Using the static analysis feature for code review in Rational Application Developer Version 7.0

Easily and quickly detect and fix problems early to improve software quality

This article introduces the static analysis feature of IBM® Rational® Application Developer Version 7.0. Because this feature is quick to run, you can detect problems and inconsistencies in a code base early. Consequently, you can fix these problems before they affect your application's maintenance, scalability, and performance.

Sayeed Sanaullah (ssanaull@in.ibm.com), Development Lead, IBM

Sayeed Sanaullah is a Development Lead for the Web Site Designer component of IBM Rational Application Developer. He has more than six years industry experience, which includes more than a year working on Rational Software. He holds a Bachelor of Technology degree from Indian Institute of Technology, Kanpur. He is a technical speaker for the University Relations program and leads the Rational Application Developer customer engagement activities. Sayeed has also been a speaker at the IBM WebSphere Technical Conference and IBM Rational Software Development Conference.



04 December 2007

Also available in Chinese

Software engineering is a challenging practice that requires focus. Projects are often late, and many defects are discovered only through running the software. Late delivery leads to pressure, and what's the first thing to go? Testing.

When fewer and fewer tests are performed as a result of this pressure, many defects go undiscovered, and the product becomes more and more unstable. As the instability increases, pressure on the development team also grows, and the cycle continues. Therefore, effective testing is essential to the success of a project. The alternative is last-minute discovery of extensive, hard-to-isolate software defects and inevitable poor product quality. Static analysis breaks this insidious cycle by empowering developers and testers with an unobtrusive approach for effective testing without distracting them from their regular development activities.

Overview of the Analysis feature for code review

Static code analysis represents a gradual evolution of tools and tests. Just as the development tools and platforms have evolved to enable developers to create much larger and more complex applications, the analysis features of IBM® Rational® Application Developer enable developers to quickly review, identify, and correct potential problems in the code.

Automated code review does not take the place of the manual code review, however. The code review tools supplement the manual review process. They allow you to bring better code to the manual review and to make better use of your time in review sessions. Rather than spending your time correcting routine faults and inconsistencies, you can concentrate on more complex and creative design decisions that are beyond the scope of an automated review.

In group reviews, you can focus on design issues without being side-tracked by trivial and embarrassing coding errors and inconsistencies. If code changes are worth checking in, then they are worth running through code review first.

Static code analysis allows you to review the code base -- all of it or any part -- for the occurrence of code that meets certain criteria. These may be predefined conditions or conditions that you define. This kind of code review is a prerequisite for component testing and runtime analysis. After you determine that the code passes static code analysis tests, component testing and runtime analysis should yield useful results, thereby enabling you to run the following types of reviews:

Size and complexity matter. Size prevents developers and architects from effectively detecting issues early on. Complexity hides side effects from developers. Performing manual code reviews and inspections can be a highly effective way of identifying defects in code. However, the effectiveness is often limited because of time constraints, leading to a situation where code reviews and inspections are either not conducted or are conducted infrequently.

Because the automated process is quick, you can run code reviews often. The code review findings let you catch and correct problems early, when it is easiest and least expensive to make changes.

The automated code review tool adds value to the software development process in several ways, because it performs these tasks:

  • Finds defects in the code
  • Prevents typical coding errors
  • Explains each finding and provides solutions
  • Improves performance and stability through rules based on best practices
  • Provides an automated fix for many typical problems
  • Enables you to create rules to ensure that you follow application design and standards as you write code

Code review rules

The Analysis feature of Rational Application Developer Version 7.0 and later includes 212 rules grouped into these categories:

  • Design Principles (5): Rules for design principles of object-oriented programming
  • Globalization (47): Rules based on globalization coding best practices, helping to ensure that code runs correctly in localized environments
  • J2EE Best Practices (32): Rules that are based on the best Java™ 2 Platform, Enterprise Edition (J2EE) development practices and that support Web projects targeted to IBM® WebSphere® servers
  • J2EE Security (17): Rules that validate code for compliance with the security requirements for J2EE technology
  • J2SE Best Practices (71): Rules based on the Java™ 2 Platform, Standard Edition (J2SE) best practices for Java development
  • J2SE Security (9): Rules that validate code for compliance with the security requirements for J2SE technology
  • Naming (2): Rules regarding naming conventions for elements in Java code
  • Performance (26): Rules that enforce suggestions for improving performance and reducing the memory footprint in Java applications
  • Private APIs (3): Rules that locate APIs that do not belong in Java code

These rule categories are further organized into reviews. The selected review dictates which rules will be applied against your code. The Analysis feature includes these reviews, or rule sets:

  • Java Complete Code Review: All rules from all categories
  • Java Globalization Code Review: All rules from the Globalization category
  • Java Security Code Review: All rules from the J2EE Security category
  • Java Quick Code Review: All rules for the highest-severity problems
  • Java Best Practices Code Review: All rules from the J2SE Best Practices category

The static analysis process involves three basic steps (see Figure 1):

  1. Configure the code review
  2. Run the code review
  3. Interpret the code review
Figure 1. Static analysis process
Static analysis process

Setting up the sample project

To set up the sample project for this article, import the sample source files from the StaticSampleCodeAnalysis.zip file. (See Download. You will use this sample code for exercises throughout this article.) You may also run the static analysis on your own code. The steps are the same as those described here.

