A year after writing the article about checking Tizen, developers of the PVS-Studio static analyzer checked the quality of the operating system code again, this time demonstrating the abilities of their product to detect errors and potential security vulnerabilities in the Android code.
Despite the fact that the Android code is of high quality and is well tested, and its development includes at least the use of Coverity static analyzer, PVS-Studio still managed to find a lot of interesting defects. Some errors are classified as CWE (Common Weakness Enumeration), which for a certain coincidence of circumstances can be used as vulnerability (CVE). That is why, if you want to protect your code from security vulnerabilities, you should find as many bugs as described in CWE and eliminate them.
According to developers, PVS-Studio is a tool for static application security testing (SAST) and can detect many potential vulnerabilities before they caused harm. This article describes examples of errors by the following categories:
- Pointless comparisons
- Null pointer dereference
- Private data is not cleared in memory
- Unspecified/implementation-defined behavior
- Incorrect memory control
- Array index out of bounds
- Broken loops
and so on.
Thus, 490 CWE per 1855000 lines of code have been detected or more than 1 vulnerability per 4000 lines.
Development of large complex projects is impossible without the use of programming methodologies and tools to help monitor the quality of the code. First of all, this is a literate coding standard, code reviews, unit tests, static and dynamic code analyzers. All this helps to detect defects in code at the earliest stages of development. Use additional programs and methods to control the quality of your code and make your product secure!
Source - https://www.viva64.com/en/b/0579/
Many programmers know firsthand that C and C++ program builds very long. Someone solves this problem by sword-fighting at build time, someone is going to the kitchen to "grab some coffee". This article is for those who are tired of this, and who decided it is time to do something about it. In this article, various ways of speeding up compilation time of a project are regarded, as well as treatment of a disease "fixed one header - a half of a project was rebuilt."
The Unreal Engine project continues to develop - new code is added, and previously written code is changed. The inevitable consequence of the development in a project? The emergence of new bugs in the code that a programmer wants to identify as early as possible. One of the ways to reduce the number of errors is the use of the static analyzer, 'PVS-Studio'. If you care about code quality, this article is for you.
Although, we did it (https://www.unrealengine.com/blog/how-pvs-studio-team-improved-unreal-engines-code) two years ago, since that time we got more work to do regards code editing and improvement. It is always useful and interesting to look at the project code base after a two-year break. There are several reasons for this.
First, we were interested to look at false positives from the analyzer. This work helped us improve our tool as well, which would reduce the number of unnecessary messages. Fighting false positives is a constant task for any developer of code analyzers.
The codebase of Unreal Engine has significantly changed over the two years. Some fragments were added, some were removed, sometimes entire folders disappeared. That's why not all the parts of the code got sufficient attention, which means that there is some work for PVS-Studio.
The fact that the company uses static analysis tools shows the maturity of the project development cycle, and the care given to ensuring the reliability and safety of the code.
We won't be talking about all the errors that we found and fixed, We will highlight only those that deserve attention, to our mind.
Read more - https://www.unrealengine.com/en-US/blog/static-analysis-as-part-of-the-process
P.S. Those who are willing, may take a look at other errors in the pull request on Github. To access the source code, and a specified pull request, you must have access to the Unreal Engine repository on GitHub. To do this, you must have accounts on GitHub and EpicGames, which must be linked on the website unrealengine.com. After that, you need to accept the invitation to join the Epic Games community on GitHub.Instruction (https://www.unrealengine.com/ue4-on-github).
In this article we'll look at the main features of SonarQube - a platform for continuous analysis and measurement of code quality, and we'll also discuss advantages of the methods for code quality evaluation based on the SonarQube metrics.
SonarQube is an open source platform, designed for continuous analysis and measurement of code quality. SonarQube provides the following capabilities: