Improving Software Quality with Static Analysis William Pugh Professor Univ
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Java Programming Standards & Reference Guide
Java Programming Standards & Reference Guide Version 3.2 Office of Information & Technology Department of Veterans Affairs Java Programming Standards & Reference Guide, Version 3.2 REVISION HISTORY DATE VER. DESCRIPTION AUTHOR CONTRIBUTORS 10-26-15 3.2 Added Logging Sid Everhart JSC Standards , updated Vic Pezzolla checkstyle installation instructions and package name rules. 11-14-14 3.1 Added ground rules for Vic Pezzolla JSC enforcement 9-26-14 3.0 Document is continually Raymond JSC and several being edited for Steele OI&T noteworthy technical accuracy and / PD Subject Matter compliance to JSC Experts (SMEs) standards. 12-1-09 2.0 Document Updated Michael Huneycutt Sr 4-7-05 1.2 Document Updated Sachin Mai L Vo Sharma Lyn D Teague Rajesh Somannair Katherine Stark Niharika Goyal Ron Ruzbacki 3-4-05 1.0 Document Created Sachin Sharma i Java Programming Standards & Reference Guide, Version 3.2 ABSTRACT The VA Java Development Community has been establishing standards, capturing industry best practices, and applying the insight of experienced (and seasoned) VA developers to develop this “Java Programming Standards & Reference Guide”. The Java Standards Committee (JSC) team is encouraging the use of CheckStyle (in the Eclipse IDE environment) to quickly scan Java code, to locate Java programming standard errors, find inconsistencies, and generally help build program conformance. The benefits of writing quality Java code infused with consistent coding and documentation standards is critical to the efforts of the Department of Veterans Affairs (VA). This document stands for the quality, readability, consistency and maintainability of code development and it applies to all VA Java programmers (including contractors). -
Command Line Interface
Command Line Interface Squore 21.0.2 Last updated 2021-08-19 Table of Contents Preface. 1 Foreword. 1 Licence. 1 Warranty . 1 Responsabilities . 2 Contacting Vector Informatik GmbH Product Support. 2 Getting the Latest Version of this Manual . 2 1. Introduction . 3 2. Installing Squore Agent . 4 Prerequisites . 4 Download . 4 Upgrade . 4 Uninstall . 5 3. Using Squore Agent . 6 Command Line Structure . 6 Command Line Reference . 6 Squore Agent Options. 6 Project Build Parameters . 7 Exit Codes. 13 4. Managing Credentials . 14 Saving Credentials . 14 Encrypting Credentials . 15 Migrating Old Credentials Format . 16 5. Advanced Configuration . 17 Defining Server Dependencies . 17 Adding config.xml File . 17 Using Java System Properties. 18 Setting up HTTPS . 18 Appendix A: Repository Connectors . 19 ClearCase . 19 CVS . 19 Folder Path . 20 Folder (use GNATHub). 21 Git. 21 Perforce . 23 PTC Integrity . 25 SVN . 26 Synergy. 28 TFS . 30 Zip Upload . 32 Using Multiple Nodes . 32 Appendix B: Data Providers . 34 AntiC . 34 Automotive Coverage Import . 34 Automotive Tag Import. 35 Axivion. 35 BullseyeCoverage Code Coverage Analyzer. 36 CANoe. 36 Cantata . 38 CheckStyle. .. -
Squore Acceptance Provides a Fast and High Return on Investment by Efficiently
Acceptance SQUORE Squoring Technologies delivers an innovative decision-making dashboard dedicated to managing outsourced software development projects. Acceptance represents a key phase of every software development project, whatever the process: Acquisition or Third Party Application Maintenance. Beyond functional suitability, Acceptance must consider all software product dimensions, from quality characteristics such as Reliability, Maintainability and Performance, to work products like source code, requirements and test cases. TREND As required by the CMMI®, Supplier Management INDICATOR implies an objective and impartial assessment of these components, based on quantified measurement criteria adapted to the context and objectives of each project. Squore Acceptance provides a fast and high return on investment by efficiently: Contractualizing non- Increasing confidence Securing deployment functional, technical between customer and and operation. requirements. supplier. Defining common and Demonstrating compliance Reducing acceptance shared acceptance of deliverables with costs and efforts. criteria. quality requirements. Visit www.squore-acceptance.com Innovative features dedicated to the management of outsourced software projects. “Out-of-the-box” standardized control points, metrics and rules using best industry standards, and still customizable to fit in-house practices. Predefined software product quality models based on international standards: ISO SQuaRE 25010, ISO/IEC 9126, ECSS Quality Handbook, SQUALE . Standardized evaluation process in accordance with ISO/IEC 14598 and ISO/IEC 15939 standards. Squore covers all software product quality characteristics under a standard breakdown Quantified acceptance criteria for every type of deliverable, from requirements to documentation, via source code and test cases. Comprehensive overview of software product compliance through Key Performance Indicators and trend analysis. Unrivaled in-depth analysis where at-risk components are immediately identified, down to the most elementary function or method. -
