Static Analysis in Software Testing
Static analysis or static code analysis is used by developers and software testers to detect coding defects. Static analysis in software testing is not new, at least not for software testers with coding knowledge or experience. Static analysis involves reviewing the code similarly to performing a code or peer review.
Static analysis helps software testers fully understand how the code functions and its structure. Software testers can execute code in isolation and review for errors. Static analysis reviews by software testers also help ensure code meets organizational and industry standards.
This guide describes the types of static code analysis in software testing, how it’s performed, and its benefits for software testing coverage.
Table Of Contents
- 1 How is static code analysis done?
- 2 Types of static analysis
- 3 Benefits and drawbacks of static analysis
- 4 Static verification vs. dynamic verification
- 5 Static analysis tools and vendors
- 6 Summary
- 7 Frequently Asked Questions
How is static code analysis done?
Static analysis, like other software testing, can be done either manually or with automation. Static analysis in software testing typically occurs early in the development process. Static code analysis can fulfill testing responsibilities when it’s not possible to test a feature fully in the application.
If static analysis is performed manually, it is done either through pair testing with a developer or by stepping through the code line by line in a formal setting similar to a code review. In either case, the software tester must follow along and ask any questions necessary to understand the functionality. It’s important to consider the individual code under review as well as its impact on the application functionality as a whole. The code is executed manually to verify no errors exist.
When static analysis is performed using automated tools, testers typically use a static code analyzer tool. Static code analyzer tools check the code against defined rules and any related standards. Most tools allow users to determine what standards are checked and to set custom guidelines as well. The code is executed by the tool, and any issues are flagged for review.
Types of static analysis
Static analysis in software testing is not all the same. There are several different types of static analysis to fit various testing needs.
Typical static analysis methods include:
- Tests the control flow in a calling structure.
- Verifies data properties and types.
- Error or fault: verifies error processing and identifies failures in components.
- Confirms interface compatibility often using mocked or faked dependencies.
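To show concretely how an automated analyzer checks code against defined rules (the approach described under "How is static code analysis done?") and how the error-or-fault type of check works, here is a small rule-based checker written for this article; it is an added example, not code from any tool the article lists. It parses a constructed Python sample into a syntax tree and reports violations of three custom rules without ever executing the sample.

```python
import ast

# Constructed sample source to analyze. It is parsed, never executed.
SAMPLE_SOURCE = '''import subprocess
def run(cmd):
    subprocess.call(cmd, shell=True)
def load(data):
    return eval(data)
def parse(text):
    try:
        return int(text)
    except Exception:
        pass
'''

# Each finding is (rule id, line number, message), mirroring how an
# analyzer reports a violation against a configured rule.
class RuleChecker(ast.NodeVisitor):
    """Walk the syntax tree and record violations of three custom rules."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # Rule 1: eval() turns data into code, so flag every call.
        if isinstance(node.func, ast.Name) and node.func.id == "eval":
            self.findings.append(("no-eval", node.lineno, "eval() call"))
        # Rule 2: subprocess.<anything>(..., shell=True) invites command injection.
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(("no-shell-true", node.lineno, "subprocess call with shell=True"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # Rule 3: a bare or over-broad except hides failures (an error-or-fault check).
        broad = node.type is None or (isinstance(node.type, ast.Name)
                                      and node.type.id in ("Exception", "BaseException"))
        if broad:
            self.findings.append(("broad-except", node.lineno, "over-broad exception handler"))
        self.generic_visit(node)

def analyze(source):
    """Return findings sorted by line; the analyzed code is never run."""
    checker = RuleChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f[1])
```

Running `analyze(SAMPLE_SOURCE)` reports the shell=True call on line 3, the eval() on line 5 and the broad except on line 9; a real tool adds many more rules and a configurable rule set, but the parse-then-match loop is the same.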
Benefits and drawbacks of static analysis
Static code analysis in software testing provides benefits including:
- Improves code quality throughout the development cycle
- Expands test code coverage
- Helps find defects before the code is in production
- Prevents costly common issues
- Reduces costs by finding issues before code is in test or production
- Improves developer and QA collaboration
Static verification vs. dynamic verification
Static analysis verification testing differs from the more common dynamic verification testing. The differences center on the test objective:

| Test Objective | Static Analysis Testing | Dynamic Testing |
|---|---|---|
| Identifying defects early in the software development process | x | |
| Code review, unit testing | x | |
| Full application test coverage | | x |
Static analysis tools and vendors
Numerous effective static analysis tools exist. Using an automated tool for static analysis saves significant time and can increase the number of early issues detected especially in coding standards.
The following is a partial list of tools; more options exist:
- Intelligent software analytics platform that can detect and prioritize code issues.
- Includes visual indicators of issues.
- Detects design patterns used within the code.
- Focuses on security testing supporting approximately 25 security standards.
- Engineered for use by DevOps teams and is integrated with Jenkins.
- Useful for code bases built in Python.
- Includes enhanced code navigation for easier analysis.
- Provides an automatic refactoring tool.
Summary
Static code analysis in software testing provides testing coverage at the early stages of development as well as throughout the development cycle. Software testers benefit from learning the internal code structure and function, which helps them create functional and regression tests that exercise defined code components in full.
For fuller and deeper test coverage, consider including static code analysis, performed manually or with an automated tool.
Frequently Asked Questions
What is an example of static analysis?
In the example below, the OWASP Lapse+ tool provides a typical interface for viewing and analyzing code components:
Why is it called static code analysis?
Because the testing is performed outside the application UI. Since the code is not being executed as it would be at runtime, the analysis is static: testers are reviewing and stepping through code components that are not active.