Static Code Analysis – What you need to know



Static code analysis is the process of evaluating software without running it. The idea is that, taking our source code as input, we can obtain information and metrics that let us improve the code base by detecting typical programming errors, bugs, code smells and the like. The analysis tool then suggests which parts of the code can be improved.

What kinds of problems can we solve?

Static analysis of the code is not enough on its own; we also need other kinds of tools, such as unit tests, to verify the correct behaviour and quality of our software. Still, by analysing the code without running it we can detect elements such as:

  • Design Problems: We can detect problems in the design and architecture of the software by analysing the dependencies between the classes of the project. This lets us act in time, before the project becomes a tangle of tightly coupled and hardly reusable classes.
  • Code Duplication: SonarQube gives us duplicate-code metrics, so we can detect parts of our software that are similar and make decisions such as decoupling components or applying refactoring techniques that use polymorphism, inheritance and component reuse. Remember: Don’t Repeat Yourself!
  • Vulnerability Detection: SonarQube has a database of code smells and typical programming errors, and checks whether any line of code commits a mistake that could compromise security; for example, how request parameters are collected and how they are used in our queries, in order to avoid SQL injection.
  • Coding Standards: It notifies us of parts of the code that do not comply with the PSR coding standards or that include bad practices when defining constants, variables or calls to static methods.
  • Coverage Monitoring: In our case we also use it to monitor whether test coverage is acceptable, which gives us a global view of the coverage status of all projects so we can invest in increasing the volume of project tests.
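To make the SQL-injection point concrete, here is an added example (not from the original post, and not SonarQube's own rule): a toy taint-style check, written in Python, that scans PHP source and reports query calls fed by request superglobals such as $_GET, while the prepared-statement form with bindValue() produces no finding. The two PHP snippets are constructed for the example, and the regex-based taint tracking is a deliberate simplification of what a real analyser does.

```python
"""Toy taint-style static check for SQL built from PHP request input."""
import re

# Constructed sample PHP snippets (not from the page or any real project).
VULNERABLE_PHP = """<?php
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $id;
$result = $mysqli->query($sql);
"""

HARDENED_PHP = """<?php
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$stmt->bindValue(':id', $_GET['id'], PDO::PARAM_INT);
$stmt->execute();
"""

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")  # taint sources
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+);\s*$")   # $var = <expr>;
VAR_REF = re.compile(r"\$(\w+)\b")                         # variable uses
# Calls that hand a query string to the database (the sinks).
SINK = re.compile(r"(->query\(|->exec\(|->prepare\(|\bmysqli?_query\()")


def is_tainted(expr, tainted):
    """True if the expression reads a request superglobal or a tainted variable."""
    if SUPERGLOBAL.search(expr):
        return True
    return any(name in tainted for name in VAR_REF.findall(expr))


def find_sql_injection(php_source):
    """Return (line number, line) for every sink fed by request-derived data.

    Taint flows through assignments, concatenation and "$var" interpolation;
    a clean reassignment clears it. bindValue() is not a sink, so the
    prepared-statement form yields no finding.
    """
    tainted, findings = set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        assignment = ASSIGN.match(line)
        if assignment:
            name, rhs = assignment.groups()
            if is_tainted(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        sink = SINK.search(line)
        if sink and is_tainted(line[sink.end():], tainted):
            findings.append((lineno, line.strip()))
    return findings
```

Running `find_sql_injection` over the two snippets flags line 4 of the vulnerable one and nothing in the hardened one; a real analyser adds proper parsing and sanitiser awareness, but the source-to-sink idea is the same.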

Conclusion

We have seen the power of the tool, and that with very little effort we can obtain great benefits by keeping the quality level of our projects under control for future maintenance. I personally believe that it is very important to do this type of analysis when you are in charge of maintaining different software projects. This type of technique is very simple to implement, and we can obtain a lot of information and results for practically nothing.