Static Code Analysis is a Best Practice in Software Development

Static Code Analysis provides developers with a powerful tool to ensure software quality, mainly correctness and security. Combined with other measures such as unit tests, compiler checks, dynamic analysis and testing, using Static Code Analysis in the software development life cycle is a commonly accepted and expected best practice.


Advantages of Static Code Analysis

Static Code Analysis is defined by using the source code and not analyzing the running applications. This provides three major advantages: First, Static Code Analysis can assess code that is not complete and would not run. Second, Static Code Analysis can take every possible path and status into account, so even exotic situations that are not covered by dynamic test cases can be evaluated. Thirdly, as it does not need to simulate the real environment, Static Code Analysis comes without reoccurring setup and reset costs. 

Depending on the language, there are several aspects where Static Code Analysis expands what is typically provided by the compiler or runtime environment. In JavaScript for example, as a dynamically typed language, types of variables, as well as type prototypes, can be changed. Static Code Analysis can infer types and changes and warn of mismatches. Static Code Analysis can also model the data flow within an application and warn if potentially malicious external data is used without clearing (this is called Taint Analysis). 

DeepCode's Static Code Analysis


Today’s software projects are seldomly single-language and make use of a landscape of complex, ever-changing libraries and frameworks. While the typical development mishaps and security attack schemes are pretty stable (see OWASP Top 10 or Common Weakness Enumeration CWE), Static Code Analysis need to be fast in adapting to new frameworks. Here, DeepCode with its ability to learn and adapt fast has a clear advantage.

DeepCode’s Static Code Analysis uses AI (both symbolic and sub-symbolic AI) to discover and learn possible issues to look out for. It uses the vast amount of changes in open source projects for this. Due to the fast DeepCode engine, DeepCode can not only scan hundreds of thousands of repositories to learn, but the scan of your code is also near real-time.