End to End Quality with the Sonar Ecosystem and the Water Leak - PowerPoint PPT Presentation

  1. End to End Quality with the Sonar Ecosystem and the Water Leak Metaphor G. Ann Campbell @GAnnCampbell | ann.campbell@SonarSource.com @SonarLint | @SonarQube | @SonarSource

  2. SonarLint Leak Period Quality Gate

  3. 20+ Languages

  4. The <3 of the ecosystem: Static Analysis

  5. What is Static Analysis? Analyzing code, without executing it!

  6. A Means to an End Detecting Bugs, Vulnerabilities, and Code Smells

  7. Why use Static Analysis: Catch new problems ASAP
     ● the longer it takes to catch a bug, the more it costs
     ● no one writes perfect code every time
     ● rule description and precise issue location cut research time

  8. Why use Static Analysis: Changing A might have added bugs in B
     ● peer review misses new issues in untouched code
     ● static analysis is machine-assisted code review; it looks at every file every time

  9. Why use Static Analysis: Provide coaching
     ● language best practices
     ● team coding style

  10. SonarSource’s Toolbox

  11. Lexical Analysis Only two things are infinite, the universe and human stupidity, and I am not sure about the former.

  12. Syntactic Analysis: Only two things are infinite, the universe and human stupidity, and I am not sure about the former. (sentence parsed into Subjects and Verbs) Albert E.

  13. Semantic Analysis Only two things are infinite, the universe and human stupidity, and I am not sure about the former. Albert E.

  14. Semantic Analysis Only two things are infinite, the universe and human stupidity, and I am not sure about the former. Albert E.

  15. Beyond Semantic: Symbolic Execution
      Object myObject = new Object();
      if(a) { myObject = null; }
      ...
      if( !a ) { ... } else { myObject.toString(); }

  16. Beyond Semantic: Symbolic Execution
      Object myObject = new Object();
      if(a) { myObject = null; }
      ...
      if( !a ) { ... } else { myObject.toString(); } //NPE

  17. Beyond Semantic: Symbolic Execution
      Object myObject = new Object();            // Program State#0: myObject != null
      if(a) { myObject = null; }
      ...
      if( !a ) { ... } else { myObject.toString(); } //NPE

  18. Beyond Semantic: Symbolic Execution
      Object myObject = new Object();            // Program State#0: myObject != null
      if(a) { myObject = null; }                 // Program State#1: myObject != null, a = false
                                                 // Program State#2: myObject = null,  a = true
      ...
      if( !a ) { ... } else { myObject.toString(); } //NPE

  19. Beyond Semantic: Symbolic Execution
      Program State#1: myObject != null, a = false
      Program State#2: myObject = null,  a = true
      ...
      if( !a ) { ... } else { myObject.toString(); // NPE }

  20. Beyond Semantic: Symbolic Execution
      Program State#1: myObject != null, a = false
      Program State#2: myObject = null,  a = true
      ...
      if( !a ) { ... } else { myObject.toString(); // NPE }

  21. Beyond Semantic: Symbolic Execution
      Program State#1: myObject != null, a = false
      Program State#2: myObject = null,  a = true
      ...
      if( !a ) { ... } else {
          // Program State#4: myObject = null, a = true
          myObject.toString(); // NPE
      }
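The state tracking walked through on slides 15 to 21, as an added worked example that is not SonarSource code: a toy path-sensitive symbolic executor over a small statement IR. It forks the program state at every branch, records the truth value the branch assumed (the `a = true` / `a = false` boxes on the slides), prunes branches that contradict what the path already knows, and reports a dereference only when the reference is null on that path. The IR shape, the `State` class and both sample programs are constructed for this example; the second program keeps the same `myObject = null` assignment but moves the dereference into the `!a` branch, which a path-insensitive "may be null" check would flag and this executor correctly does not.

```python
"""Toy path-sensitive symbolic execution for null-dereference detection.

Added example (not SonarSource code). Explores every feasible path of a
tiny program IR, tracking each reference's nullness and the truth value of
each branch condition, as the "Program State#n" boxes on the slides do.
"""
import copy
from dataclasses import dataclass, field

NULL, NONNULL = "null", "nonnull"


@dataclass
class State:
    """One program state: what this path knows about references and conditions."""
    nullness: dict = field(default_factory=dict)  # var -> NULL | NONNULL
    conds: dict = field(default_factory=dict)     # boolean var -> True / False

    def fork(self):
        return copy.deepcopy(self)


def truth(cond, state):
    """Value of cond = ("var", x) or ("not", x) under state, or None if unknown."""
    kind, name = cond
    if name not in state.conds:
        return None
    value = state.conds[name]
    return (not value) if kind == "not" else value


def assume(cond, state, value):
    """Record on this path that cond evaluated to `value`."""
    kind, name = cond
    state.conds[name] = (not value) if kind == "not" else value


def run(block, state, findings):
    """Execute `block` from `state`; returns the states that reach its end."""
    states = [state]
    for stmt in block:
        op = stmt[0]
        next_states = []
        for st in states:
            if op == "assign":                      # ("assign", var, NULL | NONNULL)
                st.nullness[stmt[1]] = stmt[2]
                next_states.append(st)
            elif op == "deref":                     # ("deref", var, label)
                if st.nullness.get(stmt[1]) == NULL:
                    # Definite NPE on this path: report it together with the
                    # path constraints, and end the path (an exception is thrown).
                    findings.append((stmt[1], stmt[2], dict(st.conds)))
                else:
                    st.nullness[stmt[1]] = NONNULL  # the dereference succeeded
                    next_states.append(st)
            elif op == "if":                        # ("if", cond, then_block, else_block)
                cond, then_b, else_b = stmt[1:]
                known = truth(cond, st)
                # Only explore the branches consistent with what the path knows.
                if known in (None, True):
                    t = st.fork()
                    assume(cond, t, True)
                    next_states.extend(run(then_b, t, findings))
                if known in (None, False):
                    e = st.fork()
                    assume(cond, e, False)
                    next_states.extend(run(else_b, e, findings))
            else:
                raise ValueError(f"unknown statement kind: {op}")
        states = next_states
    return states


def analyze(program):
    """Return [(variable, location, path_constraints), ...] for each NPE found."""
    findings = []
    run(program, State(), findings)
    return findings


# The slide's program, transcribed into the toy IR (constructed for this example).
SLIDE_PROGRAM = [
    ("assign", "myObject", NONNULL),                            # Object myObject = new Object();
    ("if", ("var", "a"), [("assign", "myObject", NULL)], []),   # if(a) { myObject = null; }
    ("if", ("not", "a"), [],                                    # if( !a ) { ... }
     [("deref", "myObject", "myObject.toString()")]),           # else { myObject.toString(); }
]

# Same nulling, but the dereference sits in the `!a` branch, where `a` is known
# false and myObject therefore was never nulled: no issue on any feasible path.
SAFE_PROGRAM = [
    ("assign", "myObject", NONNULL),
    ("if", ("var", "a"), [("assign", "myObject", NULL)], []),
    ("if", ("not", "a"), [("deref", "myObject", "myObject.toString()")], []),
]

if __name__ == "__main__":
    for var, where, path in analyze(SLIDE_PROGRAM):
        print(f"NPE: {var} is null at {where} when {path}")
    print("safe program findings:", analyze(SAFE_PROGRAM))
```

The executor never merges states, so precision is exact but the number of paths doubles at every independent branch; a production analyzer of the kind described on slide 22 bounds path explosion (loop unrolling limits, state merging at join points) and summarises callees for cross-procedural analysis, which this toy omits.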

  22. SonarAnalyzer for Java and JavaScript Cross-Procedural Analysis

  23. What is Static Analysis? Analyzing code without executing it... by (symbolically) executing all possible paths!

  24. Symbolic Execution Almost Everywhere
      ▪ SonarAnalyzers for C#, C/C++, Java, and JS
        ○ Dereferences of Null Pointers
        ○ Unconditionally True/False (sub)conditions
        ○ Division by zero
        ○ Resource leaks
          ■ Unclosed resources (Java)
          ■ Unreleased memory (C/C++)
        ○ Double free (C/C++)

  25. Fewer slides, more code!

  26. Full Cycle Full Analysis IDE SonarQube

  27. Full Cycle IDE SonarQube

  28. Fix the Leak SonarLint Leak Period Quality Gate

  29. Reimbursing the Debt

  30. This is Hard
      ▪ Total amount of Technical Debt can be depressing
      ▪ How to get a budget to fix old Technical Debt?
      ▪ Risk of injecting functional regression
      ▪ This is not fun!

  31. Project Homepage

  32. Project Homepage: Leak Period

  33. Fix the Leak SonarLint Leak Period Quality Gate

  34. Quality Gate

  35. Project Homepage: Quality Gate

  36. Quality Gate

  37. Fix the Leak SonarLint Leak Period Quality Gate

  38. Thanks! G. Ann Campbell @GAnnCampbell | ann.campbell@SonarSource.com @SonarLint | @SonarQube | @SonarSource
