
Improving Code Quality continuously

schmittjoh
October 23, 2014


What is quality, and why should I care about it? What are the business benefits and which practices help me achieve them?


Transcript

  1. AGENDA
     1. Quality
     2. Business Benefits
     3. Practices
     4. Examples/Tooling

  2. WHAT IS QUALITY?
     - „Quality is universally recognizable; it is related to a comparison of features and characteristics of products.“
     - „Quality is a precise measurable variable. Differences in quality reflect differences in quantity of some product attribute.“
     - „Quality is fitness for intended use.“
     - „Quality is conformance to specifications.“
     - „Quality is meeting or exceeding customer expectations.“
     - „A product that is free of defects.“

  3. WHAT IS CODE QUALITY?
     - Deliver new functionality in the fastest sustainable lead time
     - Successfully execute large development initiatives
     - Innovate, react timely to rapidly changing business environments
  4. BUSINESS BENEFITS (I) WHY CARE ABOUT CODE QUALITY, AT ALL?
     I. Lower Defects in Software Products
     - Higher customer satisfaction
     - Better return on investment
     - Higher confidence for business partners

  5. BUSINESS BENEFITS (II) WHY CARE ABOUT CODE QUALITY, AT ALL?
     II. Predictability of Software Development
     - Creates trust between internal business partners
     - Pride of ownership
     - Motivating

  6. BUSINESS BENEFITS (III) WHY CARE ABOUT CODE QUALITY, AT ALL?
     III. Scalability (of team size)
     - Easy to add more developers
     - Reduces dependency on a single developer

  7. BUSINESS BENEFITS (IV) WHY CARE ABOUT CODE QUALITY, AT ALL?
     IV. Velocity and Agility
     - Higher maintainability
     - Adding new functionality more quickly
     - More time for non-functional requirements like performance, scalability, security, reliability, etc.

  8. BUSINESS BENEFITS (V) WHY CARE ABOUT CODE QUALITY, AT ALL?
     V. Ability to innovate
     - Fertile, technical environment
     - Rapidly prototype, test, and illustrate new ideas
  9. PRACTICES (I) FOR ACHIEVING HIGH CODE QUALITY
     I. Agile Architecture
     - Constantly evolve the design and architecture
     - Concurrently add new features
     Principles: Emergent Design, intentional architecture, design simplicity, design for testability, prototyping, domain modeling

  10. PRACTICES (II) FOR ACHIEVING HIGH CODE QUALITY
     II. Continuous Integration/Inspection
     - Find regressions as soon as possible
     - Accountability
     - Peer pressure to not break something

  11. PRACTICES (III) FOR ACHIEVING HIGH CODE QUALITY
     III. Refactoring
     - Key enabler of emergent design
     - Necessary and integral part of Agile

  12. PRACTICES (IV) FOR ACHIEVING HIGH CODE QUALITY
     IV. Collective Ownership
     - Everyone can change every line
     - No dependency on a single person
     Requirements: Proven, agreed-to coding standards, simplicity in design, knowledge sharing
  13. EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
     Emergent Design
     - Initial design based on what you know
     - Evolve design as you learn more
     Alternative Approaches
     - No design
     - Fixed time for design (mostly upfront)

  14. EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
     Maintainable Design (just as much design as needed): Emergent Design, Refactoring, Knowledge of Design Patterns
     Application of design patterns:
     - Not „the only solution to recurring problem“
     - Require a thought process
     - Provide approaches to solve problems

  15. EMERGENT DESIGN (VELOCITY, AGILITY ↑ - DEFECTS ↓)
     Code Metrics
     - can help decide when to refactor
     - Many, many metrics exist
     - Focus on most important: Complexity, Readability, Duplication
     Alternatives:
     - Code that is annoying
     - Scratch method
  16. EMERGENT DESIGN EXAMPLE 1
     Example:
     - Controller that launches AWS instances
     - Form to define instance properties

  17. EMERGENT DESIGN EXAMPLE 1
     1. We extract the logic for determining the AWS region
     2. We commit the code

  18. EMERGENT DESIGN EXAMPLE 1
     We already extracted:
     1. Code for determining the AWS region
     2. Code for generating image choices
     Let's extract the form generation code, too.

  19. EMERGENT DESIGN EXAMPLE 1
     We already extracted:
     1. Code for determining the AWS region
     2. Code for generating image choices
     3. Code for building the form
     Next: Extract the code for building up AWS instance launch data.

  20. EMERGENT DESIGN EXAMPLE 1
     We extracted:
     1. Code for determining the AWS region
     2. Code for generating image choices
     3. Code for building the form
     4. Code for creating AWS launch data
     Simple refactorings made the method intention-revealing and easy to read.

  21. EMERGENT DESIGN EXAMPLE 1
     Refactoring is also an enabler for non-functional concerns like performance testing. Smaller chunks of code make it easier to find the bottleneck.
  22. EMERGENT DESIGN EXAMPLE II
     Initial Situation:
     - We have a collection class InstanceList
     - The instance list has a single filter method
     Next: We want to add another filter method

  23. EMERGENT DESIGN EXAMPLE II
     Initial Situation:
     - We have a collection class InstanceList
     - The instance list has a single filter method
     What we did:
     1. Added getRecentlyStartedInstances()

  24. EMERGENT DESIGN EXAMPLE II
     Different types of duplication:
     - Literal duplication (copy/paste)
     - Duplication in structure
     - Intentional/unintentional

  25. EMERGENT DESIGN EXAMPLE II
     Introducing a generic match method
     - Removes duplication
     - Updates to filtering only need to be done in a single place

  26. EMERGENT DESIGN EXAMPLE II
     Possible next refactoring: Extract different concerns to different classes
     - Separation of concerns
     - More testable
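The Example II refactoring, as an added example that is not code from the slides: an InstanceList whose second filter was written by copying the loop of the first (the duplication in structure from slide 24), and the same class after introducing the generic match method. The Instance fields and the 'running' state are assumptions.

```php
<?php
// Added example (not the slides' code): the InstanceList refactoring from
// Example II. Instance fields and the 'running' state are assumptions.
final class Instance { public function __construct(public string $id, public string $state, public int $launchedAt) {} }

// Before: getRecentlyStartedInstances() was added by copying the existing
// filter, so both methods duplicate the loop and the result handling.
final class InstanceListBefore
{
    public function __construct(private array $instances) {}
    public function getRunningInstances(): array
    {
        $result = [];
        foreach ($this->instances as $i) {
            if ($i->state === 'running') { $result[] = $i; }
        }
        return $result;
    }

    public function getRecentlyStartedInstances(int $now, int $window = 3600): array
    {
        $result = [];
        foreach ($this->instances as $i) {
            if ($i->state === 'running' && $now - $i->launchedAt < $window) { $result[] = $i; }
        }
        return $result;
    }
}

// After: one generic match() owns the loop; each named filter only supplies
// its predicate, so a change to iteration or result handling is made once.
final class InstanceList
{
    public function __construct(private array $instances) {}
    /** @param callable(Instance): bool $predicate */
    public function match(callable $predicate): array
    {
        return array_values(array_filter($this->instances, $predicate));
    }

    public function getRunningInstances(): array
    {
        return $this->match(fn (Instance $i) => $i->state === 'running');
    }

    public function getRecentlyStartedInstances(int $now, int $window = 3600): array
    {
        return $this->match(fn (Instance $i) => $i->state === 'running' && $now - $i->launchedAt < $window);
    }
}
```

A further filter is now a one-line predicate, and the separation-of-concerns step from slide 26 would move the predicates into their own classes without touching match().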
  27. TESTING YOUR CODE
     Scrutinizer is a complete solution for code quality management.
     Testing highlights:
     - Rich build environment designed for web applications/private projects
     - Automatic SSH access for easy debugging
     - Zero/minimal configuration thanks to config inference

  28. COMPILER-LIKE SAFETY
     Get compile-time benefits like a statically typed language, and avoid writing tests for basic tasks.
     Scrutinizer is like a compiler for PHP:
     - Control Flow Analysis
     - Data Flow Analysis
     - Abstract Interpretation
     - Variable Reachability
     - Call Graph Analysis
     - Live Variable Analysis
     Checking type safety, dead assignments/unused code, security analysis, and more.
  29. UNDEFINED VARIABLE EXAMPLE
     Naive approach:
     - Gather all variable assignments
     - Check if the variable was assigned
     → Can only catch typos
     Scrutinizer's approach:
     - Run data flow analysis (a different scope in each flow point)
     - Check if the variable is always defined in the flow point where it's used
     → More accurate results; does not miss sometimes-defined variables

  30. UNDEFINED VARIABLE EXAMPLE
     - Data flow analysis also works within expression trees
     - Finds bugs where you only test a single path
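An added example, not Scrutinizer's implementation: a minimal version of the two approaches slide 29 contrasts, run over a hand-built control-flow graph for a constructed fragment in which $role is assigned on one path only. Block names, statement encoding and variable names are assumptions.

```php
<?php
// Added example (not Scrutinizer's code): a minimal definite-assignment
// analysis over a hand-built control-flow graph, beside the naive check the
// slides contrast it with. The graph models this constructed PHP fragment:
//     if ($user->isAdmin()) { $role = 'admin'; }
//     echo $role;   // defined on one path only
//     echo $rolle;  // typo, never assigned anywhere
// Each block lists [kind, variable] statements and its successor blocks;
// blocks are given in topological order because the fragment has no loops.
$blocks = [
    'entry' => ['stmts' => [],                                  'succ' => ['then', 'join']],
    'then'  => ['stmts' => [['assign', 'role']],                'succ' => ['join']],
    'join'  => ['stmts' => [['use', 'role'], ['use', 'rolle']], 'succ' => []],
];

// Naive approach: one flat set of every name assigned anywhere in the
// function, so a name assigned on some path counts as defined everywhere.
function naiveUndefined(array $blocks): array
{
    $assigned = $findings = [];
    foreach ($blocks as $b) foreach ($b['stmts'] as [$kind, $var]) if ($kind === 'assign') $assigned[$var] = true;
    foreach ($blocks as $id => $b) foreach ($b['stmts'] as [$kind, $var])
        if ($kind === 'use' && !isset($assigned[$var])) $findings[] = "$id: \$$var";
    return $findings;
}

// Data-flow approach: a separate "definitely assigned" set per flow point.
// At a join the predecessors' sets are intersected, so a name assigned on
// only one incoming path is not treated as defined after the join.
function flowUndefined(array $blocks): array
{
    $preds = [];
    foreach ($blocks as $id => $b) foreach ($b['succ'] as $s) $preds[$s][] = $id;
    $out = $findings = [];
    foreach ($blocks as $id => $b) {          // one forward pass suffices for an acyclic CFG
        $defined = null;
        foreach ($preds[$id] ?? [] as $p) {
            $defined = $defined === null ? $out[$p] : array_intersect_key($defined, $out[$p]);
        }
        $defined ??= [];                      // entry block: nothing defined yet
        foreach ($b['stmts'] as [$kind, $var]) {
            if ($kind === 'assign') { $defined[$var] = true; }
            elseif (!isset($defined[$var])) { $findings[] = "$id: \$$var"; }
        }
        $out[$id] = $defined;
    }
    return $findings;
}
print_r(naiveUndefined($blocks));
print_r(flowUndefined($blocks));
```

The naive check reports only the misspelled $rolle; the flow-sensitive check also reports $role, the sometimes-defined variable the slide says the naive approach misses. A CFG with loops would need the same pass repeated until the sets stop changing.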
  31. ENFORCING A COMMON CODING STYLE
     Scrutinizer
     - Makes it easy to set up a common coding style guide
     - Fixes many coding style issues automatically
     - Does not force a specific style on you
     - Does not depend on a specific IDE
     - Leaves you more time for reviewing other issues during manual review
  32. SECURITY ANALYSIS
     OWASP Most Critical Security Issue 2013: Injection Attacks
     Forms of attack:
     - SQL Injection
     - Path Expansion
     - XML Entity Injection
     - Command Injection
     - Code Injection

  33. SECURITY ANALYSIS EXAMPLE 2
     Input is expanded. Passing an input value of ../../app/config/parameters.yml could get you access to very sensitive data.

  34. SECURITY ANALYSIS EXAMPLE 2
     Scrutinizer performs a security audit of your request data, analyzing the entire call graph.
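An added example (not Scrutinizer's code) of the path-expansion issue on slides 33 and 34: the expanding read beside a resolver that rejects traversal lexically and then re-checks the resolved path with realpath(). The template directory and the function names are assumptions.

```php
<?php
// Added example (not Scrutinizer's code): the "path expansion" pattern from
// the slides beside a hardened resolver. Directory and function names are
// assumptions made for the example.

// Vulnerable: the request value is expanded straight into the path, so a
// value such as "../../app/config/parameters.yml" leaves the template directory.
function readTemplateUnsafe(string $templateDir, string $name): string|false
{
    return file_get_contents($templateDir . '/' . $name);
}

// Hardened, step 1: normalise the untrusted segment lexically and refuse
// anything that would climb above $baseDir, before touching the filesystem.
function resolveInside(string $baseDir, string $untrusted): ?string
{
    if ($untrusted === '' || $untrusted[0] === '/' || str_contains($untrusted, "\0")) {
        return null;                                // absolute path or NUL byte
    }
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $untrusted)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') {
            if ($parts === []) { return null; }     // would escape $baseDir
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return $parts === [] ? null : rtrim($baseDir, '/') . '/' . implode('/', $parts);
}

// Hardened, step 2: after resolution, realpath() must still lie inside the
// base directory; this also catches symlinks that point outside it.
function readTemplateSafe(string $templateDir, string $name): ?string
{
    $path = resolveInside($templateDir, $name);
    $base = realpath($templateDir);
    if ($path === null || $base === false) { return null; }
    $real = realpath($path);
    if ($real === false || !str_starts_with($real, rtrim($base, '/') . '/')) { return null; }
    $content = file_get_contents($real);
    return $content === false ? null : $content;
}

var_dump(resolveInside('/var/www/templates', 'mail/welcome.html.twig'));
var_dump(resolveInside('/var/www/templates', '../../app/config/parameters.yml'));
var_dump(resolveInside('/var/www/templates', 'mail/../../../app/config/parameters.yml'));
```

The lexical step rejects the slide's input and the nested variant before any file is opened; the realpath() step is the check a call-graph audit of request data would expect to find between the request value and the filesystem call.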