Using the Analysis feature

The Java and Debug perspectives include analysis capabilities by default, but you can add analysis capabilities to any other perspective if you want to run a static analysis on resources other than Java source code files.

Customizing perspectives for static analysis

Simply follow these steps:

  1. From the Rational Application Developer menu bar, choose the Window > Open Perspective > Customize Perspective option.
  2. When the dialog appears, select the Commands tab, and click the Analysis check box.
  3. Accept the change by clicking OK (see Figure 2).
Figure 2. Customizing the perspective
Customizing the perspective

Creating and editing a static analysis configuration

When you create an Analysis configuration, you determine the type of analysis that you want to perform, the scope, and the particular rules to apply to your resources. To create an Analysis configuration, you must be working in a perspective that supports analysis capabilities.

  1. Select the Run > Analysis menu option to display the main analysis configuration dialog. You will see a dialog very much like the one used to run or debug code from the Rational Application Developer workbench.
  2. The first step in creating an analysis configuration is to determine the default range of resources on which the analysis will be performed. Do this by selecting the desired range under the Scope tab. The currently available options analyze the entire workspace, a working set, or a set of projects. For the purposes of this article, create a new configuration (MyStaticAnalysis), and under the Scope tab, select the Analyze entire workspace option (see Figure 3).
Figure 3. Configuration for static analysis
Configuration for static analysis

The Rules tab determines the forms of analysis that will be performed. Notice that it displays a tree structure where you can select or deselect analysis elements. It also includes additional buttons. The top-most nodes of the domain tree are analysis providers that represent the type of analysis tools that are known to the analysis framework. Providers contain categories, which are loose organizations of rules or other categories, or both. Rules perform all of the heavy lifting by defining the conditions that generate results during the analysis process (Figure 4).

Figure 4. Analysis rules
Analysis rules

Notice that each node in the tree includes a check box that controls the enabling state of the element. When an element is selected or deselected, all of its children nodes are set to the same state, which allows for quick selection of entire categories or even the entire tree. You can also select a collection of rules by typing or clicking a defined rule set. and then clicking Set to configure the providers, rule categories, and rules to perform a specific analysis.

  1. For the purposes of this article, set the Java Complete Code Review rule set (Figure 5).
Figure 5. Java Complete Code Review setting
Java Complete Code Review setting

When a rule is selected in the tree, the Details button becomes enabled. Clicking this button invokes a secondary dialog to show any configuration and additional information that exists for a rule. Within this dialog, you can change the severity rating of the selected rule, along with any other parameters that it defines. Depending on the rule, the Details dialog may also show other details (See Figure 6).

Figure 6. Analysis rules shown in the Details dialog
screen capture

If you want to share the selected rules across your team, you can export them as a file by using the Export button (Figure 7).

Figure 7. Exporting the analysis rules
screen capture

The Import and Export tools can help you create project-specific rules and rule configurations. Your team members can import a file that describes a custom rule set by clicking Import button (Figure 8). The next section explains how to customize your analysis.

Figure 8. Importing a custom rule set
screen capture

Creating custom rule categories and rules

In addition to the rules that Rational Application Developer supplies, it is also possible to create custom categories and custom rules from templates. A Java development team might use a specific set of providers, rule categories, and rules defined in a custom rules file to analyze source code.

  1. To create new custom rules and categories. select Window > Preferences.
  2. Then, in the Preferences view, select the Analysis > Custom Rules and Categories page (Figure 9).
Figure 9. Custom Rules And Categories
screen capture
  1. Click Add Category to add a new custom category. This takes you through a simple wizard where you can choose the parent category and a name for the new one. The tree control for custom categories will show the complete path of categories for any custom category (Figure 10).

Note:
Only previously defined custom categories can be deleted.

