Static code analysis

from Wikipedia, the free encyclopedia

Static code analysis, or static analysis for short, is a static software testing method that is performed at compile time. The source text is subjected to a series of formal checks, by which certain types of errors can be discovered before the corresponding software is executed (e.g. in the module test). The methodology is one of the falsifying procedures, i.e. it determines the presence of errors.

After the classic program Lint, the process is also called linting (German: Linten).

Methodological context


As part of the software test procedures, static code analysis can be assigned to the white-box test procedures (the source code is required). The analysis can be done by manual inspection, but also automatically by a program. One speaks of static analysis because the software under test is available to the examiner (or tool) in the form of its algorithms and data, in their formulation and composition (static).


The forerunners of static analysis are the test procedures of standardized programming and the tools for recognizing code patterns, the so-called style checkers.

In contrast to static analysis, dynamic code analysis requires a running program. A dynamic counterpart to static code analysis at compile time is, for example, profiling at runtime.


In addition to the conscientious study of the source code by developers, many content-related errors can be identified with the aid of tools or automatically. The spectrum ranges from enforcing simple coding standards (e.g. one return statement per function) through checking type conversions and range limits and searching for certain types of memory leaks to technical verification of the source text.
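The coding-standard check named above (one return statement per function), as an added example that is not from the original article or from any of the tools it lists. It uses Python's standard `ast` module; the sample source and the names `ReturnCounter` and `check_single_return` are constructed for illustration.

```python
import ast

# Constructed sample input: it is only parsed, never executed.
SAMPLE = '''
def sign(x):
    if x < 0:
        return -1
    if x == 0:
        return 0
    return 1

def outer(items):
    def key(item):
        return item[1]
    return sorted(items, key=key)

async def fetch(flag):
    if flag:
        return "a"
    return "b"
'''

class ReturnCounter(ast.NodeVisitor):
    """Counts the return statements that belong to one function body."""
    def __init__(self):
        self.count = 0

    def visit_Return(self, node):
        self.count += 1

    # A nested function owns its own returns, so do not descend into it.
    def visit_FunctionDef(self, node):
        pass
    visit_AsyncFunctionDef = visit_FunctionDef

def check_single_return(source):
    """Return sorted (line, function, count) findings for rule violations."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            counter = ReturnCounter()
            for stmt in node.body:
                counter.visit(stmt)
            if counter.count > 1:
                findings.append((node.lineno, node.name, counter.count))
    return sorted(findings)

if __name__ == "__main__":
    for line, name, count in check_single_return(SAMPLE):
        print(f"line {line}: function '{name}' has {count} return statements")
```

A checker that simply counted every return below a function node would wrongly report `outer`, which is the kind of incorrectly identified weakness that makes fully automatic correction risky.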

Simple analyses are often already integrated in the compiler (translator) of a programming language, e.g. the check for initialization of a variable. In addition, there are methods that test the programming style for aesthetics and pragmatics, namely the stylistic methods. However, often only warning messages are displayed, which can be ignored. In the case of so-called profilers, additional object code is generated that produces information about code coverage and code frequency. Real static analyzers are few and far between.

Automated code review software simplifies the task of reviewing large parts of the program by systematically checking for vulnerable areas such as:

Because the number of false positives (weaknesses in the source code that are reported but only supposed) is still not inconsiderable, fully automatic correction by static code analysis tools is not customary to this day.


In addition to Lint, the "classics" in this area include Checkstyle, FindBugs and PMD for Java, Cppcheck for C/C++, Splint for C, and FxCop and StyleCop for C#.

Such tools can not only run stand-alone but can also be integrated into the development environment or the build server. They are not limited to coding rules such as the MISRA-C rules, but also recognize functional and technical errors, potential bugs and qualitative weaknesses in the code (so-called code smells), such as duplicated code (also called software clones).

Some tools, such as the Rough Auditing Tool for Security (RATS), can also check the code for security-related programming errors such as buffer overflows or race conditions.

Furthermore, there are tools that also check architecture metrics and the conformity of the code with the architecture specification. These include, for example, the Axivion Bauhaus Suite, ConQAT and Teamscale as well as Sonargraph and Sotograph.

