Static code analysis

•Transferir como PPTX, PDF•

1 gostou•1,187 visualizações

Rushana Bandara

Educação

 What Is Static Code Analysis?
 Why Static Code Analysis Is Useful?
 Seven axes of code quality
 Effects of Fixing Code Quality
 Static coda analysis tools
◦ Sonarqube
◦ Coverity
1/21/2016 2

 Static code analysis is a method of computer
program debugging that is done by examine
in the code without executing the program.
1/21/2016 3

From W. S. Humphrey, "Using a Defined and
Measured Personal Software Process," IEEE
Software, May, 1996
 “Even experienced programmers typically
make a mistake for every seven to ten lines of
code they develop.”
1/21/2016 4

 monitoring and fixing code quality issues is
something that is proven to raise the quality
of your application AND your ability to deliver
that application to stakeholders on time.
1/21/2016 6

What is SonarQube
Code quality
Features
Benefits
Strength of the platform
1/21/2016 9

 Platform to manage code
quality.
 Open source, possible to pay
for support and some plug-
ins.
 Active community support,
plug-ins,books
1/21/2016 10

 Platform Independent
Runs on Windows, Mac OSX, Linux, Solaris.
 Server is fairly light weight.
 Plug-in architecture
Vibrant community extending sonar
functionalities
Plug-ins for nearly every language you can
expect.
Plug-ins providing additional metrics, including
total quality, technical debt and more.
1/21/2016 14

 Total cost of ownership
 Functional coverage
 Continuous inspection
 Actionable reporting
 Interaction
 Strong community
 Languages coverage
 Extensibility
1/21/2016 15

 User runs client to analyze source
 Analyzer sends data on source files to
database
 Web server provides presentation for violation
data, administration for users and analyses,
configuration of plug-ins, features and
functionalities.
1/21/2016 19

 Coverity Static Analysis (CSA) helps
developers find hard-to-spot, yet potentially
crash-causing defects early in the software
development life-cycle, reducing the cost,
time, and risk of software errors
1/21/2016 21

 Concurency Defects
 Performance degradation
 Crash causing errors
 Incorrect program behavior
 Security Vulnarabilities
1/21/2016 22

 API usage errors
 Code maintainability issues
 Concurrent data access violations
 Control flow issues
 Error handling issues
 Incorrect expression
 Integer handling issues
 Memory - corruptions
 Memory - illegal accesses
 Null pointer dereferences
 Program hangs
 Resource leaks
 Security best practices violations
 Uninitialized variables
1/21/2016 25

 Best of Bread Analysis
 Integration With The Developer Workflow
 Defect Management and Impact Management
 Performance and Scale
 Extensible Platform
1/21/2016 27

Supported
Platforms
Supported
Compilers
Supported IDEs Minimum System
Requiremets
• AIX
• FreeBSD
• HP-UX
• Linux
• Mac OS X
• NetBSD
• Solaris
• Windowss
• ARM
• Cosmic C
Cross Compilers
• Freescale Code
Warrior
• GNU GCC,
G++
• Intel C++
• Keil
• QNX
• Renesas
• Sun (Oracle)CC
and cc
• Texas
Instruments
• Visual Studio
• WindRiver
• Xcode GCC
and G++
• Eclipse v3.5,
v3.6, v3.7
• WindRiver
Workbench v3.2,
v3.3
• Visual Studio
versions 2005,
2008, and 2010
• 1 GHz CPU
• 1 GB of RAM
minimum,
2 GB
recommended
• 1 GB of free
hard disk space
1/21/2016 28

 Proven significant operational cost
reduction.
 Metric visibility of code estate onshore and
offshore.
 Proven history of finding crash causing or
unexpected behavior causing defects.
 Process improvement of the Application
Lifecycle Management.
1/21/2016 30

 http://zeroturnaround.com/rebellabs
 http://docs.codehaus.org/display/SONAR/Co
nfiguring+SonarQube+in+Eclipse
1/21/2016 32

