Static Analysis

🕓 15 minutes

What you’ll learn

How to thoroughly analyze your code to create a clear and professional application without bugs and security-related issues.

• For example:
  • You can detect whether the code contains duplicated blocks or deprecated annotation/methods.
  • Your code will be analyzed for OWASP and SANS security standards.
  • The static analysis will count the unit tests and tell you the code coverage in your project.

Prerequisites

• Built Application Component

Outline

There are two ways of choosing an application component for static analysis:

1. Go to your application, select the "More" option, and then "Static Analysis".

   • Here you will see the complete analysis of the chosen application component.
   
   
   
   
   

2. Find the "Quality Management" section and choose the "Static Analysis" option.

   • There you will see all the created application components from every existing application.
     • You can sort and filter them by different parameters or simply type the needed component name into the search field.

• For the static code analysis, CodeNow use the SonarQube tool.

  • You can read more about it here: https://www.sonarqube.org/about/

• In the top right corner, you can see the last build version and time the application was built.

• You can also choose the branch that you want to be analysed.

• In the right sidebar, you can see the base information about your component such as the number of lines of code, what languages were used, etc.

Overview section

• In this section you can see the basic information about your component:
  • Quality Gate
    • It helps you know immediately whether your project is production-ready.
    • If the current status is not Passed, it will show you the measures that caused the problem and the values required to pass.
  • Bugs
    • Shows the number of bugs in the code.
  • Vulnerabilities
    • Shows the number of security-related issues in the code.
  • Code Smells
    • A maintainability-related issue in the code.
  • Coverage
    • Shows the number of unit tests in your project and how the code is covered by them.
  • Duplications
    • Shows the number of duplicated blocks of code in the project.

Issue section

• In this section, you can see all the open issues in your code.
• You can select them by different parameters such as type, status, creation date, and more.
  • You can find all of them in the left sidebar menu.

Security Reports section

• This section contains security vulnerabilities in your code.
• You can check them by OWASP Top 10 or SANS Top 25.

OWASP Top 10

• This is a standard awareness document for developers and web application security.
  • It represents a broad consensus about the most critical security risks to web applications.
• For more information, see: https://owasp.org/www-project-top-ten/

SANS Top 25

• The SANS Top 25 list contains the most dangerous software errors.
• For more information, see: https://www.sans.org/top25-software-errors

Measures section

• This section contains the value of a metric for a given file or project at a given time.
• For example, 125 lines of code on class MyClass or density of duplicated lines of 30.5% on project myProject.

Code section

• Here you can find an analysis for every part of your code.
  • You can search through the code hierarchy.
  • You can search for files and sub-projects using the search field.

Activity section

• The Activity page offers to see the evolution of the project over time (with each new build).

• Graphs on the activity page help you understand the evolution of up to three measures of your choice against each other.
• Graph mouseovers show the measure values and events associated with particular analyses.

• You can filter the history by events and set the start and end dates.

• Choose the type of analysis to see the code and analytics changes related to the specific type on the graph.