Coverity, profile picture
Uploaded byCoverity
2,415 views

Static Analysis Primer

Static analysis is a technique that analyzes source code without executing it to find useful information. It works by using tools to capture how code is compiled and then analyzes every path through the code using checkers to find defects like crashes, memory issues and security vulnerabilities. It is beneficial because it can find problems early in the development process when they are cheaper to fix, and the analysis can be done continuously even when developers are not working. Static analysis fits into the software development lifecycle by integrating with activities like code checking, nightly builds, testing and security audits to surface defects.

Embed presentation

Static Analysis Primer
What It Is “A family of techniques of program analysis where the program is not actually executed but is analyzed by tools to produce useful information. Techniques range from the most mundane (statistics on the density of comments, for instance) to the more complex, semantics-based techniques. Qualities sought in static analysis techniques are soundness and completeness.” 2 Source: Webster’s Dictionary
Why You Should Use It 1. It Saves Time and Money
Static Analysis: Why You Should Use It The later software defects are addressed in the product lifecycle, the more expensive they are to fix. SoftwareDevelopmentStage Post Release Beta Testing Integration and System Testing Code and Unit Testing Requirements and Design 30X 15X 10X 5X 1X Graph data source: The Economic Impacts of Inadequate Infrastructure for Software Testing, National Institute of Standards and Technology (NIST), 2002 Cost to Fix Static analysis finds problems here It can cost 30x more to find and fix defects post-release vs. in the Requirements & Design phase of development.
Why You Should Use It 2. It works while you sleep
Resource Leaks • Memory leaks • Resource leak in object • Incomplete delete • Microsoft COM BSTR memory leak Uninitialized variables • Missing return statement • Uninitialized pointer/scalar/array read/write • Uninitialized data member in class or structure Concurrency Issues • Deadlocks • Race conditions • Blocking call misuse Integer handling issues • Improper use of negative value • Unintended sign extension • Incompatible cast Improper Use of APIs • Insecure chroot • Using invalid iterator • printf() argument mismatch Memory Corruptions • Out-of-bounds access • String length miscalculations • Copying to destination buffers too small • Overflowed pointer write • Negative array index write • Allocation size error Memory-illegal access • Incorrect delete operator • Overflowed pointer read • Out-of-bounds read • Returning pointer to local variable • Negative array index read • Use/read pointer after free Control flow issues • Logically dead code • Missing break in switch • Structurally dead code Error handling issues • Unchecked return value • Uncaught exception • Invalid use of negative variables What It Can Find
Program hangs • Infinite loop • Double lock or missing unlock • Negative loop bound • Thread deadlock • sleep() while holding a lock Null pointer differences • Dereference after a null check • Dereference a null return value • Dereference before a null check Code maintainability issues • Multiple return statements • Unused pointer value Incorrect expressions • Evaluation order violation • Copy and paste error Insecure data handling • Integer overflow • Loop bound by untrusted source • Write/read array/pointer with untrusted value • Format string with untrusted source Performance inefficiencies • Big parameter passed by value • Large stack use Security best practices violations • Possible buffer overflow • Copy into a fixed size buffer • Calling risky function • Use of insecure temporary file • Time of check different than time of use • User pointer dereference What It Can Find
How It Works • Three steps… AnalyzeBuild Present & Manage
• Captures information about how your code is compiled. • Creates a virtual build that wraps around your standard build process and captures how it invokes your compiler(s). • Captures all source files, incl. parameters about how the source is compiled • Macro definitions, meaning of command line options, etc. • Provides a high-fidelity recording of your code and how it’s assembled. How It Works Build
• Analyzes every path through your code via “checkers” which look for actual defects vs. style violations. • Patterns of code execution that cause crashes, memory corruption, memory and handle leaks, etc. • Eliminates false positives. • Industry accepted standard for a “good” false positive rate is less than 20% How It Works Analyze
• Clearly presents results including actionable information, enabling defects to be quickly and efficiently found AND fixed. How It Works Present & Manage
How It Fits Into the SDLC 12 • Security Audits • Product Release Management QA Nightly/Continuous Build • Desktop Analysis • Review defects • Prioritize actions • Make fixes • Track progress Code Check In Static Analysis Results • Functional Testing • Performance Testing • Stress Testing • Integration Testing Development Product Release & Management Static Analysis Results For illustration only…other workflow integrations are possible.
13 Code Build Test Nightly Build Continuous Integration High-Fidelity Code Compilation High- Performance Analysis Low False Positive Rate Detecting Critical Defects Easy Defect Navigation and Comprehension Comprehensive Triage and Remediation Management Visibility and Governance Team Collaboration What To Look For…
Copyright 2013 Coverity, Inc.

