Static Analysis Content on InfoQ
-
GitHub Code Scanning Is out of Beta
One year ago GitHub announced the acquisition of Semmle, maker of a semantic code analysis engine powered by the Semmle QL query language. After a few months in beta, GitHub is now announcing the availability of its new CodeQL-based code scanning capability for all public and private repos.
-
Uber Open-Sources Tool to Automatically Clean Up Stale Code
Uber has open-sourced Piranha, their tool for automated clean-up of stale code caused by feature flags that are no longer required. Piranha can be run within a pipeline to continually look for stale code to be cleaned up. Currently Piranha supports Java, Swift, and Objective-C.
-
Microsoft Releases Application Inspector, a Tool for Examining Code Security
In a recent blog post, Microsoft announced an open source tool that developers can use to detect security vulnerabilities in their software solutions. The tool is called Microsoft Application Inspector and is available on GitHub. As organizations try to reduce their time to market, oversights may occur. Application Inspector can be used to identify malicious code used in third-party libraries.
-
C# Static Analysis Tool Roslynator.Analyzers Now Has over 500 Ways to Improve Code
The new version 2.3.1 of the Roslynator.Analyzers package brings the number of analyzers, refactorings and fixes to over 500. Roslynator uses the open-source Roslyn .NET Compiler Platform to perform static analysis on your C# code. This analysis drives your IDE to display hints and actions to improve your code.
-
A Proposal for IDisposable and Static Analysis: DisposeUnused Attribute
When .NET was first created, there was uncertainty about how IDisposable should be used. As a result, IDisposable was applied in an overly aggressive fashion with many categories of classes requiring empty Dispose methods. This has led to problems with static analysis tools that cannot separate real cases of missing Dispose calls from false positives.
-
The Pure Attribute in .NET Core
The Pure attribute was added to .NET in version 4 as part of the Code Contracts initiative to help developers distinguish code that is free from side effects from other code. While the Code Contracts project is over, the Pure attribute continues to see life in .NET Core.
-
Facebook Open-Sources RacerD - Java Race Condition Detector
Facebook’s open-source static analysis tool, Infer, now ships with support for detecting race conditions in Java code via RacerD.
-
Facebook’s New AL Language Aims to Simplify Static Program Analysis
AL is a simple, declarative language for reasoning about abstract syntax trees that allows developers to extend the Facebook Infer static analyzer.
-
Dead Code Must Be Removed
Dead code needs to be found and removed; leaving dead code in is an obstacle to programmer understanding and action, and there is the risk that the code is reawakened, which can cause significant problems. Deleting dead code is not a technical problem; it is a problem of mindset and culture.
-
Measure and Improve Code Quality
InfoQ interviewed Boris Modylevsky about the importance of measuring code quality and how measurements can be used to improve quality, integrating static code analysis into continuous integration, test coverage and test automation, and the benefits that continuous integration with integrated code analysis and test coverage can bring.
-
C++ Core Guidelines Will Help Write Good Modern C++
As announced at CppCon, Bjarne Stroustrup and Herb Sutter have started working on a set of guidelines for modern C++. The goal of this effort is to improve how developers use the language and help ensure they write code that is type safe, has no resource leaks, and is as free as possible of programming logic errors.
-
LinkedIn Releases QARK to Discover Security Holes in Android Apps
LinkedIn has recently open sourced QARK, a static analysis tool meant to discover potential security vulnerabilities in Android applications written in Java.
-
Facebook Open Sources Infer, a Static Analysis Tool
Facebook has open sourced Infer, a static analysis tool for C, Java and Objective-C.
-
CppDepend Now Supports C and C++14
CppDepend is primarily a source code analyzer, with features geared towards making it easier to understand large code bases with complex interdependencies. In addition, it can integrate with static analyzers. With the introduction of version 5, CppDepend now supports C and C++14.
-
Guido van Rossum Wants to Bring Type Annotations to Python
Guido van Rossum, best known as designer of the Python programming language, recently sent out a proposal on the python-ideas mailing list for adding type annotations to Python function declarations. The proposal aims at bringing to Python the benefits provided by static typing without changing Python's dynamic typing nature and interpreter behaviour.