Static code analysis

in an Agile world

ESTABLISHING A REPEATABLE PROCESS TO ACHIEVE

WORKING SOFTWARE WITH EACH ITERATION
To keep pace with ever-increasing customer demands on software
functionality and time-to-market expectations, software developers are
having to develop higher quality code faster.

As a result, Agile development is becoming more common. However,

to fully realize the benefits of Agile, a repeatable process for ensuring
code is free of defects and security vulnerabilities is critical. This paper
examines how static code analysis can enhance the Agile development
process and empower Agile teams.
STATIC CODE ANALYSIS IN AN AGILE WORLD

To keep pace with ever-increasing customer demands on software functionality and time-to-market
expectations, software developers have had to evolve the way they develop code to be both faster and
higher quality. As part of this trend, the Waterfall method of software development began to give way in the
late 1990s to a more lightweight method of software development: Agile.

And as the use of Agile has continued to grow in the last decade, it continues to mature as well. Software
organizations are constantly looking for ways to improve their Agile environments, and minimizing software
bugs is one area of focus. This paper will demonstrate that several of the core principles of Agile cannot be
fully realized without implementing a repeatable process for ensuring code that is as bug-free as possible.
The approach recommended in this paper is the use of automated static code analysis (SCA) technology to
locate and describe areas of weakness in software source code, such as security vulnerabilities, logic errors,
implementation defects, concurrency violations, rare boundary conditions, or any number of other types of
problemcausing code.

After providing a brief overview of Agile and discussing some of the barriers to achieving agility, this paper
discusses how key capabilities of SCA technology can enhance the Agile development process and empower
Agile teams.

Agile development — A brief history

Simply put, Agile software development is an approach that provides flexibility to accommodate continuous
change throughout the software development cycle. It stresses rapid delivery of working software,
empowerment of developers, and emphasizes collaboration between developers and the rest of the team,
including business people.

Agile contrasts with the still-popular Waterfall development approach, which is front-end loaded with
comprehensive scope and requirements definitions, and which employs clear, consecutive hand-offs from
requirements definition to design to coding and then to quality assurance. In contrast, Agile incorporates a
continuous stream of requirements gathering that flows throughout the development process. Business people
are involved throughout the release cycle, ensuring that the software being developed meets the true needs of
both the end-user and the business. Change to the requirements and to the overall feature set is expected to
occur as outside opportunities or threats arise.

In short, Agile fully embraces change and Agile teams are structured in such a way that they can receive and
act on constant feedback provided by the build process, by other developers, from QA, and from business
stakeholders.

Agile is based upon a number of guiding principles that all Agile teams follow. For the purposes of this
discussion, four principles — or values — are of particular interest:

• Quality software development

• Iterative flexibility
• Continuous improvement
• Collaboration and communication

roguewave.com 2
STATIC CODE ANALYSIS IN AN AGILE WORLD

Quality software development

The primary focus of Agile development is to enable the development of quality software that satisfies a
customer need — i.e. provides a functioning feature or capability — within a specific period of time (typically no
more than a few weeks) called an “iteration” or “sprint” in a Scrum context. In theory, a product developed in an
Agile environment could be market-ready after each iteration.

Delivering a series of market-ready products, each in just weeks, demands that a rigorous quality process be
built into the Agile development cycle. Deliverables in each iteration must be fully developed — meaning tested,
defect-free, and complete with documentation.

Iterative flexibility
With a focus on speed and nimbleness, Agile is open to changes that inevitably arise throughout the
development cycle. The iterative process is flexible, based on an understanding that original requirements may
(or will likely) need to change due to customer demand, market conditions, or other reasons. Because business
users are involved throughout the process, and because each iteration is short, new requirements can be
introduced and prioritized very quickly.

Continuous improvement
An Agile environment provides developers with an opportunity to learn new skills and to exercise greater
autonomy to do their jobs. The iterative framework is empowering because it enables continuous improvement,
with testing/quality assurance occurring as part of the iterative process, rather than only periodically or at the
end of a long process when it is often difficult or not cost effective to fix coding defects or to incorporate lessons
learned along the way. Agile also makes the testing and QA process transparent to the developers who originate
the code, further contributing to their learning and facilitating future improvements and coding efficiencies.