More Related Content

PPTX
Manual testing
byShahaniIntikab
 
PDF
Postman Webinar: Postman 101
byNikita Sharma
 
PDF
Security testing presentation
byConfiz
 
PPTX
Managing code quality with SonarQube
byRadu Vunvulea
 
PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPT
Automated Testing with Agile
byKen McCorkell
 
PPTX
Progressive Web App Testing With Cypress.io
byKnoldus Inc.
 
Manual testing
byShahaniIntikab
 
Postman Webinar: Postman 101
byNikita Sharma
 
Security testing presentation
byConfiz
 
Managing code quality with SonarQube
byRadu Vunvulea
 
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Automated Testing with Agile
byKen McCorkell
 
Progressive Web App Testing With Cypress.io
byKnoldus Inc.
 

What's hot

PPTX
Software Testing Basics
byBelal Raslan
 
PPTX
Test case techniques
byPina Parmar
 
PPT
Automated Testing vs Manual Testing
byDirecti Group
 
PPTX
POSTMAN.pptx
byRamaKrishna970827
 
PPTX
Software testing
bymkn3009
 
PDF
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
PPT
Code coverage
byReturn on Intelligence
 
PPTX
Penetration Testing
byRomSoft SRL
 
PPS
Security testing
byTabăra de Testare
 
PDF
Introduction to Security Testing
byvodQA
 
PDF
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
byPostman
 
PPTX
QA Challenge Accepted 4.0 - Cypress vs. Selenium
byLyudmil Latinov
 
PDF
The six key steps to AEM architecture
byAshokkumar T A
 
PPTX
Unit 3 Control Flow Testing
byravikhimani
 
PDF
Postman 101 for Students
byPostman
 
PPTX
RESTful API Testing using Postman, Newman, and Jenkins
byQASymphony
 
DOC
Manual testing interview question by INFOTECH
byPravinsinh
 
PDF
Types of Software Testing | Edureka
byEdureka!
 
PDF
Owasp zap
byColdFusionConference
 
PPTX
Application Threat Modeling
byRochester Security Summit
 
Software Testing Basics
byBelal Raslan
 
Test case techniques
byPina Parmar
 
Automated Testing vs Manual Testing
byDirecti Group
 
POSTMAN.pptx
byRamaKrishna970827
 
Software testing
bymkn3009
 
Penetration testing & Ethical Hacking
byS.E. CTS CERT-GOV-MD
 
Code coverage
byReturn on Intelligence
 
Penetration Testing
byRomSoft SRL
 
Security testing
byTabăra de Testare
 
Introduction to Security Testing
byvodQA
 
POST/CON 2019 Workshop: Testing, Automated Testing, and Reporting APIs with P...
byPostman
 
QA Challenge Accepted 4.0 - Cypress vs. Selenium
byLyudmil Latinov
 
The six key steps to AEM architecture
byAshokkumar T A
 
Unit 3 Control Flow Testing
byravikhimani
 
Postman 101 for Students
byPostman
 
RESTful API Testing using Postman, Newman, and Jenkins
byQASymphony
 
Manual testing interview question by INFOTECH
byPravinsinh
 
Types of Software Testing | Edureka
byEdureka!
 
