Static Analysis, Software Metrics & Test

Static
Analysis
  &
Software
Metrics
  &
Test

The quality checks and software metrics produced by Imagix 4D enable you to identify potential problems during the development and testing of your source code. By identifying and correcting the problem areas, you're able to improve the security, reliability, and maintainability of your software. And if you're reviewing open source or third party software, you can judge the code's quality.

Analytical verifications of variable flow, task interactions, and interrupt protections occurring in your source code are achieved by applying program slicing-based data flow analysis. You're able to spot potential runtime conflicts in real-time embedded multitasking or multithreaded systems.

Complementing these specific analyses are source checks that identify exceptions to generally agreed upon design and coding standards. And you can compare the software metrics to specific norms for your organization to track development progress and insure that the software meets your development criteria.

Beyond their stand-alone use, these verifications and checks are combined with Imagix 4D's source code analysis and visualization to provide efficient, automated testing of security and reliability standards. The first of these is for the Common Weakness Enumeration (CWE) initiative.

Having this integrated with the other functionality of Imagix 4D improves the efficiency of both your quality assurance and your program understanding efforts. From the metrics and the quality analysis reports, you can drill down and examine the source code where a problem is occurring. You're able to understand the root causes and review all related dependencies before making changes.

Software metrics and static
analysis for C, C++ and Java

Software Metrics

Software metrics include McCabe Cyclomatic Complexity
The source metrics generated by Imagix 4D provide insight into many aspects of the quantity, quality, complexity and design of your software. From the level of individual functions up to directories and subsystems.

You're able to measure development progress, determine where to focus testing efforts. You can compare the source metrics to specific norms for your organization to insure that the software meets your development criteria. And by tracking the metrics over time, you can measure process improvement, assessing the effectiveness of process initiatives.
Over 100 metrics include:
  • McCabe Cyclomatic Complexity
  • Maintainability Index (Welker)
  • Chidamber and Kemerer object oriented (6)
  • Class Cohesion (Hitz/Mont.)
  • Class Coupling
  • Comment Ratio
  • Decision Depth
  • Halstead complexity (4)
  • Knots (Woodward, etc)
  • McCabe Essential Complexity
  • Statements, Lines, etc.

Variable Checks

Reports aid in QA activies for variable initialization and use
A series of static analytical verifications of your source code identify potential problems related to the use of variables in your code. Issues such as reading uninitialized variables can have serious impacts if they occur in the run-time execution of your software. Other issues such as unused variables or useless assignments might indicate underlying design or implementation issues.

The Variable Checks reports also provide important insight of the data flow of your software, showing the flow of variable values that go into or result from the calculation of each variable.
Variable checks include: Data flow tracking identifies:
  • Direct Assignments
  • Parameter Assignments
  • Assignments through Reference Parameter
  • Used in Condition
  • Used in Expression
  • Reference Taken

Multitasking Checks

Reports aid in QA activies for embedded, multi-tasking software
Multitasking and multithreaded systems bring a unique set of potential problems. Imagix 4D's Multitasking Checks flag concurrency conflicts in areas such as data sharing, interrupt protection, cyclical data updates and event-based communication.

As with the Variable Checks, the complexity of implementing these mechanisms across large software systems limits the effectiveness of dynamic run-time analysis or manual code inspection as alternatives to these verifications.

Source Checks

Compliance checks can automate code reviews
A collection of source level checks point out exceptions to generally agreed upon design and coding practices.

These quality checks are presented through a series of reports. Each report lists all the exceptions to a particular source check, across all the files in the project. Alternatively, reports are available which list all the exceptions to all of the source checks, for one specific file. Quality check exceptions can also be displayed in the File Editors, so you are made aware of potential problem areas while you are working with the source code itself.
Over 20 source checks include:
  • Conversion Issue
  • Jump Statement
  • K&R Style Declarator
  • Missing Default Case
  • Missing/Mismatched Decl.
  • Missing Return Type
  • Old Style Allocator
  • Potential Static Function
  • Problematic Constructor
  • Suspicious Assignment
  • Unclear Subexpression
  • Unused Static Variable

Standards (CWE)

Common Weakness Enumeration rules
The Common Weakness Enumeration (CWE) standard is increasingly being used to review software, to improve its security, quality and reliability.

Some CWE rules can be fully tested automatically via static analyzers. At the other extreme are rules that don't apply to C, C++ or Java code.

In the middle are a large number of rules that are most efficiently tested by static analysis augmented by source code analysis and inspection. Imagix 4D targets these to extend testing and documenting compliance with CWE.
Over 200 CWE checks include:
  • CWE-116 Improper Encoding or Escaping of Output
  • CWE-212 Improper Cross-boundary Removal of Sensitive Data
  • CWE-311 Missing Encryption of Sensitive Data
  • CWE-408 Incorrect Behavior Order: Early Amplification
  • CWE-767 Access to Critical Private Variable via Public Method
  • CWE-909 Missing Initialization of Resource