Menu
Our team is investigating various options for static analysis in our project, and have mixed opinions about whether we want our Continuous Integration build to fail because of warnings from static analysis.
The argument against failing the build is that there are often exceptions to the rules, and attempting to work around them just to make the build succeed reduces productivity. A better approach would be to generate reports with the build, and regularly dedicate developer time to addressing the reported issues.
The counter-argument is that it is easy for the technical debt to build up if the bugs are not addressed immediately. Also, if the build fails when a potential bug is introduced, the amount of time required to fix it is reduced.
What are your thoughts?
680
Abstract. Many security vulnerabilities can be detected by static analysis.
Static code analysis, also known as Static Application Security Testing (SAST), is a vulnerability scanning methodology designed to work on source code rather than a compiled executable.
Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure and can help ensure that the code adheres to industry standards.
A static code analysis tool inspects your code as it is being written to identify defects, vulnerabilities and compliance issues — without having to run the program. What's more, a static code analysis tool helps to ensure that your embedded code is secure, reliable and compliant.
Personally I'd rather see the build fail. While some warnings are false positives, warnings can be excluded using a SuppressMessageAttribute using a Justification. When doing this, you are sure that every warning is evaluated by developers and nothing simply slips through.
147
It's probably a good idea to fail the build, but this doesn't have to be an absolutely black and white decision.
Hudson lets you fail a build if a certain threshold of new static analysis faults is exceeded. So you can say "mark the build as unstable if 1 new fault is introduced; mark the build as failed if 5 new faults are introduced".
This is something that's built into the various analysis plugins available for Hudson.
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