Collaboration and communication

Communication and collaboration is critical in software development in general, but in an Agile development
environment, it’s paramount. In fact, the Agile Manifesto (widely recognized as the de facto definition of Agile)
emphasizes individuals and interactions as a key concept. Ultimately, its open communication and collaboration
that facilities efficiencies in the development process. Having access to the right individuals, data, and feedback
when needed allows the team to deliver working software in short iterations, as the Agile process demands.

Greasing Agile’s wheels

As development teams work to embrace the core principals set out in the Agile Manifesto, they are inevitably
encountering roadblocks including bug debt, varying developer skill sets, and code complexity. Development
teams need to acknowledge these barriers and employ effective strategies that will help ‘grease the wheels’ to
achieving a truly Agile development process.

Managing bug debt

One of the development principles put forth in the Agile Manifesto states that “working software is the
primary measure of progress.” Working software implies software that is free of issues that break builds,
cause unexpected behavior, or which do not meet the product’s requirements, as well as mundane
programming defects (a.k.a. “bugs”).

roguewave.com 3
STATIC CODE ANALYSIS IN AN AGILE WORLD

This principle is not unique to Agile — many software development processes, including formal ones such as
CMMI and Six Sigma, encourage the creation of bug-free code as a fundamental principle. These processes
encourage in-phase bug containment — the practice of preventing bugs from being passed downstream from
the phase in which they are created (Figure 1). Agile also implicitly emphasizes in-phase bug containment.
Given its focus on short iterations, Agile processes must ensure that any potential software degradations are
quickly identified and corrected so that the whole team can move on to the next iteration — all while creating
functionally complete, working software.

Figure 1: The costs of bug containment.

Even within an iteration, Agile teams apply this philosophy through continuous integrations and regressions.
While this practice effectively addresses defects that can break builds or regression test suites, it is not as
effective in cleaning up many of the most common types of programming bugs, which generally fall into these
broad categories:

• Memory and resource management

• Program data management
• Buffer overflows
• Un-validated user input
• Vulnerable coding practices
• Concurrency violations
• A variety of longer term maintenance issues

roguewave.com 4
STATIC CODE ANALYSIS IN AN AGILE WORLD

Bug-filled code creates downstream risk both within an iteration and in subsequent iterations, in the form of bug
debt. If code flaws are not addressed within the iteration, they pass from one milestone to the next, and the bug
debt accumulates downstream. Bug debt can kill Agile projects by reducing development velocity which leads to
poor implementation results and fewer impactful changes being delivered per iteration. Additionally, bugs that
are saved up (or which go completely undetected until further downstream) are more expensive and often more
difficult to fix, and can lead to products that fail in the field, disappoint customers, and damage the brand.

It is for these reasons that in-phase bug containment is vital to the Agile process. Developers must take control
of the bug identification and removal process while enhancing collaboration amongst themselves to resolve
bugs as early in the process as possible.

Accommodating varying skill sets

Ideally, your development team is made up of the best and brightest software engineers who enjoy talking to
each other and getting feedback from the customer on a frequent basis. Unfortunately, this doesn’t always
match reality. Typical development teams are made up of a heterogeneous talent pool, combining a mix
of less experienced developers with the rock stars; natural collaborators with those that prefer anonymity,
etc. Balancing out the team by providing opportunities for less experienced developers to learn from more
experienced teammates and providing ways to make communication and collaboration easier will help
maximize the output of working code.

Restraining code complexity

Code bases are becoming increasingly complex, due in part to the following factors:

• Code base size

Expanding capabilities and the demand for more sophisticated features and functionality is increasing
the size of code bases which leads to more variables and control paths as well as varying language
constructs.

• Code reuse
Accepted as an industry best practice, code reuse speeds time to market by increasing development
efficiencies while minimizing the costs associated with net-new development. It also enables development
organizations to leverage the lessons learned from an existing code base. However, merging that code
with new systems can lead to unexpected results.

• Multiple coders
Code bases don’t live and die within a single version or a single iteration, and in an Agile process it is
quite likely that a developer will be editing code that they did not originally create. Inheriting modules
means developers are unfamiliar with the original intent of the code, its variables, and the language
constructs used.

