SlideShare a Scribd company logo

685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final

Š
Šumadin Šumić

SWAT is working to maximize the effectiveness of static code analysis for IV&V projects. This includes identifying gaps, evaluating new tools, customizing tools, and leveraging historical data. Proper preparation is important, such as understanding the code, development environment, and target architecture. Choosing the right tools requires considering project characteristics and IV&V analysis needs. Maximizing tool effectiveness also requires properly configuring builds and enabling relevant analysis checks.

Engineering
1 of 31
Download to read offline
SWAT Extending Benefits of Static Code Analysis Tools NASA IV&V Software Assurance Tools (SWAT)
SWAT Outline • Setting Context • Identifying Types of Code Defects • Preparing for Analysis • Maximizing Tool Effectiveness • Selecting Appropriate Tools • Customizing to Support Analysis • Leveraging Historical Analysis Data • Reviewing Ongoing Efforts • Taking Questions 2
SWAT Setting Context 3 • SWAT is now actively participating in the Static Code Analysis Working Group to help facilitate improvements in the use of static code analysis tools within the IV&V Program • SWAT is working with IV&V projects to gather representative source code and creating sample test code when necessary for a library to support evaluation of both current and additional tools • SWAT is responding to requests from projects regarding specific capabilities by verifying current tools with test code and evaluating additional tools for use SWAT is working to maximize the effectiveness of IV&V’s static code analysis capabilities. Identifying gaps in our current static analysis capabilities and evaluating solutions to improve IV&V’s analysis coverage Working to better understand the capabilities of current static code analysis tools Evaluating how current tools are being applied and identifying opportunities to improve the process of using them
SWAT Identifying Types of Code Defects 4 Syntax Run-timeLogic Categories of code defects
SWAT Identifying Types of Code Defects 5 Syntax Caught during compile time, e.g. code is attempting to use an undeclared variable May include style or certain coding standards violations that are caught through basic parsing and “pattern matching”
SWAT Identifying Types of Code Defects 6 Logic May be caught during functional requirements based testing, i.e. does the code do what it was supposed to? High value findings when IV&V is able to identify or confirm logic defects through either manual analysis or use of dynamic analysis resources such as the ITC JSTAR lab Analysts have indicated that, from their experience, digging deeper into understanding the code when reviewing static code analysis results can provide a side benefit of identifying other unrelated logic defects
SWAT Identifying Types of Code Defects 7 Occurs during program execution, e.g. out of bounds array access (“buffer overflow”), division by zero, non-initialized local variables, integer overflows, illegal dereferenced pointer High value findings, as these defects may result in program crash or undefined behavior that could ultimately result in the loss of the mission or impact the accomplishment of a mission objective Run-time Underlying tool technology (e.g. abstract interpretation) and project configuration impacts the effectiveness of identifying certain defects Static code analysis tools can help detect dangerous run-time defects in the code or even prove the absence of certain run-time defects when using formal methods-based approaches
SWAT Preparing for Analysis 8 What code do I expect to get and what does it do? What is the development environment for this build of code, and how will it affect my analysis?What are the characteristics of the target architecture on which this code was written to run?
SWAT Preparing for Analysis 9 What code do I expect to get and what does it do? Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build What are the characteristics of the target architecture on which this code was written to run? Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout
SWAT Preparing for Analysis 10 Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout • Know what to expect when you receive code (or recognize if you didn’t get what was expected!) • Create a team “cheat sheet” of important characteristics of the architecture that could be reflected in the source code. • Determine what prior projects may be relevant to the analysis • Check with ITC JSTAR lab for any available project simulations that could support understanding of the architecture for analysis
SWAT Preparing for Analysis 11 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis What is the development environment for this build of code, and how will it affect my analysis?
SWAT Preparing for Analysis 12 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis • Identify dependencies that may exist in source code • Identify build artifacts and settings to expect, with respect to the build system used by the developer • Leverage previous experience with the same development environment if possible • Identify what static analysis tools the development project is using to prevent overlap where possible
SWAT Preparing for Analysis 13
SWAT Preparing for Analysis 14 Development Environment Characteristics • Developed in Wind River Workbench • Uses the GNU toolchain • Windows desktop environment • Regular source code Linting during builds • Source code with VxWorks dependencies and version information • Makefiles to build the code with the VxWorks GNU make tool • Source code and makefiles with file references that assume case insensitivity • Source code that may be more effectively analyzed with some tool other than FlexeLint (because of the developer-initiated lint during the build process) • Create cheat sheet with processor, memory, and VxWorks characteristics • Evaluate projects with similar mission characteristics to get an idea of what will be delivered
