6 Hidden Costs of Maintaining an Open Source Code Analyzer Platform


So, you’re ready to get started on building your own multi-language custom source code analyzer platform using open source components. Your return estimates are still looking pretty good, even after taking into account the costs in our previous post, “6 Hidden Costs of Building Your Own Multi-Language Code Analyzer Platform”.

Well, we have a quick list of maintenance costs that you may not have considered. So, before you break ground on that project, check whether you have thought of all of these.

Source Code Analyzers: A Comprehensive Platform

Remember, a “multi-language custom source code analyzer platform” analyzes all the source code underlying your critical custom software applications and projects, and:

  • Delivers consistent and business relevant measurements, trends, and benchmarking
  • Enables staff to identify and address flaws causing instability and excess complexity
  • Provides insights on the trajectory of code quality and complexity
  • Analyzes flaws at both the code and component interaction levels across all technology layers

Anything less would be hard to get your management team on board with, would have very little impact on your code quality, and would deplete your budget with very little return.


Hidden Costs to Maintain an Open Source Code Analyzer

Maintaining and supporting a cohesive open source code analyzer platform is not a trivial responsibility. There are some hidden costs:

  1. Ongoing Maintenance – This new code analysis platform is like any other custom application in your portfolio. It requires maintenance, needs to comply with your system architecture, and needs to evolve with user requirements.
  2. Component Updates – Each new release of an open source code analyzer means you have to research whether upgrading your current component is necessary and, if it is, actually perform the upgrade. You may face multiple new component releases within a very short time frame that is misaligned with your own release schedule.
  3. Version Control – Different components within your application may be written using the same technology, for example, JDK. But they may be written against different versions of it, for example, JDK 5 and JDK 6. When open source code analyzers are updated, they may change the versions of the language they support. This means you may need more than one version of a code analyzer in order to properly manage your application.
  4. Internal User Support – As with any new application, you will need to set up a support organization, documentation, and a mechanism for collecting requirements and bugs. Further, you will have to train your users on how to properly use the code analyzers and consume their output in order to boost your enterprise software quality.
  5. Licensing Legality – Although the initial license had no cost, many companies face legal action due to mismanagement of open source code analyzer components. Lawsuits can be a serious drain on resources and money, and can force good talent to leave your organization (taking their knowledge with them).
  6. Lack of Analyzer Support – Naturally, open source analyzers (or any open source components) tend to come with very little support. Large software systems can require up to 50 analyzers. Some system integrators and consulting agencies may offer support. Most companies are caught off guard when they discover that each analyzer can carry its own support expenses.

An off-the-shelf solution can mitigate many of the hidden costs above. A support organization and a dedicated product development team are just some of the benefits a software vendor can offer.

This is the second in a series of two blog posts. In the previous post, we examined the hidden costs of building your own software quality analysis platform based on open source components.
