Where is the best time and place to find bugs in an application?
According to code analysis vendor Klocwork, the best place is the source: the developer who writes the code. The best time is before they actually check the code in. Then again, Klocwork has a reason to say that. The firm’s new Insight application provides a full view of an application and the code that goes into it, so that developers can find flaws beyond their own desktop code boundaries.
“This new release is all about moving over the line in the sand, which is code check-in, and letting developers do code analysis before they check in,” Klocwork’s CTO, Gwyn Fisher, told InternetNews.com. “So developers can check in code that works instead of applying more techniques over the line in the sand at the integration build level.”
Fisher argued that Klocwork Insight differs from traditional IDE plugins for bug detection in that plugins are limited by boundaries. The boundaries are what Fisher referred to as the locality of reference, and could include method, file or project boundaries.
“Whatever the case they have a locality of reference, which is bound by the sandbox in which the developer is operating,” Fisher explained. “So whatever the developer has on their desktop that is what will get analyzed.”
The totality of modern software development, however, extends beyond the developers’ code. As such, Fisher noted, the value of high-end source code analysis entails an understanding of how the whole system is built and how different components can create bugs.
The Klocwork Insight system uses a project knowledge base to map how an application is organized and the behaviors of any particular entity within that organization. Insight then takes the overall view and maps that to what a developer is doing in their own particular code sandbox.
Fisher explained that Insight knows when a developer is stepping outside the boundaries of their sandbox and knows where the developer is going.
“Insight understands the context of what the developer is calling so we can reflect back to him bugs that occur because of the developer’s use of code that the developer doesn’t have locally,” Fisher commented.
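To make the sandbox-boundary idea concrete, here is an added toy example; it is not Klocwork’s code and does not describe how Insight is implemented. It builds a small "knowledge base" from a library module the developer does not have locally (a summary of which functions may return None), then checks a caller's module for results of those calls that are subscripted without a None guard. The two sample modules, the function names and the ast-based heuristic are all constructed for illustration.

```python
"""Toy cross-module analysis: function summaries from one module are used to
flag a bug in another module that a purely local analysis could not see."""
import ast

# Constructed sample "library" module: the part outside the developer's sandbox.
LIB_SRC = '''
def find_user(name):
    if name == "":
        return None          # error path the caller cannot see locally
    return {"name": name}
'''

# Constructed sample "application" module: the code the developer is editing.
APP_SRC = '''
def greet(name):
    u = find_user(name)
    return u["name"]         # bug: u may be None

def greet_safe(name):
    u = find_user(name)
    if u is None:
        return "stranger"
    return u["name"]         # fine: guarded above
'''


def build_knowledge_base(sources):
    """Map each function name to True if any of its return statements may
    yield None (bare `return` or `return None`). Flow-insensitive and keyed by
    bare name only; good enough to show the principle."""
    kb = {}
    for src in sources.values():
        for node in ast.walk(ast.parse(src)):
            if isinstance(node, ast.FunctionDef):
                may_none = False
                for ret in ast.walk(node):
                    if isinstance(ret, ast.Return):
                        if ret.value is None or (
                            isinstance(ret.value, ast.Constant)
                            and ret.value.value is None
                        ):
                            may_none = True
                kb[node.name] = may_none
    return kb


def _is_none_guard(test):
    """True for a test of the form `<name> is None`."""
    return (
        isinstance(test, ast.Compare)
        and isinstance(test.left, ast.Name)
        and any(isinstance(op, ast.Is) for op in test.ops)
        and any(isinstance(c, ast.Constant) and c.value is None
                for c in test.comparators)
    )


def find_unchecked_derefs(src, kb):
    """Return (function, variable, line) triples where a local variable holding
    the result of a may-return-None call is subscripted without a preceding
    `is None` guard. Walks each function's top-level statements in order."""
    findings = []
    for fn in ast.walk(ast.parse(src)):
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()   # locals that may hold None
        checked = set()   # locals already guarded with `is None`
        for stmt in fn.body:
            if isinstance(stmt, ast.Assign) and isinstance(stmt.value, ast.Call):
                callee = stmt.value.func
                if isinstance(callee, ast.Name) and kb.get(callee.id):
                    for target in stmt.targets:
                        if isinstance(target, ast.Name):
                            tainted.add(target.id)
            elif isinstance(stmt, ast.If) and _is_none_guard(stmt.test):
                checked.add(stmt.test.left.id)
            for node in ast.walk(stmt):
                if isinstance(node, ast.Subscript) and isinstance(node.value, ast.Name):
                    name = node.value.id
                    if name in tainted and name not in checked:
                        findings.append((fn.name, name, stmt.lineno))
    return findings


def run_example():
    """Analyse APP_SRC twice: with and without the cross-module knowledge base."""
    kb = build_knowledge_base({"lib.py": LIB_SRC})
    with_kb = find_unchecked_derefs(APP_SRC, kb)
    local_only = find_unchecked_derefs(APP_SRC, {})   # sandbox-only view
    return with_kb, local_only


if __name__ == "__main__":
    found, missed = run_example()
    print("with knowledge base:", found)     # [('greet', 'u', 4)]
    print("local sandbox only: ", missed)    # []
```

Run with the knowledge base, the analysis reports the unguarded subscript in `greet`; run with only the application module in view (an empty knowledge base), it reports nothing, because nothing local says `find_user` can return None. That gap is the locality-of-reference limitation the article describes.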
Fisher was quick to note that Klocwork Insight isn’t just about code quality but includes checks for security vulnerabilities as well. In his view the two issues are closely related.
“We follow the mantra that a security vulnerability is just a bug that happens to be exploitable,” Fisher said. “And a bug is a security vulnerability that no one has managed to exploit yet.”
Klocwork competes primarily against Coverity in the source code analysis space.