Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2023-static-analysis.pdf

Jeanne Boyarsky
July 20, 2023
56

 2023-static-analysis.pdf

Jeanne Boyarsky

July 20, 2023
Tweet

Transcript

  1. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 1 Improving your Code with Static Analysis Tools

    Jeanne Boyarsky Thursday, July 20th 2023 UberConf speakerdeck.com/boyarsky https://github.com/boyarsky/2023-uberconf- static-analysis
  2. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 5 Brainstorm: what are some things static analysis

    can find? •Functionality defects •Anti patterns •Performance issues •Security problems •Coding standard violations
  3. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 6 Static Analysis SAST (Static Application Security Testing)

    Coding standards, functionality, etc Security modeling, etc Security static analysis
  4. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 9 Created 2001 Java versions 10.X - Java

    11-17 9.X - Java 8 Focus Coding standards Limits One file at a time Languages Java
  5. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 13 Artifact URL Docs https://checkstyle.sourceforge.io/ GitHub https://github.com/checkstyle/checkstyle/ releases/

    Ant Task https://checkstyle.sourceforge.io/ anttask.html Maven Plugin https://maven.apache.org/plugins/maven- checkstyle-plugin Gradle Plugin https://docs.gradle.org/current/userguide/ checkstyle_plugin.html URLs
  6. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 20 Created FindBugs SpotBugs 2006 2016 Java versions

    Any? (old docs say 9 but works with 17) Focus Scanning bytecode Languages Java
  7. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 24 Artifact URL Main page https://spotbugs.github.io/ Docs https://spotbugs.github.io/

    Rules https://spotbugs.readthedocs.io/en/latest/ bugDescriptions.html Ant task https://spotbugs.readthedocs.io/en/ stable/ant.html Maven Plugin https://spotbugs.github.io/spotbugs- maven-plugin/ Gradle Plugin https://plugins.gradle.org/plugin/ com.github.spotbugs URLs
  8. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 25 •Older tool •Support slow - deprecated gradle

    code for three versions •Rules can be finnicky •Report kludgy •Docs varying degrees of dated Caveats
  9. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 29 Custom Rule Demo Or bytecode directly if

    need to Object size = stack.getStackItem(0).getConstant(); Object str = stack.getStackItem(1).getConstant();
  10. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 32 Created 2002 Java versions Up to Java

    20 Focus Coding issues Add ons Copy paste detection Languages Many
  11. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 36 Artifact URL Main page https://pmd.github.io/ Docs https://docs.pmd-code.org/latest/

    Rules https://pmd.github.io/pmd/ pmd_rules_java.html Ant task https://pmd.github.io/pmd/ pmd_userdocs_tools_ant.html Maven Plugin https://maven.apache.org/plugins/maven- pmd-plugin/ Gradle Plugin https://docs.gradle.org/current/userguide/ pmd_plugin.html URLs
  12. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 44 Types •Sonar Lint - IDE •Open source

    web app/ scanner •Commercial web app/ scanner •SaaS - https://sonarcloud.io
  13. twitter.com/jeanneboyarsky mastodon.social/@jeanneboyarsky 47 Artifact URL Main page https://www.sonarsource.com/products/ sonarqube Docs

    https://docs.sonarqube.org/latest/ Rules https://rules.sonarsource.com/java/ Ant task https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- ant/ Maven Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- maven/ Gradle Plugin https://docs.sonarqube.org/9.7/analyzing- source-code/scanners/sonarscanner-for- gradle/ URLs