IT conferences and meetings on programming languages see a growing number of speakers talking about static code analysis. Although this field is quite specific, there is still a number of interesting discussions to be found here to help programmers understand the methods, ways of use, and specifics of static code analysis. In this article, we have collected a number of videos on static analysis whose easy style of presentation makes them useful and interesting to a wide audience of both skilled and novice programmers.

What is Static Analysis?

Author: Matt Might

Static analyzers allow programmers to bound and predict the behavior of software without running it. Once used exclusively for program optimization, they have rapidly risen in prominence for areas like software security and automatic parallelization. The author takes you on a tour of the landscape of static analysis through the lens of abstract interpretation.

Static code analysis used for code clean up

Author: PVS-Studio team

The report gives information about ways to detect bugs, methodology of static analysis, correct and incorrect use of analysis tools. The author also provides myths about static analysis that may lead to erroneous understanding among the developers. The presentation shows errors in Open Source projects, detected by such tools as ReSharper, PVS-Studio, Visual Studio SCA.

Static Code Analysis: Scan All Your Code For Bugs

Author: Jared DeMott

The author discusses static code analysis and how it is used in bug elimination. The talk covers a discussion of pattern matching, procedural, data flow, and statistical analysis, and also includes examples of common software vulnerabilities such as memory corruption, buffer overflow and over reads, script injection, XSS and CSRF, command injection, and misconfigurations.

Static Code Analysis: Preventing Bugs and Lag Before They Happen

Author: Vinny DaSilva

A Unit 16 Los Angeles forum session. The author discusses how to use static code analysis tools to improve code quality throughout the development process, how to customize static code analysis to fit teams’ specific needs and workflows, and how to integrate with continuous integration systems to give developers continuous feedback.

Make more Secure Code! — Overview of Security Development Lifecycle and Static Code Analysis

Author: Jason Cohen

Despite the exponential growth in security products, security services, security companies, security certifications, and general interest in the security topic, we still see security vulnerability disclosures happening on a regular basis. Implementing Security Development Lifecycle best practices and principles can go a long way to reducing the potential for common security flaws. Input sanitization issues, Cross-Site-Scripting, buffer overflows, and many other known issues still represent the bulk of security issues present. Static Code Analysis can help catch many of these unnoticed issues before code makes it out of the developer’s hands. In this video, the author discusses some common best practices of the Security Development Lifecycle theory and how this can be integrated into modern code.

Bug Hunting with Static Code Analysis

Author: Nick Jones

A BSlidesLondon 2016 conference video. This talk covers a number of automated analysis techniques for spotting bugs and security flaws in applications at the source code level, ranging from quick and dirty bash scripts through open source and commercial analyzers to custom implementations. The video also discusses how these techniques can be used in continuous integration systems to catch bugs as early in the development cycle as possible.

The Current State of (free) Static Analysis

Author: Jason Turner

A CPPCON2015 conference video. The author discusses the currently available free static analysis software available for C++ and explains what kinds of errors these tools can catch, what kinds they miss, and why static analysis should be a part of a normal build process.

Static Analysis and C++: More Than Lint

Author: Neil MacIntosh

A CPPCON2015 conference video. Static analysis can find not only trivial bugs but also subtle, complex bugs early, identify opportunities to improve performance, encourage consistent style and appropriate usage of libraries and APIs. This talk looks at the different purposes static analysis tools can be used to meet all these different goals. Specific examples are presented from the author’s experience working with sophisticated analysis tools on large, commercial codebases.

Make Friends with the Clang Static Analysis Tools

Author: Gabor Horvath

A CPPCON2016 conference video. This talk is an overview of the open source static analysis tools for C++ with the emphasis on Clang based tools. Understanding these methods can be really useful as it helps write more static analysis friendly code and understand the cause of false positive results. It also helps to understand limitations of the currently available tools. The author gives a short tutorial on how to use these tools and how to integrate them into the workflow.

Finding Bugs with Clang at Compile and Run Time

Author: Bernhard Merkle

An ACCU 2016 conference video. Code analysis and verification gain more and more importance within programming and quality assurance of software projects. Especially in languages like C/C++, undefined behavior and memory leaks can cause great problems. Static analysis tools help a lot but often hard to detect problems happen at runtime. This session shows how to use clang’s features to find bugs at both compile time (via static analysis) and runtime (via sanitizers). The combination of both approaches can improve software quality a lot.

Static Source Code Analysis, The Next Generation

Author: James Croall

A Devoxx 2016 conference video. Gone are the days of “linters” and glorified spell checkers. Today’s static source code analysis is accurate and trustworthy, and can find complex inter-procedural coding defects that our human eyes would never see. The video discusses how open-source developers have used Coverity’s Software Testing Platform to find and fix critical, crash causing bugs and security defects in the Java language.

Static Analysis Saved My Code Tonight

Author: Damien Seguy

A PHP UK Conference 2017 video. Static analysis tools check PHP code without running it. Fully automated, they bring expertise to review the code, enforce good practices when programming, keep code ready for the next PHP version. PHP 7 has developed tremendously our capacity to audit code -thanks to AST and return types, it is possible to go deeper and prevent more bugs. In this video, the author reviews the current state of static analysis tools and shows what they can find and how to integrate them in the development cycle.

Static Code Analysis with Python

Author: Andrew Wolfe

Auditing a code base for code formatting mistakes, potential security vulnerabilities or defects can be time consuming. Static code analysis will let the computer do that for you. The video discusses how to use code static analysis to catch errors early and improve code quality in Python codebases.

Augmenting Static Analysis Using Pintool: Ablation

Author: Paul Mehta

A BH USA 2016 conference video. Ablation is a tool supplementing static analysis built to extract information from a process as it executes. This information is then imported into the disassembly environment where it used to resolve virtual calls, highlight regions of code executed, or visually diff samples. The goal of Ablation is to augment static analysis with minimal overhead or user interaction. Ablation makes it simple to diff samples by and highlight where the samples diverge. This is achieved by comparing the code executed rather than just comparing data. The video also compares a heavily mutated crash sample and the source sample.

Conclusion

You may find that some of the videos cover the same aspects, but each codebase is unique and one developer’s experience may be different from that of another. The authors share their knowledge of the static analysis methodology and experience of using static analysis tools with the audience to prevent them from making the same mistakes, straining their nerves and wasting their time on finding and fixing these mistakes. The static analysis field is intensively developing; some diagnostic rules inevitably become obsolete, whereas new diagnostics and standards appear. That’s why attempts to compare analyzers based on what defects they can detect or running them on synthetic tests make no sense. The only way to compare tools is to run them on your code and see which of them meets your needs and expectations the most.

Other materials

You are welcome to send us the links to videos on static code analysis that you find interesting, and we will add them to the article.