just Search for Bugs with It
This article is an authorized translation of my post in Russian. The translation was made with the kind help of the guys from PVS-Studio.
What encouraged me to write this article is a considerable quantity of materials on static analysis, which recently has been increasingly coming up. Firstly, this is a blog of PVS-Studio, which actively promotes itself posting reviews of errors found by their tool in open source projects. PVS-Studio has recently implemented Java support, and, of course, developers from IntelliJ IDEA, whose built-in analyzer is probably the most advanced for Java today, could not stay away.
Method Parameters Marked Final: Good Approach?
On a recent project, we started to employ CheckStyle to help enforce good code quality and standards. I added the CheckStyle plugin to my IntelliJ IDEA client and introduce the checkstyle.xml from another client's project and ran the analysis.
I wasn't completely sure what to expect, since the API had been created before I started the project. As it turns out, the results were not all that bad. Making sure spacing was standardized, setting private class constructors for utility classes, and removing the public prefix on interface classes were common items that needed to be fixed.