Using the static analysis feature for code review in Rational Application Developer Version 7.0
Easily and quickly detect and fix problems early to improve software quality
Software engineering is a challenging practice that requires focus. Projects are often late, and many defects are discovered only through running the software. Late delivery leads to pressure, and what's the first thing to go? Testing.
When fewer and fewer tests are performed as a result of this pressure, many defects go undiscovered, and the product becomes more and more unstable. As the instability increases, pressure on the development team also grows, and the cycle continues. Therefore, effective testing is essential to the success of a project. The alternative is last-minute discovery of extensive, hard-to-isolate software defects and inevitable poor product quality. Static analysis breaks this insidious cycle by empowering developers and testers with an unobtrusive approach for effective testing without distracting them from their regular development activities.
Overview of the Analysis feature for code review
Static code analysis represents a gradual evolution of tools and tests. Just as the development tools and platforms have evolved to enable developers to create much larger and more complex applications, the analysis features of IBM® Rational® Application Developer enable developers to quickly review, identify, and correct potential problems in the code.
Automated code review does not take the place of the manual code review, however. The code review tools supplement the manual review process. They allow you to bring better code to the manual review and to make better use of your time in review sessions. Rather than spending your time correcting routine faults and inconsistencies, you can concentrate on more complex and creative design decisions that are beyond the scope of an automated review.
In group reviews, you can focus on design issues without being side-tracked by trivial and embarrassing coding errors and inconsistencies. If code changes are worth checking in, then they are worth running through code review first.
Static code analysis allows you to review the code base -- all of it or any part -- for the occurrence of code that meets certain criteria. These may be predefined conditions or conditions that you define. This kind of code review is a prerequisite for component testing and runtime analysis. After you determine that the code passes static code analysis tests, component testing and runtime analysis should yield useful results, thereby enabling you to run the following types of reviews:
Size and complexity matter. Size prevents developers and architects from effectively detecting issues early on. Complexity hides side effects from developers. Performing manual code reviews and inspections can be a highly effective way of identifying defects in code. However, the effectiveness is often limited because of time constraints, leading to a situation where code reviews and inspections are either not conducted or are conducted infrequently.
Because the automated process is quick, you can run code reviews often. The code review findings let you catch and correct problems early, when it is easiest and least expensive to make changes.
The automated code review tool adds value to the software development process in several ways, because it performs these tasks:
- Finds defects in the code
- Prevents typical coding errors
- Explains each finding and provides solutions
- Improves performance and stability through rules based on best practices
- Provides an automated fix for many typical problems
- Enables you to create rules to ensure that you follow application design and standards as you write code
Code review rules
The Analysis feature of Rational Application Developer Version 7.0 and later includes 212 rules grouped into these categories:
- Design Principles (5): Rules for design principles of object-oriented programming
- Globalization (47): Rules based on globalization coding best practices, helping to ensure that code runs correctly in localized environments
- J2EE Best Practices (32): Rules that are based on the best Java™ 2 Platform, Enterprise Edition (J2EE) development practices and that support Web projects targeted to IBM® WebSphere® servers
- J2EE Security (17): Rules that validate code for compliance with the security requirements for J2EE technology
- J2SE Best Practices (71): Rules based on the Java™ 2 Platform, Standard Edition (J2SE) best practices for Java development
- J2SE Security (9): Rules that validate code for compliance with the security requirements for J2SE technology
- Naming (2): Rules regarding naming conventions for elements in Java code
- Performance (26): Rules that enforce suggestions for improving performance and reducing the memory footprint in Java applications
- Private APIs (3): Rules that locate APIs that do not belong in Java code
These rule categories are further organized into reviews. The selected review dictates which rules will be applied against your code. The Analysis feature includes these reviews, or rule sets:
- Java Complete Code Review: All rules from all categories
- Java Globalization Code Review: All rules from the Globalization category
- Java Security Code Review: All rules from the J2EE Security category
- Java Quick Code Review: All rules for the highest-severity problems
- Java Best Practices Code Review: All rules from the J2SE Best Practices category
The static analysis process involves three basic steps (see Figure 1):
- Configure the code review
- Run the code review
- Interpret the code review
Figure 1. Static analysis process
Setting up the sample project
To set up the sample project for this article, import the sample source files from the StaticSampleCodeAnalysis.zip file. (See Download. You will use this sample code for exercises throughout this article.) You may also run the static analysis on your own code. The steps are the same as those described here.
