[Trustable-distros] Static Code Analysis Metrics

Edmund Sutcliffe edmundsutcliffe at codethink.com
Wed Jul 11 09:37:48 BST 2018


On the whole yes... I still believe we should run static analysis on the 
code base to see what variances there might be. In the same way as I 
believe there is some value in the behavior around syntax and style 
checkers to provide some metrics about the work needed to improve 
things.

If you look at the reproducible builds project
       https://reproducible-builds.org
They have found issues in resolving the builds which were turned up with 
some of their tooling, which has led to them working with the dependent 
packages to have these issues fixed.
I feel we may encounter similar things and have to offer some changes to 
existing projects to reduce the worst excesses found by lint/static 
analysis.

Edmund

--



On 2018-07-11 10:33, Ben Brewer wrote:
> Hey All,
> 
> So recently I've been discussing the use of Static Code Analysis (SCA)
> for metrics/evidence in IEC61508 for safety certification, and I
> wanted to discuss my thoughts on the matter and get some feedback.
> 
> Reading guides associated with the standard describes SCA as a
> useful/required tool in the development of safety certified code. I
> would most certainly agree with this for code developed specifically
> for safety.
> 
> Ideally code should be written to pass SCA, because if the analyzer
> can't understand what's going on, then likely it'd be difficult for a
> human to understand too, so it's a good precaution.
> 
> However I think the whole idea changes when it comes to certifying
> existing code. Existing code will in most cases have been developed
> with some practices and against some kind of SCA, however it's likely
> that newer or different tools will produce additional output.
> 
> I would argue that the output of SCA, while useful for code clarity
> purposes, doesn't give you very much tangible information about the
> quality of the code; it's perfectly possible to write fully
> functioning code with 1000's of SCA "issues".
> 
> For existing codebases, SCA should only be used to guide an audit of
> the codebase, in cases where that is a practical approach.
> 
> I guess my point here is that I would not consider automated SCA
> output to be useful evidence itself, though it could be used by an
> engineer to generate useful evidence.
> 
> Do others agree?
> 
> Regards,
> Ben
> 


