Spazio IT – Code Quality Platforms

SPAZIO IT

Code Quality Platforms

Maurizio Martignano
Spazio IT – Soluzioni Informatiche s.a.s
Via Manzoni 40, 46030 San Giorgio di Mantova, Mantova
http://www.spazioit.com
October 2017
© 2017 Spazio IT - Soluzioni Informatiche s.a.s.

Agenda

• Code Inspection
• SonarQube
• Spazio IT Quality Platforms
• Quality Platforms – Processes
• Future Activities

Code Inspection

Software Crisis 2.0

• Software Crisis (2.0) hasn’t yet disappeared and is here to stay.
  – Implemented features not meeting the requirements/expectations
  – Missed deadlines
  – Cost overruns
• The majority of the total cost of software projects is associated with finding and fixing defects.
• Defect finding and fixing often occurs too late in the life cycle of a project.

No Single Remedy (but…)

• No single remedy for the software crisis has been found.

(but) empirical data gathered on several software projects have shown that Code Inspection allows for
  – defect prevention
  – early defect detection and removal

What to inspect?

• Dynamic Analysis
  – Coverage (has this piece of code been executed?)
  – Testing (did it pass its tests?)
• Static Analysis
  – Architecture and design
  – Coding Rules / Standards
  – Duplications
  – Complexity
  – Readability
  – …

Code, Code and Code

• Static and dynamic analysis are «standard» activities. What is «new» is the emphasis on Code.

Code Inspection

• Code Inspection is a human activity but proper tools
  – increase efficiency
  – reduce risks.

SonarQube

SonarQube – What is it?

• SonarQube is an open source Web Application (http://www.sonarqube.org) which
  – Takes as input a set of source code files and a set of analysis results (produced by external tools).
  – Stores both sources and results in a database.
  – Makes the gathered information available via a dynamic website where the results are shown in the context of the code itself.
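To illustrate the flow described above (an added example, not part of the original slides and not SonarQube or plugin code): the sketch below reads a Cppcheck XML (version 2) report and shows each finding in the context of the source line it refers to. The file name, source lines and report contents are constructed sample data, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: one C source file and a Cppcheck XML (version 2) report for it.
SOURCE = {"boot.c": [
    "#include <string.h>",
    "void load(const char *src) {",
    "    char buf[8];",
    "    strcpy(buf, src);",
    "    buf[8] = 0;",
    "}",
]}
REPORT = """<results version="2">
  <errors>
    <error id="arrayIndexOutOfBounds" severity="error"
           msg="Array 'buf[8]' accessed at index 8, which is out of bounds.">
      <location file="boot.c" line="5"/>
    </error>
    <error id="unusedFunction" severity="style"
           msg="The function 'load' is never used.">
      <location file="boot.c" line="2"/>
    </error>
    <error id="missingInclude" severity="information"
           msg="Cppcheck cannot find all the include files"/>
  </errors>
</results>"""

def read_issues(report_xml):
    """Return ({file: {line: [(severity, rule id, message)]}}, unlocated issues)."""
    located, unlocated = defaultdict(lambda: defaultdict(list)), []
    for err in ET.fromstring(report_xml).iter("error"):
        issue = (err.get("severity"), err.get("id"), err.get("msg"))
        locations = err.findall("location")
        if not locations:          # project-level finding with no source position
            unlocated.append(issue)
        for loc in locations:      # attach the finding to every reported position
            located[loc.get("file")][int(loc.get("line"))].append(issue)
    return located, unlocated

def annotate(sources, located):
    """Render each source line followed by the findings reported on it."""
    out = []
    for name, lines in sources.items():
        pad = " " * (len(name) + 4)
        for number, text in enumerate(lines, start=1):
            out.append(f"{name}:{number:>3} | {text}")
            for severity, rule, msg in located.get(name, {}).get(number, []):
                out.append(f"{pad} ^ [{severity}] {rule}: {msg}")
    return out
```

Findings without a location element, such as the missing-include notice in the sample, are returned separately because they cannot be tied to a source line.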

[Diagram: Source Code Files and Analyses Results → SonarQube Engine → SonarQube Database]

SonarQube – There’s more

• Analyses on the same code base can be performed at different moments in time and SonarQube keeps track of the changes/evolution.
• The problems found during analyses (a.k.a. issues) can be managed directly from within the system itself, e.g.
  – Identifying false positives
  – Assigning issues to developers
  – Checking their status (if they have been solved)
  – …

SonarQube / Plugins / Sensors

[Diagram: SonarQube with its plugins and sensors]
• Plugins: Plugin-1 (e.g. Ada), Plugin-I (e.g. C/C++), Plugin-M (e.g. Java)
• Sensors: Sensor-1 (e.g. CppCheck), Sensor-J (e.g. PC-Lint), Sensor-M (e.g. GCOV)
• Pre-Processing (e.g. scanning and parsing)
• Post-Processing (e.g. CPD, Decorators)

Spazio IT – Quality Platforms

AIRBUS Helicopters

• Since mid 2012 Spazio IT has been working for AIRBUS Helicopters and has developed an Ada Plugin supporting both of the following compilation tool chains:
  – Adacore GNAT (http://www.adacore.com)
  – Atego APEX Ada (http://www.atego.com)
• The Spazio IT platform has been adopted by the group maintaining the software of the NH90 and Tiger helicopters.
• http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en

European Space Agency

• Since fall 2013 Spazio IT has been working on the C/C++ community Plugin for SonarQube (modifying and extending it) to make it suitable for Independent Validation and Verification activities.
• Spazio IT has successfully used its C/C++ Plugin for the validation of the IXV On-board Software.
• Spazio IT is currently using its C/C++ Plugin for the validation of the JUICE DPU Boot Software.
• http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en

Processes

Who does what?

• All current Integrated Development Environments (IDEs), like GNAT GPS 2017, Visual Studio 2013 and Luna, offer some form of Code Analysis.

• IDE analysis tools are to be used by software developers during their everyday work.
• SonarQube analyses are more for the «quality people» and they are not supposed to be executed every day, but rather at specific, well-defined moments in the software development life cycle.

When?

• SonarQube analyses should be performed after any «significant» delivery in a software development project, e.g. using ECSS 40 terminology, at:
  – CDR
  – QR
  – AR
• In maintenance projects SonarQube analyses should be performed after any «significant» new delivery, e.g. supposing a versioning like major.minor[.build[.revision]], after every «minor» delivery.

Future Activities

• Quality Methodologies, i.e. integrating into SonarQube:
  – SQUALE – Enhancement (http://www.squale.org - almost there already)
  – GQM – Goal, Question, Metric (http://en.wikipedia.org/wiki/GQM)
• Analysis Tools, i.e. assessing tools like the following and possibly making them interoperate with SonarQube:
  – MATLAB Polyspace – Abstract Interpretation (http://www.mathworks.it/products/polyspace/)

Useful Links

• http://ulir.ul.ie/bitstream/handle/10344/2575/Fitzgerald%2cBrian.pdf
• http://faculty.salisbury.edu/~xswang/Research/Papers/SERelated/no-silver-bullet.pdf
• http://research.ijcaonline.org/volume87/number1/pxc3893251.pdf
• http://www.cs.umd.edu/~basili/publications/proceedings/P95.pdf
• http://en.wikipedia.org/wiki/GQM
• http://www.squale.org
• http://www.sonarqube.org
• http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en

Thank you for your time!