Analysing the Analysers: An Investigation of Source Code Analysis Tools-Reference-Cited by-同舟云学术

Analysing the Analysers: An Investigation of Source Code Analysis Tools

Published:2024-06-01 Issue:1 Volume:29 Page:98-111
ISSN:2255-8691
Container-title:Applied Computer Systems
language:en
Short-container-title:

Author:

Bhutani Vikram¹^ORCID,Toosi Farshad Ghassemi¹^ORCID,Buckley Jim²^ORCID

Affiliation:

1. Department of Computer Science , Munster Technological University , Cork , Ireland

2. Lero and CSIS, University of Limerick , Limerick , Ireland

Abstract

Abstract Context The primary expectation from a software system revolves around its functionality. However, as the software development process advances, equal emphasis is placed on the quality of the software system for non-functional attributes like maintainability and performance. Tools are available to aid in this endeavour, assessing the quality of a software system from multiple perspectives. Objective This study aims to perform a comprehensive analysis of a particular set of source code analytical tools by examining diverse perspectives found in the literature and documentations. Given the vast array of programming languages available today, selecting appropriate source-code analytical tools presents a significant challenge. Therefore, this analysis aims to provide general insights to aid in selecting a more suitable analytical tool tailored to specific requirements. Method Seven prominent static analysis tools, namely SonarQube, Coverty, CodeSonar, Snyk Code, ESLint, Klocwork, and PMD, were chosen based on their prevalence in the literature and recognition in the software development community. To systematically categorise and organise their distinctive features and capabilities, a taxonomy was developed. This taxonomy covers crucial dimensions, including input support, technology employed, extensibility, user experience, rules, configurability, and supported languages. Results The comparative analysis highlights the distinctive strengths of each tool. SonarQube stands out as a comprehensive solution with a hybrid approach supporting static and dynamic code evaluations, accommodating multiple languages and integrating with popular Integrated Development Environments (IDEs). Coverity excels in identifying security vulnerabilities and defects, making it an excellent choice for security -focused development. CodeSonar prioritises code security and safety, offering a robust analysis. Snyk Code and ESLint, focusing on JavaScript, emphasise code quality and standards adherence. Klocwork is exceptional in defect detection and security analysis for C, C++, and Java. Lastly, PMD specialises in Java, emphasising code style and best practices.

Publisher

Walter de Gruyter GmbH

Link

https://www.sciendo.com/pdf/10.2478/acss-2024-0013

Reference75 articles.

1. D. Baca, K. Petersen, B. Carlsson, and L. Lundberg, “Static code analysis to detect software security vulnerabilities – does experience matter?” in 2009 International Conference on Availability, Reliability and Security, Fukuoka, Japan, Mar. 2009, pp. 804–810. https://doi.org/10.1109/ARES.2009.163

2. A. G. Bardas et al., “Static code analysis,” Journal of Information Systems & Operations Management, vol. 4, no. 2, pp. 99–107, 2010.

3. B. A. Kitchenham, T. Dyba, and M. Jorgensen, “Evidence-based software engineering,” in Proceedings. 26th International Conference on Software Engineering, Edinburgh, UK, Jun. 2004, pp. 273–281. https://doi.org/10.1109/ICSE.2004.1317449

4. T. B. C. Arias, P. Avgeriou, and P. America, “Analyzing the actual execution of a large software-intensive system for determining dependencies,” in 2008 15th Working Conference on Reverse Engineering, Antwerp, Belgium, Oct. 2008, pp. 49–58. https://doi.org/10.1109/WCRE.2008.11

5. F. Angerer, “Variability-aware change impact analysis of multi-language product lines,” in Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, Sep. 2014, pp. 903–906. https://doi.org/10.1145/2642937.2653472