SWAT Maximizing Tool Effectiveness 15 That wasn’t too bad. I guess I’ll… !!!!! Incoming Code! Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools?
SWAT Maximizing Tool Effectiveness 16 Understand the developer’s build process and gather build information Ensure that macros and other information are defined correctly within your build Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools? Preparing for the static code analysis effort adequately and properly configuring the build are necessary for the most complete and accurate analysis results
SWAT Maximizing Tool Effectiveness 17 Build Understand the developer’s build process and gather build information INC ? INC INC Build Logs
SWAT Maximizing Tool Effectiveness 18 Understand the developer’s build process and gather build information • Once missing files have been identified, the analyst should: • Request missing files from the developer (common with third party libraries) as the ideal solution • Use other available library code if necessary • Stub out the missing code if absolutely necessary • Inspect any build logs or other status produced by our tools, looking carefully for warning or error messages such as missing header files, make any necessary adjustments and execute the build again • Inspect developer build artifacts given by the project to get a feel for the build process • Consider utilizing tools to help determine if we have the needed files for analysis, in addition to the build information (e.g., Understand, Eclipse, and SWAT script for creating a Klocwork build specification file)
SWAT Maximizing Tool Effectiveness 19 Ensure that macros and other information are defined correctly within your build so that we are analyzing the correct code Not only does the build tell us WHICH files need to be analyzed, but it also tells HOW those files should be analyzed based on macro definitions passed to the compiler. void Fsw::setupTimer( void ) { bool setupSuccessful; #ifdef TARGETCPU setupSuccessful = false; // Perform setup of interrupt handling routine. // Lines snipped that do the work... // Create a task to handle the interrupt. // More lines snipped... #endif }
SWAT Maximizing Tool Effectiveness 20 Ensure that macros and other information are defined correctly within your build • Make sure that macro definitions and other information relative to the software being analyzed are added to the build information passed to our static code analyzers. Failure to do so may produce invalid or misleading results. Most tools can: • Operate with incomplete information and provide potential issues • Execute the build and produce some output
SWAT Maximizing Tool Effectiveness 21 Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected • Review the specific checks enabled for your build in the static analysis tool to ensure that the checks of interest for the IV&V effort have been selected • Consider also documenting what is NOT being checked for, if applicable • Consider running multiple builds with different sets of checks enabled • Consider enabling MISRA checks for critical flight software, but separate builds may be warranted in this instance due to the potential for a significant number of resulting messages
SWAT Selecting Appropriate Tools 22 Which of the available tools are appropriate for my task?
SWAT Selecting Appropriate Tools 23 Project software characteristics Project development characteristics IV&V team analysis requirements Which of the available tools are appropriate for my task? IV&V Project scope
SWAT Selecting Appropriate Tools 24 Project software characteristics Project development characteristics Ground vs. Flight software Size of code base Source code language Overlapping analysis with project Availability and completeness of project artifacts
SWAT Selecting Appropriate Tools 25 IV&V team analysis requirements Turn-around time Targeted defect types Characteristics of tools available Level of assurance and verification needed Experience of the team with specific tools IV&V Project scope Mission criticality
SWAT Selecting Appropriate Tools 26
SWAT Customizing to Support Analysis 27 Zzzzz Zzzzz Zzzzz!!! SWAT is doing things to help you too!
SWAT Customizing to Support Analysis 28 Additional benefits from static code analysis tools can be realized from customization Understand Perl API Metrics, best practices, other rules or conventions Standards verification Klocwork Abstract Syntax Tree checks such as unnecessary negative value testing for unsigned integers Steep learning curve Polyspace Support ICD verification Simulate normal working conditions of software Data range specification
SWAT Leveraging Historical Analysis Data 29 Historical data can be used to further extend the benefits of static code analysis tools Code level metrics and quality attributes Focus future analysis SWAT is researching prior code defects that have been identified by IV&V to determine what tool or approach was utilized
SWAT Reviewing Ongoing Efforts 30 Static Code Analysis Working Group Documenting lists of checks that can be safely disabled or output ignored per tool given the target domain Documenting lists of required checks that should be enabled per tool given the target domain SWAT New Tool Evaluation Continuing evaluation of tools based on both additional capability (e.g. formal methods-based abstract interpretation) and target language support (e.g. Ada) Current Tool Evaluation Comparing tool setup, use and resulting output for the same source code drop across various tools
SWAT Taking Questions 31 Contact us at: ivv-swat@lists.nasa.gov

