Abstract: Static code inspection, also called static program analysis, is a method of analysing a program without running it.

This article is shared from the Huawei Cloud Community post "A new quality engineer has arrived, saying the team must ensure 0 errors and 0 warnings", author: Agile Xiaozhi.

A new quality engineer has joined the company, saying that it is necessary to improve the process, improve quality, reduce costs and increase efficiency... So a series of analyses, reports and new quality activities were launched one after another. What does that mean in practice? The quality engineer will supervise the fixing of static code inspection results, and the team must ensure 0 errors and 0 warnings.
Figure 1 Clearing the check to zero

Readers may be surprised: isn't it only right for every programmer to fix the results of static code inspections? Why complain about it? Let's first understand what static code inspection is.

What is static code inspection

Figure 2 Static code scanning

According to Wikipedia, static code inspection, also called static program analysis, is a method of analysing a program without running it. A static code inspection tool scans and analyses the project's code on several levels, lexical, syntactic and semantic, and finds possible problems such as undefined variables, type mismatches, variable scope problems, array subscripts out of bounds, memory leaks, and so on. The tool classifies the severity of each problem according to its own rules and gives it a corresponding marker and hint.

Under normal circumstances everyone clears the errors after a static code check, but some warnings do not affect program function and need not be fixed. At the same time, fixing such items takes a lot of time and increases the team's workload. For newcomers who are not yet familiar with the code base, fixing a static-check item may even introduce new bugs. And sometimes the tool simply reports false positives. Hence the team's complaint at the beginning of the article about clearing the check to zero. That being so, why do static code inspections at all?

Why do static code inspections

To answer this question, we need to go back to why the team exists: to deliver working software to the customer as early as possible, and thereby create value. Working software must be free of defects, and early delivery requires finding problems as early as possible; static code inspection is a necessary link in finding problems early.

At the same time, from the perspective of defect repair cost, Deming once proposed that "the earlier a defect is discovered, the lower the cost of repairing it". According to the data, 85% of defects are introduced during the coding phase. However, most defects are not discovered during coding but later, in the testing phase or even after going live. And the later a defect is discovered, the higher the cost of repairing it.

An article titled "The Shift-Left Approach to Software Testing" on the STICKYMINDS website mentions that if a defect found in the coding phase can be resolved in only 1 minute, the same defect takes 4 minutes in the unit testing phase, 10 minutes in the functional testing phase, 40 minutes in the system testing phase, and possibly 640 minutes to repair after release.

Figure 3 Source: "Applied Software Measurement: Global Analysis of Productivity and Quality"

Static code inspection is also called static testing. It is one of the shift-left testing practices among built-in quality measures: problems found during the static code inspection stage cost very little to fix.

Figure 4 Defect repair cost

This shows that static code inspection is an essential part of the project.

How to perform static code inspection

Each language has one or more corresponding code checking tools, and many static code checking tools support two or more languages. For example, Coverity supports C/C++, C# and Java; Checkstyle, FindBugs and PMD support Java; RATS supports C/C++, Python, Perl and PHP. There are many more tools than can be listed here.

With the popularity of cloud native and DevOps and the promotion of cloud development and pipelines, static code checking in the cloud has also emerged. Here, taking Code Check in Huawei Cloud DevCloud as an example, let's look at how easy it is to check multiple programming languages in the cloud.

It is very simple to use and can be completed in three steps: New task -> Execute task -> View report.

1. Create a new code inspection task

On the toolbar of the HUAWEI CLOUD DevCloud homepage, select "Service > Code Check" to enter, or click Code Check directly. On the "Code Check" homepage, click "New Task" to create a code check task.

Figure 5-1 Code Check: new task

When creating a task, the code is pulled from a code repository under the associated project. There are 4 sources to choose from for the source code; fill in the parameter values corresponding to the chosen option and select the language type of the code project.

Figure 5-2 Code Check: select source

After creating the task, you can select the rule set in the settings. Code Check identifies the languages contained in the code and then applies the corresponding rules from each language's rule set. CodeCheck supports 10 common development languages, such as Java, JavaScript, CSS, HTML, PHP, C# and Android, and can check several languages in one task; it provides nearly 2000 typical Huawei inspection rules, covering web inspection, security inspection, architecture inspection, coding-problem checking and other scenarios.

Figure 5-3 Code Check: rule set

2. Execute the code inspection task

After the code inspection task has been created successfully, click the task's "Start inspection" button to execute it.

Figure 6-1 Code Check: execute task

After the inspection, issues are classified and displayed by severity level, with a detailed description of each defect's impact, correct and incorrect examples, and suggested fixes.

Figure 6-2 Code Check: defect display

3. View the code inspection report

After the inspection, a multi-dimensional report is available. Click the inspection task's name to enter the task details page, where you can view "Overview", "Code Issues", "Code Quality", "Cyclomatic Complexity", "Code Duplication Rate" and other information.

Figure 7 Code Check inspection report

For more on Code Check, please see the Code Check introduction.

A final word

Having said all that, is the "clear the check to zero" demanded by the quality engineer correct, and should it be done? This is really a question of how the quality gate is set for code inspection. The items reported by a static scan are classified as fatal, serious, general and prompt. From a delivery perspective, the first priority is that the code works, so fatal and serious problems must not exist: the gate for these is switched on with a threshold of 0. If the remaining general and prompt items do not affect the code's function, they can be left untouched in the current iteration, but the team still has to analyse whether they should be dealt with and set a completion date. They can be recorded in the backlog as technical debt and handled together in a buffer iteration. Put simply, the team should jointly decide how to set the quality gate based on the actual situation of business delivery, rather than applying a simple one-size-fits-all rule.

Figure 8 Quality gate
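The gate policy described in the closing paragraph, as an added example (not code from the original article or from Code Check): a scan report is read into issues, levels with a configured threshold block the build when their count exceeds it (0 for fatal and serious, as the article sets it), and ungated levels are turned into technical-debt items carrying a due date instead of being silently dropped. The report records, rule names and file paths are constructed for the demonstration, and the 30-day due window and fixed "today" are assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Severity levels named in the article, most severe first.
SEVERITIES = ("fatal", "serious", "general", "prompt")

# The article's gate: fatal and serious must be zero; general and prompt are not
# gated but are tracked as technical debt with a completion date.
DEFAULT_THRESHOLDS = {"fatal": 0, "serious": 0}
DEBT_DAYS = 30               # assumed due window for deferred items (not from the article)
DEMO_DATE = date(2024, 1, 1)  # fixed "today" so the demo is reproducible

# Constructed sample scan report; rule names and paths are made up for illustration.
SAMPLE_REPORT = [
    {"rule": "NullDereference", "severity": "fatal", "file": "src/io.c", "line": 42},
    {"rule": "BufferOverrun", "severity": "serious", "file": "src/parse.c", "line": 118},
    {"rule": "UnusedVariable", "severity": "general", "file": "src/util.c", "line": 7},
    {"rule": "NamingConvention", "severity": "prompt", "file": "src/util.c", "line": 9},
]


@dataclass
class Issue:
    rule: str
    severity: str
    file: str
    line: int


@dataclass
class DebtItem:
    """An ungated issue deferred to the backlog with a date by which it must be decided."""
    issue: Issue
    opened: date
    due: date


@dataclass
class GateResult:
    passed: bool
    blocking: list   # issues that must be fixed before the gate passes
    debt: list       # DebtItems for issues deferred as technical debt


def load_issues(report):
    """Turn raw report records into Issues, rejecting unknown severity labels."""
    issues = []
    for rec in report:
        if rec["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity {rec['severity']!r} in {rec}")
        issues.append(Issue(rec["rule"], rec["severity"], rec["file"], rec["line"]))
    return issues


def evaluate_gate(issues, thresholds=DEFAULT_THRESHOLDS, debt_days=DEBT_DAYS, today=None):
    """Apply the gate. A gated level fails when its count exceeds its threshold,
    and every issue at a failing level becomes blocking. Levels without a
    threshold never block; each of their issues becomes a dated debt item."""
    today = today or date.today()
    counts = {s: 0 for s in SEVERITIES}
    for issue in issues:
        counts[issue.severity] += 1
    failing_levels = {s for s, limit in thresholds.items() if counts[s] > limit}
    blocking = [i for i in issues if i.severity in failing_levels]
    debt = [DebtItem(i, today, today + timedelta(days=debt_days))
            for i in issues if i.severity not in thresholds]
    return GateResult(passed=not blocking, blocking=blocking, debt=debt)


def summarize(result):
    """Human-readable gate summary, suitable for a pipeline log."""
    lines = ["GATE PASSED" if result.passed else "GATE FAILED"]
    for i in result.blocking:
        lines.append(f"  BLOCK {i.severity:8} {i.file}:{i.line} {i.rule}")
    for d in result.debt:
        lines.append(f"  DEBT  {d.issue.severity:8} {d.issue.file}:{d.issue.line} "
                     f"{d.issue.rule} (due {d.due.isoformat()})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(evaluate_gate(load_issues(SAMPLE_REPORT), today=DEMO_DATE)))
```

With the sample report the gate fails on the fatal and serious findings and records the two remaining items as debt due 30 days out; passing a different `thresholds` dictionary is how a team expresses the "decide together based on delivery" setting the article recommends, for instance gating only fatal issues early in a project and adding serious later.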

As for tools, each static code checking tool is used differently, and you can find the usage instructions on the tool's official website or in other write-ups. The point is to understand why static code checking is needed, so that it is done well rather than just gone through for show. Letting team members know why is always more important than telling them how. To shift testing left, build quality in, nip errors in the bud, reduce defect repair costs, deliver working software to customers as early as possible and create valuable products, let us all do static code inspection together.
