Why developers disable code analysis? What is the impact and how to avoid?

Dec 10, 2019 by Shibin Michael

Code Analysis is often seen as an overhead by developers.  With the increasing demands from businesses for faster GoToMarket, ensuring software quality is usually not the first thing in the mind of developers.  However, to ensure software quality means to prevent future defects. Why would developers prefer future rework over spending some extra time today to ensure quality? Why do they disable code analysis, especially when the cost of poor software quality is exceptionally high at $2.8 Trillion for U.S alone, as reported by CISQ in 2018?

How Developers disable code analysis rules

Let’s start by understanding - can developers actually disable code analysis tools? If so, how? Below are few instances where developers have deactivated checking by static code analysis tools such as Sonar, PMD and coverity

disable-sonar

disable-pmd
disable-coverity

Why Developers disable code analysis tools

The reason is that developers are just too overwhelmed in producing features, that it leaves them no space or time to train on security and fix the defects that code analysis tools identify. There is also this perception that code analysis tools provide a lot of findings that are irrelevant or false positives– which in fact is true for some tools but not for all of them.

[Suggested reading : False Positive in security – Why We Like to Cry Wolf]


False Positives

False positive is a result that wrongly indicates that there is a defect when in reality there is none.  Developers dread code analysis tools for the numerous false positives they produce. A small application with few thousand lines of code could throw up 1000 coding violations. Out of the 1000, only 100 would be meaningful and worth addressing. The rest would be noise that need to be manually reviewed and ignored.  While developers are mandated to use code analysis tools, they clearly do not have the time to wade through the numerous false positives to filter the meaningful findings.  So, often the easy way to circumvent the problem is to disable code analysis.

What happens when code analysis tools are disabled?

Blindly disabling code analysis tools could impact the quality of the software severely

  • The disable code analysis check stays forever in the source code and it might “hide” new potential issues when modifying the application.
  • The copy/paste practice will copy those tags and prevent the quality checks on the new destination source code
  • This might end up becoming a short-cut for the developers to pass the code quality checks without having to fix the problems

 

What’s the alternative to disabling code analysis - The Solution

contextual-system-analysis 

While selecting a code analysis tool, organization should check for the tool that would result in tangible benefits for the developers. The code analysis solution should not only look at individual pieces of code in silos but also do a contextual system level analysis of code w.r.t the whole application. This kind of structural analysis prevents a lot of false positives and highlights only the most critical violations that need to be addressed.  A tool like CAST that uses structural analysis will only show a few highly critical violations that can be fixed as opposed to showing hundreds of violations that cannot be comprehended.

New call-to-action

Example of how contextual analysis could prevent false positives

example-contextual-analysis-false-positives 

Several code analysis tools check for input validation – to test whether an input provided by a user is sanitized before being used in the application. However, without contextual analysis, false positives can show up when validation does not happen in the  UI layer. Since, contextual analysis understands the entire application structure, it knows for sure before reporting if input validation happens in any of the other application layers.

To know more about contextual analysis and how CAST can help overcome the issue of false positives without disabling code analysis rules, schedule time with our expert.

Filed in: Application Quality Software Analysis Software Measurement Software Quality Benchmarking
Tagged: code analysis code analysis tools Contextual Software Analytics false positive reduction False positives Structural Analysis system level analysis
Cloud Smart: How to Ensure an Efficient and Secure Journey
Cloud Smart: How to Ensure an Efficient and Secure Journey
Recorded Webinar
Software Intelligence at the core of M&A Advisory

Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services. 

Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.

Video Interview
Eliminate vulnerabilities while improving performance
CAST AIP was implemented for a Federal Law Enforcement Agency in the US. CAST AIP helped identify and resolve several critical violations and flaws in the software leading to an immediate saving of ~ $250K in software maintenance.
Case Study
Shibin Michael
Shibin Michael Product Marketing Manager, CAST
Shibin started his career as a developer and has spent close to a decade in the tech industry across a wide range of roles. He is passionate about using Software Intelligence to help IT practitioners.
More Posts from Shibin >>

Write a review Average rating:
()
Newest on top Oldest on top
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()