Static Analysis and Dynamic Analysis in Software Testing

2025-01-27 Update From: SLTechnology News&Howtos

What is static analysis?

Static analysis does not involve dynamic execution of the software under test, and possible defects can be detected in the early stages before running the program.

Static analysis is done after coding and before unit tests are executed.

Static analysis can be done by a machine that automatically walks through the source code and detects non-compliance with rules. A classic example is a compiler, which can find lexical, syntactic and even some semantic errors.

Static analysis can also be performed by people who review the code to ensure that the program is built using the correct coding standards and conventions. This is often called code review and is done by peer developers (people other than the developers who wrote the code).

Static analysis is also used to keep developers from using risky or error-prone parts of the programming language, by setting rules that forbid them.

When developers perform code analysis, they usually look at:

Lines of code

Comment frequency

Proper nesting

Number of function calls

Cyclomatic complexity

Whether unit tests exist

Quality attributes that can be the focus of static analysis:

reliability

maintainability

testability

reusability

portability

efficiency

What are the advantages of static analysis?

The main advantage of static analysis is that it finds problems with the code before it is ready for integration and further testing.

Advantages of static code analysis:

It can find weaknesses in the code at their exact location.

It can be done by trained software assurance developers who fully understand the code.

The source code can be easily understood by other or future developers.

It allows a quicker turnaround for fixes.

It identifies weaknesses early in the development lifecycle, reducing the cost of fixing them.

It reduces defects in later testing.

It detects unique defects that cannot or can hardly be detected using dynamic testing:

Unreachable code

Variable use (undeclared, unused)

Uncalled functions

Boundary value violations
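The defect classes listed above can be found without running the program. As an added example (not from the original article), the following Python code uses the standard `ast` module to flag an unused variable, an unreachable statement and an uncalled function in a constructed sample, while executing that same sample reports nothing. The names `SAMPLE`, `analyze` and `passes_dynamically` are assumptions made for the illustration.

```python
import ast

# Constructed sample under test; analyze() parses it and never executes it.
SAMPLE = '''
def clamp(value, low, high):
    scratch = value * 2
    if value < low:
        return low
    if value > high:
        return high
    return value
    print("done")
def legacy_helper():
    return 42
assert clamp(5, 0, 10) == 5
'''

def analyze(source):
    """Return sorted (line, message) findings without running the code."""
    tree = ast.parse(source)
    defined = {n.name: n.lineno for n in ast.walk(tree)
               if isinstance(n, ast.FunctionDef)}
    called = {n.func.id for n in ast.walk(tree)
              if isinstance(n, ast.Call) and isinstance(n.func, ast.Name)}
    findings = [(line, f"function '{name}' is never called")
                for name, line in defined.items() if name not in called]
    for node in ast.walk(tree):
        # Unreachable code: a statement that follows return/raise in a body.
        body = getattr(node, "body", None)
        if isinstance(body, list):
            for stmt, nxt in zip(body, body[1:]):
                if isinstance(stmt, (ast.Return, ast.Raise)):
                    findings.append((nxt.lineno, "unreachable statement"))
                    break
        # Unused variable: assigned inside a function but never read there.
        if isinstance(node, ast.FunctionDef):
            names = [n for n in ast.walk(node) if isinstance(n, ast.Name)]
            loads = {n.id for n in names if isinstance(n.ctx, ast.Load)}
            for n in names:
                if isinstance(n.ctx, ast.Store) and n.id not in loads:
                    findings.append((n.lineno, f"variable '{n.id}' is never read"))
    return sorted(findings)

def passes_dynamically(source):
    """Dynamic check: execute the sample, including its own assertion."""
    exec(compile(source, "<sample>", "exec"), {})
    return True

if __name__ == "__main__":
    print(analyze(SAMPLE), passes_dynamically(SAMPLE))
```

The sample's own assertion passes when executed, so a test run alone gives no hint of the three findings the parser reports.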

Static code analysis limitations:

It is time-consuming if done manually.

Automated tools can produce false positives and false negatives.

There are not enough trained personnel to do thorough static code analysis.

Automated tools can give a false sense of security that everything is being addressed.

Automated tools are only as good as the rules they use for scanning.

It does not find vulnerabilities introduced in the runtime environment.

What is dynamic analysis?

In contrast to static analysis, where code is not executed, dynamic analysis is based on executing the system, usually with the help of tools.

From Wikipedia's definition of dynamic program analysis:

Dynamic program analysis is the analysis of computer software that is performed by executing a program built from that software on a real or virtual processor (analysis performed without executing the program is called static code analysis). Dynamic program analysis tools may need to load special libraries or even recompile program code.

The most common practice of dynamic analysis is to perform unit tests on the code to find any errors in the code.

Advantages of dynamic code analysis:

It identifies vulnerabilities in the runtime environment.

It allows you to analyze applications whose actual code you cannot access.

It identifies vulnerabilities that static code analysis may not have reported.

It allows you to validate static code analysis results.

It can be done for any application.

Dynamic code analysis limitations:

The automation tool provides a wrong sense of security, and everything is being resolved.

cannot guarantee the complete test coverage of the source code

automation tools can produce false positives and false positives.

The automation tool is only as good as the rules used for scanning.

It is more difficult for to trace the vulnerability to the exact location in the code, and it takes longer to resolve the problem.