Mais conteúdo relacionado

Mais procurados

Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar

WhiteSource

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

WhiteSource

Strengthening cyber resilience with Software Supply Chain Visibility

Sonatype

In recent years, the cyber-attacks have become rampant across computer systems, networks, websites and have been most widely attacking enterprises’ core business web applications, causing shock waves across the IT world.It is critical to follow a cyber-security incident response plan and risk management plan to overcome cyber threats and vulnerabilities. Evidently, CXOs need to leverage web application security testing and penetration testing to overcome the possible attacks on their business applications and systems

7 measures to overcome cyber attacks of web application

TestingXperts

Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges. In this webinar Learn how open source security vulnerabilities are found, how to address any open source security concerns within your organization and understand the difference between securing your open source components and your proprietary code.

The State of Open Source Vulnerabilities - A WhiteSource Webinar

WhiteSource

Hemachandra_s

Hemachandra S

Mentors View: Aligning Your Team and Your Powers for Success

Sonatype

Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...

Sonatype

Hidden Speed Bumps on the Road to "Continuous"

Sonatype

The Problem Tracking System

Sonali Chawla

Application Security in a DevOps World: Three Methods for Shifting Left Operations has always resided clearly outside of development. Release candidates are tossed over the fence by development and operations was expected to “just make it work.” The same can be said about many other activities, including application security. This isn’t intended to be derision aimed at development—it’s just a feature of how processes have historically been demarcated. But with the emergence of the DevOps movement, organizations are beginning to apply the “shift-left” principle associated with early testing toward other facets of application development. Security, which has been treated as something you can test into an application, should be built into an application according to DevOps principles. In this presentation, we discuss how to get development and operations working together to build security into the application. We’ll outline three methods and discuss their merits and drawbacks: • Penetration testing: This is the approach most commonly used. • Hybrid testing: By applying flow (dynamic analysis) early in the process, you can that look for possible paths through the code that lead to security flaws. • Preventative testing: By taking a standards-based approach and implementing a set of activities that target defects that lead to security vulnerabilities, you are able to get ahead of security issues that diminish the effectiveness of DevOps approaches. Norse Live Attack Map http://map.ipviking.com/ 8,000,000 sensors in 200 data centers in 50 countries – designed to look like everything The top 5,000,000 worst IPs on the internet "There are very rarely attacks against Canada, for whatever reason. I guess they're just too nice." See also http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16447&view=map for DDOS live

AppsSec In a DevOps World

Parasoft

Automation of Security scanning easy or cheese?

Dmitriy Gumeniuk

By Karen Florykian at Automation in Action: summer conference. Video: https://youtu.be/4fUwEvnFo_Q TOPIC DESCRIPTION I will share my experience of SDLC enablement on the enterprise level. In the process I will reveal pitfalls and gotchas about the building of a developer-friendly CI-enabled service using industry standard static and dynamic scanning tools, CI platforms, ReportPortal, Carrier platform and Jira integration service.

Automation of Security scanning easy or cheese

Katherine Golovinova

Veracode - Overview

Stephen Durrant

Deploying insecure web applications into production can be risky -- resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily-exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS). This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints. But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Threat Stack

Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance

Sonatype

High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks. Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack. The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running. Let us guide you through your application security testing journey with more key differences between SAST and DAST:

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Cigital

You can build better software faster with Open Source Software (OSS) components, but you must ensure that your organization meets component-licensing terms. Violating the terms of an open source license is copyright or intellectual property infringement and can lead to legal and financial penalties. This white paper explains why certain types of open source licenses create legal risk and describes win-win methods for avoiding risk that give lawyers the confidence they need while giving developers the speed they need.

Lawyers and Licenses in Open Source-based Development: How to Protect Your So...

Sonatype

Veeresha_Lamani_Protractor

veeresh Lamani

Testing Tools and Tips

SoftServe

Mais procurados (20)

Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar

The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...