Using Findbugs in Anger
Making Static Analysis Part Of Your Build Process William Pugh Professor, Univ. of Maryland Visiting Scientist, Google Learn how to effectively use FindBugs on large software projects (100,000+ lines of code), and make effective use of the limited time you can schedule/afford for static analysis 2 Agenda FindBugs and static analysis Using FindBugs effectively Running FindBugs Scaling up FindBugs Historical Bug results 3 Static Analysis Analyzes your program without executing it Doesn’t depend on having good test cases • or even any test cases Doesn’t know what your software is supposed to do • Looks for violations of reasonable programming practices • Shouldn’t throw NPE • All statements should be reachable • Shouldn’t allow SQL injection Not a replacement for testing • Very good at finding problems on untested paths • But many defects can’t be found with static analysis 4 Common (Incorrect) Wisdom about Bugs and Static Analysis Programmers are smart Smart people don’t make dumb mistakes We have good techniques (e.g., unit testing, pair programming, code inspections) for finding bugs early I tried lint and it sucked: lots of warnings, few real issues So, bugs remaining in production code must be subtle, and finding them must require sophisticated static analysis techniques 5 Can You Find The Bug? if (listeners == null) listeners.remove(listener); JDK1.6.0, b105, sun.awt.x11.XMSelection • lines 243-244 6 Why Do Bugs Occur? Nobody is perfect Common types of errors: • Misunderstood language features, API methods • Typos (using wrong boolean -
Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform
Parasoft Static Application Security Testing (SAST) for .Net - C/C++ - Java Platform Parasoft® dotTEST™ /Jtest (for Java) / C/C++test is an integrated Development Testing solution for automating a broad range of testing best practices proven to improve development team productivity and software quality. dotTEST / Java Test / C/C++ Test also seamlessly integrates with Parasoft SOAtest as an option, which enables end-to-end functional and load testing for complex distributed applications and transactions. Capabilities Overview STATIC ANALYSIS ● Broad support for languages and standards: Security | C/C++ | Java | .NET | FDA | Safety-critical ● Static analysis tool industry leader since 1994 ● Simple out-of-the-box integration into your SDLC ● Prevent and expose defects via multiple analysis techniques ● Find and fix issues rapidly, with minimal disruption ● Integrated with Parasoft's suite of development testing capabilities, including unit testing, code coverage analysis, and code review CODE COVERAGE ANALYSIS ● Track coverage during unit test execution and the data merge with coverage captured during functional and manual testing in Parasoft Development Testing Platform to measure true test coverage. ● Integrate with coverage data with static analysis violations, unit testing results, and other testing practices in Parasoft Development Testing Platform for a complete view of the risk associated with your application ● Achieve test traceability to understand the impact of change, focus testing activities based on risk, and meet compliance -
Email: [email protected] Website
Email: [email protected] Website: http://chrismatech.com Experienced software and systems engineer who has successfully deployed custom & industry-standard embedded, desktop and networked systems for commercial and DoD customers. Delivered systems operate on airborne, terrestrial, maritime, and space based vehicles and platforms. Expert in performing all phases of the software and system development life-cycle including: Creating requirements and design specifications. Model-driven software development, code implementation, and unit test. System integration. Requirements-based system verification with structural coverage at the system and module levels. Formal qualification/certification test. Final product packaging, delivery, and site installation. Post-delivery maintenance and customer support. Requirements management and end-to-end traceability. Configuration management. Review & control of change requests and defect reports. Quality assurance. Peer reviews/Fagan inspections, TIMs, PDRs and CDRs. Management and project planning proficiencies include: Supervising, coordinating, and mentoring engineering staff members. Creating project Software Development Plans (SDPs). Establishing system architectures, baseline designs, and technical direction. Creating & tracking project task and resource scheduling, costs, resource utilization, and metrics (e.g., Earned Value Analysis). Preparing proposals in response to RFPs and SOWs. Project Management • Microsoft Project, Excel, Word, PowerPoint, Visio & Documentation: • Adobe Acrobat Professional -
Survey of Verification and Validation Techniques for Small Satellite Software Development