These factors are each contributing to the overall complexity of code bases, which in turn complicates the
software development process. This complexity can lead to slipped release schedules, increased defect rates,
and decreased productivity as more time is taken to accomplish simple, everyday tasks. Development teams
should be vigilant in watching for these signs which indicate code complexity is becoming an issue.

roguewave.com 5
STATIC CODE ANALYSIS IN AN AGILE WORLD

With software, you can monitor the complexity of software builds using industry known metrics. For example,
you can start monitoring your McCabe’s Cyclometic complexity every build. This measurement shows you how
“off” you are from the standard. (McCabe’s complexity dictates anything over a value of 20 as very complex.)
More importantly, teams should be monitoring the trend of that metric. Seeing a large spike with one version
versus the previous might be evidence that complexity issues are impacting your process.

Tracking these metrics in order to identify opportunities to reduce complexity and make code more
maintainable (regardless of who is working on it) should be considered. Not addressing code complexity will
have a negative impact on the velocity of a software project — which can spell disaster in an Agile development
environment.

Figure 2: Monitoring key software metrics, such as the complexity of software builds, helps teams identify and correct
issues impacting the development process.

Adapting traditional process approaches

Traditional development processes become recognized as best practices because they bring value to the
process — by speeding development, helping to produce cleaner code, etc. Unfortunately, not all of these
practices are Agile-friendly.

Take peer code review, for example. The value of code review is unarguable, which explains why they’re
mandated by 53 percent of today’s software development teams.1 However, in an Agile context, traditional
code reviews — scheduling in-person meetings with senior development staff — are highly ineffective and time
consuming. These types of traditional processes need to be adapted so that development teams can continue
to benefit from them without sacrificing development velocity.

1
The Value and Importance of Code Reviews, a commissioned study conducted by
Forrester Consulting on behalf of Klocwork, February 2010.

roguewave.com 6
STATIC CODE ANALYSIS IN AN AGILE WORLD

Adopting tools and processes to achieve Agile

While the Agile Manifesto’s principle of “individuals and interactions over processes and tools” seems to
de-emphasis the need for tools, Agile teams use many tools to support their development — including software
configuration management tools, build management tools, requirements tracking tools, testing tools, project
management tools, and more.

Unfortunately, most of the tools being used are for managing some aspect of the production process and
are not targeted at helping developers overcome the obstacles they face during the coding phase. Deploying
a properly-selected set of developer-focused tools can help ensure high-quality code is output early in the
development process. The latest evolution of source code analysis technology — combining sophisticated bug
detection with collaborative peer code review and automated code refactoring — can help development teams
avoid bug debt and code maintainability issues, greasing the wheels to achieving an effective Agile process.

Automating bug detection

Static code analysis (SCA) is a bug-detection solution that requires no test cases, is fully automated, and fits well
with milestones typically found in an Agile process. SCA technology has grown in popularity and is becoming a
mainstream option for professional software developers to reduce the number of bugs in their code while also
reducing costs and keeping software development on track.

The underlying technology associated with SCA is called static analysis and the current generation of technology
solutions are capable of providing sophisticated, high-value analysis that will locate and describe areas of
weakness in software source code — such as memory and resource management, program data management,
buffer overflows, un-validated user input, vulnerable coding practices, concurrency violations, and a variety
of longer term maintenance issues. SCA is distinct from traditional dynamic analysis techniques, such as unit
or penetration tests, because the work is performed at build time using only the source code of the program
or module in question. The results reported are therefore generated from a complete view of every possible
execution path, rather than some aspect of a limited, observed runtime behavior.

Since SCA is essentially a build-time analysis, it is most effectively used as a build milestone activity when
individual developers or development teams run their builds — either at the integration-build level or the
developer-build level.

Integration build (a.k.a. system build, project build)

Today’s SCA tools go well beyond the syntactical and semantic analyses commonly associated with source code
analysis. Good SCA technology today can be expected to include sophisticated inter-procedural control and
data-flow analysis with advanced approaches for pruning false paths, estimating the values that variables will
assume, and simulating potential runtime behavior. The complexity of this type of analysis across a large system
with millions of lines of code and an essentially unlimited number of potentially feasible code paths to consider
is not trivial.