Strengthening cyber resilience with Software Supply Chain Visibility

7 measures to overcome cyber attacks of web application

The State of Open Source Vulnerabilities - A WhiteSource Webinar

Hemachandra_s

Mentors View: Aligning Your Team and Your Powers for Success

Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...

Hidden Speed Bumps on the Road to "Continuous"

The Problem Tracking System

AppsSec In a DevOps World

Automation of Security scanning easy or cheese?

Automation of Security scanning easy or cheese

Veracode - Overview

8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal

Tools & Techniques for Addressing Component Vulnerabilities for PCI Compliance

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Lawyers and Licenses in Open Source-based Development: How to Protect Your So...

Veeresha_Lamani_Protractor

Testing Tools and Tips

Semelhante a Static code analysis

With growing connectivity between complex automotive software components, development teams are looking for new ways to verify code security and validate against standards. This explains an exciting new approach to software testing that combines the breadth and depth of static analysis with modern test automation to provide rapid feedback to developers on incremental code changes – continuous static code analysis. By connecting deep analysis to continuous integration workflows, testing is pulled forward earlier to eliminate defects and reduce rework costs. Walk away with knowledge of real defects, security vulnerabilities, and automotive standards (such as MISRA and ISO 26262) plus key steps to start immediate deployment of continuous static code analysis for testing. Presented at GENIVI All Member Meeting & Open Community Days.

Rapid software testing and conformance with static code analysis

Rogue Wave Software

Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar

WhiteSource

SonarQube is an open-source tool for ongoing code quality inspection. It analyses static code and generates a complete report with details on defects; code smells, vulnerabilities, and duplications. SonarQube delivers clear remediation recommendations for developers to understand and solve errors and for teams to build better, safer software by covering 27 programming languages and integrating with your existing development workflow.

What is SonarQube in DevOps.docx

DevOps University

This presentation was held by Stephen Lamy, Virtual Forge, at the Basis & SAP Administration 2015 Conference in Las Vegas, March 2015. Stephen Lamy demonstrated specific risks that custom ABAP can introduce into an SAP system, and provided proven advice to minimize ABAP security risks. Key Takeaways: - What vulnerabilities exist in productive SAP systems, and better understand how your SAP systems can be compromised - What are common and dangerous ABAP risks, such as directory traversal and ABAP command injection - Best practices to develop secure and compliant ABAP code, such as implementing internal coding guidelines and standards, protecting your systems from risky third-party code, and choosing the right tools for your process

Is your SAP system vulnerable to cyber attacks?

Virtual Forge

How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps. You’ll learn: -New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments -Best practices for designing and incorporating an automated approach to application security into your existing development environment -Future development and application security challenges organizations will face and what they can do to prepare

Software Security Assurance for DevOps

Black Duck by Synopsys

Part5 - enforcing coding standard and best practices with jas forge v1.0

Jasmine Conseil

When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective. In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions. Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception

Shifting the conversation from active interception to proactive neutralization

Rogue Wave Software

IBM AppScan Source - The SAST solution

hearme limited company

Matteo Meucci Isaca Venice - 2017

Minded Security

Week 01-intro se

Nguyen Tran

Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...

Rana Khalil

This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.

Programming languages and techniques for today’s embedded andIoT world

Rogue Wave Software

Presented at ESC Minneapolis - September 2016. This presentation aims to train and retain by walking through real examples of the top security defects and open source liability issues for embedded systems today. Based on data from the National Vulnerability Database and recent court decisions, attendees will be exposed to lesser known but vital research on security and licensing to better prepare their teams to combat risks.

Gimme shelter: Tips on protecting proprietary and open source code

Rogue Wave Software

mydevops.pptx

ssuserf111e7

Control source code quality using the SonarQube platform

PVS-Studio

Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck. Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things. While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers. Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about: • The evolving DevOps and software security assurance lifecycle in the age of open source • The software security considerations CISOs, security, and development teams must address when using open source • An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

Black Duck by Synopsys

Optimization of test activities in an agile development cycle is key to every organization’s success in the digital transformation age. Accelerating test execution and developer feedback through the enablement of regional test resources is essential to building customized experiences. In this webinar, Amir Rozenberg, Director of Product at Sauce Labs, will discuss how our new German data center will support your organization’s regional test execution while adhering to local data and compliance requirements. Laszlo Simity, Senior Solution Engineer at Sauce Labs, will demonstrate the performance of the Sauce Labs Continuous Testing Cloud.