Survey of Verification and Validation Techniques for Small Satellite Software Development Stephen A. Jacklin NASA Ames Research Center Presented at the 2015 Space Tech Expo Conference May 19-21, Long Beach, CA Summary The purpose of this paper is to provide an overview of the current trends and practices in small-satellite software verification and validation. This document is not intended to promote a specific software assurance method. Rather, it seeks to present an unbiased survey of software assurance methods used to verify and validate small satellite software and to make mention of the benefits and value of each approach. These methods include simulation and testing, verification and validation with model-based design, formal methods, and fault-tolerant software design with run-time monitoring. Although the literature reveals that simulation and testing has by far the longest legacy, model-based design methods are proving to be useful for software verification and validation. Some work in formal methods, though not widely used for any satellites, may offer new ways to improve small satellite software verification and validation. These methods need to be further advanced to deal with the state explosion problem and to make them more usable by small-satellite software engineers to be regularly applied to software verification. Last, it is explained how run-time monitoring, combined with fault-tolerant software design methods, provides an important means to detect and correct software errors that escape the verification process or those errors that are produced after launch through the effects of ionizing radiation. Introduction While the space industry has developed very good methods for verifying and validating software for large communication satellites over the last 50 years, such methods are also very expensive and require large development budgets. -
Towards Our Development Environment
Euclid Consortium Towards our development environment 2012, Dec. 4th SDC meeting 1 Euclid External constraints Consortium ● CODEEN (Redmine and http://apceucliddev.in2p3.fr/jenkins/) ● Common tools – Python / C++ – Jira – Eclipse – Sonar – Subversion – Doxygen – Xunit – Goolge talk – Maven – Redmine – Nexus – Adobe Connect – Jenkins 2012, Dec. 4th SDC meeting 2 Euclid Language and architecture Consortium ● Language: Python (C, C++) ● Central svn repository (http://euclid.esac.esa.int/svn/EC/SGS/) ● IDE: Eclipse + PyDev ● Software architecture and packaging – Model the testbed, data trains and taker Gaia concepts – Separate the data handling and algorithmic programming – Data model, Framework, Algo (projects? Modules?) ● Study flexible solutions for – local development, testing and survey data analysis – integration into the IAL – distributing the software? 2012, Dec. 4th SDC meeting 3 Euclid Data model and data handling Consortium ● Data model: first version as XML schema on SVN – PyXB for automatic Python code generation ● Framework with data handling, loading data from – ASCII files : SciPy (loadtxt) – Database : SQLAlchemy ORM – FITS files : PyFits ● Panda : large table ● Pickle : object serialization 2012, Dec. 4th SDC meeting 4 Euclid Dependencies and building managementConsortium ● Nexus, Ivy and Ant used in Gaia ● Maven - Nexus is proposed, is it too Java oriented? – Difference between Ant and Maven? ● How can we used the Python “setup” files ● Hubert proposals – http://zero-install.sourceforge.net/ – http://www.cmake.org/ ● Solution for – local software development and usage – distribution 2012, Dec. 4th SDC meeting 5 Euclid Configuration, testing and doc Consortium ● Solution for handling configuration – model the Gaia XML based solution? (Java “properties” thread unsafe) – Python solution? Init? ● Testing set up and conventions – xUnit and PyUnit? ● Javadoc as an example (look up in Eclipse, automatic doc generation) – Doxygen 2012, Dec. -
An Eclipse Plug-In for Testing and Debugging
GZoltar: An Eclipse Plug-In for Testing and Debugging José Campos André Riboira Alexandre Perez Rui Abreu Department of Informatics Engineering Faculty of Engineering, University of Porto Portugal {jose.carlos.campos, andre.riboira, alexandre.perez}@fe.up.pt; [email protected] ABSTRACT coverage). Several debugging tools exist which are based on Testing and debugging is the most expensive, error-prone stepping through the execution of the program (e.g., GDB phase in the software development life cycle. Automated and DDD). These traditional, manual fault localization ap- testing and diagnosis of software faults can drastically proaches have a number of important limitations. The place- improve the efficiency of this phase, this way improving ment of print statements as well as the inspection of their the overall quality of the software. In this paper we output are unstructured and ad-hoc, and are typically based present a toolset for automatic testing and fault localiza- on the developer's intuition. In addition, developers tend to use only test cases that reveal the failure, and therefore do tion, dubbed GZoltar, which hosts techniques for (regres- sion) test suite minimization and automatic fault diagno- not use valuable information from (the typically available) sis (namely, spectrum-based fault localization). The toolset passing test cases. provides the infrastructure to automatically instrument the Aimed at drastic cost reduction, much research has been source code of software programs to produce runtime data. performed in developing automatic testing and fault local- Subsequently the data was analyzed to both minimize the ization techniques and tools. As far as testing is concerned, test suite and return a ranked list of diagnosis candidates. -