To make it all work, and to reduce the number of “false positives” (bugs that the tool incorrectly reports) and
false negatives (bugs that the tool misses), vendors naturally provide integration with a project’s system
build — whether it is make, ant, Visual Studio, or other continuous integration tools such as Electric Cloud

roguewave.com 7
STATIC CODE ANALYSIS IN AN AGILE WORLD

and BuildForge — to generate a complete view of the entire source code base. Of course, the downside to
running SCA exclusively at the integration build level is that bugs created at the desktop are exposed to the
main code stream and can impact other members of the team — both fellow developers and the QA team.
When bugs are found downstream — even in a continuous integration context where integration builds are run
much more frequently — an additional bug triaging process needs to be put in place to notify the developer of
the error (by email, web reports, etc.). This adds more workflow and process, which is contrary to the spirit of
Agile development.

Clearly, the solution is to push SCA to the developer desktop so that it can run in conjunction with a developer’s
build, even prior to him/her running unit tests.

Developer build (a.k.a. personal build, sandbox build)

SCA at the developer desktop offers a big payoff for any organization adopting this technology, in particular
an Agile team. If most bugs can be found prior to code check-in, organizations will achieve in-phase bug
containment, reducing the number of bugs in the main code stream or integration build. This allows QA to
be more efficient by focusing on being a customer advocate and ultimately producing higher quality software
— earlier.

For SCA to operate at the developer desktop, it must be delivered within the developer’s natural work
environment (i.e. a favorite IDE, text editor, or command line) and the analysis must be every bit as accurate
and intelligent as the centralized analysis that benefits from a view of the entire code stream. Code check-in (or
commit) is an important milestone in Agile and many organizations operating in a continuous integration context
have a series of gates (smoke tests, unit tests, etc.) that the developer must pass in order for him/her to check-in
code. SCA should be added to this series of pre check-in quality gates.

If organizations embrace SCA with the goal of in-phase bug containment, the key principles of Agile outlined at
the beginning of this paper will be fully realized.

Facilitating collaborative peer code review

Peer code review is a necessary evil in the software development process. Often mandated by management
before code can go live, the code review process is time-consuming and usually not a pleasant experience for
the person whose code is being reviewed. However, the benefits are plentiful:

• Code reviews create consistency and a culture of quality for a development team. Identifying bugs and
design flaws while ensuring coding standards and best practices are met means a higher quality product
goes out the door.
• Developers learn from code reviews by having more experienced team members review their code and
provide feedback.

In an Agile context, these benefits are important. However, the traditional method of conducting code reviews
— scheduling in person meetings — is not effective in an Agile context. Agile teams wanting to make code
review part of their process should consider SCA tools with built-in code review capabilities. These tools facilitate
simple, web-based peer review that allows code to be reviewed asynchronously. This approach avoids the need
to get a specific group of people in a conference room at a set time to review code. Instead, code is available

roguewave.com 8
STATIC CODE ANALYSIS IN AN AGILE WORLD

to a variety of team members — regardless of geographic location, calendar availability, and title — to review
and provide feedback on at their convenience. When peer code review capabilities are combined with source
code analysis, coding defects are identified so that reviewers can see them, comment on them, and assign
actions as required.

Simplifying complex refactoring

Refactoring — the process of simplifying and clarifying code without changing the program’s behavior — can be
a difficult and time-consuming activity, especially for those developing in often-used languages like C and C++.
With a lack of tools capable of automating the refactoring process, many developers who want to refactor simply
choose not to. However, implementing a process that facilitates refactoring code early and often offers some
important benefits to an Agile team.

Martin Fowler, one of the original authors of the Agile Manifesto, describes refactoring as a series of small,
almost negligible changes to code, that when combined, result in a significant end result. Some of the areas
that refactoring has an impact on include:

• Adapting to change
Ongoing change is a fundamental aspect of Agile. By incorporating frequent refactoring into the
development process, code becomes easier to work with which allows teams to adapt to change
more effectively.

