Static code analysis, or static analysis, is a software verification activity that analyzes source code for quality, reliability, and security. It lets you identify defects and security vulnerabilities that can compromise the safety and security of your application. Formal methods–based deep semantic static code analysis also enables you to diagnose run-time errors such as overflows, divide by zero, and illegally dereferenced pointers. Static analysis can be a cost-effective approach to measure and track software quality metrics without the overhead of writing test cases or instrumenting your code. In contrast to other verification techniques, static code analysis is automated and works on the source code itself, so you can do this analysis without executing the program or developing test cases.
Basic static code analysis techniques include:
Sophisticated techniques couple static code analysis with formal methods. Formal methods apply theoretical computer science fundamentals to solve difficult problems in software, such as proving that the software will not fail with a run-time error.
The combination of static code analysis and formal methods enables you to:
- Detect software defects and security vulnerabilities
- Comply with MISRA, CWE, CERT C, ISO/IEC 17961, and other standards and cybersecurity guidelines
- Prove the absence of certain run-time errors
This approach is comprehensive and complete, because every failure point in the code is identified as proven to fail, proven not to fail, may never execute (dead code), or unproven. This is particularly important for safety because one escaped defect can compromise your system, leading to tragic consequences. Growing concerns about cybersecurity bring similar challenges because a single software vulnerability is enough to leave your application open to exploitation.
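The four verdicts above can be seen on divide-by-zero checks with a small interval analysis, shown here as an added example that is not taken from this page or from any particular tool. Interval analysis is assumed as the formal technique, and the tuple-based toy program format and all names are hypothetical.

```python
BOTTOM = None  # abstract state meaning "this point is unreachable"

def check_div(env, den):
    """Classify one division from the interval of its divisor."""
    if env is BOTTOM:
        return "dead code"
    lo, hi = env[den]
    if lo == hi == 0:
        return "proven to fail"
    # An interval that contains 0 alongside other values stays unproven.
    return "proven not to fail" if lo > 0 or hi < 0 else "unproven"

def refine_lt(env, var, c, taken):
    """Narrow var for the branch `var < c` (taken) or `var >= c` (not taken)."""
    if env is BOTTOM:
        return BOTTOM
    lo, hi = env[var]
    lo, hi = (lo, min(hi, c - 1)) if taken else (max(lo, c), hi)
    return BOTTOM if lo > hi else {**env, var: (lo, hi)}

def join(a, b):
    """Merge the states leaving two branches (interval hull)."""
    if a is BOTTOM or b is BOTTOM:
        return b if a is BOTTOM else a
    return {v: (min(a[v][0], b[v][0]), max(a[v][1], b[v][1])) for v in a if v in b}

def analyze(block, env, report):
    for stmt in block:
        if stmt[0] == "range" and env is not BOTTOM:   # ("range", var, lo, hi)
            env = {**env, stmt[1]: (stmt[2], stmt[3])}
        elif stmt[0] == "div":                          # ("div", label, divisor)
            verdict = report[stmt[1]] = check_div(env, stmt[2])
            env = BOTTOM if verdict == "proven to fail" else env  # nothing runs after it
        elif stmt[0] == "if_lt":                        # ("if_lt", var, const, then, else)
            _, var, c, then_b, else_b = stmt
            env = join(analyze(then_b, refine_lt(env, var, c, True), report),
                       analyze(else_b, refine_lt(env, var, c, False), report))
    return env

PROGRAM = [  # constructed sample program, written as nested tuples
    ("range", "x", 0, 10), ("range", "y", -5, 5),
    ("div", "D0", "y"),                            # y may or may not be 0
    ("if_lt", "x", 1, [("div", "D1", "x")],        # x < 1  -> x == 0
                      [("div", "D2", "x")]),       # x >= 1 -> x in [1, 10]
    ("if_lt", "x", 0, [("div", "D3", "x")], []),   # x < 0 cannot happen
]

def run(program=PROGRAM):
    report = {}
    analyze(program, {}, report)
    return report
```

Every division receives a verdict without the program ever being executed; `D0` stays unproven because the interval for `y` spans zero, which is the kind of result an analyst still has to review by hand.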