
Static program analysis

From Wikipedia, the free encyclopedia


Static program analysis is the analysis of computer software that is performed without actually executing programs (analysis performed on executing programs is known as dynamic analysis).[1] In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code. The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding, program comprehension or code review.
Rationale
The sophistication of the analysis performed by tools varies from those that only consider the behavior of individual statements and declarations, to those that include the complete source code of a program in their analysis. The uses of the information obtained from the analysis vary from highlighting possible coding errors (e.g., the lint tool) to formal methods that mathematically prove properties about a given program (e.g., its behavior matches that of its specification).
Software metrics and reverse engineering can be described as forms of static analysis. Deriving software metrics and static analysis are increasingly deployed together, especially in creation of embedded systems, by defining so-called software quality objectives.[2]

A growing commercial use of static analysis is in the verification of properties of software used in safety-critical computer systems and locating potentially vulnerable code.[3] For example, the following industries have identified the use of static code analysis as a means of improving the quality of increasingly sophisticated and complex software:
1. Medical software: The U.S. Food and Drug Administration (FDA) has identified the use of static analysis for medical devices.[4]
2. Nuclear software: In the UK the Health and Safety Executive recommends the use of static analysis on Reactor Protection Systems.[5]
3. Aviation software (in combination with dynamic analysis).[6]

A study in 2012 by VDC Research reports that 28.7% of the embedded software engineers surveyed currently use static analysis tools and 39.7% expect to use them within 2 years.[7]

In the application security industry the name Static Application Security Testing (SAST) is also
used.
Tool types
The OMG (Object Management Group) recently published a study regarding the types of software analysis required for software quality measurement and assessment. This document on "How to Deliver Resilient, Secure, Efficient, and Easily Changed IT Systems in Line with CISQ Recommendations" describes three levels of software analysis.[8]

Unit Level - Analysis that takes place within a specific program or subroutine, without connecting to
the context of that program.
Technology Level - Analysis that takes into account interactions between unit programs to get a
more holistic and semantic view of the overall program in order to find issues and avoid obvious
false positives.
System Level - Analysis that takes into account the interactions between unit programs, but without
being limited to one specific technology or programming language.
A further level of software analysis can be defined.
Mission/Business Level - Analysis that takes into account the business/mission layer terms, rules
and processes that are implemented within the software system for its operation as part of enterprise
or program/mission layer activities. These elements are implemented without being limited to one
specific technology or programming language and in many cases are distributed across multiple
languages but are statically extracted and analyzed for system understanding for mission assurance.

Program inspection
The inspection process was developed by Michael Fagan[1] in the mid-1970s and has since been extended and modified.
The process should have entry criteria that determine if the inspection process is ready to begin.
This prevents unfinished work products from entering the inspection process. The entry criteria might
be a checklist including items such as "The document has been spell-checked".
The stages in the inspections process are: Planning, Overview meeting, Preparation, Inspection
meeting, Rework and Follow-up. The Preparation, Inspection meeting and Rework stages might be
iterated.
Planning: The inspection is planned by the moderator.
Overview meeting: The author describes the background of the work product.
Preparation: Each inspector examines the work product to identify possible defects.
Inspection meeting: During this meeting the reader reads through the work product, part by
part and the inspectors point out the defects for every part.
Rework: The author makes changes to the work product according to the action plans from the
inspection meeting.
Follow-up: The changes by the author are checked to make sure everything is correct.
The process is ended by the moderator when it satisfies some predefined exit criteria. The term
inspection refers to one of the most important elements of the entire process that surrounds the
execution and successful completion of a software engineering project.

Inspection roles
During an inspection the following roles are used.
Author: The person who created the work product being inspected.
Moderator: This is the leader of the inspection. The moderator plans the inspection and
coordinates it.
Reader: The person reading through the documents, one item at a time. The other inspectors
then point out defects.
Recorder/Scribe: The person that documents the defects that are found during the inspection.
Inspector: The person that examines the work product to identify possible defects.

Formal methods (mathematical methods)
Formal methods is the term applied to the analysis of software (and computer hardware) whose results are obtained purely through the use of rigorous mathematical methods. The mathematical techniques used include denotational semantics, axiomatic semantics, operational semantics, and abstract interpretation.
By a straightforward reduction to the halting problem, it is possible to prove that (for any Turing-complete language) finding all possible run-time errors in an arbitrary program (or more generally any kind of violation of a specification on the final result of a program) is undecidable: there is no mechanical method that can always answer truthfully whether an arbitrary program may or may not exhibit runtime errors. This result dates from the works of Church, Gödel and Turing in the 1930s (see: Halting problem and Rice's theorem). As with many undecidable questions, one can still attempt to give useful approximate solutions.
Some of the implementation techniques of formal static analysis include:
Model checking, considers systems that have finite state or may be reduced to finite state by abstraction;
Data-flow analysis, a lattice-based technique for gathering information about the possible set of values;
Abstract interpretation, to model the effect that every statement has on the state of an abstract machine (i.e., it 'executes' the software based on the mathematical properties of each statement and declaration). This abstract machine over-approximates the behaviours of the system: the abstract system is thus made simpler to analyze, at the expense of incompleteness (not every property true of the original system is true of the abstract system). If properly done, though, abstract interpretation is sound (every property true of the abstract system can be mapped to a true property of the original system).[9] The Frama-C value analysis plugin and Polyspace heavily rely on abstract interpretation.
Hoare logic, a formal system with a set of logical rules for reasoning rigorously about the correctness of computer programs. There is tool support for some programming languages (e.g., the SPARK programming language (a subset of Ada) and the Java Modeling Language JML using ESC/Java and ESC/Java2, and the Frama-C WP (weakest precondition) plugin for the C language extended with ACSL (ANSI/ISO C Specification Language)).
Symbolic execution, as used to derive mathematical expressions representing the value of mutated variables at particular points in the code.
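As an added illustration of the abstract interpretation technique described above (not code from the article, nor from Frama-C, Polyspace or any other tool it lists), the following Python sketch runs an interval-domain analysis over a small constructed program: each variable is tracked as an interval that over-approximates its possible values, a branch refines the interval on each side and the two sides are merged again with a join, and every division whose divisor interval contains 0 is reported. The statement forms, the sample program and its variable names are all constructed for the example; it shows one division proven safe, one genuine bug, and one false alarm caused by the join, which is the incompleteness the text mentions.

```python
from typing import Dict, List, Tuple

TOP = (-float("inf"), float("inf"))     # interval meaning "could be anything"
State = Dict[str, tuple]                # abstract state: one interval per variable


def join(a, b):
    # Smallest interval covering both; values between them that neither branch
    # produces are kept too: the over-approximation that causes false alarms.
    return (min(a[0], b[0]), max(a[1], b[1]))


def eval_expr(e, s: State):
    """Interval containing every value of e (int, variable name, or (op, l, r))."""
    if isinstance(e, int):
        return (e, e)
    if isinstance(e, str):
        return s.get(e, TOP)
    op, left, right = e
    (a, b), (c, d) = eval_expr(left, s), eval_expr(right, s)
    if op == "+":
        return (a + c, b + d)
    if op == "-":
        return (a - d, b - c)
    return TOP                          # "/": quotient not tracked, divisor checked below


def check_divisions(e, s: State, target: str) -> List[str]:
    """Report every division in e whose divisor interval contains 0."""
    if not isinstance(e, tuple):
        return []
    op, left, right = e
    found = check_divisions(left, s, target) + check_divisions(right, s, target)
    if op == "/":
        lo, hi = eval_expr(right, s)
        if lo <= 0 <= hi:
            found.append(f"{target}: divisor may be 0 (interval [{lo}, {hi}])")
    return found


def analyze(prog: List[tuple], s: State) -> Tuple[State, List[str]]:
    """Walk the program without executing it; return final state and alarms."""
    s, alarms = dict(s), []
    for stmt in prog:
        if stmt[0] == "input":          # ("input", var, lo, hi): external data
            s[stmt[1]] = (stmt[2], stmt[3])
        elif stmt[0] == "assign":       # ("assign", var, expr)
            alarms += check_divisions(stmt[2], s, stmt[1])
            s[stmt[1]] = eval_expr(stmt[2], s)
        elif stmt[0] == "if_lt":        # ("if_lt", var, c, then_block, else_block)
            var, c, then_b, else_b = stmt[1:]
            lo, hi = s[var]
            outs = []                   # refine var per branch; skip dead branches
            for rng, block in (((lo, min(hi, c - 1)), then_b), ((max(lo, c), hi), else_b)):
                if rng[0] <= rng[1]:
                    out, found = analyze(block, dict(s, **{var: rng}))
                    alarms += found
                    outs.append(out)
            s = outs[0]
            for other in outs[1:]:      # merge branch states variable by variable
                s = {v: join(s.get(v, TOP), other.get(v, TOP)) for v in s.keys() | other.keys()}
    return s, alarms


# Constructed sample program: x arrives from outside, so only its range is known.
PROGRAM = [
    ("input", "x", 0, 10),
    ("assign", "safe", ("/", 100, ("+", "x", 1))),  # divisor [1, 11]: proven safe
    ("assign", "bug", ("/", 100, ("-", "x", 3))),   # divisor [-3, 7]: real bug at x == 3
    ("if_lt", "x", 5, [("assign", "y", ("-", "x", 5))],  # y in [-5, -1] here
                      [("assign", "y", "x")]),           # y in [5, 10] here
    ("assign", "fp", ("/", 100, "y")),              # merged y is [-5, 10]: false alarm
]
```

Running `analyze(PROGRAM, {})` reports the divisions in `bug` and `fp` and stays silent on `safe`; the `fp` alarm is spurious because `y` is never 0 on either path, but the non-relational interval join cannot express the gap.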
Multi-language
Axivion Bauhaus Suite A tool for Ada, C, C++, C#, and Java code that performs various
analyses such as architecture checking, interface analyses, and clone detection.
Black Duck Suite Analyzes the composition of software source code and binary files, searches
for reusable code, manages open source and third-party code approval, honors the legal
obligations associated with mixed-origin code, and monitors related security vulnerabilities.
CAST Application Intelligence Platform Detailed, audience-specific dashboards to measure
quality and productivity. 30+ languages, C, C++, Java, .NET, Oracle, PeopleSoft, SAP, Siebel,
Spring, Struts, Hibernate and all major databases.
Cigital SecureAssist - A lightweight IDE plugin that points out common security vulnerabilities in
real time as the developer is coding. Supports Java, .NET, and PHP.
ConQAT Continuous quality assessment toolkit that allows flexible configuration of quality
analyses (architecture conformance, clone detection, quality metrics, etc.) and dashboards.
Supports Java, C#, C++, JavaScript, ABAP, Ada and many other languages.
Coverity SAVE A static code analysis tool for C, C++, C# and Java source code. Coverity
commercialized a research tool for finding bugs through static analysis, the Stanford Checker,
which used abstract interpretation to identify defects in source code.
DMS Software Reengineering Toolkit Supports custom analysis of C, C++, C#, Java, COBOL,
PHP, VisualBasic and many other languages. Also COTS tools for clone analysis, dead code
analysis, and style checking.
EZSource EZSource is a suite of tools for static code analysis of business applications,
providing capabilities in coding standards, code quality metrics and impact/interdependency
analysis. Environment support is provided for COBOL, PL/1, Assembler, Natural, CA ADS, z/OS
JCL, C, SAP ABAP and Java languages as well as batch schedulers/workload management
such as IBM TWS, CA 7, A-Auto and BMC Control-M.
HP Fortify Static Code Analyzer Helps developers identify software security vulnerabilities in
C/C++, Java, JSP, .NET, ASP.NET, classic ASP, ColdFusion, PHP, Visual Basic 6, VBScript,
JavaScript, PL/SQL, T-SQL, Python, Objective-C and COBOL and configuration files.
GrammaTech CodeSonar Defect detection (buffer overruns, memory leaks, etc.), concurrency
and security checks, architecture visualization and software metrics for C, C++, and Java source
code.
IBM Rational AppScan Source Edition Analyzes source code to identify security vulnerabilities
while integrating security testing with software development processes and systems. Supports
C/C++, .NET, Java, JSP, JavaScript, ColdFusion, Classic ASP, PHP, Perl, VisualBasic 6,
PL/SQL, T-SQL, and COBOL
Imagix 4D Identifies problems in variable use, task interaction and concurrency, especially in
embedded applications, as part of an overall system for understanding, improving and
documenting C, C++ and Java code.
Klocwork Insight Provides security vulnerability, defect detection and build-over-build trend
analysis for C, C++, C# and Java.
LDRA Testbed A software analysis and testing tool suite for C, C++, Ada83, Ada95 and
Assembler (Intel, Freescale, Texas Instruments).
MALPAS A software static analysis toolset for a variety of languages including Ada, C, Pascal
and Assembler (Intel, PowerPC and Motorola). Used primarily for safety critical applications in
Nuclear and Aerospace industries.
Moose Moose started as a software analysis platform with many tools to manipulate, assess or
visualize software. It can evolve to a more generic data analysis platform. Supported languages
are C/C++, Java, Smalltalk, .NET, more may be added.
Parasoft Provides static analysis (pattern-based, flow-based, in-line, metrics) for C, C++,
Java, .NET (C#, VB.NET, etc.), JSP, JavaScript, XML, and other languages. Through a
Development Testing Platform, static code analysis functionality is integrated with unit
testing, peer code review, runtime error detection and traceability.
Copy/Paste Detector (CPD) PMD's duplicate code detection for (e.g.) Java, JSP, C, C++, ColdFusion, PHP and JavaScript[1] code.
Polyspace Uses abstract interpretation to detect and prove the absence of certain run time
errors in source code for C, C++, and Ada
Pretty Diff - A language-specific code comparison tool that features language-specific analysis
reporting in addition to language-specific minification and beautification algorithms.
Protecode Analyzes the composition of software source code and binary files, searches for
open source and third party code and their associated licensing obligations. Can also detect
security vulnerabilities.
.NET Compiler Platform (Codename "Roslyn") - Open-source compiler framework
for C# and Visual Basic .NET developed by Microsoft .NET. Provides an API for analyzing and
manipulating syntax.
Semmle supports Java, C, C++, C#.
SofCheck Inspector Static detection of logic errors, race conditions, and redundant
code for Ada and Java; automatically extracts pre/postconditions from code.
SonarQube A continuous inspection engine to manage the technical debt: unit tests,
complexity, duplication, design, comments, coding standards and potential problems. Supports
languages: ABAP, C, C++, Objective-C, COBOL, C#, Flex, Forms, Groovy, Java, JavaScript,
Natural, PHP, PL/SQL, Visual Basic 6, Web, XML, Python.
Sotoarc/Sotograph Architecture and quality in-depth analysis and monitoring for C, C++, C#,
Java, ABAP.
SQuORE is a multi-purpose and multi-language monitoring tool[2] for software projects.
Veracode Finds security flaws in application binaries and bytecode without requiring source.
Supported languages include C, C++, .NET (C#, C++/CLI, VB.NET, ASP.NET), Java,
JSP, ColdFusion, PHP, Ruby on Rails, and Objective-C, including mobile applications on
the Windows Mobile, BlackBerry, Android, and iOS platforms.
Visual Studio Team System Analyzes C++ and C# source code; only available in the Team Suite and Development editions.
Yasca Yet Another Source Code Analyzer, a plugin-based framework to scan arbitrary file
types, with plugins for C/C++, Java, JavaScript, ASP, PHP, HTML/CSS, ColdFusion, COBOL,
and other file types. It integrates with other scanners, including FindBugs, PMD, and Pixy.
.NET
CodeIt.Right Combines static code analysis and automatic refactoring to best practices which
allows automatic correction of code errors and violations; supports C# and VB.NET.
CodeRush A plugin for Visual Studio which alerts users to violations of best practices.
FxCop Free static analysis for Microsoft .NET programs that compiles to CIL. Standalone and
integrated in some Microsoft Visual Studio editions; by Microsoft.
NDepend Simplifies managing a complex .NET code base by analyzing and visualizing code
dependencies, by defining design rules, by doing impact analysis, and by comparing different
versions of the code. Integrates into Visual Studio.
Parasoft dotTEST A static analysis, unit testing, and code review plugin for Visual Studio;
works with languages for Microsoft .NET Framework and .NET Compact Framework, including
C#, VB.NET, ASP.NET and Managed C++.
StyleCop Analyzes C# source code to enforce a set of style and consistency rules. It can be
run from inside of Microsoft Visual Studio or integrated into an MSBuild project.
Ada
AdaControl A tool to control occurrences of various entities or programming patterns in Ada
code, used for checking coding standards, enforcement of safety related rules, and support for
various manual inspections.
CodePeer An advanced static analysis tool that detects potential run-time logic errors in Ada
programs.
Fluctuat Abstract interpreter for the validation of numerical properties of programs.
LDRA Testbed A software analysis and testing tool suite for Ada83/95.
Polyspace Uses abstract interpretation to detect and prove the absence of certain run time
errors in source code.
SofCheck Inspector (Bought by AdaCore) Static detection of logic errors, race conditions, and
redundant code for Ada; automatically extracts pre/postconditions from code.
C/C++
Astrée finds all potential runtime errors by abstract interpretation, can prove the absence of runtime errors and can prove functional assertions; tailored towards safety-critical C code (e.g. avionics).
BLAST (Berkeley Lazy Abstraction Software verification Tool) An open-source software
model checker for C programs based on lazy abstraction.
Cppcheck Open-source tool that checks for several types of errors, including use of STL.
cpplint An open-source tool that checks for compliance with Google's style guide for C++
coding.
Clang An open-source compiler that includes a static analyzer.
Coccinelle An open-source source code pattern matching and transformation.
ECLAIR A platform for the automatic analysis, verification, testing and transformation of C and
C++ programs.
Eclipse (software) An open-source IDE that includes a static code analyzer (CODAN).
Fluctuat Abstract interpreter for the validation of numerical properties of programs.
Frama-C An open-source static analysis framework for C.
Goanna A software analysis tool for C/C++.
GrammaTech CodeSonar Defect detection (Buffer overruns, memory leaks, ...), concurrency
and security checks, architecture visualization and software metrics for C, C++ and Java source
code.
Klocwork Insight A static analysis tool for C/C++.
Lint The original static code analyzer for C.
LDRA Testbed A software analysis and testing tool suite for C/C++.
Parasoft C/C++test A C/C++ tool that does static analysis, unit testing, code review, and
runtime error detection; plugins available for Visual Studio and Eclipse-based IDEs.
PC-Lint A software analysis tool for C/C++.
Polyspace Uses abstract interpretation to detect and prove the absence of certain run time
errors in source code.
PVS-Studio A software analysis tool for C, C++, C++11, C++/CX (Component Extensions).
PRQA QAC and QAC++ Deep static analysis of C/C++ for quality assurance and
guideline/coding standard enforcement.
SLAM project a project of Microsoft Research for checking that software satisfies critical
behavioral properties of the interfaces it uses.
Sparse An open-source tool designed to find faults in the Linux kernel.
Splint An open-source evolved version of Lint, for C.
Eiffel
Inspector Eiffel Rule-based analysis based on the AST and Control Flow Graph ("CFG") of Eiffel code. Master's thesis.
Java
AgileJ StructureViews Reverse engineered Java class diagrams with an emphasis on filtering.
ObjectWeb ASM allows decomposing, modifying, and recomposing binary Java classes (i.e.
bytecode).
Checkstyle Besides some static code analysis, it can be used to show violations of a
configured coding standard.
FindBugs An open-source static bytecode analyzer for Java (based on Jakarta BCEL) from the
University of Maryland.
GrammaTech CodeSonar Defect detection (Buffer overruns, memory leaks, ...), concurrency
and security checks, architecture visualization and software metrics for C, C++ and Java source
code.
IntelliJ IDEA Cross-platform Java IDE with own set of several hundred code inspections
available for analyzing code on-the-fly in the editor and bulk analysis of the whole project.
Jtest Testing and static code analysis product by Parasoft.
LDRA Testbed A software analysis and testing tool suite for Java.
PMD A static ruleset based Java source code analyzer that identifies potential problems.
SemmleCode Object oriented code queries for static program analysis.
SonarJ Monitors conformance of code to intended architecture, also computes a wide range of
software metrics.
Soot A language manipulation and optimization framework consisting of intermediate
languages for Java.
Squale A platform to manage software quality (also available for other languages, using
commercial analysis tools though).
SonarQube is an open source platform for Continuous Inspection of code quality.
ThreadSafe A static analysis tool for Java focused on finding concurrency bugs.
JavaScript
Closure Compiler JavaScript optimizer that rewrites code to be faster and smaller, and checks
use of native JavaScript functions.
JSLint JavaScript syntax checker and validator.
JSHint A community driven fork of JSLint.
Objective-C
Clang The free Clang project includes a static analyzer. As of version 3.2, this analyzer is included in Xcode.[3]

Opa
Opa includes its own static analyzer. As the language is intended for web application
development, the strongly statically typed compiler checks the validity of high-level types for web
data, and prevents by default many vulnerabilities such as XSS attacks and database code
injections.
Packaging
Lintian Checks Debian software packages for common inconsistencies and errors.
Rpmlint Checks for common problems in rpm packages.
Perl
Perl::Critic A tool to help enforce common Perl best practices. Most best practices are based
on Damian Conway's Perl Best Practices book.
PerlTidy Program that acts as a syntax checker and tester/enforcer for coding practices in Perl.
Padre An IDE for Perl that also provides static code analysis to check for common beginner
errors.
Python
Pylint Static code analyzer.
The Cleanroom software engineering process is a software development process intended to produce software with a certifiable level of reliability. The Cleanroom process was originally developed by Harlan Mills and several of his colleagues including Alan Hevner at IBM.[1] The focus of the Cleanroom process is on defect prevention, rather than defect removal. The name Cleanroom was chosen to evoke the cleanrooms used in the electronics industry to prevent the introduction of defects during the fabrication of semiconductors. The Cleanroom process first saw use in the mid-to-late 1980s. Demonstration projects within the military began in the early 1990s.[2] Recent work on the Cleanroom process has examined fusing Cleanroom with the automated verification capabilities provided by specifications expressed in CSP.[3]

Central principles
The basic principles of the Cleanroom process are
Software development based on formal methods
Cleanroom development makes use of the Box Structure Method to specify and design a
software product. Verification that the design correctly implements the specification is
performed through team review.
Incremental implementation under statistical quality control
Cleanroom development uses an iterative approach, in which the product is developed in
increments that gradually increase the implemented functionality. The quality of each
increment is measured against pre-established standards to verify that the development
process is proceeding acceptably. A failure to meet quality standards results in the cessation
of testing for the current increment, and a return to the design phase.
Statistically sound testing
Software testing in the Cleanroom process is carried out as a statistical experiment. Based
on the formal specification, a representative subset of software input/output trajectories is
selected and tested. This sample is then statistically analyzed to produce an estimate of the
reliability of the software, and a level of confidence in that estimate.
