May 2016 - NDepend

Managing Risk in your Project with Static Analysis

When software developer talk about static analysis, it’s often in the context of craft improvement. Ask most developers in a group about static analysis tools and you’ll get a range of responses, many of which will be fueled by some degree of passion, resulting from past experience. From here, the conversation will tend to dive into the weeds for any non-technical stakeholder that might be listening; if you’re not a programmer, you probably don’t have much of an opinion as to whether or not cyclomatic complexity of 5 is acceptable for a method.

As a result, static analysis tends to get pegged heavily as a purely a matter of shop. The topic tends to be pretty opaque to management because developers present it to them in terms of “this will make us better and the code better.” Management that trusts the developers will tend to agree to the purchase with a sentiment of, “okay, I’ll take your word for it.” Management that is more skeptical says, “maybe next year if our numbers are good.”

I find this to be a shame because it’s a lost opportunity, even when management agrees.

Static analysis most certainly is a way for developers to improve their craft and their codebases. But, in the hands of an architect or team lead that truly understands the business and works well with management, static analysis can be an excellent tool for managers, even if the use has to be a management-architect team effort.

How so? Well, there are a lot of ways, but the one I’d like to mention today is risk management. As the title would imply, managing risk tends to be the purview of people whose title is manager. Sure, the developers have responsibility for this, but their primary charter is to build stuff — management exists specifically to engage in planning activities, including the crucial concern of risk management.

How does this work? Well, I’ll show you, and I’ll do it by explaining the sort of highly technical things that static analysis could catch in highly non-technical and readable ways. These are all going to be operational risks — static analysis can’t help you if you’re building the wrong product or badly under-staffing your projects. But it can help you avoid landmines in your software. If you’re a manager, allow me, for the moment, to serve as your “business-savvy architect.”

Continue reading Managing Risk in your Project with Static Analysis

Static Analysis and The Other Kind of False Positives

A common complaint and source of resistance to the adoption of static analysis is the idea of false positives. And I can understand this. It requires only one case of running a tool on your codebase and seeing 27,834 warnings to color your view on such things forever.

There are any number of ways to react to such a state of affairs, though there are two that I commonly see. These are as follows.

Sheepish, rueful acknowledgment: “yeah, we’re pretty hopeless…”
Defensive, indignant resistance: “look, we’re not perfect, but any tool that says our code is this bad is nitpicking to an insane degree.”

In either case, the idea of false positives carries the day. With the first reaction, the team assumes that the tool’s results are, by and large, too advanced to be of interest. In the second case, the team assumes that the results are too fussy. In both of these, and in the case of other varying reactions as well, the tool is providing more information than the team wants or can use at the moment. “False positive” becomes less a matter of “the tool detected what it calls a violation but the tool is wrong” and more a matter of “the tool accurately detected a violation, but I don’t care right now.” (Of course, the former can happen as well, but the latter seems more frequently to serve as a barrier to adoption and what I’m interested in discussing today).

Is this a reason to skip the tool altogether? Of course not. And, when put that way, I doubt many people would argue that it is. But that doesn’t stop people from hesitating or procrastinating when it comes to adoption. After all, no one is thinking, “I want to add 27,834 things to the team’s to-do list.” Nor should they — that’s clearly not a good outcome.

With that in mind, let’s take a look at some common sources of false positives and the ways to address them. How can you ratchet up the signal to noise ratio of a static analysis tool so that is valuable, rather than daunting?

Continue reading Static Analysis and The Other Kind of False Positives

4 Ways Custom Code Metrics Improve A Development Team

One of the things that has surprised me over the years is how infrequently people take advantage of custom code metrics. I say this not from the perspective of a geek with esoteric interest in a subject, wishing other people would share my interest. Rather, I say this from the perspective of a business man, making money, and wondering why I seem to have little competition.

As I’ve mentioned before, a segment of my consulting practice involves strategic code assessments that serve organizations in a number of ways. When I do this, the absolute most important differentiator is my ability to tailor metrics to the client and specific codebases on the fly. Anyone can walk in, install a tool, and say, “yep, your cyclomatic complexity in this class is too high, as evidenced by this tool I installed saying ‘your cyclomatic complexity in this class is too high.'” Not just anyone can come in and identify client-specific idiosyncrasies and back those findings with tangible data.

But, if they would invest some up-front learning time in how to create custom code metrics, they’d be a lot closer.

Being able to customize code metrics allows you to reason about code quality in very dynamic and targeted terms, and that is valuable. But you might think that, unless you want a career in code base assessment, value doesn’t apply to you. Let me assure you that it does, albeit not in a quite as direct way as it applies to me.

Custom code metrics can help make your team better and they can do so in a variety of ways. Let’s take a look at a few.

Continue reading 4 Ways Custom Code Metrics Improve A Development Team

The Biggest Mistake Static Analysis Could Have Prevented

As I’ve probably mentioned before, many of my clients pay me to come do assessments of their codebases, application portfolios and software practice. And, as you can no doubt imagine, some of my sturdiest, trustiest tools in the tool chest for this work are various forms of static analysis.

Sometimes I go to client sites by plane, train or automobile (okay, never by train). Sometimes I just remote in. Sometimes I do fancy write-ups. Sometimes, I present my findings with spiffy slide decks. And sometimes, I simply deliver a verbal report without fanfare. The particulars vary, but what never varies is why I’m there.

Here’s a hint: I’m never there because the client wants to pay my rate to brag about how everything is great with their software.

Where Does It All Go Wrong?

Given what I’m describing here, one might conclude that I’m some sort of code snob and that I am, at the very least, heavily judging everyone’s code. And, while I’ll admit that every now and then I think, “the daily WTF would love this,” mostly I’m not judging at all – just cataloging. After all, I wasn’t sitting with you during the pre-release death march, nor was I the one thinking, “someone is literally screaming at me, so global variable it is.”

I earnestly tell developers at client sites that I don’t know that I’d have done a lot better walking a mile in their shoes. What I do know is that I’d have, in my head, a clearer map from “global variable today” to “massive pain tomorrow” and be better able to articulate it to management. But, on the whole, I’m like a home inspector checking out a home that was rented and subsequently trashed by a rock band; I’m writing up an assessment of the damage and not judging their lifestyle.

But for my clients, I’m asked to do more than inspect and catalog – I also have to do root cause analysis and offer suggestions. So, “maybe pass a house rule limiting renters to a single bottle of whiskey per night,” to return to the house inspector metaphor. And cataloging all of these has led me to be a veritable human encyclopedia of preventable software development mistakes.

I was contemplating some of these mistakes recently and asking myself, “which was the biggest one” and “which would have been the most preventable with even simple analysis in place?” It was interesting to realize, after a while, that the clear answer was not at all what you’d expect.

Continue reading The Biggest Mistake Static Analysis Could Have Prevented