Static analysis 

Besides reviews performed by people, tools can also be used for static testing; this is what we call static analysis. A basic form of static analysis that many people use without thinking about it is the spelling and grammar checker of a word processor. This is a good example of a tool that supports improving the quality of texts.

Basic checks 

Similar tools exist for program code; these are generally called static analyzers. They may be tools built solely for this purpose, but they may also be integrated in a compiler, for example. Types of faults that a static analyzer can detect are misspellings, violations of the rules of the programming language, and also logic faults such as unreachable code or unused variables. Static analyzers report faults, but they also issue warnings when the analyzer cannot determine for certain whether something is a fault or intended behavior.

Cyclomatic complexity 

A specific measure of the maintainability of program code is the cyclomatic complexity. The only practical way to measure it is with a tool that calculates it. The outcome can be compared to the standard the organization has set, to determine whether the program complies.
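As an added illustration (not from this text and not SonarQube's code), a minimal static analyzer for Python built on the standard-library ast module: it calculates the McCabe cyclomatic complexity of each function, compares it against a configurable organizational limit, and reports the two logic faults mentioned above, unreachable code and unused variables. The sample function it analyzes is constructed for the example, and the counting rule is a simplification of what production tools implement.

```python
import ast

# Constructed sample (not from the page): branches, an 'and', an unread variable, dead code.
SAMPLE = """def classify(values, limit):
    unused = 42
    total = 0
    for v in values:
        if v > limit and v % 2 == 0:
            total += v
        elif v < 0:
            return None
    return total
    print("never reached")
"""

def cyclomatic_complexity(func):
    """McCabe metric: 1 plus one per decision point; extra and/or operands add paths."""
    cc = 1
    for node in ast.walk(func):
        if isinstance(node, (ast.If, ast.For, ast.While, ast.IfExp, ast.ExceptHandler)):
            cc += 1
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1
    return cc

def unreachable_lines(func):
    """Lines of statements that follow return/raise/break/continue in the same block."""
    lines = []
    for node in ast.walk(func):
        for stmts in (getattr(node, f, None) for f in ("body", "orelse", "finalbody")):
            if isinstance(stmts, list):
                for prev, nxt in zip(stmts, stmts[1:]):
                    if isinstance(prev, (ast.Return, ast.Raise, ast.Break, ast.Continue)):
                        lines.append(nxt.lineno)
                        break
    return sorted(lines)

def unused_variables(func):
    """Local names that are assigned in the function but never read."""
    names = [n for n in ast.walk(func) if isinstance(n, ast.Name)]
    stored = {n.id for n in names if isinstance(n.ctx, ast.Store)}
    return sorted(stored - {n.id for n in names if isinstance(n.ctx, ast.Load)})

def analyze(source, max_complexity=10):
    report = {}  # per top-level function: the metric, its limit check, both fault detectors
    for f in (n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)):
        cc = cyclomatic_complexity(f)
        report[f.name] = {"complexity": cc, "too_complex": cc > max_complexity,
                          "unreachable_lines": unreachable_lines(f), "unused_variables": unused_variables(f)}
    return report
```

Running analyze(SAMPLE) reports a complexity of 5 for classify, the print on line 10 as unreachable, and unused as an unread variable; lowering max_complexity below 5 flips the compliance check.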

Other static analysis techniques 

There is a wide variety of tools that support forms of static analysis. Some tools are generally applicable; many have a specific use for a particular development environment or software package.

An example is the tool SonarQube.

Static code analysis with SonarQube 

Static code analysis is the analysis of software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. Static code analysis is performed on some version of the code. 

Static code analysis is part of static analysis, which is one of the three groups of static testing.

Static code analysis is a collection of algorithms and techniques used to analyze source code in order to automatically find (potential) faults, vulnerabilities or poor coding practices. Examples of results of static testing are compiler warnings (which can be useful for finding coding errors), but static code analysis with more sophisticated tools takes this idea a step further to find faults that are traditionally found by dynamic testing.

The tasks solved by static code analysis can be divided into three categories:

Detecting faults or vulnerabilities in programs. These can, for example, be logic faults (such as unreachable code) or writing to a read-only variable.

Recommendations on code formatting. Some static analyzers let you check whether the source code conforms to the code formatting standard used in your company.

Metrics computation. Software metrics are measures that give a numerical value for some property of the software or its specifications. An example is cyclomatic complexity, which can be used to indicate the maintainability of the code.

There are multiple tools that cover one or more aspects of static code analysis. A well-known tool is SonarQube. 

SonarQube is an open-source platform for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect faults, code smells, and security vulnerabilities on 20+ programming languages.  

SonarQube analyzes source code, measuring the quality level and providing reports for your projects. It combines static and dynamic analysis tools and enables quality to be monitored continuously over time. Everything that affects a code base, from minor styling details to critical design errors, is inspected and evaluated by SonarQube. This way SonarQube enables developers to access and track code analysis data. This data ranges from styling errors, potential faults, and code problems to design inefficiencies, code duplication, lack of test coverage, and excess complexity.  

The SonarQube platform analyzes source code from different aspects and hence drills down into your code layer by layer, moving from the module level down to the class level. At each level, SonarQube produces metric values and statistics, revealing problematic areas in the source that require inspection or improvement. This is very effective in large teams managing a big codebase. Whenever a developer builds the code it is immediately analyzed, so developers notice any fault or vulnerability themselves at the moment they introduce it, rather than having to fix it later.

SonarQube can be integrated in your CI/CD pipeline, in which case issues are only detected when your code is pushed to the repository. For specific aspects of static code analysis, tools can be embedded in the IDE to perform the checks in real time.
