>
>
Why code review automation benefits bus…

Andrey Karpov
Articles: 674

Why code review automation benefits business

Static analysis tools can automate code reviews. The article covers the top 5 reasons why these tools are useful for software development companies. It may help you decide whether or not to learn more about code analysis tools and introduce them into your development process.

Let us note that code review automation can be viewed in two distinct ways:

  • Tools that check code and issue warnings to code fragments that are likely to contain errors. We will discuss this option in the article.
  • Tools that facilitate the code review process for programmers, particularly useful for distributed teams. This aspect will not be covered here.

Automated code review

Code review (sometimes referred to as peer review) is a process of a collaborative code review performed by developers to find bugs, security flaws, inefficient algorithms, and so on. This is a common practice, which, however, has three main flaws.

  • Code review requires significant time and effort. Involving colleagues in the process diverts them from their tasks, consuming their working time and interrupting their flow state.
  • People can be bad at catching certain kinds of errors, such as typos.
  • Code reviewers get tired quickly and tend to lose focus. After half an hour of reviewing, the quality of business logic checks starts to decline. Sometimes a review can simply end with the phrase, "it seems fine from here on out".

Automated code review can be a remedy for these drawbacks. We are talking about the use of static code analyzers. A static code analyzer can become another "team member" to review code before the developers do.

The analyzer issues warnings to anomalies in code, enabling developers to address errors, potential vulnerabilities, and improve code layout by examining these warnings. Thus, the static analyzer handles some routine bug detection. As a result, programmers can focus more on finding higher-level defects and discussing architectural solutions, rather than on finding typos.

Benefits of implementing static code analysis

Static analysis, like any other testing method, takes time to implement and use. Writing and maintaining unit tests takes time too.

However, both static analysis and unit tests save the team's valuable resources for maintaining and developing the software project.

From a business perspective, there are five reasons why static analysis benefits the development process.

  • It reduces bug-fixing time and costs.
  • It detects potential vulnerabilities early.
  • It frees up resources for solving business tasks.
  • It ensures quality control.
  • It supports various coding standards.

Let's take a closer look at each of them.

1. It reduces bug-fixing time and costs

The earlier an error is detected, the less it will cost to fix it. Static analysis allows errors to be identified at the code-writing stage, the earliest possible point for detection.

According to S. McConnell's book "Code Complete", the average cost of finding and fixing an error at the testing stage is already 10 times higher than addressing it at the coding stage. The cost of fixing an error can be even higher if it's discovered after the program has been released.

2. It detects potential vulnerabilities early

Things can become even more critical when it comes to zero-day vulnerabilities rather than bugs. A company can suffer reputational and financial losses if an attacker discovers vulnerabilities in its services. The following graph shows the average cost of fixing security defects found at different stages of the software lifecycle.

Figure 1. The relative cost of fixing a vulnerability according to IBM System Science Institute.

Static analyzers that check code for potential vulnerabilities are called SAST solutions (Static Application Security Testing). PVS-Studio is an example of such a tool.

3. It frees up resources for solving business tasks

Using static analyzers to automate error detection at the code-writing stage frees up more resources for focusing on business tasks.

Figure 2. Static analysis helps reduce work-in-progress (WIP) and urgent bug-fixing tasks.

Here's a quote from the book "Kanban: Successful Evolutionary Change for Your Technology Business" by David J. Anderson:

Capers Jones reports that in 2000, during the dot-com bubble, he evaluated the quality of programs for North American teams. The quality ranged from six errors per function point to less than three errors per 100 function points — 200 to one. The midpoint is approximately one error per 0.6–1.0 functional point. Thus, teams usually spend more than 90% of their efforts on fixing errors. There is also direct evidence of this. In late 2007, Aaron Sanders, one of the first followers of Kanban, wrote on the Kanbandev mailing list that the team he worked with spent 90% of the available productivity on bug fixes.

Striving for inherently high quality will have a serious impact on the performance and throughput of teams that make many errors. You can expect a two to fourfold increase in throughput. If the team is initially lagging behind, then focusing on quality allows you to increase this indicator tenfold.

One way to reduce error density in code is to perform regular static analysis. Analyzers find errors, and their warnings guide developers in writing cleaner, more concise code. Clean code is easier to maintain, and updates are less likely to cause new errors.

4. It ensures quality control

Managers may want to know the answers to the following questions:

  • Many new employees joined the team this year. Did that negatively affect the code quality?
  • We are going to implement X. How do we know if this will have a positive impact on the code quality?

Warning density graphs based on static analysis results can answer these questions. If the number of warnings per 1000 lines of code increases, then the quality decreases. You can visualize the state of a project using bug tracking systems such as DefectDojo.

5. It supports various coding standards

The code that you create must comply with industry standards relevant to its application. For example, MISRA C, MISRA C++, and AUTOSAR C++14 Coding Guidelines are used when developing systems that require security and fault tolerance.

It's extremely tedious and unproductive to manually check whether your code complies with the standards. Static analyzers can do this job for you. They check the code for compliance with the required criteria.

Importance of introducing static analysis into development process

Just using a static analyzer is not enough. Developers often mistakenly believe that the analyzer should be run only once in a while. However, such an approach is unproductive. Running the analyzer regularly enables it to detect most errors early.

Incorporating automated code review into the development process is important. It's best to run the check as soon as the code is compiled. It can also be run when committing the code to version control systems (GitHub, GitLab, BitBucket, etc.). It's also possible to run the analysis during the overnight build on the server. Other scenarios exist as well. Most importantly, code analysis should be a regular, ongoing process!

Figure 3. A ratchet as a metaphor for the article that we refer to below. It symbolizes a methodology that reduces the number of errors and vulnerabilities in code.

The article "Introduce static analysis in the process, don't just search for bugs with It" covers this topic well.

Use advanced code-scanning tools

In addition to regular use, choosing the right static analysis tool is very important. There's no one-size-fits-all advice here. Different tools may suit different teams. There are so many to choose from, and you can always find something that works best for you.

While it's impossible to give a definitive answer, it may be useful to start by looking at some well-known commercial solutions. They typically offer a rich feature set that covers a wide range of usage scenarios. These tools also tend to perform deeper and better code analysis. One of the options we suggest considering is the PVS-Studio SAST solution.

PVS-Studio

PVS-Studio is a static code analyzer that can detect errors and vulnerabilities in C, C++, C#, and Java projects. It's an automated code review tool that helps developers find code fragments that contain typos, logic errors, vulnerabilities, undefined behavior, and so on.

Supported operating systems: Windows, Linux, macOS.

Licensing options are based on the number of users.

Advantages that make the product stand out from competitors:

  • Technologies for an in-depth analysis: data flow analysis, symbolic execution, taint analysis, pattern matching, interprocedural analysis, intermodular analysis, automatic function annotation, SCA.
  • Well-developed scenarios for integration and regular use.
  • Fast, high-quality technical support provided by the analyzer developers.
  • Regular releases occur every two months.
  • On-premise solution, i.e. it is possible to work in a closed ecosystem.

Conclusion

By introducing static analysis into the development process, you get some extra power to provide a high level of quality, reliability, safety, and security for the code of your software projects.

Our team has extensive experience assisting businesses in integrating static analysis into their development process. Feel free to contact us if you have any questions concerning static analysis. I hope we can assist your business in enhancing its software development processes.

Additional links