Recommended

Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...RootedCON
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis Perforce
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRushana Bandara
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsOrest Ivasiv
 

Recommended

Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisGeneva, Switzerland
 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
 
DevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsDevSecOps: Securing Applications with DevOps
DevSecOps: Securing Applications with DevOpsWouter de Kort
 
Top 10 static code analysis tool
Top 10 static code analysis toolTop 10 static code analysis tool
Top 10 static code analysis toolscmGalaxy Inc
 
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...
Joxean Koret - Interactive Static Analysis Tools for Vulnerability Discovery ...RootedCON
 
How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis How To Improve Quality With Static Code Analysis
How To Improve Quality With Static Code Analysis Perforce
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRushana Bandara
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsOrest Ivasiv
 
Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review ChecklistMahesh Chopker
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzern|u - The Open Security Community
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality ToolsСергей Гоменюк
 
Codingstandards matiar
Codingstandards matiarCodingstandards matiar
Codingstandards matiarMatiar Rahman
 
Sonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisSonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisPrashant Gupta
 
Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Aditya Bhuyan
 
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...The University of Adelaide
 
Finding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopFinding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopCoverity
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applicationssilviad74
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code AnalysisObika Gellineau
 
Using HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsUsing HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsThe University of Adelaide
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoveritySamsung Open Source Group
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...The University of Adelaide
 
Adopting Agile
Adopting AgileAdopting Agile
Adopting AgileCoverity
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat Security Conference
 
Ponchado de cable. luz
Ponchado de cable. luzPonchado de cable. luz
Ponchado de cable. luzluzr131
 
Trabajo de diagnostico financiero
Trabajo de diagnostico financieroTrabajo de diagnostico financiero
Trabajo de diagnostico financierojorgemarioibarra
 

More Related Content

What's hot

Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review ChecklistMahesh Chopker
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityCoverity
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis PrimerCoverity
 
Codingstandards matiar
Codingstandards matiarCodingstandards matiar
Codingstandards matiarMatiar Rahman
 
Sonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisSonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisPrashant Gupta
 
Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Aditya Bhuyan
 
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...The University of Adelaide
 
Finding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopFinding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopCoverity
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applicationssilviad74
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouKevin Fealey
 
Using HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsUsing HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsThe University of Adelaide
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoveritySamsung Open Source Group
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCParasoft_Mitchell
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...The University of Adelaide
 
Adopting Agile
Adopting AgileAdopting Agile
Adopting AgileCoverity
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat Security Conference
 

What's hot (20)

Java Code Review Checklist
Java Code Review ChecklistJava Code Review Checklist
Java Code Review Checklist
 
Static code analysis
Static code analysisStatic code analysis
Static code analysis
 
DevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first SecurityDevBeat 2013 - Developer-first Security
DevBeat 2013 - Developer-first Security
 
Fortify - Source Code Analyzer
Fortify - Source Code AnalyzerFortify - Source Code Analyzer
Fortify - Source Code Analyzer
 
Static Analysis Primer
Static Analysis PrimerStatic Analysis Primer
Static Analysis Primer
 
Java Code Quality Tools
Java Code Quality ToolsJava Code Quality Tools
Java Code Quality Tools
 
Codingstandards matiar
Codingstandards matiarCodingstandards matiar
Codingstandards matiar
 
Sonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysisSonar Tool - JAVA code analysis
Sonar Tool - JAVA code analysis
 
Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)Code-Review-Principles-Process-and-Tools (1)
Code-Review-Principles-Process-and-Tools (1)
 
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
Ph.D. Thesis Defense: Studying Reviewer Selection and Involvement in Modern ...
 
