As the product manager for CAST Highlight, it’s refreshing to see a shift in discussions about the “quality of cloud solutions” to “cloud quality solutions.” Recently, there has been an increasing number of cloud-based static code quality analysis tools, or should I say services. A few that I’ve been watching include:
- Code Climate consolidates the results from a suite of Ruby static analysis tools into a real-time report, giving teams the information they need to identify hotspots, evaluate new approaches, and improve code quality.
- Codeq imports your Git repositories into a Datomic database, and then performs language-aware code quality analysis. By doing so, Codeq allows you to: track changes at the program unit level (e.g. function and method definitions); query your programs and libraries declaratively, with the same cognitive units and names you use while programming; and query across repos.
- HP Fortify on Demand is a Security as a Service (SECaaS) testing solution that allows any organization to test the security of software quickly, accurately, affordably, and without any software to install or manage.
A couple of things jump out as I watch this market evolve.
- Two types of providers: There are code quality solutions that are bolted onto GitHub and other cloud development environments with the goal of inline code quality support during development. Some providers are leveraging cloud platforms to extend the reach and to increase the adoption of code quality solutions through easy deployment and reduced cost.
- Specialists: Some providers focus on a single technology, such as Code Climate for Ruby, and some focus on a characteristic of the code, such as quality or security. Static analysis tools that are specific to a language or platform require organizations to use several vendors to cover all their technology platforms, which means that projects with mixed technologies can't have a single view of issues and metrics.
- Source code location: All the solutions must analyze the source code and therefore figure out how to gain access to it. Those solutions that plug into GitHub have brought their analysis to the source code. However, these solutions cannot service developers not using GitHub. Some services require that you upload source code to their server; however, transferring possession of source code always has its own challenges and risks.
These are all personally relevant to me as we’ve tackled each issue over the past two years. I’ve attempted to provide our approach to Code Quality as a Service below.
- Cloud as a distribution channel: We are certainly leveraging the cloud to extend across geographies and reduce the cost of analysis. Many of our clients are global organizations with system integrator partners, captive centers, or dispersed development, and an accessible solution that’s available 24/7 has helped increase adoption of code quality practices while creating visibility across geographies that has sorely been missing.
- Generalist: Unlike some of the upstart services, Highlight has the benefit of a big brother, CAST Application Intelligence Platform (CAST AIP). My team benefits from all the research produced by CAST Research Labs over the years. As such, Highlight analyzes several technologies along several software characteristics.
- Source code: Highlight is designed to support developers and IT management and therefore, it didn't make sense to create a plugin to GitHub and embed Highlight into the development workflow. We also wanted to avoid transfer of source code discussions/issues and focus on the speed of analysis. That’s why we’ve created the Highlight Analyzer that contains all the code quality analyzers and is downloaded from the website. This approach promotes distributed analysis to the application owners while accelerating the process, enabling hundreds of applications to be analyzed in a week.
Regardless of which code quality service suits an organization best, it’s exciting to see a growing focus on improving code quality, removing adoption barriers and making analysis more accessible to development teams. ZeroTurnaround even comments on the growing trend of code quality in its 2012 Developer Productivity Report. This year it has added research into the state of code quality tools in the Java developer space, reporting that “…all these tools are complementary of each other, (and) used by a nearly quarter of our respondents.”
If you’ve used any of the mentioned code quality solutions, I’d be interested in your feedback. I also invite you to try out Highlight and would love to hear what you think.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, customized quality metrics, and liability implications of open source components, all three of which are critical for M&A due diligence.