In IBM Garage Method, one of the Develop practices is to automate tests for continuous delivery, in part by using static source code analysis tools. SonarQube automates performing static code analysis and enables it to be added to a continuous integration pipeline. The environment’s CI pipeline (Jenkins, Tekton, etc.) includes a SonarQube stage. Simply by building your app using the pipeline, your code gets analyzed, just open the SonarQube UI to browse the findings.
Static code analysis (a.k.a. code analysis) is a method of debugging by performing automated evaluation of code without executing the program. The analysis is structured as a set of coding rules that evaluate the code’s quality. Analysis can be performed on source code or compiled code. The analyzer must support the programming language the code is written in so that it can parse the code like a compiler or simulate its execution.
Static code analysis differs from dynamic analysis, which observes and evaluates a running program. Dynamic analysis requires test inputs and can meansure user functionality as well as runtime qualities like execution time and resource consumption. A code review is static code analysis performed by a human.
Static code analysis can evaluate several different aspects of code quality, such as:
- Bug: Programming error that breaks functionality
- Vulnerability: A point in a program that can be attacked
- Hotspot: Code that uses a security-sensitive API
- Coding standards: Practices that increase the human readability and undestandability of code
- Code smell: Code that is confusing and difficult to maintain
- Technical debt: Estimated time required to fix all maintainability issues
- Code complexity: Code’s control flow and number of paths through the code
- Duplicated code: The same code sequence appearing more than once in the same program
- Testability: How easily tests can be developed and used to show the program meets requirements
- Portability: How easily the program can be reused in different environments
- Reusability: The program’s modularity, loose coupling, and limited interdependencies
Static code analysis collects several metrics that measure code quality:
- Type: Bug, Vunerability, Code Smell
- Blocker: Bug with a high probability to impact the behavior of the application in production
- Critical: Bug with a low probability to impact the behavior of the application in production, or a security vulnerability
- Major: Code smell with high impact to developer productivity
- Minor: Code smell with slight impact to developer productivity
- Info: Neither a bug nor a code smell, just a finding
- Classes: Number of class definitions (concrete, abstract, nested, interfaces, enums, annotations)
- Lines of code: Linespace seperated text that is not whitespace or comments
- Comment lines: Linespace seperated text containing significant commentary or commented-out code
- Test coverage: Code that was executed by a test suite
A Quality gate defines a policy that assesses pass/fail whether or not the number of issues and their severity is acceptable.