Source code analysis (also known as static code analysis) lets you analyze source code for quality, reliability, and security. You can identify defects and security vulnerabilities that can compromise the safety and security of your application. Formal methods–based deep semantic static code analysis also enables you to diagnose run-time errors such as overflows, divide by zero, and illegally dereferenced pointers. Static analysis can be a cost-effective approach to measure and track software quality metrics without the overhead of writing test cases or instrumenting your code. Because this analysis is automated, you can analyze code without executing the program or developing test cases.
Basic source analysis techniques include:
Sophisticated techniques couple source code analysis with formal methods that apply theoretical computer science fundamentals to solve problems such as proving that the software will not fail with a run-time error.
The combination of source code analysis and formal methods enables you to:
- Detect software defects and security vulnerabilities
- Comply with MISRA, CWE, CERT C, ISO/IEC 17961, and other standards and cybersecurity guidelines
- Prove the absence of certain run-time errors
This comprehensive approach makes sure that every failure point in the code is identified as proven to fail, proven not to fail, may never execute (dead code), or unproven. This is particularly important for safety because one escaped defect can compromise your system, leading to tragic consequences. Growing concerns about cybersecurity bring similar challenges because it takes just one software vulnerability to exploit your application.