[Trustable-distros] Static Code Analysis Metrics
Edmund Sutcliffe
edmundsutcliffe at codethink.com
Wed Jul 11 09:37:48 BST 2018
On the whole yes... I still believe we should run static analysis on the
code base to see what variances there might be. In the same way as I
believe there is some value in the behavior around syntax and style
checkers to provide some metrics about the work needed to improve
things.
If you look at the reproducible builds project
https://reproducible-builds.org
they have found issues in resolving the builds which were turned up with
some of their tooling, which has led to them working with the dependent
packages to have these issues fixed.
I feel we may encounter similar things and have to offer some changes to
existing projects to reduce the worst excesses found by lint/static
analysis.
Edmund
--
On 2018-07-11 10:33, Ben Brewer wrote:
> Hey All,
>
> So recently I've been discussing the use of Static Code Analysis (SCA)
> for metrics/evidence in IEC61508 for safety certification, and I
> wanted to discuss my thoughts on the matter and get some feedback.
>
> Reading guides associated with the standard describe SCA as a
> useful/required tool in the development of safety certified code. I
> would most certainly agree with this for code developed specifically
> for safety.
>
> Ideally code should be written to pass SCA, because if the analyzer
> can't understand what's going on, then likely it'd be difficult for a
> human to understand too, so it's a good precaution.
>
> However I think the whole idea changes when it comes to certifying
> existing code. Existing code will in most cases have been developed
> with some practices and against some kind of SCA, however it's likely
> that newer or different tools will produce additional output.
>
> I would argue that the output of SCA, while useful for code clarity
> purposes, doesn't give you very much tangible information about the
> quality of the code; it's perfectly possible to write fully
> functioning code with 1000s of SCA "issues".
>
> For existing codebases, SCA should only be used to guide an audit of
> the codebase, in cases where that is a practical approach.
>
> I guess my point here is that I would not consider automated SCA
> output to be useful evidence itself, though it could be used by an
> engineer to generate useful evidence.
>
> Do others agree?
>
> Regards,
> Ben