What Does Source Code Analysis Mean?
Source code analysis is the automated testing of a program’s source code with the purpose of finding faults and fixing them before the application is sold or distributed.
Source code analysis is synonymous to static code analysis, where the source code is analyzed simply as code and the program is not running. This removes the need for creating and using test cases, and may separate itself from feature-specific bugs like buttons being a different color than what the specifications say. It concentrates on finding faults in the program that may be detrimental to its proper function like crash-causing lines of code.
Techopedia Explains Source Code Analysis
Source code analysis is basically automated code debugging. The aim is to find bugs and faults that may not be obvious to a programmer. It is meant to find faults like possible buffer overflows or untidy use of pointers and misuse of garbage collection functions, all of which may be exploitable by a hacker.
Code analyzers work using rules that tell it what to look for. With too little precision, an analyzer might spew out too many false positives and flood the user with useless warnings, while too much precision might take too long to finish; therefore, has to be a balance.
There are two kinds of analyzers:
- Interprocedural - Detects patterns from one function to the next, and these patterns are correlated so that the analyzer can create a model and simulate execution paths.
- Intraprocedural - Focuses on pattern matching and depends on what kinds of patterns the user is looking for.
Interprocedural analyzers are more modern and more complex. Good examples of this are Coverity, Fortify and Microsoft’s own centralized tool PREfix.