Finding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCopFinding Defects in C#: Coverity vs. FxCop
Finding Defects in C#: Coverity vs. FxCop
 
Code review for secure web applications
Code review for secure web applicationsCode review for secure web applications
Code review for secure web applications
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
Static Code Analysis
Static Code AnalysisStatic Code Analysis
Static Code Analysis
 
Using HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review AnalyticsUsing HPC Resources to Exploit Big Data for Code Review Analytics
Using HPC Resources to Exploit Big Data for Code Review Analytics
 
Static Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with CoverityStatic Analysis of Your OSS Project with Coverity
Static Analysis of Your OSS Project with Coverity
 
Best Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLCBest Practices of Static Code Analysis in the SDLC
Best Practices of Static Code Analysis in the SDLC
 
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...Revisiting Code Ownership and Its Relationship with Software Quality in the S...
Revisiting Code Ownership and Its Relationship with Software Quality in the S...
 
Adopting Agile
Adopting AgileAdopting Agile
Adopting Agile
 
BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...BlueHat v18 || Go build a tool - best practices for building a robust & e...
BlueHat v18 || Go build a tool - best practices for building a robust & e...
 

Viewers also liked

Ponchado de cable. luz
Ponchado de cable. luzPonchado de cable. luz
Ponchado de cable. luzluzr131
 
Trabajo de diagnostico financiero
Trabajo de diagnostico financieroTrabajo de diagnostico financiero
Trabajo de diagnostico financierojorgemarioibarra
 
Best Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking SpacesBest Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking SpacesFrontlineSMS
 
Jonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAidJonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAidJonathan Basden
 
Contaminacion del aire
Contaminacion del aireContaminacion del aire
Contaminacion del airejennyfergl
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopNajima Begum
 
Upute za otključavanje uređaja
Upute za otključavanje uređajaUpute za otključavanje uređaja
Upute za otključavanje uređajaŠumadin Šumić
 
Adm britez giorgio- romero
Adm britez giorgio- romeroAdm britez giorgio- romero
Adm britez giorgio- romeroCarina Britez
 
Arvind skylands
Arvind skylandsArvind skylands
Arvind skylandspropladder
 
Auxiliares del comerciante 2...
Auxiliares del comerciante 2...Auxiliares del comerciante 2...
Auxiliares del comerciante 2...22096505
 
Tributario..
Tributario..Tributario..
Tributario..22096505
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopNajima Begum
 

Viewers also liked (16)

Ponchado de cable. luz
Ponchado de cable. luzPonchado de cable. luz
Ponchado de cable. luz
 
Trabajo de diagnostico financiero
Trabajo de diagnostico financieroTrabajo de diagnostico financiero
Trabajo de diagnostico financiero
 
Best Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking SpacesBest Practices Guide: Messaging for Coworking Spaces
Best Practices Guide: Messaging for Coworking Spaces
 
portfolio_2016
portfolio_2016portfolio_2016
portfolio_2016
 
Jonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAidJonathan Basden Resume Sept 2016 w TelAid
Jonathan Basden Resume Sept 2016 w TelAid
 
Contaminacion del aire
Contaminacion del aireContaminacion del aire
Contaminacion del aire
 
nutrientes
nutrientesnutrientes
nutrientes
 
Slideshow Relaciones Jurídicas
Slideshow Relaciones Jurídicas Slideshow Relaciones Jurídicas
Slideshow Relaciones Jurídicas
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using Hadoop
 
Experiencia innovadora
Experiencia innovadoraExperiencia innovadora
Experiencia innovadora
 
Upute za otključavanje uređaja
Upute za otključavanje uređajaUpute za otključavanje uređaja
Upute za otključavanje uređaja
 
Adm britez giorgio- romero
Adm britez giorgio- romeroAdm britez giorgio- romero
Adm britez giorgio- romero
 
Arvind skylands
Arvind skylandsArvind skylands
Arvind skylands
 
Auxiliares del comerciante 2...
Auxiliares del comerciante 2...Auxiliares del comerciante 2...
Auxiliares del comerciante 2...
 
Tributario..
Tributario..Tributario..
Tributario..
 