Owasp zap
byColdFusionConference
 
Application Threat Modeling
byRochester Security Summit
 

Viewers also liked

PPTX
Concurrency Errors in Java
byCoverity
 
PPTX
Finding Defects in C#: Coverity vs. FxCop
byCoverity
 
PDF
Render thead of hwui
byRouyun Pan
 
PPT
Android图形系统简介
byzhucai1234
 
PDF
Soa test methodology
byInfosys
 
PDF
Static Analysis of Your OSS Project with Coverity
bySamsung Open Source Group
 
PDF
Static Analysis of Computer programs
byArvind Devaraj
 
PDF
Static program analysis tools
byKamil Jezek
 
PPTX
The Landbank's Role in Driving Redevelopment, UC DAAP by Chris Recht
byThe Port
 
DOCX
SAP_Business_Object_Professional
byKapil Verma
 
PPT
Core & advanced java classes in mumbai
byVibrant Technologies & Computers
 
PDF
PaaSing a Java EE 6 Application at Geecon 2012
byArun Gupta
 
PDF
Global leader in real-time clearing
byCinnober
 
PPTX
Learn advanced java programming
byTOPS Technologies
 
PPTX
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
byCODE BLUE
 
PPT
Developing With JAAS
byrahmed_sct
 
PPTX
Survey and Analysis of ICS Vulnerabilities (Japanese)
byDigital Bond
 
PPT
03 stacks and_queues_using_arrays
bytameemyousaf
 
PDF
A Short Intorduction to JasperReports
byGuo Albert
 
PDF
The Android graphics path, in depth
byChris Simmonds
 
Concurrency Errors in Java
byCoverity
 
Finding Defects in C#: Coverity vs. FxCop
byCoverity
 
Render thead of hwui
byRouyun Pan
 
Android图形系统简介
byzhucai1234
 
Soa test methodology
byInfosys
 
Static Analysis of Your OSS Project with Coverity
bySamsung Open Source Group
 
Static Analysis of Computer programs
byArvind Devaraj
 
Static program analysis tools
byKamil Jezek
 
The Landbank's Role in Driving Redevelopment, UC DAAP by Chris Recht
byThe Port
 
SAP_Business_Object_Professional
byKapil Verma
 
Core & advanced java classes in mumbai
byVibrant Technologies & Computers
 
PaaSing a Java EE 6 Application at Geecon 2012
byArun Gupta
 
Global leader in real-time clearing
byCinnober
 
Learn advanced java programming
byTOPS Technologies
 
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
byCODE BLUE
 
Developing With JAAS
byrahmed_sct
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
byDigital Bond
 
03 stacks and_queues_using_arrays
bytameemyousaf
 
A Short Intorduction to JasperReports
byGuo Albert
 
The Android graphics path, in depth
byChris Simmonds
 

Similar to Static Analysis Primer

PDF
Secure Programming With Static Analysis
byConSanFrancisco123
 
PDF
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
PPTX
Static analysis as means of improving code quality
byAndrey Karpov
 
PDF
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
byAndrey Karpov
 
PPTX
PVS-Studio and static code analysis technique
byAndrey Karpov
 
PDF
Videos about static code analysis
byPVS-Studio
 
PDF
We continue checking Microsoft projects: analysis of PowerShell
byPVS-Studio
 
PDF
Static analysis is most efficient when being used regularly. We'll tell you w...
byPVS-Studio
 
PDF
Static analysis is most efficient when being used regularly. We'll tell you w...
byAndrey Karpov
 
PDF
Debugging in Software Engineering SE Unit-4 Part-6.pdf
byiron57441
 
PPTX
Static-Analysis-in-Industry.pptx
byShivashankarHR1
 
PDF
Static analysis as part of the development process in Unreal Engine
byPVS-Studio
 
PPTX
Static Code Analysis
byGeneva, Switzerland
 
PPTX
No liftoff, touchdown, or heartbeat shall miss because of a software failure
byRogue Wave Software
 
PPT
5_StaticAnalysisPREfast.pptaaaaaaaaaaaaa
byJooPedroLopes42
 
PPT
debugging (1).ppt
byjerlinS1
 
PPT
An important characteristic of a test suite that is computed by a dynamic ana...
byjeyasrig
 
PDF
Static Analysis: From Getting Started to Integration
byAndrey Karpov
 
PDF
PVS-Studio for Visual C++
byPVS-Studio
 
PDF
PVS-Studio for Visual C++
byAndrey Karpov
 
Secure Programming With Static Analysis
byConSanFrancisco123
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
byDenim Group
 
Static analysis as means of improving code quality
byAndrey Karpov
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
byAndrey Karpov
 
PVS-Studio and static code analysis technique
byAndrey Karpov
 
Videos about static code analysis
byPVS-Studio
 
We continue checking Microsoft projects: analysis of PowerShell
byPVS-Studio
 
Static analysis is most efficient when being used regularly. We'll tell you w...
byPVS-Studio
 
