Static Code Analysis in an Agile World

To keep pace with ever-increasing customer demands on software functionality and time-to-market expectations, software developers have had to evolve the way they develop code to be both faster and higher quality. As part of this trend, the Waterfall method of software development began to give way in the late 1990s to a more lightweight method of software development: Agile.

And as the use of Agile has continued to grow in the last decade, it continues to mature as well. Software organizations are constantly looking for ways to improve their Agile environments and minimizing software bugs is one area of focus. This paper will demonstrate that several of the core principles of Agile cannot be fully realized without implementing a repeatable process for ensuring code that is as bug-free as possible.

The approach recommended in this paper is the use of automated static code analysis (SCA) technology to locate and describe areas of weakness in software source code, such as security vulnerabilities, logic errors, implementation defects, concurrency violations, rare boundary conditions, or any number of other types of problem-causing code.

Agile development — A brief history

Simply put, Agile software development is an approach that provides flexibility to accommodate continuous change throughout the software development cycle. It stresses rapid delivery of working software, empowerment of developers, and emphasizes collaboration between developers and the rest of the team, including business people.

Agile contrasts with the still-popular Waterfall development approach, which is front-end loaded with comprehensive scope and requirements definitions, and which employs clear, consecutive hand-offs from requirements definition to design to coding and then to quality assurance. In contrast, Agile incorporates a continuous stream of requirements gathering that flows throughout the development process. Business people are involved throughout the release cycle, ensuring that the software being developed meets the true needs of both the end-user and the business. Change to the requirements and to the overall feature set is expected to occur as outside opportunities or threats arise.

In short, Agile fully embraces change and Agile teams are structured in such a way that they can receive and act on constant feedback provided by the build process, by other developers, from QA, and from business stakeholders.

Agile is based upon a number of guiding principles that all Agile teams follow. For the purposes of this discussion, four principles — or values — are of particular interest:

  • Quality software development
  • Iterative flexibility
  • Continuous improvement
  • Collaboration and communication

Quality software development

The primary focus of Agile development is to enable the development of quality software that satisfies a customer need — i.e. provides a functioning feature or capability — within a specific period of time (typically no more than a few weeks) called an “iteration” (or, in Scrum, a “sprint”).

Iterative flexibility

With a focus on speed and nimbleness, Agile is open to changes that inevitably arise throughout the development cycle. The iterative process is flexible, based on an understanding that original requirements may (or will likely) need to change due to customer demand, market conditions, or other reasons. Because business users are involved throughout the process, and because each iteration is short, new requirements can be introduced and prioritized very quickly.

Continuous improvement

An Agile environment provides developers with an opportunity to learn new skills and to exercise greater autonomy to do their jobs. The iterative framework is empowering because it enables continuous improvement, with testing/quality assurance occurring as part of the iterative process, rather than only periodically or at the end of a long process when it is often difficult or not cost effective to fix coding defects or to incorporate lessons learned along the way. Agile also makes the testing and QA process transparent to the developers who originate the code, further contributing to their learning and facilitating future improvements and coding efficiencies.

Collaboration and communication

Communication and collaboration are critical in software development in general, but in an Agile development environment they are paramount. In fact, the Agile Manifesto (widely recognized as the de facto definition of Agile) emphasizes individuals and interactions as a key concept. Ultimately, it is open communication and collaboration that facilitate efficiencies in the development process. Having access to the right individuals, data, and feedback when needed allows the team to deliver working software in short iterations, as the Agile process demands.

Klocwork for Agile development

Powered by a comprehensive static analysis engine, Klocwork helps developers increase their agility and development velocity. The key principles of Agile development are supported in the following ways:

  • On-the-fly desktop analysis
  • Klocwork Plugins for IDE
  • Software metrics and reporting
  • Integration with CI/CD

On-the-fly desktop analysis

Klocwork desktop analysis is like spell-check for developers, giving instant, accurate, and continuous feedback on security vulnerabilities and critical defects being introduced into code as it’s being written. Highlighting critical coding issues within the developer’s IDE the instant they’re created makes fixing defects part of the natural development workflow and ensures the most secure and reliable code is created before check-in. This approach reduces both the number of problems reported downstream in the dev cycle and the time developers need to spend going back and fixing those issues. This boost in productivity is important in an Agile environment.

Klocwork Desktop – Sample report

On-the-fly desktop analysis allows developers to find and fix critical coding issues before code check-in from within their IDEs. This reduces the time developers have to spend going back and fixing issues not detected until late in the dev process.

Klocwork Plugins for IDE

Klocwork offers a variety of C/C++, C# and Java desktop solutions to help you detect and fix issues as early as possible in the development cycle. You have several options that you can use to run your analysis:

If you use one of our supported IDEs, you can run analysis directly from within your IDE. Currently, Klocwork Desktop Plug-ins are available for Visual Studio, Eclipse and IntelliJ IDEA across multiple languages.

Klocwork integration with Visual Studio

If you prefer to work on the command line, kwcheck is a desktop analysis tool for C/C++ and Java developers using IDEs and text editors that aren’t supported by Klocwork in the form of an IDE plug-in.

Software metrics and reporting

Klocwork provides a robust suite of more than 100 objective and actionable product metrics, which are derived directly from your software code (Figure 4). With drag-and-drop reporting capabilities, development team managers can quickly and easily answer key questions about their organization’s software development process. For example, a key question for Agile is whether bugs are being found and fixed at the developer desktop, or whether they are leaking to the integration build. Klocwork automatically aggregates information about what is being found and fixed at the desktop even though it is never propagated into the source stream. This unique capability allows teams to better understand the bug reduction activity that is happening before code check-in, generating a bottom-up view of how well defect containment is working.

Klocwork sample report – Metric report

This — combined with custom ownership models that allow metrics to be organized by people, groups, geography, components, and any other attribute that works for your organization — allows teams early in an iteration to identify the areas of greatest risk within their code base.

Klocwork Integration with CI/CD

Klocwork’s Continuous Integration (CI) capability enables your organization to identify and communicate errors faster, without waiting for nightly builds. By identifying and communicating issues faster, developers can fix problematic code earlier.

Klocwork with Jenkins integration

As developers update and commit code, the CI build system picks up the changes and performs many small, incremental builds throughout the day. Instead of waiting for nightly builds, Klocwork CI analyzes the new code and notifies developers of problems right away.
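The incremental CI analysis described above is usually wired into the build as a gate: the build fails only on findings that are new relative to an agreed baseline, so a team can "start small" without first fixing every pre-existing issue. The script below is an added example and is not Klocwork's own tooling, report format or checker naming; it assumes the SCA tool can export findings as JSON records with the fields used here, and both reports are constructed inline. Findings are matched on checker, file and the normalized flagged line rather than on line number, so an issue that merely moves when code above it is edited is not reported as new.

```python
"""Fail a CI build on new static-analysis findings relative to a baseline.

Added example, not Klocwork's own code. Report format, field names and
checker identifiers below are assumptions/constructed for illustration.
"""
import hashlib
import json
import re

# Constructed baseline: findings that were already known when the gate was
# introduced. They are tolerated until the team schedules time to fix them.
BASELINE_JSON = """[
  {"checker": "NULL_DEREF", "file": "src/net/parse.c", "line": 120,
   "severity": "Critical", "snippet": "len = hdr->length;"},
  {"checker": "BUFFER_OVERRUN", "file": "src/io/buf.c", "line": 42,
   "severity": "Critical", "snippet": "buf[i] = src[i];"}
]"""

# Constructed report from the current incremental build. The first finding
# is the baseline issue shifted by an edit above it (line 120 -> 131), the
# second is unchanged, the third is a newly introduced critical defect and
# the fourth is a new low-severity style finding.
CURRENT_JSON = """[
  {"checker": "NULL_DEREF", "file": "src/net/parse.c", "line": 131,
   "severity": "Critical", "snippet": "len = hdr->length;"},
  {"checker": "BUFFER_OVERRUN", "file": "src/io/buf.c", "line": 42,
   "severity": "Critical", "snippet": "buf[i] = src[i];"},
  {"checker": "UNINIT_VAR", "file": "src/io/buf.c", "line": 77,
   "severity": "Critical", "snippet": "return  total;"},
  {"checker": "STYLE", "file": "src/io/buf.c", "line": 9,
   "severity": "Review", "snippet": "int x;"}
]"""

# Severities that block the build when they appear as *new* findings.
GATE_SEVERITIES = {"Critical", "Error"}


def fingerprint(finding):
    """Stable identity for a finding that survives line-number drift.

    Whitespace in the flagged line is normalized so reformatting does not
    create a "new" issue; checker and file keep distinct issues apart.
    """
    code = re.sub(r"\s+", " ", finding["snippet"]).strip()
    key = "|".join([finding["checker"], finding["file"], code])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def new_findings(baseline, current):
    """Findings in `current` whose fingerprint is absent from `baseline`."""
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]


def gate(baseline, current, gate_severities=GATE_SEVERITIES):
    """Return the new findings, the blocking subset, and the pass/fail verdict."""
    fresh = new_findings(baseline, current)
    blocking = [f for f in fresh if f["severity"] in gate_severities]
    return {"new": fresh, "blocking": blocking, "passed": not blocking}


def run_gate(baseline_json, current_json):
    """Parse two JSON reports and apply the gate."""
    return gate(json.loads(baseline_json), json.loads(current_json))


def main():
    result = run_gate(BASELINE_JSON, CURRENT_JSON)
    for f in result["new"]:
        flag = "BLOCKING" if f in result["blocking"] else "info"
        print(f"[{flag}] {f['checker']} {f['file']}:{f['line']} "
              f"({f['severity']}): {f['snippet'].strip()}")
    print("build passed" if result["passed"] else "build FAILED")
    # Non-zero exit status is what makes the CI job fail.
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Two consequences of keying on the flagged line are worth knowing before adopting this: editing a line that carries a baseline finding makes that finding count as new (which is usually desirable, since the code was touched and should be re-reviewed), and two identical lines in the same file flagged by the same checker collapse to one fingerprint, so a second occurrence would be hidden by the first. Tools that emit their own stable issue identifiers should be keyed on those instead.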

Conclusion

The ubiquitous nature of software today, coupled with the pressure to rapidly develop market-ready features and products in just weeks, has led to two related phenomena:

• The widespread adoption of Agile software development principles

• The adoption of various tools by Agile teams designed to help streamline and de-risk development projects

SCA may be right for your Agile team, particularly if you are finding your process being impacted by quality issues or security vulnerabilities, non-Agile-friendly processes, and hard-to-maintain code. Implementing source code analysis within your Agile environment does not have to be disruptive. You can start small and analyze only a small project or a portion of a project. Compare the results against a similar project where these tools were not used. You’ll undoubtedly find opportunities to save significant time and money by using SCA in your Agile development process.