Weather Data Analytics Using Hadoop
Weather Data Analytics Using HadoopWeather Data Analytics Using Hadoop
Weather Data Analytics Using Hadoop
 

Similar to 685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final

Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Maven Logix
 
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifijboughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifijakd3143
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsAdaCore
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Perforce
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapFelipe Prado
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolCheckmarx
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile DeveloperBSGAfrica
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...KrishnaVeni451953
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersPVS-Studio
 
Unit Testing in JavaScript
Unit Testing in JavaScriptUnit Testing in JavaScript
Unit Testing in JavaScriptRob Scaduto
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham.NET Conf UY
 
Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer AdaCore
 
Building A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation EngineBuilding A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation EngineDatabricks
 

Similar to 685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final (20)

Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening Capability Building for Cyber Defense: Software Walk through and Screening
Capability Building for Cyber Defense: Software Walk through and Screening
 
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifijboughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
boughtonalexand jdjdjfjjfjfjfjnfjfjjjfkdifij
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis ToolsGNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
GNAT Pro User Day: Latest Advances in AdaCore Static Analysis Tools
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
Visual Studio Profiler
Visual Studio ProfilerVisual Studio Profiler
Visual Studio Profiler
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...Efficient Security Development and Testing Using Dynamic and Static Code Anal...
Efficient Security Development and Testing Using Dynamic and Static Code Anal...
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slapDEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
DEF CON 27 - CHRISTOPHER ROBERTS - firmware slap
 
The App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST ToolThe App Sec How-To: Choosing a SAST Tool
The App Sec How-To: Choosing a SAST Tool
 
Enter the mind of an Agile Developer
Enter the mind of an Agile DeveloperEnter the mind of an Agile Developer
Enter the mind of an Agile Developer
 
Code Inspection
Code InspectionCode Inspection
Code Inspection
 
black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...black-box testing is a type of software testing in which the tester is not co...
black-box testing is a type of software testing in which the tester is not co...
 
Detection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzersDetection of vulnerabilities in programs with the help of code analyzers
Detection of vulnerabilities in programs with the help of code analyzers
 
Sdlc model
Sdlc modelSdlc model
Sdlc model
 
Unit Testing in JavaScript
Unit Testing in JavaScriptUnit Testing in JavaScript
Unit Testing in JavaScript
 
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald BelchamGetting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
Getting Ahead of Delivery Issues with Deep SDLC Analysis by Donald Belcham
 
Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer Tech Days 2015: Static Analysis CodePeer
Tech Days 2015: Static Analysis CodePeer
 
Building A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation EngineBuilding A Product Assortment Recommendation Engine
Building A Product Assortment Recommendation Engine
 

Recently uploaded

CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfAsst.prof M.Gokilavani
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringJuanCarlosMorales19600
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...121011101441
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - GuideGOPINATHS437943
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitterShivangiSharma879191
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxKartikeyaDwivedi3
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024Mark Billinghurst
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx959SahilShah
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction managementMariconPadriquez1
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncssuser2ae721
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913
 

Recently uploaded (20)

CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdfCCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
CCS355 Neural Networks & Deep Learning Unit 1 PDF notes with Question bank .pdf
 
Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineering
 
Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...Instrumentation, measurement and control of bio process parameters ( Temperat...
Instrumentation, measurement and control of bio process parameters ( Temperat...
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - Guide
 
young call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Serviceyoung call girls in Green Park🔝 9953056974 🔝 escort Service
young call girls in Green Park🔝 9953056974 🔝 escort Service
 
8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter8251 universal synchronous asynchronous receiver transmitter
8251 universal synchronous asynchronous receiver transmitter
 
Concrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptxConcrete Mix Design - IS 10262-2019 - .pptx
Concrete Mix Design - IS 10262-2019 - .pptx
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
computer application and construction management
computer application and construction managementcomputer application and construction management
computer application and construction management
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsyncWhy does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
Why does (not) Kafka need fsync: Eliminating tail latency spikes caused by fsync
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
 

