Why do developers disable code analysis? What is the impact, and how can it be avoided?


Code analysis is often seen as overhead by developers. With businesses demanding an ever faster go-to-market, ensuring software quality is usually not the first thing on developers' minds. Yet ensuring software quality means preventing future defects. Why would developers prefer future rework over spending some extra time today to ensure quality? Why do they disable code analysis, especially when the cost of poor software quality is exceptionally high, at $2.8 trillion for the U.S. alone, as reported by CISQ in 2018?

How developers disable code analysis rules

Let's start by asking whether developers can actually disable code analysis tools and, if so, how. Below are a few instances where developers have deactivated checks by static code analysis tools such as Sonar, PMD and Coverity.

[Screenshots: suppression markers that disable Sonar, PMD and Coverity checks in source code]

Why developers disable code analysis tools

The reason is that developers are so overwhelmed with producing features that they have no space or time to train on security and fix the defects that code analysis tools identify. There is also the perception that code analysis tools produce a lot of findings that are irrelevant or false positives, which is in fact true for some tools but not for all of them.

[Suggested reading: False Positive in security – Why We Like to Cry Wolf]


False Positives

A false positive is a result that wrongly indicates a defect where in reality there is none. Developers dread code analysis tools for the numerous false positives they produce. A small application with a few thousand lines of code could throw up 1000 coding violations. Out of those 1000, only 100 would be meaningful and worth addressing; the rest would be noise that needs to be manually reviewed and ignored. While developers are mandated to use code analysis tools, they clearly do not have the time to wade through the numerous false positives to filter out the meaningful findings. So, often the easy way to circumvent the problem is to disable code analysis.

What happens when code analysis tools are disabled?

Blindly disabling code analysis tools can severely impact the quality of the software:

  • The suppression marker stays in the source code indefinitely and may hide new issues introduced when the application is later modified.
  • Copy/paste carries those markers along with the code, so the quality checks are also silenced in the new destination source code.
  • It can become a shortcut for developers to pass the code quality checks without fixing the underlying problems.
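The Sonar, PMD and Coverity suppressions shown in the section above are plain text in the source, so the two effects described in this list (markers that outlive their reason, and markers that travel with copy/pasted code) can be audited in a repository. The following Python script is an added example, not code from the original post or from CAST. It scans a constructed pair of Java files for the tools' suppression syntax (`// NOSONAR`, `@SuppressWarnings("java:S…")`, `// NOPMD`, `@SuppressWarnings("PMD.…")`, `// coverity[…]`), flags suppressions that carry no justification next to them (the "Justification:" / ticket-reference convention is an assumption of the example), and reports suppression lines that appear verbatim in more than one file. The Sonar rule key `S0000` and the Coverity event tag in the sample are example values, not rules taken from a real project.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a Java class and a second class made by copy/pasting the first into
# another module. The suppression syntax is each tool's real syntax; the Sonar rule key
# S0000 and the Coverity event tag are example values, not rules taken from a real project.
SAMPLE_FILES = {
    "src/orders/OrderRepository.java": '''\
public class OrderRepository {
    // Justification: query text is a constant, reviewed under TICKET-101
    @SuppressWarnings("java:S0000")
    String buildQuery() { return "SELECT 1"; }

    void log(String msg) {
        System.out.println(msg); // NOSONAR
    }

    @SuppressWarnings("PMD.UnusedPrivateField")
    private int unused;
}
''',
    "src/billing/InvoiceRepository.java": '''\
public class InvoiceRepository {
    @SuppressWarnings("java:S0000")
    String buildQuery(String userInput) { return "SELECT " + userInput; }

    void log(String msg) {
        System.out.println(msg); // NOSONAR
    }

    int readAll(Buffer b) {
        // coverity[check_return]
        return b.read();
    }
}
''',
}

# Suppression markers recognised per tool.
MARKERS = {
    "sonar": re.compile(r'//\s*NOSONAR\b|@SuppressWarnings\("(?:squid|java):S\d+"\)'),
    "pmd": re.compile(r'//\s*NOPMD\b|@SuppressWarnings\("PMD(?:\.\w+)?"\)'),
    "coverity": re.compile(r'//\s*coverity\[[^\]]+\]'),
}

# Convention assumed for this example: a suppression is justified only if the same line or
# the line directly above carries a "Justification:" note or a ticket reference like ABC-123.
JUSTIFICATION = re.compile(r'Justification:|\b[A-Z]{2,}-\d+\b')


def find_suppressions(path, text):
    """Return one record per suppression marker found in text."""
    lines = text.splitlines()
    records = []
    for i, line in enumerate(lines):
        for tool, pattern in MARKERS.items():
            match = pattern.search(line)
            if match is None:
                continue
            context = line + "\n" + (lines[i - 1] if i > 0 else "")
            records.append({
                "file": path, "line": i + 1, "tool": tool, "marker": match.group(0),
                "justified": JUSTIFICATION.search(context) is not None,
            })
    return records


def audit(files):
    """Summarise suppressions across a {path: source} mapping."""
    records = []
    for path, text in files.items():
        records.extend(find_suppressions(path, text))
    # The same suppression line appearing verbatim in several files is the copy/paste
    # pattern: the check was silenced in the new location without anyone deciding to.
    locations = defaultdict(set)
    for rec in records:
        line_text = files[rec["file"]].splitlines()[rec["line"] - 1].strip()
        locations[line_text].add(rec["file"])
    duplicated = {text: sorted(paths) for text, paths in locations.items() if len(paths) > 1}
    return {
        "total": len(records),
        "per_tool": dict(Counter(rec["tool"] for rec in records)),
        "unjustified": [rec for rec in records if not rec["justified"]],
        "duplicated": duplicated,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_FILES)
    print(f'{report["total"]} suppressions, {len(report["unjustified"])} without justification')
    for rec in report["unjustified"]:
        print(f'  {rec["file"]}:{rec["line"]} [{rec["tool"]}] {rec["marker"]}')
    for text, paths in report["duplicated"].items():
        print(f'  copy/pasted suppression {text!r} in {", ".join(paths)}')
```

In the sample, the copied `@SuppressWarnings("java:S0000")` arrives in `InvoiceRepository` without its justification while the method it now covers concatenates user input into the query, which is exactly the case the first two bullets warn about: the suppression outlives its reason and silences a check on code nobody reviewed. Running the audit in CI and failing on unjustified or duplicated suppressions keeps the tool enabled while still allowing deliberate, documented exceptions.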

What's the alternative to disabling code analysis? The solution


When selecting a code analysis tool, organizations should look for one that delivers tangible benefits to developers. The solution should not only inspect individual pieces of code in isolation but also perform a contextual, system-level analysis of the code with respect to the whole application. This kind of structural analysis prevents many false positives and highlights only the most critical violations that need to be addressed. A tool like CAST, which uses structural analysis, will show only a few highly critical violations that can be fixed, as opposed to hundreds of violations that cannot be comprehended.


Example of how contextual analysis could prevent false positives


Several code analysis tools check for input validation, that is, whether input provided by a user is sanitized before being used in the application. Without contextual analysis, however, false positives show up whenever the validation does not happen in the UI layer. Because contextual analysis understands the entire application structure, it knows for sure whether input validation happens in any of the other application layers before reporting a finding.
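To make the layer argument concrete, here is an added Python example (not CAST's tooling and not code from the original post) that runs two toy taint analyses over a constructed two-layer application: a per-function analysis that treats every parameter as unvalidated, and a whole-program analysis that follows calls from the controller layer into the persistence layer and carries the validation state with it. The function names `get_param`, `validate` and `execute_query`, and the rules that make them a source, a sanitizer and a sink, are assumptions of the example.

```python
import ast
from collections import defaultdict

# Constructed two-layer application. Taint enters via get_param(), is removed by
# validate(), and execute_query() is the sink. All three names are assumptions of this example.
APP_SOURCE = '''
def handle_request():            # controller (UI) layer: validates before calling down
    raw = get_param("name")
    clean = validate(raw)
    save(clean)

def save(name):                  # persistence layer: uses the value, validates nothing
    execute_query(name)

def debug_endpoint():            # controller layer: forgets to validate
    raw = get_param("q")
    save_unchecked(raw)

def save_unchecked(q):
    execute_query(q)
'''

SOURCES = {"get_param"}
SANITIZERS = {"validate"}
SINKS = {"execute_query"}


def parse_functions(src):
    """Return the module-level functions of src keyed by name."""
    tree = ast.parse(src)
    return {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}


def _callee(call):
    return call.func.id if isinstance(call.func, ast.Name) else None


def analyze_function(fn, param_taint):
    """Walk one function body given the taint of each parameter.

    Returns (findings, calls): findings are (function, sink) pairs where a tainted
    value reaches a sink; calls maps each callee to the taint of the arguments passed.
    """
    tainted = {p.arg for p, t in zip(fn.args.args, param_taint) if t}
    findings, calls = [], defaultdict(list)
    for stmt in fn.body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Call):
            target, callee = stmt.targets[0].id, _callee(stmt.value)
            args_tainted = any(isinstance(a, ast.Name) and a.id in tainted
                               for a in stmt.value.args)
            if callee in SOURCES or (callee not in SANITIZERS and args_tainted):
                tainted.add(target)      # fresh input, or an unknown call fed by tainted data
            else:
                tainted.discard(target)  # validated, or built from clean data only
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            callee = _callee(stmt.value)
            arg_taint = [isinstance(a, ast.Name) and a.id in tainted for a in stmt.value.args]
            if callee in SINKS:
                if any(arg_taint):
                    findings.append((fn.name, callee))
            elif callee not in SOURCES | SANITIZERS:
                calls[callee].append(arg_taint)
    return findings, calls


def local_analysis(functions):
    """Per-function check: every parameter is assumed unvalidated, so a sink fed by a
    parameter is reported even when the caller validated it. Produces false positives."""
    findings = []
    for fn in functions.values():
        found, _ = analyze_function(fn, [True] * len(fn.args.args))
        findings.extend(found)
    return findings


def contextual_analysis(functions):
    """Whole-program check: parameters start clean and only become tainted when some
    caller actually passes tainted data. Iterates to a fixpoint over the call graph."""
    param_state = {name: [False] * len(fn.args.args) for name, fn in functions.items()}
    worklist, findings = list(functions), set()
    while worklist:
        name = worklist.pop()
        found, calls = analyze_function(functions[name], param_state[name])
        findings.update(found)
        for callee, arg_taints in calls.items():
            if callee not in functions:
                continue
            merged = param_state[callee][:]
            for taints in arg_taints:
                for i, t in enumerate(taints[:len(merged)]):
                    merged[i] = merged[i] or t
            if merged != param_state[callee]:
                param_state[callee] = merged   # taint grew: re-analyze the callee
                worklist.append(callee)
    return sorted(findings)


if __name__ == "__main__":
    fns = parse_functions(APP_SOURCE)
    print("per-function findings:", local_analysis(fns))
    print("whole-program findings:", contextual_analysis(fns))
```

The per-function pass reports both `save` and `save_unchecked`, because from inside `save` it cannot see that `handle_request` already validated the value; that report is the false positive the paragraph describes. The whole-program pass reports only `save_unchecked`, reached from `debug_endpoint` with unvalidated input, so the developer gets one finding that is worth fixing instead of two to triage.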

To know more about contextual analysis and how CAST can help overcome the issue of false positives without disabling code analysis rules, schedule time with our expert.

Shibin Michael, Product Marketing Manager, CAST
Shibin started his career as a developer and has spent close to a decade in the tech industry across a wide range of roles. He is passionate about using Software Intelligence to help IT practitioners.