The difference between static analysis and code review

Andrey Karpov
Articles: 565

Both static analysis and code review are methods to find errors and vulnerabilities in source code without explicitly executing the program being examined.

Code review is usually understood as a relatively regular examination of a source code fragment performed jointly by two or more developers. It may be carried out either in a semi-formal way or as a formal certification. Code review may also be part of pair programming.

Static code analysis usually means using specialized tools that automatically scan the source code for known formal bug patterns, which a developer may then need to inspect. Unlike code review, static analysis is automated, so it is practically unlimited by the size of the code to be checked. However, developers still need to study the results to distinguish genuine errors from false positives, which are inevitable with this approach.
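An added illustration (not from the original article or from any analyzer it mentions) of the pattern scanning described above: a minimal checker, built on Python's ast module, that flags expressions with identical operands without running the code. The sample source and the rule are constructed for this example; one of its two findings is a genuine copy-paste error in an access check, the other is an intentional NaN test that a developer has to dismiss as a false positive.

```python
import ast

# Constructed sample input: source text that is parsed, never executed.
SAMPLE = '''\
def can_delete(user, doc):
    # copy-paste slip: the second operand was meant to check doc.owner
    return user.role == "admin" or user.role == "admin"

def is_nan(value):
    # intentional idiom: NaN is the only float unequal to itself
    return value != value

def in_range(lo, x, hi):
    return lo <= x and x <= hi
'''

class IdenticalOperands(ast.NodeVisitor):
    """Hypothetical rule: comparisons and and/or chains with identical operands."""

    def __init__(self):
        self.findings = []

    def _report(self, node, kind):
        self.findings.append((node.lineno, kind, ast.unparse(node)))

    def visit_Compare(self, node):
        # ast.dump() omits positions, so equal dumps mean identical expressions
        if len(node.ops) == 1 and ast.dump(node.left) == ast.dump(node.comparators[0]):
            self._report(node, "comparison with itself")
        self.generic_visit(node)

    def visit_BoolOp(self, node):
        dumps = [ast.dump(v) for v in node.values]
        if len(set(dumps)) < len(dumps):
            self._report(node, "repeated operand")
        self.generic_visit(node)

def analyze(source):
    """Return sorted (line, kind, expression) findings for the given source text."""
    checker = IdenticalOperands()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)

if __name__ == "__main__":
    for line, kind, text in analyze(SAMPLE):
        print(f"line {line}: {kind}: {text}")
```

The checker reports lines 3 and 7 and stays silent on `in_range`; only a reader who knows the intent can tell that line 3 is a real defect and line 7 is deliberate.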

Although code review and static analysis are usually treated as separate notions, they can overlap and even be viewed as mutually derivative methods that complement each other. One example is a joint code review in which several developers examine the individual code fragments pointed out in the report of a static analyzer that has previously analyzed the whole project.