• Defect detection
By simplifying code and improving its overall design, code becomes clearer. Working with clean code
makes spotting quality defects and security vulnerabilities easier. And the sooner defects are found
and fixed, the less impact (i.e. distracting developers, bogging down test teams, slowing down the
overall process) they have on the process.

• Developer productivity
Frequently, different people will end up working on code that they did not originally create. With
refactoring, code becomes easier to inherit, which means developers won’t waste iterations reviewing,
interpreting, and fixing existing code and instead focus more time on writing new code.

Clearly, refactoring has an important role to play in helping teams achieve agility. With today’s source code
analysis tools which offer built-in refactoring capabilities, Agile teams can automate the refactoring process to
reduce the complexity around the process while reaping the rewards it has to offer.

Achieving true agility

By bringing source code analysis technology with its bug-detection, code review, and refactoring capabilities into
the Agile development cycle, development teams can achieve in-phase bug containment while fully realizing the
core Agile principals discussed at the beginning of this paper.

roguewave.com 9
STATIC CODE ANALYSIS IN AN AGILE WORLD

Bug free for security and reliability

Software bugs are more than a nuisance. Serious bugs can cause downstream inefficiencies, product recalls,
or field disasters. SCA can automatically find serious bugs in your code, such as NULL pointer dereferences
and memory management issues that can lead to a system crash; or buffer overflows and un-validated user
inputs that make a system susceptible to exploit by hackers. Removing these issues prior to shipping a product
is critical and the earlier they are identified the better. This prevents critical issues from being passed to QA
within an iteration, or passed from iteration to iteration, both of which greatly increase the risk of shipping buggy
software. In addition, if bugs are dramatically reduced before code check-in, this will ensure they never impact
the main code stream and will facilitate the testing and QA process.

With few bugs to find or report on, testers are able to focus instead on running functional and performance
tests to ensure the product is customer- and market-ready.

Bug free flexibility

To adequately test and assure the quality of software developed in Agile environments, the testing process
must also be iterative and accommodate frequent change in requirements. Thus, there is little room to address
programming bugs in the testing phase. If QA discovers these bugs, unacceptable drag in the development cycle
is created — testers report the bug list back to the developers who must set aside their current work to shift
back to the frame of mind they were in when working on the original code. By enabling developers to check-in
bug-free code, this dramatically reduces or eliminates the time-consuming cycle of check-in, find bugs, debug,
and then rework. By using SCA tools in an Agile environment, developers can spend less time fixing reported
bugs and more time writing new and innovative software. Within this context, developers have the flexibility to
control the reliability and security of the code they create during new development, before the integration build
is performed.

Bug free for continuous improvement

It doesn’t matter how an iteration appears to be progressing from a feature development standpoint — if the
development team’s commitment to quality code cannot be measured, the project is by default accumulating
significant downstream risk with each and every build and iteration. In a fast-paced and fluid development
environment, Agile teams need to have strong, automated measurement capabilities in place, such as:

• Measure and track bug fix rate at the developer build

• Identify what bugs are leaking to the integration build
• Establish nightly build quality milestones (or any other frequency over and above the continuous build
schedule)
• Track which teams or components are improving over time
The answers to these questions allow Agile teams to implement targeted continuous improvement programs
that quickly identify where help or training is needed so that all members of the development team can submit
clean code into the integration build. Measuring and tracking quality from the bottom up is necessary to know if
iteration plans are any good and if a shippable product will be available at the end of an iteration.

roguewave.com 10
STATIC CODE ANALYSIS IN AN AGILE WORLD

Bug free for collaboration and communication

The short iteration process found in Agile development requires constant communication and team collaboration
in order to be successful. This helps ensure rapid resolution of issues encountered, while avoiding duplication
of efforts which creates unnecessary delays. SCA tools provide collaborative mitigation for all reported issues.
Developers, architects, and other team members can change the status of reported issues or add comments,
which are automatically synchronized with other developers. Utilizing this capability, various team members
can collaborate on complex issues, and developers don’t duplicate effort on the same bug. This ongoing
visibility and sharing of data and feedback helps ensure mitigation is achieved early in the process.

