Taking code analysis into use for existing codebase
Uitto, Janne (2020)
Degree Programme in Information Technology, MSc (Tech)
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2020-05-27
Permanent address of the publication
https://urn.fi/URN:NBN:fi:tuni-202004173357
Abstract
The amount of code in applications is growing across industries, and the number of vulnerabilities has grown with it, which makes quality assurance more important. Any form of quality assurance raises the probability of finding defects in programs. One method of detecting security vulnerabilities is code analysis. Code analysis tools can automatically detect potential security vulnerabilities in source code, including buffer overruns, use of uninitialised memory, null pointer dereferences, and memory leaks.
This thesis shows how a code analysis tool can be included in a company's existing software development process so that new issues are found as early as possible. Code analysis tools may report many findings from a codebase that has not been analysed before, and these existing issues need to be fixed so that new issues can be identified easily. The effort spent fixing the existing issues was compared with the severity of the issues found, which gives the cost-effectiveness of that effort.
A code analysis tool was taken into use at M-Files. It reported a total of 3,064 existing issues in the company's codebase. The issues were categorised into three severity levels: 3,054 low, 3 high, and 7 critical. All of them were fixed, which took 60.5 work hours.
A CI pipeline is used to automate the integration steps for new code. After the existing issues had been fixed, the code analysis tool was set to check every new change in the company's CI pipeline. A clean analysis result is now mandatory before a change can be merged into the main branch, which reduces the number of issues, including vulnerabilities, in released software.
A code analysis tool does not have to be in place from the beginning of a project. This thesis shows that taking code analysis into use for an existing codebase required a tolerable effort. Setting up code analysis as part of the development process as early as possible is recommended for all organisations.
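The merge gate described in the abstract, as an added example that is not code from the thesis or from M-Files (the thesis names neither its analyzer nor its output format). It parses a constructed SARIF-style result file, buckets findings into the abstract's three severities (the level-to-severity mapping is an assumption), and refuses to merge unless the result is clean. The optional baseline of fingerprints shows the alternative of tolerating already-known findings while still blocking new ones.

```python
"""CI merge gate for static-analysis results: merge only on a clean result.

Added example, not code from the thesis or from M-Files. Assumes the analyzer
emits SARIF-style JSON; the thesis does not state the tool or its output format.
"""
import hashlib
import json
from typing import Dict, Iterable, List, Set

# Constructed SARIF-like output for one analysis run (not real tool output).
SAMPLE_SARIF = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer"}},
        "results": [
            {"ruleId": "NULL_DEREF", "level": "error",
             "message": {"text": "Dereference of null pointer 'p'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/server.c"},
                 "region": {"startLine": 120}}}]},
            {"ruleId": "UNINIT_READ", "level": "warning",
             "message": {"text": "Variable 'len' may be uninitialised"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/parser.c"},
                 "region": {"startLine": 44}}}]},
            {"ruleId": "UNUSED_INCLUDE", "level": "note",
             "message": {"text": "Unused include"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.c"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Assumed mapping of SARIF levels to the abstract's three severity buckets.
LEVEL_TO_SEVERITY = {"error": "critical", "warning": "high",
                     "note": "low", "none": "low"}


def parse_findings(sarif_text: str) -> List[Dict[str, str]]:
    """Flatten a SARIF document into rule/file/line/severity/message records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for r in run.get("results", []):
            loc = r.get("locations", [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": r.get("ruleId", "UNKNOWN"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": str(loc.get("region", {}).get("startLine", 0)),
                "severity": LEVEL_TO_SEVERITY.get(r.get("level", "none"), "low"),
                "message": r.get("message", {}).get("text", ""),
            })
    return findings


def fingerprint(f: Dict[str, str]) -> str:
    """Stable id for a finding. The line number is left out so that an
    unrelated edit above an old finding does not make it look new."""
    key = f"{f['rule']}|{f['file']}|{f['message']}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def summarise(findings: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity bucket, as in the abstract's figures."""
    counts = {"low": 0, "high": 0, "critical": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def gate(findings: Iterable[Dict[str, str]],
         baseline: Set[str] = frozenset()) -> bool:
    """True if the change may merge: no findings outside the baseline.
    With an empty baseline this is the thesis's policy of a clean result."""
    new = [f for f in findings if fingerprint(f) not in baseline]
    for f in new:
        print(f"BLOCKING {f['severity']}: {f['rule']} at "
              f"{f['file']}:{f['line']} - {f['message']}")
    return len(new) == 0


if __name__ == "__main__":
    found = parse_findings(SAMPLE_SARIF)
    print("severity counts:", summarise(found))
    print("merge allowed:", gate(found))
```

In a pipeline the script would read the analyzer's real result file and exit non-zero when `gate` returns False; the severity counts are what the thesis compared against the fixing effort.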