Static Code Analysis

What Is Static Code Analysis?

Static code analysis, or static analysis, is a software verification activity that analyzes source code for quality, reliability, and security without executing the code. Using static analysis, you can identify defects and security vulnerabilities that can compromise the safety and security of your application. Static analysis can be a cost-effective approach to measure and track software quality metrics without the overhead of writing test cases or instrumenting your code.


Most software development teams rely on dynamic testing techniques to detect bugs and run-time errors in software. Dynamic testing requires engineers to write and execute numerous test cases. Since dynamic testing is not exhaustive, it alone cannot be relied on to produce safe and secure software.

For example, take this very simple case:


static code analysis code sample

The speed function has the possibility of a division by zero on line 14 and can cause a sporadic run-time error. To conclusively determine that a division by zero will never happen, you need to test the function with all possible values of variable input.

Static code analysis complements dynamic testing to provide several advantages:

  • Error detection. You can identify hundreds of classes of bugs related to concurrency, tainted data, data flow, security, and static and dynamic memory. Some bugs found are nearly impossible to detect with dynamic testing.
  • Low cost. You can easily automate static code analysis, and you do not incur the overhead of writing test cases, instrumenting your code, or executing the program.
  • Compliance to coding standards. You can verify that your code complies with coding standards such as MISRA C or JSF++, with security standards such as CWE, CERT C/C++, and ISO/IEC 17961, or with cybersecurity guidelines.
  • Proving the absence of critical run-time errors. Static code analysis tools can prove that the software will not fail with a critical run-time error. Tools that achieve this level of sophistication use formal methods that apply theoretical science fundamentals for code proving.

Who Should Run Static Code Analysis and Why?

  • Software developers. Best practices recommend checking for bugs and coding standards as soon as code is written. Errors detected early in the development process are much easier to debug and fix.
  • Software testers. After application code has been integrated, it is recommended to run deep static code analysis on the integrated code to find defects and prove the absence of critical run-time errors.
  • Project managers and quality assurance leads. Static code analysis tools produce code quality metrics that can be used to monitor software quality, project status, number of defects, and quality trends.

How to Select a Static Code Analyzer

There are several tools you can use to perform static code analysis, such as Polyspace® products. Consider the following questions when selecting a static code analysis tool:

  • Does it support your industry standards?
    Complying with standards is important to minimize the risk of financial loss, physical injury, or damage to property and environment from software errors. Different industries have defined their own safety standards—for example, ISO 26262 for automotive, DO-178 for aerospace, and IEC 62304 for medical devices.
  • How reliable and actionable are the analysis results?
    A broad range of technologies can be used for static code analysis, and these technologies offer different degrees of soundness and precision of results. For instance, abstract interpretation is a formal method that is considered sound because it never produces false-negatives.
  • Does the tool provide insights and guidance for fixing bugs?
    Often it is not enough for the tool to just detect bugs. A developer needs more information to navigate through the structure of the code and find the root cause of a bug.  Information such as call hierarchy, variable values, context-sensitive help, and suggested fixes improves the ability to resolve complex issues.
  • Does the tool offer collaborative review?
    Some static code analysis tools provide capabilities to easily share analysis results and quality metrics within the software development team—for instance, through an online platform. This capability empowers the team to perform collaborative reviews, triage, and resolve defects.
  • Can the tool integrate with existing software development processes?
    An effective static code analysis tool must have the ability to integrate with different software development processes including newer processes such as continuous integration and continuous delivery (CI/CD), DevOps, and DevSecOps. The tool should provide a rich API and plugins to integrate with software development tools such as IDEs (e.g., Eclipse™ and Microsoft® Visual Studio® Code), CI tools (e.g., Jenkins™ and Bamboo®), and bug tracking tools (e.g., Jira and Redmine).
  • Will the tool work on public and private clouds?
    Developing software on public and private cloud infrastructure such as Amazon® AWS® and Microsoft Azure® is rapidly gaining in popularity. The cloud offers development teams agility, scalability, high availability, and global access. When evaluating static analysis tools, it is important to ensure that tools are cloud-ready—that is, they can be deployed and integrated with software development processes on cloud platforms. Learn more.

Why Choose Polyspace Products?

Polyspace® static code analysis products use formal methods to prove the absence of critical run-time errors under all possible control flows and data flows. The Polyspace product family includes:

  • Polyspace Bug Finder products check C/C++ source code for coding standard violations, find several types of bugs, detect security vulnerabilities, and compute quality metrics such as code complexity metrics.
  • Polyspace Code Prover products use formal methods to prove the absence of critical run-time errors in C/C++ source code without executing the code.
  • Polyspace products for Ada prove the absence of run-time errors in Ada source code.

Polyspace products provide the advantages and capabilities listed in the previous sections, such as error detection, compliance with coding standards, and the ability to prove the absence of critical run-time errors. For example, for the code snippet shown above, Polyspace Code Prover can analyze all code paths of the function speed against all possible inputs to prove that division by zero will not occur. It does this without executing the code. The results show that the division sign on line 14 in green, indicating that this operation is safe against all inputs and will not cause a run-time error.

Division-by-zero checking using Polyspace Code Prover.

Division-by-zero checking using Polyspace Code Prover.

See also: Static analysis with Polyspace products, verification, validation, and test, embedded systems, abstract interpretation, code review, cyclomatic complexity, formal methods, software metrics, software QA, software quality objectives, source code analysis, static code analysis, static code analysis videos