Static analysis is most efficient when being used regularly. We'll tell you w...
byAndrey Karpov
 
Debugging in Software Engineering SE Unit-4 Part-6.pdf
byiron57441
 
Static-Analysis-in-Industry.pptx
byShivashankarHR1
 
Static analysis as part of the development process in Unreal Engine
byPVS-Studio
 
Static Code Analysis
byGeneva, Switzerland
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
byRogue Wave Software
 
5_StaticAnalysisPREfast.pptaaaaaaaaaaaaa
byJooPedroLopes42
 
debugging (1).ppt
byjerlinS1
 
An important characteristic of a test suite that is computed by a dynamic ana...
byjeyasrig
 
Static Analysis: From Getting Started to Integration
byAndrey Karpov
 
PVS-Studio for Visual C++
byPVS-Studio
 
PVS-Studio for Visual C++
byAndrey Karpov
 

More from Coverity

PPTX
Adopting Agile
byCoverity
 
PPTX
DevBeat 2013 - Developer-first Security
byCoverity
 
PPTX
OSS Java Analysis - What You Might Be Missing
byCoverity
 
PDF
The State of Software Quality
byCoverity
 
PDF
The Impact of a Medical Device Recall
byCoverity
 
PPTX
The Psychology of C# Analysis
byCoverity
 
PPTX
Resource Leaks in Java
byCoverity
 
Adopting Agile
byCoverity
 
DevBeat 2013 - Developer-first Security
byCoverity
 
OSS Java Analysis - What You Might Be Missing
byCoverity
 
The State of Software Quality
byCoverity
 
The Impact of a Medical Device Recall
byCoverity
 
The Psychology of C# Analysis
byCoverity
 
Resource Leaks in Java
byCoverity
 

Recently uploaded

PPTX
communication-skills-with-technology tools
byJaleto Sunkemo
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
communication-skills-with-technology tools
byJaleto Sunkemo
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
API-First Architecture in Financial Systems
bycyy111112
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
How to Evaluate a High Performance Database
byScyllaDB
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 

