Editorial Note: I originally wrote this post for the NDepend blog. You can check out the original here, at their site. While you’re there, take a look at the other posts and download a trial of NDepend, if you’re so inclined.
As a consultant, one of the more universal things that I’ve observed over the years is managerial hand-waving. This comes up a lot with the idea of agile processes, for instance. A middle manager with development teams reporting into him decides that he wants to realize the 50% productivity gains he read about in some Gartner article, and so commands his direct reports or consultant partners to sprinkle a little agile magic on his team. It’s up to people in a lower paygrade to worry about the details.
To be fair, managers shouldn’t be worrying about the details of implementations; they should be delegating to and trusting in their teams. The hand-waving happens more in the assumption that things will be easy. It’s probably most common with “let’s be agile,” but it also happens with other things. Static analysis, for example.
If you’ve landed here, it may be that you follow the blog or it may be that you’ve googled something like “how to get started with static analysis.” Either way, you’re in luck, at least as long as you want to hear about how to work static analysis into your project. I’m going to talk today about practical advice for adding this valuable tool to your tool chest. So, if you’ve been meaning to do this for a while, or if some hand-waving manager staged a drive-by, saying, “we should static some analysis in teh codez,” this should help you get started.
What is Static Analysis (Briefly)?
You can read up in great detail if you want, but I’ll summarize by saying that static analysis is analysis performed on a codebase without actually executing the resultant compiled or interpreted code. Most commonly, this involves some kind of application (e.g. NDepend) that takes your source code files as input and produces interesting output by running various analyses on the code in question.
Let’s take a dead simple example. Maybe I write a static analysis tool that simply looks through your code for the literal string “while(true)” and, if it finds it, dumps “ruh-roh” to the console. I’m probably not going to have investors banging down my door, but I have, technically, written a static analysis utility.
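Here is that dead simple analyzer written out, as an added example that is not from the original post or from NDepend. It goes slightly beyond the literal-string grep described above: it tolerates whitespace variants like `while (true)`, reports line and column, and ignores matches inside `//` comments and string literals, which is where a naive text search produces false positives. The C#-like source it scans is a constructed sample.

```python
import re

# Constructed sample of C#-like source to scan (not from the original post).
SAMPLE_SOURCE = """\
// while(true) in a comment should not count
static void Main()
{
    string s = "while(true)";   // inside a string literal, also not a finding
    while (true)
    {
        while(true) { break; }
    }
}
"""

# "while", optional whitespace, "(", optional whitespace, "true", optional whitespace, ")"
INFINITE_LOOP = re.compile(r"\bwhile\s*\(\s*true\s*\)")


def strip_comments_and_strings(line):
    """Blank out // comments and "..." string literals with spaces so that
    matches inside them are ignored while column offsets stay stable."""
    out = []
    i = 0
    while i < len(line):
        if line.startswith("//", i):           # rest of line is a comment
            out.append(" " * (len(line) - i))
            break
        if line[i] == '"':                      # string literal, honour \" escapes
            j = i + 1
            while j < len(line) and line[j] != '"':
                j += 2 if line[j] == "\\" else 1
            out.append(" " * (min(j, len(line) - 1) - i + 1))
            i = j + 1
            continue
        out.append(line[i])
        i += 1
    return "".join(out)


def find_infinite_loops(source):
    """Return (line, column) for each while(true) outside comments and strings."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        for m in INFINITE_LOOP.finditer(strip_comments_and_strings(raw)):
            findings.append((lineno, m.start() + 1))
    return findings


if __name__ == "__main__":
    for lineno, col in find_infinite_loops(SAMPLE_SOURCE):
        print(f"ruh-roh: while(true) at line {lineno}, column {col}")
```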