Static code scanning adds value across the entire development organization. Whatever your role in that organization, static code scanning brings the capabilities software development needs to maximize quality and manage risk in software products.

Background

In a microservice architecture, services are independent and can be developed and deployed separately. Independent development leads to diverse technology stacks, and communication over HTTP makes problem diagnosis more complex. Together these pose great challenges to the quality assurance of system functionality, performance and security.

Testing challenges in a microservices architecture

In a microservice architecture, multiple independent business systems (services) are developed at the same time, each with its own business scope and development cycle. As a result, the traditional process, in which the product manager provides requirements, the requirements are analyzed, developers implement them and finally testers test the result, cannot meet the requirements for test coverage and test efficiency.

Compared with the traditional monolithic model, the challenges to testing in the microservice model can be summarized as follows:

    1. Microservice systems are modular and layered, so the quality of the code inside each module must be ensured. Traditional end-to-end testing cannot meet this requirement;
    1. The correctness of each microservice's internal modules must be ensured. Modules, and the front end and back end, are usually developed at the same time and connected through interfaces (usually RESTful HTTP interfaces), while the modules and back-end services a system depends on often have no interface ready. To verify each system's correctness independently of the systems it depends on, mock technology is needed to isolate dependencies for interface-level testing;
    1. Interface consistency between microservices, that is, contract consistency, must be ensured. Contract tests guarantee the correctness of the contract, which in turn keeps parallel front-end and back-end development correct and consistent;
    1. The correctness of each individual microservice system must be ensured through component-level testing;
    1. The correctness of the whole system must be ensured. After the microservice systems are connected, end-to-end testing verifies the correctness of the system as a whole.

How to test in a microservices architecture

In view of the testing challenges above, the test strategy must on the one hand ensure comprehensive testing of microservices at every service level, especially in distributed systems, and on the other hand ensure efficient test execution so that continuous integration/continuous delivery (CI/CD) is sustained. The overall test strategy therefore adopts the following solutions:

    1. Develop a “quality” culture. Give developers a sense of code “quality” so that quality is ensured within each module;
    1. Use automated testing. In a microservices architecture, where development is split across teams responsible for different services, testers often spend a significant part of each day tracking the progress of the different teams. If regression tests also have to be run manually, they will eventually be overwhelmed. Automated testing is therefore a must in the microservice model;
    1. Adopt a layered automated testing strategy. Automated test layering is described in detail in Mike Cohn’s Test Pyramid. It advocates testing at different granularities at the code, interface and application levels to ensure system quality. In terms of investment in test automation, unit tests and static code scanning receive the largest share, followed by interface automation tests, and finally UI automation tests. To improve test efficiency and test coverage, functional testing also needs exploratory testing methods;
    1. Use pipeline technology for visual, fast feedback. The large number of microservice systems increases the cost of operations and communication. To improve communication efficiency, every build, test and deploy step must be visible in a pipeline so that quality feedback and handling decisions can be made quickly. A visual pipeline makes it possible to monitor every link in the chain and to adopt DevOps practices to break down the walls between the business, development, testing and operations departments.

Following the idea of layered automated testing, the rest of this article introduces the first layer: static code scanning.

Static code scanning

Background of static code scanning

Static code analysis is the technique of scanning program code through lexical analysis, syntax analysis, control-flow and data-flow analysis and similar techniques without running the code. Its purpose is to verify that the code meets requirements for standardization, security, reliability and maintainability. Static code scanning sits at the lowest level of layered automated testing, at the same level as unit testing. To ensure the standardization, security and reliability of the company’s code, the company customized its static code scanning specifications, scanning rules and scanning process so that they can be implemented efficiently.

Why static code scanning matters

For developers

Software developers are ultimately responsible for code quality. Code quality is part of the non-functional requirements and is therefore the direct responsibility of the developer. Code quality should carry no technical debt, and feedback should be provided at every step of the development process, from the IDE to release. This lets developers make decisions about code quality early, do better work and deliver better-quality software products.

For DevOps

DevOps needs to make sure the software is built the right way. DevOps carries many responsibilities, including supporting the development process, automating testing, ensuring quality, improving productivity and, ultimately, continuous deployment. Good code quality is a necessary, though not sufficient, condition for achieving all of these goals. Static code scanning can add a code quality gate to any build/test/deployment step, automating the enforcement of a uniform set of quality standards so that the organization delivers better software.

For managers

Static code scanning reduces risk and improves team productivity. Managers need to be able to run software safely and at a reasonable return on investment. Our solution shows at a glance the technical debt they face and the cost of addressing it. It also has out-of-the-box capabilities that systematically improve the maintainability and long-term productivity of development teams. This lets managers apply risk control at the best cost and ensure that their organizations deliver better software.

Introduction to static code scanning

The static code scanning process for a feature branch is as follows:

    1. The developer pulls a feature branch from the master branch as the development branch;
    1. When feature development is complete, the code is built, unit tested and statically scanned;
    1. After the checks pass, the branch is merged into master for release to production.

Static code scanning process at Entourage Payment

The Entourage Payment static code scanning platform is built by integrating the SonarQube platform, Jenkins, the SonarLint IDE plug-in, a localized CheckStyle rule template and other open source tools and plug-ins. It implements local code checking, a second check after each build, and a closed-loop email feedback process, to ensure that code meets the company’s coding specification before it goes to production. The specific process is shown in the figure below:

  • 1. SonarLint rules are synchronized with the SonarQube platform rules and specifications through the SonarLint plug-in in the local IDE, and code is checked locally. There are 257 customized Java rules, XML rules and 86 JavaScript rules tracking code standardization, code defects, vulnerabilities, code smells, duplication rate and other information. The SonarLint plug-in rules are comprehensive and include all SonarJava and JavaScript rules. To ensure that the custom rules used locally are consistent with the rules in SonarQube, the plug-in must connect to the SonarQube server remotely and bind the project. Taking Eclipse as an example, the SonarQube connection and project binding process is shown below:

  • 2. After the code is pushed to the GitLab code repository, a Sonar scan is triggered automatically when the test environment is built in Jenkins, and the scan results are published to the SonarQube platform. Below is the result of one project as presented by SonarQube:

  • 3. The SonarQube platform checks the results against the quality gate requirements, and developers are notified by email when the quality gate is not met.

Quality gate requirements: 1. Coverage on new code is greater than or equal to 80%; 2. New bugs are 0; 3. New vulnerabilities are 0; 4. New code smells are 0.

  • 4. After receiving the email, the developer fixes the code until it meets the specification requirements.
  • 5. The number of bugs, vulnerabilities and code smells detected by static code scanning in the SonarQube platform is counted weekly, and a weekly report, including a trend chart of issue handling, is sent automatically to the relevant stakeholders at regular intervals.
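The quality gate in step 3 and the weekly trend report in step 5 are both simple decision logic over scan metrics. The following Python script is an added example, not code from the article, from SonarQube or from the company's platform: it models the four gate conditions listed above and a week-over-week issue trend, using constructed metric values embedded inline. In a real pipeline the measurements would come from the SonarQube server after the Jenkins build; the metric names (`new_coverage`, `new_bugs`, ...) are assumptions chosen for this example, not SonarQube's own keys.

```python
"""Quality-gate evaluation and weekly trend reporting (added example).

Not code from the article or from SonarQube: it models the four quality-gate
conditions the article lists and the weekly trend report, using constructed
metric values. Metric names are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Comparison operators a gate condition may use.
OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    ">=": lambda value, threshold: value >= threshold,
    "<=": lambda value, threshold: value <= threshold,
    "==": lambda value, threshold: value == threshold,
}


@dataclass(frozen=True)
class Condition:
    metric: str      # key in the measurement dict (assumed name)
    operator: str    # key into OPERATORS
    threshold: float
    label: str       # human-readable text for the notification e-mail

    def holds(self, value: float) -> bool:
        return OPERATORS[self.operator](value, self.threshold)


# The article's quality gate: all four conditions apply to new code only.
QUALITY_GATE: List[Condition] = [
    Condition("new_coverage", ">=", 80.0, "coverage on new code >= 80%"),
    Condition("new_bugs", "==", 0, "new bugs == 0"),
    Condition("new_vulnerabilities", "==", 0, "new vulnerabilities == 0"),
    Condition("new_code_smells", "==", 0, "new code smells == 0"),
]


def evaluate_gate(metrics: Dict[str, float], gate: List[Condition] = QUALITY_GATE) -> List[str]:
    """Return one failure message per violated condition (empty list = gate passed).

    A metric that was not measured at all counts as a failure: a scan that
    produced no coverage figure must not pass silently.
    """
    failures = []
    for condition in gate:
        if condition.metric not in metrics:
            failures.append(f"{condition.label}: metric '{condition.metric}' not measured")
        elif not condition.holds(metrics[condition.metric]):
            failures.append(f"{condition.label}: measured {metrics[condition.metric]}")
    return failures


def gate_passed(metrics: Dict[str, float], gate: List[Condition] = QUALITY_GATE) -> bool:
    return not evaluate_gate(metrics, gate)


def notification(project: str, branch: str, failures: List[str]) -> str:
    """Body of the e-mail sent to the developer when the gate fails (step 3)."""
    if not failures:
        return f"[{project}] {branch}: quality gate passed"
    lines = [f"[{project}] {branch}: quality gate FAILED, {len(failures)} condition(s) violated:"]
    lines += [f"  - {failure}" for failure in failures]
    lines.append("Fix the new code and push again; the branch is not eligible for merge to master.")
    return "\n".join(lines)


def weekly_trend(snapshots: List[dict]) -> List[dict]:
    """Week-over-week change in open bugs, vulnerabilities and code smells (step 5).

    Each snapshot carries a 'week' label and the three issue counts; a negative
    delta means more issues were fixed than introduced that week.
    """
    trend = []
    for previous, current in zip(snapshots, snapshots[1:]):
        trend.append({
            "week": current["week"],
            **{metric: current[metric] - previous[metric]
               for metric in ("bugs", "vulnerabilities", "code_smells")},
        })
    return trend


# Constructed measurements for two builds (not real project data).
PASSING_BUILD = {"new_coverage": 86.4, "new_bugs": 0, "new_vulnerabilities": 0, "new_code_smells": 0}
FAILING_BUILD = {"new_coverage": 72.1, "new_bugs": 0, "new_vulnerabilities": 1, "new_code_smells": 3}

# Constructed weekly snapshots for the trend report (not real project data).
WEEKLY_SNAPSHOTS = [
    {"week": "W01", "bugs": 14, "vulnerabilities": 3, "code_smells": 210},
    {"week": "W02", "bugs": 9, "vulnerabilities": 3, "code_smells": 180},
    {"week": "W03", "bugs": 11, "vulnerabilities": 1, "code_smells": 150},
]

if __name__ == "__main__":
    print(notification("order-service", "feature/refund", evaluate_gate(FAILING_BUILD)))
    for row in weekly_trend(WEEKLY_SNAPSHOTS):
        print(row)
```

Treating a missing measurement as a failure is the one design choice worth noting: a scan step that silently produced no coverage number would otherwise let a branch through the gate, which defeats the purpose of blocking the merge.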

SonarQube and rules

SonarQube is an open source platform for code quality management that supports quality scanning in 25+ programming languages. SonarQube consists of a client (scanner), a server and a database. The client uploads the analyzed project code to the SonarQube server, which manages and analyzes code quality through a variety of analysis mechanisms, and SonarQube presents the analysis results in a visual and measurable way through its web UI and web APIs.

SonarQube’s integration capabilities

The SonarQube platform supports the integration of various static code analysis tools. The analysis objects and techniques of the code analysis tools that can be integrated in SonarQube are compared below:

Java static analysis tool | Analysis object   | Technique
CheckStyle                | Java source files | Defect pattern matching
FindBugs                  | Bytecode          | Defect pattern matching; data flow analysis
PMD                       | Java source code  | Defect pattern matching

CheckStyle

CheckStyle makes it easy to check for formatting errors in Java code, automates the coding specification check, and relieves developers of this important but tedious task. Its rules are customized according to the development specification. It mainly covers the following:

  • Javadoc comments: Checks Javadoc comments on classes and methods
  • Naming conventions: Checks that names conform to the naming convention
  • Header: Checks whether the file starts with a specified header line
  • Import statements: Checks whether import statements conform to the specification
  • Code block size: Checks the number of lines in classes, methods and other blocks
  • Whitespace: Checks whitespace characters, such as tabs and carriage returns
  • Modifiers: Checks modifiers, such as the order in which they are declared
  • Blocks: Checks for empty or invalid blocks
  • Code problems: Checks for duplicate code, conditional judgments, magic numbers and other problems
  • Class design: Checks that class definitions conform to the specification, for example the definition of constructors

FindBugs

FindBugs is a static analysis tool that examines class or JAR files and compares the bytecode against a set of defect patterns to find possible problems. It mainly covers the following:

  • Bad practice: Common coding errors matched against defect patterns during static code review
  • Correctness: Code that may lead to errors, such as null pointer dereferences
  • Internationalization: Issues such as incorrect string conversions
  • Malicious code vulnerability: Code that could be exploited by malicious code, such as overly permissive access modifiers
  • Multithreaded correctness: Common synchronization and thread scheduling problems in multithreaded programming
  • Performance: Inefficient code caused by variable definitions, method calls and the like

PMD

PMD is an open source tool for finding errors in Java code. It uses a parser generated by JavaCC to parse the source code into an AST (abstract syntax tree). Unlike other analysis tools, PMD finds code errors through static analysis, that is, it reports errors without running the Java program. PMD comes with a number of rules that can be used directly to find many problems in Java sources, such as:

  • Potential bugs: Checks for potential coding errors, such as empty try/catch/finally/switch statements
  • Dead code: Checks for unused variables, parameters, methods, etc.
  • Optimizable code: String/StringBuffer misuse
  • Complex expressions: Checks for unnecessary if statements and for loops that could be replaced by while loops
  • Duplicate code: Checks for duplicated code
  • Object creation in loop bodies: Checks whether new objects are instantiated inside a loop body
  • Resource closing: Checks whether Connection, ResultSet and Statement resources are closed after use

In addition, users can define their own rules to check that Java code conforms to certain coding specifications. For example, you could write a rule that requires PMD to find all operations that create Thread and Socket objects.

Comparison of the three tools

Code defect category              | Example                                        | Detected by (number of the three tools: CheckStyle, FindBugs, PMD)
Reference operations              | Null pointer dereference                       | 3
Object operations                 | Object comparison (using == instead of equals) | 2
Expression complexity             | Redundant if statements                        | 1
Unused variables or code snippets | Unused variable                                | 2
Resource recovery                 | I/O not closed                                 | 1
Method calls                      | Method return value not used                   | 1
Code design                       | Empty try/catch/finally block                  | 1

As the table shows, all three tools focus on code review. CheckStyle concentrates on code formatting and conformance to the coding specification, and its defect detection is weak; FindBugs and PMD focus on finding code defects. Within defect detection, the three tools cover categories that partly differ and partly overlap.
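The "defect pattern matching" technique in the tool comparison table means recognizing known bad code shapes without executing the program. The following Python script is an added example, not code from the article, CheckStyle, FindBugs or PMD, and not a substitute for them: it implements three defect categories from the comparison table (object comparison with `==` instead of `equals()`, an unused local variable, and an empty catch block) as pattern rules over a constructed Java sample. The rule names and the `LoginService` sample are assumptions made for this example; real tools match patterns over a full syntax tree or bytecode rather than regular expressions, which is why these rules only hold for simple, well-formatted source.

```python
"""A miniature defect-pattern-matching checker for Java source (added example).

Not part of the article, CheckStyle, FindBugs or PMD. It shows the "defect
pattern matching" approach on three defect categories from the comparison
table. The regular expressions are a deliberately small stand-in for a real
syntax-tree based matcher and are only meant for the constructed sample below.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    line: int
    message: str


# Constructed sample with one instance of each defect (not from a real project).
SAMPLE_JAVA = """\
public class LoginService {
    private static final String ADMIN = "admin";

    public boolean isAdmin(String user) {
        int retries = 3;
        if (user == ADMIN) {
            return true;
        }
        return false;
    }

    public void audit(String line) {
        try {
            java.nio.file.Files.writeString(java.nio.file.Path.of("audit.log"), line);
        } catch (java.io.IOException e) {
        }
    }
}
"""

STRING_NAME = re.compile(r"\bString\s+(\w+)")                        # String-typed fields, locals, parameters
COMPARISON = re.compile(r'(\w+|"[^"]*")\s*(==|!=)\s*(\w+|"[^"]*")')  # a == b / a != b with simple operands
LOCAL_DECL = re.compile(                                             # "Type name = ...;" at the start of a line
    r"^\s*(?:final\s+)?(?:int|long|boolean|double|char|String|[A-Z]\w*)\s+(\w+)\s*(?:=[^;]*)?;",
    re.MULTILINE,
)
EMPTY_CATCH = re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}")             # catch (...) { } with nothing inside


def line_of(source: str, offset: int) -> int:
    """1-based line number of a character offset in the source."""
    return source.count("\n", 0, offset) + 1


def check_string_comparison(source: str) -> List[Finding]:
    """Object operations: String compared by reference instead of equals()."""
    string_names = set(STRING_NAME.findall(source))
    findings = []
    for m in COMPARISON.finditer(source):
        left, op, right = m.group(1), m.group(2), m.group(3)
        if any(operand.startswith('"') or operand in string_names for operand in (left, right)):
            findings.append(Finding("StringReferenceComparison", line_of(source, m.start()),
                                    f"'{left} {op} {right}' compares String references; use equals()"))
    return findings


def check_unused_locals(source: str) -> List[Finding]:
    """Unused variables: a local whose declaration is its only mention."""
    findings = []
    for m in LOCAL_DECL.finditer(source):
        name = m.group(1)
        if len(re.findall(rf"\b{re.escape(name)}\b", source)) == 1:
            findings.append(Finding("UnusedLocalVariable", line_of(source, m.start(1)),
                                    f"local variable '{name}' is declared but never used"))
    return findings


def check_empty_catch(source: str) -> List[Finding]:
    """Code design: exception swallowed by an empty catch block."""
    return [Finding("EmptyCatchBlock", line_of(source, m.start()),
                    "exception is swallowed by an empty catch block")
            for m in EMPTY_CATCH.finditer(source)]


def check(source: str) -> List[Finding]:
    """Run all rules and return the findings ordered by line number."""
    findings = check_string_comparison(source) + check_unused_locals(source) + check_empty_catch(source)
    return sorted(findings, key=lambda f: (f.line, f.rule))


if __name__ == "__main__":
    for finding in check(SAMPLE_JAVA):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Each rule is a pattern plus a message, which is also the shape of a custom rule in the real tools: the difference between this toy and CheckStyle or PMD is only where the pattern is matched (text here, a syntax tree there), not the idea of flagging a known defect shape before the code ever runs.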

Custom rules

Given that Sonar Java rules already include PMD and CheckStyle rules, we chose Sonar’s default rules and customized them. Part of the customization rule content is shown in SonarQube below.

The types of code defects covered by customized rules are shown in the following table:

Code defect category              | Example
Reference operations              | Null pointer dereference
Object operations                 | Object comparison (using == instead of equals)
Expression complexity             | if statements, for loops
Array usage                       | Array index out of bounds
Unused variables or code snippets | Unused variable
Resource recovery                 | I/O not closed
Method calls                      | Method return value not used
Code design                       | Empty try/catch/finally block

Conclusion

This article has described the testing challenges of a microservices architecture, how to test under a microservices architecture, and how to implement static code scanning in that setting. Follow-up articles will cover the remaining layers:

    1. Unit testing for microservice testing
    1. Contract testing for microservice testing
    1. Interface testing for microservice testing
    1. UI automation testing for microservice testing
    1. Exploratory testing for microservice testing

This article is also published on the WeChat official account "Entourage Payment Research Institute"; follow that account to receive new articles as soon as they are pushed.