Accelerate Your Regional Tests with Sauce

Sauce Labs

Automobiles are becoming the ultimate mobile computer. Popular models have as many as 100 Electronic Control Units (ECUs), while high-end models push 200 ECUs. Those processors run hundreds of millions of lines of code written by the OEMs’ teams and external contractors—often for black-box assemblies. Modern cars also have increasingly sophisticated high-bandwidth internal networks and unprecedented external connectivity. Considering that no code is 100% error-free, these factors point to an unprecedented need to manage the risks of failure—including protecting life and property, avoiding costly recalls, and reducing the risk of ruinous lawsuits.

Driving Risks Out of Embedded Automotive Software

Parasoft

U test whitepaper_10

eshwar83

[India Merge World Tour] Coverity

Perforce

Semelhante a Static code analysis (20)

Rapid software testing and conformance with static code analysis

Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar

What is SonarQube in DevOps.docx

Is your SAP system vulnerable to cyber attacks?

Software Security Assurance for DevOps

Part5 - enforcing coding standard and best practices with jas forge v1.0

Shifting the conversation from active interception to proactive neutralization

IBM AppScan Source - The SAST solution

Matteo Meucci Isaca Venice - 2017

Week 01-intro se

Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...

Programming languages and techniques for today’s embedded andIoT world

Gimme shelter: Tips on protecting proprietary and open source code

mydevops.pptx

Control source code quality using the SonarQube platform

Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck

Accelerate Your Regional Tests with Sauce

Driving Risks Out of Embedded Automotive Software

U test whitepaper_10

[India Merge World Tour] Coverity

Último

How to setup Pycharm environment for Odoo 17.pptx

Celine George

Single or Multiple melodic lines structure

dhanjurrannsibayan2

Key note speaker Neum_Admir Softic_ENG.pdf

Admir Softic

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Nguyen Thanh Tu Collection

FSB Advising Checklist - Orientation 2024

Elizabeth Walsh

80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...

Nguyen Thanh Tu Collection

ICT role in 21st century education and it's challenges.

MaryamAhmad92

Graduate Outcomes Presentation Slides - English

neillewis46

This PowerPoint helps students to consider the concept of infinity.

christianmathematics

UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf

Nirmal Dwivedi

The basics of sentences session 3pptx.pptx

heathfieldcps1

Wizards are very useful for creating a good user experience. In all businesses, interactive sessions are most beneficial. To improve the user experience, wizards in Odoo provide an interactive session. For creating wizards, we can use transient models or abstract models. This gives features of a model class except the data storing. Transient and abstract models have permanent database persistence. For them, database tables are made, and the records in such tables are kept until they are specifically erased.

How to Create and Manage Wizard in Odoo 17

Celine George

General Principles of Intellectual Property: Concepts of Intellectual Proper...