Klocwork for Agile development

Powered by a comprehensive static analysis engine, Klocwork helps developers increase their agility and
development velocity. The key principles of Agile development are supported in the following ways:

On-the-fly desktop analysis

Klocwork desktop analysis is like spell-check for developers, giving instant, accurate, and continuous feedback
on security vulnerabilities and critical defects being introduced into code, as its being written. Highlighting critical
coding issues within the developer’s IDE the instant they’re created makes fixing defects part of the natural
development workflow and ensures the most secure and reliable code is created before check-in. This approach
reduces both the number of problems reported downstream in the dev cycle and the time developers need to
spend going back and fixing those issues. This boost in productivity is important in an Agile environment.

Figure 3: On-the-fly desktop analysis allows developers to find and fix critical coding issues before code check-in
from within their IDEs. This reduces the time developers have to spend going back and fixing issues not
detected until late in the dev process.

roguewave.com 11
STATIC CODE ANALYSIS IN AN AGILE WORLD

Software metrics and reporting

Klocwork provides a robust suite of more than 100 objective and actionable product metrics, which are derived
directly from your software code (Figure 4). With drag and drop reporting capabilities, development team
managers can quickly and easily answer key questions about their organization’s software development process.
For example, a key question for Agile is whether bugs are being found and fixed at the developer desktop, or
whether they are leaking to the integration build. Klocwork automatically aggregates information about what is
being found and fixed at the desktop even though it is never propagated into the source stream. This unique
capability allows teams to better understand the bug reduction activity that is happening before code check-
in, generating a bottom-up view of how well defect containment is working. This — combined with custom
ownership models that allow metrics to be organized by people, groups, geography, components, and any
other attribute that works for your organization — allows teams early in an iteration to identify the areas of
greatest risk within their code base.

Figure 4: Klocwork automatically generates rich reporting that allows Agile teams to monitor the health of their
integration builds, along with tracking desktop bug fix rates.

Automated C/C++ refactoring

As a recommended best practice for Agile development teams, the goal of refactoring is to create a code
design that is clean, easy to understand and modify. Klocwork offers powerful refactoring capabilities that allow
developers to automatically abstract their C/C++ code into reusable and understandable code right from their
editor. This means developers can quickly gauge the state of their code and improve its design without having to
access separate views or dialogues.

roguewave.com 12
STATIC CODE ANALYSIS IN AN AGILE WORLD

Figure 5: With Klocwork, refactoring options are available right within your editor, allowing you to improve code design
without having to access separate views or dialogs.

CONCLUSION
The ubiquitous nature of software today, coupled with the pressure to rapidly develop market-ready features
and products in just weeks, has led to two related phenomena:

• The widespread adoption of Agile software development principles

• The adoption of various tools by Agile teams designed to help streamline and de-risk development
projects

Some of the most important types of tools that an Agile team can deploy are ones that aid in writing better-
quality code. SCA tools provide an automated method to detect a significant number of software bugs and
security vulnerabilities right at the developer’s desktop — before any code is delivered to the integration build
or testing team. Combine that with automated refactoring to ensure more maintainable code, and an Agile
team can minimize project drag and run more efficiently overall. Developers can focus their time writing
innovative code, while testing teams spend their time testing how the features of the project work rather
than uncovering mundane code issues and retesting these again and again.

roguewave.com 13
STATIC CODE ANALYSIS IN AN AGILE WORLD

SCA may be right for your Agile team, particularly if you are finding your process being impacted by quality issues
or security vulnerabilities, non-Agile friendly processes, and hard to maintain code. Implementing source code
analysis within your Agile environment does not have to be disruptive. You can start small and analyze only a
small project or a portion of a project. Compare the results against a similar project where these tools were
not used. You’ll undoubtedly find opportunities to save significant time and money by using SCA in your Agile
development process.

Rogue Wave helps thousands of global enterprise customers tackle the hardest and most complex issues in
building, connecting, and securing applications. Since 1989, our platforms, tools, components, and support have
been used across financial services, technology, healthcare, government, entertainment, and manufacturing, to
deliver value and reduce risk. From API management, web and mobile, embeddable analytics, static and dynamic
analysis to open source support, we have the software essentials to innovate with confidence. roguewave.com

© 2017 Rogue Wave Software, Inc. All rights reserved.

roguewave.com 14