Abstract: Static code inspection, also known as static program analysis, refers to the method of program analysis without running computer programs.
This article is shared from the Huawei Cloud community post “The company has a new quality engineer, who said the team must ensure 0 errors and 0 warnings”, by Agile xiaozhi.
The company has a new quality engineer, who announced process improvement: raise quality, cut cost and increase efficiency… A series of analyses, reports and new quality activities followed, and the one the team mocks most is “check zero clearance”. What does that mean? The quality engineer will track the fixes for static code inspection findings, and the team must ensure 0 errors and 0 warnings.
Figure 1 Check clearing
You might wonder: Isn’t fixing static code checks a natural part of every programmer’s life? Why make fun of it? Let’s take a look at what static code review is.
What is static code inspection
Figure 2. Static code scan
According to Wikipedia, static code inspection, also known as static program analysis, is a method of analyzing programs without running them. Static code inspection tools can scan and analyze engineering code from lexical, syntactic, semantic and other dimensions to find possible problems, such as undefined variables, type mismatch, variable scope problems, array subscript out of bounds, memory leaks and other problems. The tool classifies the severity of the problem according to its own rules, giving different signs and prompts.
In practice, the errors reported by static code checks are cleared, but some warnings are left alone because they do not affect program functionality. Fixing them all takes a lot of time and adds to the team’s workload; for newcomers who are not yet familiar with the code base, modifying them can introduce new bugs; and sometimes the tool reports false positives. Hence the team’s joke at the start of the article: check zero clearance. So why do static code checks at all?
Why do static code reviews
To answer this question, we go back to what teams exist for, to deliver working software to customers as early as possible, to create value. Working software must be defect free, early delivery requires early detection of problems, and static code inspection is a necessary step in this process.
Meanwhile, on the cost of defect repair, Deming once proposed that “the earlier a defect is discovered, the lower the cost of repair”. Statistics show that 85% of defects are introduced during the coding phase, but most of them are not discovered there; they surface later, in the testing phase or even after release. The later a defect is discovered, the more expensive it becomes to fix.
In an article on StickyMinds called “The Shift-Left Approach to Software Testing,” it is stated that if a defect found in the coding phase takes one minute to fix, then fixing it in the unit testing phase takes four minutes, in the functional testing phase 10 minutes, in the system testing phase 40 minutes, and after release it can take 640 minutes.
Figure 3. Applied Software Measurement: Global Analysis of Productivity and Quality
Static code inspection, also called static testing, is one of the shift-left testing practices of the built-in quality initiative; the cost of fixing code problems found during static code inspection is very low.
Figure 4 Cost of defect repair
Thus, static code review is an essential part of a project.
How do I do static code reviews
Each language has one or several code review tools of its own, and many static code review tools support two or more languages: Coverity supports C/C++, C# and Java; Checkstyle, FindBugs and PMD support Java; RATS supports C/C++, Python, Perl and PHP.
With the popularity of cloud native and DevOps and the spread of cloud-based development and pipelines, static code check functions hosted on the cloud have emerged. Here, Code Check in Huawei Cloud DevCloud is taken as an example of how to easily check multiple programming languages on the cloud.
It is very simple to use and can be completed in three steps: New task -> Execute task -> View the report.
1. Create a code check task
On the toolbar of the Huawei DevCloud home page, choose Services > Code Check, or click Code Check directly. On the Code Check home page, click New Task to create a code check task.
Figure 5-1 Code Check Creating a task
When creating a task, pull code from a repository under the associated project. The source code can come from four different sources; for each option, fill in the corresponding parameter values and select the language of the code project.
Figure 5-2 Code Check Select the source Code
After creating the task, select a rule set under Settings. Code Check identifies the languages contained in the code and then picks the corresponding rules from the rule set of each language. Code Check supports 10 common development languages, including Java, JavaScript, CSS, HTML, PHP, C# and Android, and can handle projects that mix several languages. Huawei provides nearly 2000 typical check rules covering web checks, security checks, architecture checks and coding-problem checks.
Figure 5-3 Code Check rule set
2. Perform the code check task
After the code check task has been created successfully, click the task’s Start Check button to execute it.
Figure 6-1 Code Check Perform the task
After the check, the system displays the impact of defects according to problem levels and provides detailed defect descriptions, correct examples, incorrect examples, and modification suggestions.
Figure 6-2 Code Check defects
3. View the code check report
After the check, a multi-dimensional report is displayed. Click the check task name link to open the code check task details page, where you can view Overview, Code Problem, Code Quality, cyclomatic complexity, code repetition rate and other information.
Figure 7 Code Check report
More on Code Check can be found at the Code Check introduction.
In closing
Having said all this, is the “check zero clearance” demanded by the quality engineer correct? Should we do it? This is really a question of quality gates in code inspection. Problems found by static code scanning are classified as fatal, serious, general, or prompt. From the delivery point of view, the first requirement is that the code works, so fatal and serious problems must not exist: the gate switch for them is turned on and the threshold is 0. The remaining general and prompt problems can be left alone in the current iteration if they do not affect the function of the code, but the team should analyze whether they need handling and set a completion date; they can be recorded as technical debt in a to-do item and handled together in a buffer iteration. Put simply, the team should jointly decide how to set the quality gate based on the actual situation of business delivery, rather than applying one blanket cut-off to everything.
Figure 8 Quality access control
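An added example of the gate logic described above (not from the article or from Huawei’s Code Check): a small Python quality gate that reads a constructed scan report, blocks delivery when a gated severity exceeds its threshold, and collects the ungated findings as technical debt. The report field names and the shape of the gate configuration are assumptions.

```python
import json
from collections import Counter

# Severity levels as the article lists them, from most to least severe.
SEVERITIES = ("fatal", "serious", "general", "prompt")

# Gate as the article recommends: switch on for fatal and serious with
# threshold 0; general and prompt are not gated but tracked as technical debt.
# (Assumed configuration shape; the real Code Check gate settings are not shown.)
DEFAULT_GATE = {
    "fatal": {"enabled": True, "threshold": 0},
    "serious": {"enabled": True, "threshold": 0},
    "general": {"enabled": False, "threshold": None},
    "prompt": {"enabled": False, "threshold": None},
}

# Constructed sample report; the field names are an assumption, not the tool's format.
SAMPLE_REPORT = json.dumps([
    {"file": "src/net.c", "line": 42, "severity": "serious", "rule": "ARRAY_INDEX_OUT_OF_BOUNDS"},
    {"file": "src/util.c", "line": 7, "severity": "general", "rule": "UNUSED_VARIABLE"},
    {"file": "src/util.c", "line": 19, "severity": "prompt", "rule": "MAGIC_NUMBER"},
    {"file": "src/main.c", "line": 3, "severity": "general", "rule": "MISSING_BRACES"},
])

def evaluate_gate(report_json, gate=DEFAULT_GATE):
    """Return (passed, counts, blocking, debt).

    blocking: findings of a gated severity whose count exceeds its threshold.
    debt: findings of an ungated severity, to be scheduled in a later iteration.
    """
    issues = json.loads(report_json)
    unknown = {i["severity"] for i in issues} - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity levels in report: {sorted(unknown)}")
    counts = Counter(i["severity"] for i in issues)
    blocking, debt = [], []
    for sev in SEVERITIES:
        cfg = gate[sev]
        sev_issues = [i for i in issues if i["severity"] == sev]
        if cfg["enabled"] and counts[sev] > cfg["threshold"]:
            blocking.extend(sev_issues)
        elif not cfg["enabled"]:
            debt.extend(sev_issues)
    return (not blocking, dict(counts), blocking, debt)

def without_severity(report_json, severity):
    """Simulate fixing every finding of one severity (helper for re-running the gate)."""
    return json.dumps([i for i in json.loads(report_json) if i["severity"] != severity])
```

Running the gate with every severity set to threshold 0 shows the blanket cut-off the article argues against: the same report stays blocked even after the serious finding is fixed.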
As for tools, each static code inspection tool is used differently; you can find out how on the tool’s official website or elsewhere on the web. What matters is understanding why static code inspection is being done, so that it is actually done well rather than gone through as a formality. At any moment, it is more important to let your team know why you are doing something than how you are doing it. To shift testing left, build in quality, nip bugs in the bud, reduce defect repair costs, deliver working software to customers as early as possible, and create valuable products, let’s do static code inspection together.