Tech moves fast! Stay ahead of the curve with Techopedia!
Join nearly 200,000 subscribers who receive actionable tech insights from Techopedia.
Source code analysis is the automated testing of a program’s source code with the purpose of finding faults and fixing them before the application is sold or distributed.
Source code analysis is synonymous to static code analysis, where the source code is analyzed simply as code and the program is not running. This removes the need for creating and using test cases, and may separate itself from feature-specific bugs like buttons being a different color than what the specifications say. It concentrates on finding faults in the program that may be detrimental to its proper function like crash-causing lines of code.
Source code analysis is basically automated code debugging. The aim is to find bugs and faults that may not be obvious to a programmer. It is meant to find faults like possible buffer overflows or untidy use of pointers and misuse of garbage collection functions, all of which may be exploitable by a hacker.
Code analyzers work using rules that tell it what to look for. With too little precision, an analyzer might spew out too many false positives and flood the user with useless warnings, while too much precision might take too long to finish; therefore, has to be a balance.
There are two kinds of analyzers:
Interprocedural analyzers are more modern and more complex. Good examples of this are Coverity, Fortify and Microsoft’s own centralized tool PREfix.