Using the Analysis feature
The Java and Debug perspectives include analysis capabilities by default, but you can add analysis capabilities to any other perspective if you want to run a static analysis on resources other than Java source code files.
Customizing perspectives for static analysis
Simply follow these steps:
- From the Rational Application Developer menu bar, choose the Window > Open Perspective > Customize Perspective option.
- When the dialog appears, select the Commands tab, and click the Analysis check box.
- Accept the change by clicking OK (see Figure 2).
Figure 2. Customizing the perspective
Creating and editing a static analysis configuration
When you create an Analysis configuration, you determine the type of analysis that you want to perform, the scope, and the particular rules to apply to your resources. To create an Analysis configuration, you must be working in a perspective that supports analysis capabilities.
- Select the Run > Analysis menu option to display the main analysis configuration dialog. You will see a dialog very much like the one used to run or debug code from the Rational Application Developer workbench.
- The first step in creating an analysis configuration is to determine
the default range of resources on which the analysis will be
performed. Do this by selecting the desired range under the Scope tab.
The currently available options analyze the entire workspace, a
working set, or a set of projects. For the purposes of this article,
create a new configuration (
MyStaticAnalysis), and under the Scope tab, select the Analyze entire workspace option (see Figure 3).
Figure 3. Configuration for static analysis
The Rules tab determines the forms of analysis that will be performed. Notice that it displays a tree structure where you can select or deselect analysis elements. It also includes additional buttons. The top-most nodes of the domain tree are analysis providers that represent the type of analysis tools that are known to the analysis framework. Providers contain categories, which are loose organizations of rules or other categories, or both. Rules perform all of the heavy lifting by defining the conditions that generate results during the analysis process (Figure 4).
Figure 4. Analysis rules
Notice that each node in the tree includes a check box that controls the enabling state of the element. When an element is selected or deselected, all of its children nodes are set to the same state, which allows for quick selection of entire categories or even the entire tree. You can also select a collection of rules by typing or clicking a defined rule set. and then clicking Set to configure the providers, rule categories, and rules to perform a specific analysis.
- For the purposes of this article, set the Java Complete Code Review rule set (Figure 5).
Figure 5. Java Complete Code Review setting
When a rule is selected in the tree, the Details button becomes enabled. Clicking this button invokes a secondary dialog to show any configuration and additional information that exists for a rule. Within this dialog, you can change the severity rating of the selected rule, along with any other parameters that it defines. Depending on the rule, the Details dialog may also show other details (See Figure 6).
Figure 6. Analysis rules shown in the Details dialog
If you want to share the selected rules across your team, you can export them as a file by using the Export button (Figure 7).
Figure 7. Exporting the analysis rules
The Import and Export tools can help you create project-specific rules and rule configurations. Your team members can import a file that describes a custom rule set by clicking Import button (Figure 8). The next section explains how to customize your analysis.
Figure 8. Importing a custom rule set
Creating custom rule categories and rules
In addition to the rules that Rational Application Developer supplies, it is also possible to create custom categories and custom rules from templates. A Java development team might use a specific set of providers, rule categories, and rules defined in a custom rules file to analyze source code.
- To create new custom rules and categories. select Window > Preferences.
- Then, in the Preferences view, select the Analysis > Custom Rules and Categories page (Figure 9).
Figure 9. Custom Rules And Categories
- Click Add Category to add a new custom category. This takes you through a simple wizard where you can choose the parent category and a name for the new one. The tree control for custom categories will show the complete path of categories for any custom category (Figure 10).
