Static Analysis with Paul Anderson

Static analysis is the process of evaluating code for errors, memory leaks, and security vulnerabilities. The “static” part refers to the fact that the code is not running. This differentiates it from unit tests and integration tests, which evaluate the runtime characteristics of code.

If you use an IDE or a linter, you are using a basic form of static analysis all the time. More sophisticated static analysis tools can be used to analyze code in sensitive domains like healthcare or automobiles.

During static analysis, we can discover problems in the code by evaluating the structure of a program. Buffer overruns can be identified before they turn into a vulnerability like Heartbleed. Null pointer exceptions can be fixed before they cause a segmentation fault. Concurrency issues can be serialized before they result in a problematic race condition.

Today’s guest Paul Anderson is the VP of engineering at GrammaTech, where he works on CodeSonar, a static analysis tool. We discussed how static analysis works, why it is useful, and how it fits into a modern software delivery pipeline. Full disclosure: GrammaTech is a sponsor of Software Engineering Daily.

Sponsors


To build the kinds of things developers want to build today, they need better tools. That’s why Amazon Web Services built Amazon Aurora, a relational database engine that’s compatible with MySQL and PostgreSQL and provides up to five times the performance of standard MySQL on the same hardware, at a tenth of the cost. Amazon Aurora from AWS can scale up to millions of transactions per minute, automatically grows your storage up to 64 terabytes, and replicates data to three different Availability Zones. And you don’t have to manage a thing. There are no upfront charges and no commitments; you only pay for what you use. Check it out at aurora.aws.


Indeed Prime flips the typical model of job search and makes it easy to apply to multiple jobs and get multiple offers. Indeed Prime simplifies your job search and helps you land that ideal software engineering position. Candidates get immediate exposure to top companies with just one simple application to Indeed Prime. Companies on Prime’s exclusive platform message candidates with salary and equity upfront. Indeed Prime is 100% free for candidates, no strings attached. Sign up now at indeed.com/sedaily. You can also put money in your pocket by referring your friends and colleagues. Refer a software engineer to the platform and get $200 when they get contacted by a company, and $2,000 when they accept a job through Prime! Learn more at indeed.com/prime/referral.


Spring Framework gives developers an environment for building cloud-native projects. On December 4th-7th, SpringOne Platform is coming to San Francisco. SpringOne Platform is a conference where developers congregate to explore the latest technologies in the Spring ecosystem and beyond. Speakers at SpringOne Platform include Eric Brewer (who created the CAP theorem), Vaughn Vernon (who writes extensively about Domain-Driven Design), and many thought leaders in the Spring ecosystem. SpringOne Platform is the premier conference for those who build, deploy, and run cloud-native software. Software Engineering Daily listeners can sign up with the discount code SEDaily100 and receive $100 off a SpringOne Platform conference pass. I will also be at SpringOne reporting on developments in the cloud-native ecosystem. Join me December 4th-7th at the SpringOne Platform conference, and use discount code SEDaily100 for $100 off your conference pass.


Thanks to Symphono for sponsoring Software Engineering Daily. Symphono is a custom engineering shop where senior engineers tackle big tech challenges while learning from each other. Check it out at symphono.com/sedaily. Thanks to Symphono for being a sponsor of Software Engineering Daily for almost a year now. Your continued support allows us to deliver content to the listeners on a regular basis.