Technologies We Use IT Project Management
SolDevelo Sp. z o.o. is a dynamic software development and information technology outsourcing company, focused on delivering high quality software and innovative solutions. Our approach is a unique mix of highly experienced development team, client-oriented service and passion for IT. This guarantees projects to be completed on time, with the superior quality and precisely the way client imagined it. IT Project Management Requirements Specification Architecture Implementation Detailed Design Testing Integration Validation Maintenance Technologies We Use Software development and Integration Ý Application Servers Languages Web Servers Glassfish, JBOSS, Geronimo Java/JEE, Python, C#/.NET Nginx, Apache HTTP Android, PHP, Objective-C, Swift, Ruby Frameworks Web Technologies Database Environments Hibernate, Datanucleus, J2EE, PHP, XML, JavaScript, Oracle, SQL, PL/SQL, MySQL, OSGi, Spring Integration, SOAP, WSDL, RichFaces, PostgreSQL, HSQLDB, CouchDB, Quartz, Spring Batch, jQuery, JSP, JSF, AJAX, (S)CSS, SQLite3, Hypersonic Android Designer, LESS, XHTML, ASP.NET, Robotium, JBoss Seam Node.js Mobile Technologies Servlet Containers Android, iOS Tomcat, Jetty Web Frameworks AngularJS, Django, Spring WebFlow, Bootstrap, Zend, Ə CMS ǡ Business Intelligence Symfony, Express, Ruby on Rails Drupal, Wordpress, Joomla! DHIS2, Tableau 01 Competence Map Tools we use IDE Wiki < Knowledge Sharing IntelliJ IDEA, Eclipse, Android Confluence, Assembla Wiki, Trac Studio, Xcode, PHPStorm Project Methodology Issue/Bug Tracking Agile/Scrum JIRA, Assembla, -
Write Your Own Rules and Enforce Them Continuously
Ultimate Architecture Enforcement Write Your Own Rules and Enforce Them Continuously SATURN May 2017 Paulo Merson Brazilian Federal Court of Accounts Agenda Architecture conformance Custom checks lab Sonarqube Custom checks at TCU Lessons learned 2 Exercise 0 – setup Open www.dontpad.com/saturn17 Follow the steps for “Exercise 0” Pre-requisites for all exercises: • JDK 1.7+ • Java IDE of your choice • maven 3 Consequences of lack of conformance Lower maintainability, mainly because of undesired dependencies • Code becomes brittle, hard to understand and change Possible negative effect • on reliability, portability, performance, interoperability, security, and other qualities • caused by deviation from design decisions that addressed these quality requirements 4 Factors that influence architecture conformance How effective the architecture documentation is Turnover among developers Haste to fix bugs or implement features Size of the system Distributed teams (outsourcing, offshoring) Accountability for violating design constraints 5 How to avoid code and architecture disparity? 1) Communicate the architecture to developers • Create multiple views • Structural diagrams + behavior diagrams • Capture rationale Not the focus of this tutorial 6 How to avoid code and architecture disparity? 2) Automate architecture conformance analysis • Often done with static analysis tools 7 Built-in checks and custom checks Static analysis tools come with many built-in checks • They are useful to spot bugs and improve your overall code quality • But they’re -
Eclipse Project Briefing Materials
[________________________] Eclipse project briefing materials. Copyright (c) 2002, 2003 IBM Corporation and others. All rights reserved. This content is made available to you by Eclipse.org under the terms and conditions of the Common Public License Version 1.0 ("CPL"), a copy of which is available at http://www.eclipse.org/legal/cpl-v10.html The most up-to-date briefing materials on the Eclipse project are found on the eclipse.org website at http://eclipse.org/eclipse/ 200303331 1 EclipseEclipse ProjectProject 200303331 3 Eclipse Project Aims ■ Provide open platform for application development tools – Run on a wide range of operating systems – GUI and non-GUI ■ Language-neutral – Permit unrestricted content types – HTML, Java, C, JSP, EJB, XML, GIF, … ■ Facilitate seamless tool integration – At UI and deeper – Add new tools to existing installed products ■ Attract community of tool developers – Including independent software vendors (ISVs) – Capitalize on popularity of Java for writing tools 200303331 4 Eclipse Overview Another Eclipse Platform Tool Java Workbench Help Development Tools JFace (JDT) SWT Team Your Tool Plug-in Workspace Development Debug Environment (PDE) Their Platform Runtime Tool Eclipse Project 200303331 5 Eclipse Origins ■ Eclipse created by OTI and IBM teams responsible for IDE products – IBM VisualAge/Smalltalk (Smalltalk IDE) – IBM VisualAge/Java (Java IDE) – IBM VisualAge/Micro Edition (Java IDE) ■ Initially staffed with 40 full-time developers ■ Geographically dispersed development teams – OTI Ottawa, OTI Minneapolis,