Only previously defined custom categories can be deleted.
Figure 10. Adding a custom category
- For this example, add a new rule category called
My Rule(see Figure 11).
Figure 11. Entering the category name
- Click Add Rule to start the rule creation wizard. The first wizard screen enables you to select where the rule will be located in the analysis category tree.
- On the first wizard page, select a category, and then click Next (Figure 12).
Figure 12. Adding a custom rule
- On the second wizard page, you will see a list of all known rule templates. You can select the rule template that you want to use as the basis for your new rule. Note that not all forms of analysis support custom rules. However, Rational Application Developer Java Code Review supplies several that you can use (Figure 13). For this example, select Avoid using the package <PACKAGE>.
Figure 13. Select template
- In the final wizard for rule creation, you will see entries for each
parameter defined in the rule template. In this example, the selected
rule template defined only two parameters, so you can enter a
qualified package name in the field provided and the severity of the
rule (Figure 14):
- Package name:
- Package name:
Figure 14. Provide template values
- Click OK. The template-based rule will be created and placed into the rule tree.
- You can now select this rule as part of any analysis configuration
(see Figure 15). For this example, select the values indicated for
- Current Custom Categories: Select My Rule
- Current Custom Rules: Select Avoid using the package com.ibm.external.pack
Figure 15. User-defined rule
You can find the newly created rule in the configuration wizard, too. It will not be enabled by default. To use this rule, you need to enable this rule by clicking the check box next to the rule (Figure 16).
Figure 16. Custom rule added
Running the static analysis and handling results
- To start the analysis process, click the Analyze button.
- After you do this, you will see the Analysis Results view in the Rational Application Developer workbench. Results will flow into this view as they are created when you run the rules.
Static analysis results
An analysis result is a concise explanation of a rule violation. The result is a line item in the Analysis Results view that shows that the resource does not comply with the rules that you applied. As an analysis configuration runs, the Analysis Results view populates a tree of results that are grouped by the rule categories and severity levels that you defined when you configured the analysis.
The top-level node of the tree displays details about the analysis, such as the name of the analysis configuration, the date and time that the analysis was completed, and the number of results generated. When you expand the tree, each rule category and rule displays the number of results generated and lists the resources that are associated with the rule (see Figure 17).
Figure 17. Analysis results
You can view the results of an analysis in the Analysis Results view. A result is not necessarily a problem, mistake, or bug, but be sure to evaluate each result in the list to determine what action, if any, you need to take. If the result is a problem that has a trivial solution, the author of the rule might have provided a quick fix that automatically corrects the resource. If a quick fix is available for a particular result, you can select it using the pop-up menu. When the results are generated, you can filter and view them and, if the rule supplies a quick fix feature, you can repair the source code.
You can filter the results to display results that correspond to each rule in your analysis configuration or only those results that do not conform to a particular rule. From the Analysis Results view, you can also open resources in their associated editors to correct problems or to apply quick fixes, if they are available.
Applying quick fixes to static analysis results
You can correct problems in the results of your analysis automatically if rule authors provided a quick fix. A quick fix is an automated solution for a common or trivial problem. Quick fixes can save time and ensure that problems are corrected consistently (Figure 18)
Figure 18. Fixing problems
If you right-click on a result, you can perform special tasks. Correcting the cause of some problems is trivial, so the rule author may provide a "Quickfix" routine. If the Quickfix menu option is enabled, selecting it will walk you through a process to correct the problem (Figure 19).
Figure 19. Analysis result fixed
- To list the resources associated with each rule, expand the rule categories and rule nodes.
- To open a resource in its associated editor, double-click the resource. The editor that displays your resource is determined by the author of the rule and the type of data in the resource.
- Double-clicking on the created rule takes you to the line of code in the file that has the problem (Figure 20).
Figure 20. Analysis result for custom rule
- Subscribe to a developerWorks newsletter.
- Download a free trial version of Rational Application Developer.