It’s a good idea to test each tool on your codebase and gather feedback from your team before making a decision. By carefully evaluating these factors, you can select the best static analysis tool for your project’s requirements and goals.
How to introduce static analysis into your organization
As a first step, I always make an effort to engage in discussions with developers about their workflow. Although developers tend to think mostly about their own laptops, IDEs, and code, everyone on the team must consider the entire process from the initial idea to the final delivery in production. A shared understanding of best practices is essential for successful teamwork.
Starting from the early stages of a project, I would recommend including several important checks:
- Third-party license compatibility checks: License checks can ensure that any packages you intend to use are compatible with your project’s target license, and help prevent compatibility issues when packages you rely on change their license in a new version.
- Different types of security checks: Various security checks, such as package vulnerability checks, can prevent external issues from affecting your code. It’s also important to check your code for vulnerabilities in handling user input to prevent potential intrusions into your system.
- Performance checks: Performance checks can identify code that may not be written in the most efficient manner and could potentially lead to system degradation. It is much easier to make performance improvements early in the development process, before a significant amount of code has been written.
- Internationalization checks: Internationalization checks should be performed if you plan to have a user interface that supports multiple languages. Neglecting internationalization can result in significant refactoring work down the road. Incorporating these checks can help ensure high-quality code and reduce the likelihood of problems arising in production
- Code style checks: Code style and formatting checks help with consistency and simplify maintainability. Modern tools format code automatically and as a result you have everything readable out of the box.
These checks are good for starters, and you can add more checks as you go. I once worked with a team that had a rule against using “//todo” comments in their code unless a particular issue number was mentioned. By using static analysis to check for adherence to this rule, the team ensured that their workflow remained consistent and organized. I was impressed to see this level of attention to detail!
All of these checks not only should be performed on each developer’s machine but also integrated into server-side checks. Quality gates help ensure that all code going into the version control system complies with the rules. If this step is omitted initially, the team will have to deal with technical debt later, and the integration will become harder.
But of course, it’s never too late! There are several techniques for introducing static code analysis into an existing project. One approach is to gradually add checks and address some issues while putting others into technical debt (or baseline, as different tools may refer to this pile of delayed issues with different terms) and restricting the appearance of new issues.
Static analysis futures
One of the biggest trends in the static analysis space is the integration of machine learning algorithms. These algorithms can learn from large datasets of code and identify patterns and anomalies that are difficult to detect using traditional techniques, resulting in improved accuracy and fewer false positives.
Machine learning also enables smarter prioritization and configuration by being trained to understand an organization’s specific coding standards and practices. In addition, some tools that use machine learning can provide remediation suggestions to help developers quickly fix issues.
Another important area of focus for static analysis is its integration with devops workflows, where it can help catch issues earlier in the development process and reduce time and costs associated with fixing issues later.
You could even think more broadly and check consistency across code, documentation, user interface, and visual artifacts.
And one day, perhaps, we might even have bots that are able to find and fix errors automatically, leaving programmers free to focus exclusively on writing code.
Kateryna Shlyakhovetska is the Qodana product manager at JetBrains. She joined JetBrains in 2006 as a software engineer, then worked as an internal development team lead and front-end development lead. In 2020, she became the group product manager.
—
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.