Static Analysis Primer

  • 1.
  • 2.
    What It Is “Afamily of techniques of program analysis where the program is not actually executed but is analyzed by tools to produce useful information. Techniques range from the most mundane (statistics on the density of comments, for instance) to the more complex, semantics-based techniques. Qualities sought in static analysis techniques are soundness and completeness.” 2 Source: Webster’s Dictionary
  • 3.
    Why You ShouldUse It 1. It Saves Time and Money
  • 4.
    Static Analysis: WhyYou Should Use It The later software defects are addressed in the product lifecycle, the more expensive they are to fix. SoftwareDevelopmentStage Post Release Beta Testing Integration and System Testing Code and Unit Testing Requirements and Design 30X 15X 10X 5X 1X Graph data source: The Economic Impacts of Inadequate Infrastructure for Software Testing, National Institute of Standards and Technology (NIST), 2002 Cost to Fix Static analysis finds problems here It can cost 30x more to find and fix defects post-release vs. in the Requirements & Design phase of development.
  • 5.
    Why You ShouldUse It 2. It works while you sleep
  • 6.
    Resource Leaks • Memoryleaks • Resource leak in object • Incomplete delete • Microsoft COM BSTR memory leak Uninitialized variables • Missing return statement • Uninitialized pointer/scalar/array read/write • Uninitialized data member in class or structure Concurrency Issues • Deadlocks • Race conditions • Blocking call misuse Integer handling issues • Improper use of negative value • Unintended sign extension • Incompatible cast Improper Use of APIs • Insecure chroot • Using invalid iterator • printf() argument mismatch Memory Corruptions • Out-of-bounds access • String length miscalculations • Copying to destination buffers too small • Overflowed pointer write • Negative array index write • Allocation size error Memory-illegal access • Incorrect delete operator • Overflowed pointer read • Out-of-bounds read • Returning pointer to local variable • Negative array index read • Use/read pointer after free Control flow issues • Logically dead code • Missing break in switch • Structurally dead code Error handling issues • Unchecked return value • Uncaught exception • Invalid use of negative variables What It Can Find
  • 7.
    Program hangs • Infiniteloop • Double lock or missing unlock • Negative loop bound • Thread deadlock • sleep() while holding a lock Null pointer differences • Dereference after a null check • Dereference a null return value • Dereference before a null check Code maintainability issues • Multiple return statements • Unused pointer value Incorrect expressions • Evaluation order violation • Copy and paste error Insecure data handling • Integer overflow • Loop bound by untrusted source • Write/read array/pointer with untrusted value • Format string with untrusted source Performance inefficiencies • Big parameter passed by value • Large stack use Security best practices violations • Possible buffer overflow • Copy into a fixed size buffer • Calling risky function • Use of insecure temporary file • Time of check different than time of use • User pointer dereference What It Can Find
  • 8.
    How It Works •Three steps… AnalyzeBuild Present & Manage
  • 9.
    • Captures informationabout how your code is compiled. • Creates a virtual build that wraps around your standard build process and captures how it invokes your compiler(s). • Captures all source files, incl. parameters about how the source is compiled • Macro definitions, meaning of command line options, etc. • Provides a high-fidelity recording of your code and how it’s assembled. How It Works Build
  • 10.
    • Analyzes everypath through your code via “checkers” which look for actual defects vs. style violations. • Patterns of code execution that cause crashes, memory corruption, memory and handle leaks, etc. • Eliminates false positives. • Industry accepted standard for a “good” false positive rate is less than 20% How It Works Analyze
  • 11.
    • Clearly presentsresults including actionable information, enabling defects to be quickly and efficiently found AND fixed. How It Works Present & Manage
  • 12.
    How It FitsInto the SDLC 12 • Security Audits • Product Release Management QA Nightly/Continuous Build • Desktop Analysis • Review defects • Prioritize actions • Make fixes • Track progress Code Check In Static Analysis Results • Functional Testing • Performance Testing • Stress Testing • Integration Testing Development Product Release & Management Static Analysis Results For illustration only…other workflow integrations are possible.
  • 13.
    13 Code Build Test Nightly Build Continuous Integration High-Fidelity Code Compilation High- Performance Analysis Low False PositiveRate Detecting Critical Defects Easy Defect Navigation and Comprehension Comprehensive Triage and Remediation Management Visibility and Governance Team Collaboration What To Look For…
  • 14.

Editor's Notes

  • #3 Given the diversity of approaches and goals for static analysis tools, I wanted to better understand how static analysis tools differ.
  • #9 There are three parts:the Build step captures information about how your code is compiled. We create a virtual build that wraps around your standard build process and transparently captures how it invokes your compiler(s). From this we capture all of the source files as well as the parameters describing how the source is compiled, including things like macro definitions and the meaning of command line options. This results in a high fidelity recording of your code and the way it’s assembled.The analysis is where we analyze every path through your code with a battery of tests, organized by what we call “checkers”. These checkers look for actual defects, not just coding style violations. These are patterns of code execution that can cause crashes, memory corruption, memory and handle leaks, and other kinds problems that are hard errors, not just stylistic rules. Throughout our analysis we have taken great care to try to eliminate false positives, which are error reports that are not true defects. Our false positive rate is the lowest in the industry, typically less than 20% out of the box. This is important because developers will not adopt tools that are mostly a waste of their time.Finally it’s important to present the results clearly because it’s not only about finding defects, it’s about fixing them. The results are stored in a database and presented to give actionable information so developers can fix them efficiently.We’ll focus this talk on the Analysis and Presentation. For more about the Build, click on the Build icon, otherwise we will skip this.
  • #10 The analysis is where we analyze every path through your code with a battery of tests, organized by what we call “checkers”. These checkers look for actual defects, not just coding style violations. These are patterns of code execution that can cause crashes, memory corruption, memory and handle leaks, and other kinds problems that are hard errors, not just stylistic rules. Throughout our analysis we have taken great care to try to eliminate false positives, which are error reports that are not true defects. Our false positive rate is the lowest in the industry, typically less than 20% out of the box. This is important because developers will not adopt tools that are mostly a waste of their time.Finally it’s important to present the results clearly because it’s not only about finding defects, it’s about fixing them. The results are stored in a database and presented to give actionable information so developers can fix them efficiently.We’ll focus this talk on the Analysis and Presentation. For more about the Build, click on the Build icon, otherwise we will skip this.