685163main 2 4-a-swat_extendingbenefitsofstaticcodeanalysistools_final

  • 1. SWAT Extending Benefits of Static Code Analysis Tools NASA IV&V Software Assurance Tools (SWAT)
  • 2. SWAT Outline • Setting Context • Identifying Types of Code Defects • Preparing for Analysis • Maximizing Tool Effectiveness • Selecting Appropriate Tools • Customizing to Support Analysis • Leveraging Historical Analysis Data • Reviewing Ongoing Efforts • Taking Questions 2
  • 3. SWAT Setting Context 3 • SWAT is now actively participating in the Static Code Analysis Working Group to help facilitate improvements in the use of static code analysis tools within the IV&V Program • SWAT is working with IV&V projects to gather representative source code and creating sample test code when necessary for a library to support evaluation of both current and additional tools • SWAT is responding to requests from projects regarding specific capabilities by verifying current tools with test code and evaluating additional tools for use SWAT is working to maximize the effectiveness of IV&V’s static code analysis capabilities. Identifying gaps in our current static analysis capabilities and evaluating solutions to improve IV&V’s analysis coverage Working to better understand the capabilities of current static code analysis tools Evaluating how current tools are being applied and identifying opportunities to improve the process of using them
  • 4. SWAT Identifying Types of Code Defects 4 Syntax Run-timeLogic Categories of code defects
  • 5. SWAT Identifying Types of Code Defects 5 Syntax Caught during compile time, e.g. code is attempting to use an undeclared variable May include style or certain coding standards violations that are caught through basic parsing and “pattern matching”
  • 6. SWAT Identifying Types of Code Defects 6 Logic May be caught during functional requirements based testing, i.e. does the code do what it was supposed to? High value findings when IV&V is able to identify or confirm logic defects through either manual analysis or use of dynamic analysis resources such as the ITC JSTAR lab Analysts have indicated that, from their experience, digging deeper into understanding the code when reviewing static code analysis results can provide a side benefit of identifying other unrelated logic defects
  • 7. SWAT Identifying Types of Code Defects 7 Occurs during program execution, e.g. out of bounds array access (“buffer overflow”), division by zero, non-initialized local variables, integer overflows, illegal dereferenced pointer High value findings, as these defects may result in program crash or undefined behavior that could ultimately result in the loss of the mission or impact the accomplishment of a mission objective Run-time Underlying tool technology (e.g. abstract interpretation) and project configuration impacts the effectiveness of identifying certain defects Static code analysis tools can help detect dangerous run-time defects in the code or even prove the absence of certain run-time defects when using formal methods-based approaches
  • 8. SWAT Preparing for Analysis 8 What code do I expect to get and what does it do? What is the development environment for this build of code, and how will it affect my analysis?What are the characteristics of the target architecture on which this code was written to run?
  • 9. SWAT Preparing for Analysis 9 What code do I expect to get and what does it do? Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build What are the characteristics of the target architecture on which this code was written to run? Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout
  • 10. SWAT Preparing for Analysis 10 Understanding of requirements implemented in the code Form an expectation of interfaces that should be present in the code build Identify the important characteristics of the architecture that could be reflected in the source code such as CPU, operating system, key addresses, and memory layout • Know what to expect when you receive code (or recognize if you didn’t get what was expected!) • Create a team “cheat sheet” of important characteristics of the architecture that could be reflected in the source code. • Determine what prior projects may be relevant to the analysis • Check with ITC JSTAR lab for any available project simulations that could support understanding of the architecture for analysis
  • 11. SWAT Preparing for Analysis 11 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis What is the development environment for this build of code, and how will it affect my analysis?
  • 12. SWAT Preparing for Analysis 12 Understand the characteristics of the developer’s environment Identify differences between the developer’s environment and your analysis environment Consider most appropriate tools to aid in analysis • Identify dependencies that may exist in source code • Identify build artifacts and settings to expect, with respect to the build system used by the developer • Leverage previous experience with the same development environment if possible • Identify what static analysis tools the development project is using to prevent overlap where possible
  • 14. SWAT Preparing for Analysis 14 Development Environment Characteristics • Developed in Wind River Workbench • Uses the GNU toolchain • Windows desktop environment • Regular source code Linting during builds • Source code with VxWorks dependencies and version information • Makefiles to build the code with the VxWorks GNU make tool • Source code and makefiles with file references that assume case insensitivity • Source code that may be more effectively analyzed with some tool other than FlexeLint (because of the developer-initiated lint during the build process) • Create cheat sheet with processor, memory, and VxWorks characteristics • Evaluate projects with similar mission characteristics to get an idea of what will be delivered