Figure 10. Adding a custom category
screen capture
  1. For this example, add a new rule category called My Rule (see Figure 11).
Figure 11. Entering the category name
screen capture
  1. Click Add Rule to start the rule creation wizard. The first wizard screen enables you to select where the rule will be located in the analysis category tree.
  2. On the first wizard page, select a category, and then click Next (Figure 12).
Figure 12. Adding a custom rule
screen capture
  1. On the second wizard page, you will see a list of all known rule templates. You can select the rule template that you want to use as the basis for your new rule. Note that not all forms of analysis support custom rules. However, Rational Application Developer Java Code Review supplies several that you can use (Figure 13). For this example, select Avoid using the package <PACKAGE>.
Figure 13. Select template
screen capture
  1. In the final wizard for rule creation, you will see entries for each parameter defined in the rule template. In this example, the selected rule template defined only two parameters, so you can enter a qualified package name in the field provided and the severity of the rule (Figure 14):
    • Package name: com.ibm.external.pack
    • Severity: Severe
Figure 14. Provide template values
screen capture
  1. Click OK. The template-based rule will be created and placed into the rule tree.
  2. You can now select this rule as part of any analysis configuration (see Figure 15). For this example, select the values indicated for these sections:
    • Current Custom Categories: Select My Rule
    • Current Custom Rules: Select Avoid using the package com.ibm.external.pack
Figure 15. User-defined rule
screen capture

You can find the newly created rule in the configuration wizard, too. It will not be enabled by default. To use this rule, you need to enable this rule by clicking the check box next to the rule (Figure 16).

Figure 16. Custom rule added
screen capture

Running the static analysis and handling results

  1. To start the analysis process, click the Analyze button.
  2. After you do this, you will see the Analysis Results view in the Rational Application Developer workbench. Results will flow into this view as they are created when you run the rules.

Static analysis results

An analysis result is a concise explanation of a rule violation. The result is a line item in the Analysis Results view that shows that the resource does not comply with the rules that you applied. As an analysis configuration runs, the Analysis Results view populates a tree of results that are grouped by the rule categories and severity levels that you defined when you configured the analysis.

The top-level node of the tree displays details about the analysis, such as the name of the analysis configuration, the date and time that the analysis was completed, and the number of results generated. When you expand the tree, each rule category and rule displays the number of results generated and lists the resources that are associated with the rule (see Figure 17).

Figure 17. Analysis results
screen capture

You can view the results of an analysis in the Analysis Results view. A result is not necessarily a problem, mistake, or bug, but be sure to evaluate each result in the list to determine what action, if any, you need to take. If the result is a problem that has a trivial solution, the author of the rule might have provided a quick fix that automatically corrects the resource. If a quick fix is available for a particular result, you can select it using the pop-up menu. When the results are generated, you can filter and view them and, if the rule supplies a quick fix feature, you can repair the source code.

You can filter the results to display results that correspond to each rule in your analysis configuration or only those results that do not conform to a particular rule. From the Analysis Results view, you can also open resources in their associated editors to correct problems or to apply quick fixes, if they are available.

Applying quick fixes to static analysis results

You can correct problems in the results of your analysis automatically if rule authors provided a quick fix. A quick fix is an automated solution for a common or trivial problem. Quick fixes can save time and ensure that problems are corrected consistently (Figure 18)

Figure 18. Fixing problems
screen capture

If you right-click on a result, you can perform special tasks. Correcting the cause of some problems is trivial, so the rule author may provide a "Quickfix" routine. If the Quickfix menu option is enabled, selecting it will walk you through a process to correct the problem (Figure 19).

Figure 19. Analysis result fixed
screen capture
  1. To list the resources associated with each rule, expand the rule categories and rule nodes.
  2. To open a resource in its associated editor, double-click the resource. The editor that displays your resource is determined by the author of the rule and the type of data in the resource.
  3. Double-clicking on the created rule takes you to the line of code in the file that has the problem (Figure 20).
Figure 20. Analysis result for custom rule
screen capture

Downloads

DescriptionNameSize
Sample Code for this articleStaticSampleCodeAnalysis.zip5KB
Demo for this articleviewlet.zip2462KB

Resources

Learn

  • Visit the Rational Application Developer page on IBM® developerWorks® for technical documentation, how-to articles, education, downloads, and product information.
  • Visit the Rational software area on developerWorks for technical resources and best practices for Rational Software Delivery Platform products.
  • Subscribe to the developerWorks Rational zone newsletter. Keep up with developerWorks Rational content. Every other week, you'll receive updates on the latest technical resources and best practices for the Rational Software Delivery Platform.
  • Browse the technology bookstore for books on these and other technical topics.

Get products and technologies

Discuss

Comments

developerWorks: Sign in

Required fields are indicated with an asterisk (*).


Need an IBM ID?
Forgot your IBM ID?


Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.

 


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name



The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.

 


All information submitted is secure.

Dig deeper into Rational software on developerWorks


static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=Rational
ArticleID=271743
ArticleTitle=Using the static analysis feature for code review in Rational Application Developer Version 7.0
publish-date=12042007