Poonam Aher Patil

Food safety_Challenges food safety laboratories_.pdf

Sherif Taha

Klinik_ Apotek Onlin 085657271886 Solusi Menggugurkan Masalah Kehamilan Anda Jual Obat Aborsi Asli KLINIK ABORSI TERPEECAYA _ Jual Obat Aborsi Cytotec Misoprostol Asli 100% Ampuh Hanya 3 Jam Langsung Gugur || OBAT PENGGUGUR KANDUNGAN AMPUH MANJUR OBAT ABORSI OLINE" APOTIK Jual Obat Cytotec, Gastrul, Gynecoside Asli Ampuh. JUAL ” Obat Aborsi Tuntas | Obat Aborsi Manjur | Obat Aborsi Ampuh | Obat Penggugur Janin | Obat Pencegah Kehamilan | Obat Pelancar Haid | Obat terlambat Bulan | Ciri Obat Aborsi Asli | Obat Telat Bulan | Pil Aborsi Asli | Cara Menggugurkan Konten | Cara Aborsi Tuntas | Harga Obat Aborsi Asli | Pil Aborsi | Jual Obat Aborsi Cytotec | Cara Aborsi Sendiri | Cara Aborsi Usia 1 Bulan | Cara Aborsi Usia 2 Tahun | Cara Aborsi Usia 3 Bulan | Obat Aborsi Usia 4 Bulan | Cara Abrasi Usia 5 Bulan | Cara Menggugurkan Konten | Kandungan Obat Penggugur | Cara Menghitung Usia Konten | Cara Mengatasi Terlambat Bulan | Penjual Obat Aborsi Asli | Obat Aborsi Garansi | Kandungan Obat Peluntur | Obat Telat Datang Bulan | Obat Telat Haid | Obat Aborsi Paling Murah | Klinik Jual Obat Aborsi | Jual Pil Cytotec | Apotik Jual Obat Aborsi | Kandungan Dokter Abrasi | Cara Aborsi Cepat | Jual Obat Aborsi Bergaransi | Jual Obat Cytotec Asli | Obat Aborsi Aman Manjur | Obat Misoprostol Cytotec Asli. "APA ITU ABORSI" “Aborsi Adalah dengan membendung hormon yang di perlukan untuk mempertahankan kehamilan yaitu hormon progesteron, karena hormon ini dibendung, maka jalur kehamilan mulai membuka dan leher rahim menjadi melunak,sehingga mengeluarkan darah yang merupakan tanda bahwa obat telah bekerja || maksimal 1 jam obat diminum || PENJELASAN OBAT ABORSI USIA 1 _7 BULAN Pada usia kandungan ini, pasien akan merasakan sakit yang sedikit tidak berlebihan || sekitar 1 jam ||. namun hanya akan terjadi pada saatdarah keluar merupakan pertanda menstruasi. Hal ini dikarenakan pada usiakandungan 3 bulan,janin sudah terbentuk sebesar kepalan tangan orang dewasa. Cara kerja obat aborsi : JUAL OBAT ABORSI AMPUH dosis 3 bulan secara umum sama dengan cara kerja || DOSIS OBAT ABORSI 2 bulan”, hanya berbedanya selain mengisolasijanin juga menghancurkan janin dengan formula methotrexate dikandungdidalamnya. Formula methotrexate ini sangat ampuh untuk menghancurkan janinmenjadi serpihan-serpihan kecil akan sangat berguna pada saat dikeluarkan nanti. APA ALASAN WANITA MELAKUKAN ABORSI? Aborsi di lakukan wanita hamil baik yang sudah menikah maupun belum menikah dengan berbagai alasan , akan tetapi alasan yang utama adalah alasan-alasan non medis (termasuk aborsi sendiri / di sengaja/ buatan] MELAYANI PEMESANAN OBAT ABORSI SETIAP HARI, SIAP KIRIM KESELURUH KOTA BESAR DI INDONESIA DAN LUAR NEGERI. HUBUNGI PEMESANAN LEBIH NYAMAN VIA WA/: 085657271886

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

ZurliaSoop

REMIFENTANIL: An Ultra short acting opioid.pptx

Dr. Ravikiran H M Gowda

Sociology 101 Demonstration of Learning Exhibit

jbellavia9

Google Gemini An AI Revolution in Education.pptx

Dr. Sarita Anand

Spatium Project Simulation student brief

Association for Project Management

Jamworks pilot and AI at Jisc (20/03/2024)

Jisc

Static code analysis

1. 1/21/2016 1

2.  What Is Static Code Analysis?  Why Static Code Analysis Is Useful?  Seven axes of code quality  Effects of Fixing Code Quality  Static coda analysis tools ◦ Sonarqube ◦ Coverity 1/21/2016 2

3.  Static code analysis is a method of computer program debugging that is done by examine in the code without executing the program. 1/21/2016 3

4. From W. S. Humphrey, "Using a Defined and Measured Personal Software Process," IEEE Software, May, 1996  “Even experienced programmers typically make a mistake for every seven to ten lines of code they develop.” 1/21/2016 4

5. 1/21/2016 5

6.  monitoring and fixing code quality issues is something that is proven to raise the quality of your application AND your ability to deliver that application to stakeholders on time. 1/21/2016 6

7. 1/21/2016 7

8. 1/21/2016 8

9. What is SonarQube Code quality Features Benefits Strength of the platform 1/21/2016 9

10.  Platform to manage code quality.  Open source, possible to pay for support and some plug- ins.  Active community support, plug-ins,books 1/21/2016 10

11. 1/21/2016 11

12. 1/21/2016 12

13. 1/21/2016 13

14.  Platform Independent Runs on Windows, Mac OSX, Linux, Solaris.  Server is fairly light weight.  Plug-in architecture Vibrant community extending sonar functionalities Plug-ins for nearly every language you can expect. Plug-ins providing additional metrics, including total quality, technical debt and more. 1/21/2016 14

15.  Total cost of ownership  Functional coverage  Continuous inspection  Actionable reporting  Interaction  Strong community  Languages coverage  Extensibility 1/21/2016 15

16. 1/21/2016 16

17. 1/21/2016 17

18. 1/21/2016 18

19.  User runs client to analyze source  Analyzer sends data on source files to database  Web server provides presentation for violation data, administration for users and analyses, configuration of plug-ins, features and functionalities. 1/21/2016 19

20. 1/21/2016 20

21.  Coverity Static Analysis (CSA) helps developers find hard-to-spot, yet potentially crash-causing defects early in the software development life-cycle, reducing the cost, time, and risk of software errors 1/21/2016 21

22.  Concurency Defects  Performance degradation  Crash causing errors  Incorrect program behavior  Security Vulnarabilities 1/21/2016 22

23. 1/21/2016 23

24. 1/21/2016 24

25.  API usage errors  Code maintainability issues  Concurrent data access violations  Control flow issues  Error handling issues  Incorrect expression  Integer handling issues  Memory - corruptions  Memory - illegal accesses  Null pointer dereferences  Program hangs  Resource leaks  Security best practices violations  Uninitialized variables 1/21/2016 25

26. 1/21/2016 26

27.  Best of Bread Analysis  Integration With The Developer Workflow  Defect Management and Impact Management  Performance and Scale  Extensible Platform 1/21/2016 27

28. Supported Platforms Supported Compilers Supported IDEs Minimum System Requiremets • AIX • FreeBSD • HP-UX • Linux • Mac OS X • NetBSD • Solaris • Windowss • ARM • Cosmic C Cross Compilers • Freescale Code Warrior • GNU GCC, G++ • Intel C++ • Keil • QNX • Renesas • Sun (Oracle)CC and cc • Texas Instruments • Visual Studio • WindRiver • Xcode GCC and G++ • Eclipse v3.5, v3.6, v3.7 • WindRiver Workbench v3.2, v3.3 • Visual Studio versions 2005, 2008, and 2010 • 1 GHz CPU • 1 GB of RAM minimum, 2 GB recommended • 1 GB of free hard disk space 1/21/2016 28

29. 1/21/2016 29

30.  Proven significant operational cost reduction.  Metric visibility of code estate onshore and offshore.  Proven history of finding crash causing or unexpected behavior causing defects.  Process improvement of the Application Lifecycle Management. 1/21/2016 30

31. THANKYOU!! 1/21/2016 31

32.  http://zeroturnaround.com/rebellabs  http://docs.codehaus.org/display/SONAR/Co nfiguring+SonarQube+in+Eclipse 1/21/2016 32

Static code analysis

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Static code analysis

Semelhante a Static code analysis (20)

Último

Último (20)

Static code analysis