  • 15. SWAT Maximizing Tool Effectiveness 15 That wasn’t too bad. I guess I’ll… !!!!! Incoming Code! Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools?
  • 16. SWAT Maximizing Tool Effectiveness 16 Understand the developer’s build process and gather build information Ensure that macros and other information are defined correctly within your build Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected Now that I have code, what do I need to know to maximize the effectiveness of my static code analysis tools? Preparing for the static code analysis effort adequately and properly configuring the build are necessary for the most complete and accurate analysis results
  • 17. SWAT Maximizing Tool Effectiveness 17 Build Understand the developer’s build process and gather build information INC ? INC INC Build Logs
  • 18. SWAT Maximizing Tool Effectiveness 18 Understand the developer’s build process and gather build information • Once missing files have been identified, the analyst should: • Request missing files from the developer (common with third party libraries) as the ideal solution • Use other available library code if necessary • Stub out the missing code if absolutely necessary • Inspect any build logs or other status produced by our tools, looking carefully for warning or error messages such as missing header files, make any necessary adjustments and execute the build again • Inspect developer build artifacts given by the project to get a feel for the build process • Consider utilizing tools to help determine if we have the needed files for analysis, in addition to the build information (e.g., Understand, Eclipse, and SWAT script for creating a Klocwork build specification file)
  • 19. SWAT Maximizing Tool Effectiveness 19 Ensure that macros and other information are defined correctly within your build so that we are analyzing the correct code Not only does the build tell us WHICH files need to be analyzed, but it also tells HOW those files should be analyzed based on macro definitions passed to the compiler. void Fsw::setupTimer( void ) { bool setupSuccessful; #ifdef TARGETCPU setupSuccessful = false; // Perform setup of interrupt handling routine. // Lines snipped that do the work... // Create a task to handle the interrupt. // More lines snipped... #endif }
  • 20. SWAT Maximizing Tool Effectiveness 20 Ensure that macros and other information are defined correctly within your build • Make sure that macro definitions and other information relative to the software being analyzed are added to the build information passed to our static code analyzers. Failure to do so may produce invalid or misleading results. Most tools can: • Operate with incomplete information and provide potential issues • Execute the build and produce some output
  • 21. SWAT Maximizing Tool Effectiveness 21 Review the checks enabled for your build to ensure that the checks of interest for the IV&V effort have been selected • Review the specific checks enabled for your build in the static analysis tool to ensure that the checks of interest for the IV&V effort have been selected • Consider also documenting what is NOT being checked for, if applicable • Consider running multiple builds with different sets of checks enabled • Consider enabling MISRA checks for critical flight software, but separate builds may be warranted in this instance due to the potential for a significant number of resulting messages
  • 22. SWAT Selecting Appropriate Tools 22 Which of the available tools are appropriate for my task?
  • 23. SWAT Selecting Appropriate Tools 23 Project software characteristics Project development characteristics IV&V team analysis requirements Which of the available tools are appropriate for my task? IV&V Project scope
  • 24. SWAT Selecting Appropriate Tools 24 Project software characteristics Project development characteristics Ground vs. Flight software Size of code base Source code language Overlapping analysis with project Availability and completeness of project artifacts
  • 25. SWAT Selecting Appropriate Tools 25 IV&V team analysis requirements Turn-around time Targeted defect types Characteristics of tools available Level of assurance and verification needed Experience of the team with specific tools IV&V Project scope Mission criticality
  • 27. SWAT Customizing to Support Analysis 27 Zzzzz Zzzzz Zzzzz!!! SWAT is doing things to help you too!
  • 28. SWAT Customizing to Support Analysis 28 Additional benefits from static code analysis tools can be realized from customization Understand Perl API Metrics, best practices, other rules or conventions Standards verification Klocwork Abstract Syntax Tree checks such as unnecessary negative value testing for unsigned integers Steep learning curve Polyspace Support ICD verification Simulate normal working conditions of software Data range specification
  • 29. SWAT Leveraging Historical Analysis Data 29 Historical data can be used to further extend the benefits of static code analysis tools Code level metrics and quality attributes Focus future analysis SWAT is researching prior code defects that have been identified by IV&V to determine what tool or approach was utilized
  • 30. SWAT Reviewing Ongoing Efforts 30 Static Code Analysis Working Group Documenting lists of checks that can be safely disabled or output ignored per tool given the target domain Documenting lists of required checks that should be enabled per tool given the target domain SWAT New Tool Evaluation Continuing evaluation of tools based on both additional capability (e.g. formal methods-based abstract interpretation) and target language support (e.g. Ada) Current Tool Evaluation Comparing tool setup, use and resulting output for the same source code drop across various tools
  • 31. SWAT Taking Questions 31 Contact us at: ivv-swat@lists.nasa.gov