Slide 1

IMPROVING CODE QUALITY CONTINUOUSLY JOHANNES SCHMITT, SCRUTINIZER-CI.COM

Slide 2

AGENDA
1. Quality
2. Business Benefits
3. Practices
4. Examples/Tooling

Slide 3

QUALITY WHAT IS QUALITY? WHY IS IT INTERESTING? HOW CAN WE ACHIEVE IT?

Slide 4

WHAT IS QUALITY?
- "Quality is universally recognizable; it is related to a comparison of features and characteristics of products."
- "Quality is a precise, measurable variable. Differences in quality reflect differences in the quantity of some product attribute."
- "Quality is fitness for intended use."
- "Quality is conformance to specifications."
- "Quality is meeting or exceeding customer expectations."
- "A product that is free of defects."

Slide 5

WHAT IS CODE QUALITY?
Code quality is what lets a team:
- Deliver new functionality in the fastest sustainable lead time
- Successfully execute large development initiatives
- Innovate and react in time to rapidly changing business environments

Slide 6

BUSINESS BENEFITS WHY IS QUALITY INTERESTING?

Slide 7

BUSINESS BENEFITS (I)
WHY CARE ABOUT CODE QUALITY AT ALL?
I. Fewer defects in software products
- Higher customer satisfaction
- Better return on investment
- Higher confidence for business partners

Slide 8

BUSINESS BENEFITS (II)
WHY CARE ABOUT CODE QUALITY AT ALL?
II. Predictability of software development
- Creates trust between internal business partners
- Pride of ownership
- Motivating

Slide 9

BUSINESS BENEFITS (III)
WHY CARE ABOUT CODE QUALITY AT ALL?
III. Scalability (of team size)
- Easy to add more developers
- Reduces dependency on a single developer

Slide 10

BUSINESS BENEFITS (IV)
WHY CARE ABOUT CODE QUALITY AT ALL?
IV. Velocity and agility
- Higher maintainability
- New functionality is added more quickly
- More time for non-functional requirements such as performance, scalability, security, reliability, etc.

Slide 11

BUSINESS BENEFITS (V)
WHY CARE ABOUT CODE QUALITY AT ALL?
V. Ability to innovate
- A fertile technical environment
- Rapidly prototype, test, and illustrate new ideas

Slide 12

PRACTICES FOR ACHIEVING HIGH CODE QUALITY

Slide 13

PRACTICES (I) FOR ACHIEVING HIGH CODE QUALITY
I. Agile architecture
- Constantly evolve the design and architecture
- Concurrently add new features
Principles: emergent design, intentional architecture, design simplicity, design for testability, prototyping, domain modeling

Slide 14

PRACTICES (II) FOR ACHIEVING HIGH CODE QUALITY
II. Continuous integration/inspection
- Find regressions as soon as possible
- Accountability
- Peer pressure not to break something

Slide 15

PRACTICES (III) FOR ACHIEVING HIGH CODE QUALITY
III. Refactoring
- Key enabler of emergent design
- A necessary and integral part of Agile

Slide 16

PRACTICES (IV) FOR ACHIEVING HIGH CODE QUALITY
IV. Collective ownership
- Everyone can change every line
- No dependency on a single person
Requirements: proven, agreed-upon coding standards, simplicity in design, knowledge sharing

Slide 17

APPLYING PRACTICES & EXAMPLES HOW CAN THESE PRACTICES BE APPLIED? HOW CAN TOOLING HELP ME?

Slide 18

EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
Emergent design
- Initial design based on what you know
- Evolve the design as you learn more
Alternative approaches
- No design
- Fixed time for design (mostly up front)

Slide 19

EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
Maintainable design (just as much design as needed) rests on three things: emergent design, refactoring, and knowledge of design patterns.
Application of design patterns:
- Not "the only solution to a recurring problem"
- Require a thought process
- Provide approaches to solve problems

Slide 20

EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
Code metrics can help decide when to refactor
- Many, many metrics exist
- Focus on the most important ones: complexity, readability, duplication
Alternatives:
- Code that is annoying
- Scratch method

Slide 21

EMERGENT DESIGN EXAMPLE I
Example:
- Controller that launches AWS instances
- Form to define instance properties

Slide 22

EMERGENT DESIGN EXAMPLE I

Slide 23

EMERGENT DESIGN EXAMPLE I
1. We extract the logic for determining the AWS region
2. We commit the code

Slide 24

EMERGENT DESIGN EXAMPLE I
Scrutinizer automatically analyzes your code and displays any changes.

Slide 25

EMERGENT DESIGN EXAMPLE I

Slide 26

EMERGENT DESIGN EXAMPLE I
We extract the logic for generating the list of images

Slide 27

EMERGENT DESIGN EXAMPLE I
We already extracted:
1. Code for determining the AWS region
2. Code for generating image choices
Let's extract the form generation code, too.

Slide 28

EMERGENT DESIGN EXAMPLE I
We already extracted:
1. Code for determining the AWS region
2. Code for generating image choices
3. Code for building the form
Next: extract the code for building up the AWS instance launch data.

Slide 29

EMERGENT DESIGN EXAMPLE I
We extracted:
1. Code for determining the AWS region
2. Code for generating image choices
3. Code for building the form
4. Code for creating the AWS launch data
Simple refactorings made the method intention-revealing and easy to read.

Slide 30

EMERGENT DESIGN EXAMPLE I
Refactoring is also an enabler for non-functional concerns like performance testing: smaller chunks of code make it easier to find the bottleneck.

Slide 31

EMERGENT DESIGN EXAMPLE I

Slide 32

EMERGENT DESIGN EXAMPLE II
Initial situation:
- We have a collection class InstanceList
- The instance list has a single filter method
Next: we want to add another filter method

Slide 33

EMERGENT DESIGN EXAMPLE II
Initial situation:
- We have a collection class InstanceList
- The instance list has a single filter method
What we did:
1. Added getRecentlyStartedInstances()

Slide 34

EMERGENT DESIGN EXAMPLE II

Slide 35

EMERGENT DESIGN EXAMPLE II
Different types of duplication:
- Literal duplication (copy/paste)
- Duplication in structure
- Intentional/unintentional

Slide 36

EMERGENT DESIGN EXAMPLE II
Introducing a generic match method
- Removes the duplication
- Updates to the filtering only need to be made in a single place

Slide 37

EMERGENT DESIGN EXAMPLE II
Possible next refactoring: extract the different concerns into different classes
- Separation of concerns
- More testable
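Example II is shown on the slides only as screenshots of PHP code. The following Python is an added example, not the talk's or Scrutinizer's code, that walks the same three steps: two filter methods that duplicate each other's loop structure, a generic match method that removes the duplication, and the filter criteria extracted into classes of their own. The `Instance` fields, the `StartedWithin` window and the sample instances are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List


# Constructed data model (the slides' InstanceList holds AWS instances; the
# exact fields are an assumption for this example).
@dataclass(frozen=True)
class Instance:
    instance_id: str
    state: str
    started_at: datetime


Predicate = Callable[[Instance], bool]
WINDOW = timedelta(minutes=10)   # what "recently started" means here (assumed)


class InstanceList:
    def __init__(self, instances: Iterable[Instance]):
        self._instances: List[Instance] = list(instances)

    def ids(self) -> List[str]:
        return [i.instance_id for i in self._instances]

    # Step 1, the duplicated version: the second filter was written by copying
    # the first. Loop, accumulator and return type are identical; only the
    # condition differs (duplication in structure rather than literal copy/paste).
    def get_running_instances_v1(self) -> "InstanceList":
        result = []
        for instance in self._instances:
            if instance.state == "running":
                result.append(instance)
        return InstanceList(result)

    def get_recently_started_instances_v1(self, now: datetime) -> "InstanceList":
        result = []
        for instance in self._instances:
            if instance.state == "running" and now - instance.started_at <= WINDOW:
                result.append(instance)
        return InstanceList(result)

    # Step 2, a generic match method: the iteration lives in one place and each
    # named filter contributes only its condition, so a change to how filtering
    # works is a single-place change.
    def matching(self, predicate: Predicate) -> "InstanceList":
        return InstanceList(i for i in self._instances if predicate(i))

    def get_running_instances(self) -> "InstanceList":
        return self.matching(is_running)

    def get_recently_started_instances(self, now: datetime) -> "InstanceList":
        return self.matching(all_of(is_running, StartedWithin(now, WINDOW)))


# Step 3, separation of concerns: the criteria become objects of their own, so
# each can be unit-tested without building a list and they compose freely.
def is_running(instance: Instance) -> bool:
    return instance.state == "running"


class StartedWithin:
    def __init__(self, now: datetime, window: timedelta):
        self.now, self.window = now, window

    def __call__(self, instance: Instance) -> bool:
        return self.now - instance.started_at <= self.window


def all_of(*predicates: Predicate) -> Predicate:
    return lambda instance: all(p(instance) for p in predicates)


# Constructed sample data: one fresh running instance, one old running
# instance, one fresh stopped instance.
NOW = datetime(2014, 6, 1, 12, 0, 0)
SAMPLE = InstanceList([
    Instance("i-1", "running", NOW - timedelta(minutes=2)),
    Instance("i-2", "running", NOW - timedelta(hours=3)),
    Instance("i-3", "stopped", NOW - timedelta(minutes=1)),
])
```

Both versions return the same results for the sample data; the difference is that after step 2 a change such as making the list lazy touches `matching` only, and after step 3 `StartedWithin` can be tested with a single `Instance`.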

Slide 38

TESTING YOUR CODE
Scrutinizer is a complete solution for code quality management. Testing highlights:
- Rich build environment designed for web applications/private projects
- Automatic SSH access for easy debugging
- Zero/minimal configuration thanks to config inference

Slide 39

COMPILER-LIKE SAFETY
Get compile-time guarantees like those of a statically typed language, and avoid writing tests for basic mistakes. Scrutinizer is like a compiler for PHP:
- Control flow analysis
- Data flow analysis
- Abstract interpretation
- Variable reachability
- Call graph analysis
- Live variable analysis
These are used for checking type safety, finding dead assignments/unused code, security analysis, and more.

Slide 40

UNDEFINED VARIABLE EXAMPLE
Naive approach:
- Gather all variable assignments
- Check whether the variable was assigned anywhere
- Can only catch typos
Scrutinizer's approach:
- Run data flow analysis; each flow point has its own scope
- Check whether the variable is always defined at the flow point where it is used
- More accurate results; does not miss variables that are only defined on some paths

Slide 41

UNDEFINED VARIABLE EXAMPLE
- Data flow analysis also works within expression trees
- Finds bugs where you only tested a single path

Slide 42

ENFORCING A COMMON CODING STYLE
Scrutinizer
- Makes it easy to set up a common coding style guide
- Fixes many coding style issues automatically
- Does not force a specific style on you
- Does not depend on a specific IDE
- Leaves you more time for reviewing other issues during manual review

Slide 43

WEEKLY PROGRESS REPORTS

Slide 44

SECURITY ANALYSIS
OWASP's most critical security issue of 2013 (Top 10, A1): injection attacks
Forms of attack:
- SQL injection
- Path expansion (directory traversal)
- XML entity injection
- Command injection
- Code injection

Slide 45

SECURITY ANALYSIS EXAMPLE 1

Slide 46

SECURITY ANALYSIS EXAMPLE 2

Slide 47

SECURITY ANALYSIS EXAMPLE 2

Slide 48

SECURITY ANALYSIS EXAMPLE 2
The input is expanded into a file system path. Passing an input value of ../../app/config/parameters.yml (in a Symfony 2 project, the file holding the database credentials, mailer credentials and the application secret) could give an attacker access to very sensitive data.

Slide 49

SECURITY ANALYSIS EXAMPLE 2
Scrutinizer performs a security audit of your request data by following it through the entire call graph, not just the function that receives it.
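The example on the slides is PHP in a Symfony project shown as a screenshot. As an added example, not the talk's or Scrutinizer's code, the following Python reproduces the same bug and its fix: `read_unsafe` joins the request value into a path as-is, so `../../app/config/parameters.yml` climbs out of the served directory; `read_safe` resolves the final path and refuses anything that does not stay below the base directory. The directory layout (`web/uploads` as the served directory, `app/config/parameters.yml` two levels up, mirroring a Symfony 2 tree) and the file contents are constructed for this example.

```python
import os
import tempfile

# Constructed layout, assumed for this example:
#   <root>/web/uploads/readme.txt        the only directory the endpoint may serve
#   <root>/app/config/parameters.yml     secrets that must never leave the server


def make_fixture() -> str:
    """Create the layout in a fresh temp directory and return the uploads directory."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "web", "uploads")
    config = os.path.join(root, "app", "config")
    os.makedirs(uploads)
    os.makedirs(config)
    with open(os.path.join(uploads, "readme.txt"), "w") as f:
        f.write("public file\n")
    with open(os.path.join(config, "parameters.yml"), "w") as f:
        f.write("parameters:\n    database_password: s3cret\n")
    return uploads


def read_unsafe(base_dir: str, requested: str) -> str:
    """Vulnerable: the request value is joined into the path unchanged. The `..`
    segments in ../../app/config/parameters.yml walk out of base_dir, and an
    absolute value would replace base_dir entirely (os.path.join semantics)."""
    with open(os.path.join(base_dir, requested)) as f:
        return f.read()


def is_inside(base_dir: str, requested: str) -> bool:
    """Resolve the final path (`..`, absolute paths and symlinks included) and
    require that it still lies below base_dir. Checking the resolved path rather
    than the input string is what makes the check hold for all of those cases."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:          # e.g. different drives on Windows: not inside
        return False


def read_safe(base_dir: str, requested: str) -> str:
    """Hardened: refuse anything that resolves outside base_dir, then read the
    resolved path (not the raw join) so the checked and opened paths are the same."""
    if not is_inside(base_dir, requested):
        raise PermissionError(f"refusing to serve {requested!r}: outside {base_dir!r}")
    with open(os.path.realpath(os.path.join(base_dir, requested))) as f:
        return f.read()
```

Whitelisting characters in the request value is a weaker alternative: it has to anticipate every traversal spelling, whereas the containment check on the resolved path only has to answer one question.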

Slide 50

The end, thank you!