Video about static code analysis
At IT conferences and meetings devoted to various programming languages, more and more speakers appear with reports on static code analysis. And although this is a fairly highly specialized field, many interesting speeches can be found here that help to understand the methodology, use and features of static code analysis. This article contains videos of this topic, which, thanks to the easy form of presentation of the material, can be useful and interesting to a wide audience, both professional programmers and beginners.
→ https://youtu.be/nz1ZmHArPX4
Author: Artem Koshelev
')
The components of a quality code are clarity, simplicity, architecture. The video tells what static analysis is, what device it is and what tools it uses. Questions are raised about the features, strengths and weaknesses of dynamic and static analysis. Considered popular static analysis tools, in particular SonarQube.
→ https://youtu.be/YNrr_mMgEDU
Author: Andrey Karpov
Video from the conference DotNext 2015 Moscow. The report discusses error detection methods, static analysis methodology, and the correct and incorrect use of code analysis tools. The author also cites myths about static analysis, which can be misleading for developers. Examples of errors in Open Source projects that are identified using tools such as ReSharper, PVS-Studio, Visual Studio SCA are shown.
→ https://youtu.be/6m1KcWxWDNg
Authors: Alexander Nezhelsky, Evgeny Bushtyryov, Nikita Kakuyev, Nikolay Dyakonov.
Record of the report, voiced in the framework of the event CoLaboratory at the headquarters of Kaspersky Lab. The video discusses static analysis of C ++ code and analysis of program performance. Among other things, the authors tell how to make the code suitable for static analysis, how to deal with false positives, and how to extend the functionality of the Clang Static Analyzer through their own checks.
→ https://youtu.be/aQaJs7PcJao
The author: Pavel Belikov
Video from the C ++ CoreHard Winter 2017 conference. The author shows what static analyzers have learned from their appearance until today. Various methods of analysis are considered, how they appeared and what errors can be found with their help. The video analyzes errors found in Open Source projects and explains how a static analyzer differs from linters and some other tools, as well as which problems, in addition to analyzing the code, it solves.
→ https://youtu.be/nrQUpGM9vYQ
The author: Pavel Belikov
Video from the conference CoreHard Spring 2018. Data Flow Analysis (data flows) is a technology for analyzing the source code of programs, widely used in various development tools: compilers, linters, IDE. We will talk about it on the example of the development of a static analyzer. Consider the classification and various types of Data Flow analysis, related technologies that complement each other and the problems that arise during its development, and the surprises that C ++ presents to us when we try to analyze it. During the report, we will examine several errors found in real projects using this technology.
→ https://youtu.be/k9zjmg7spEA
The author: Valery Ignatiev
A report from the SPB .NET meeting, where the author considers scenarios for using a static analyzer and warns against possible errors. It also briefly discusses commercial static analysis tools.
→ https://youtu.be/6azelG0PbAs
Author: Yuri Efimochev
Video from the conference CoreHard Summer Conf 2016. The Clang library family provides developers with the greatest opportunity to implement various tools based on parsing and analyzing the abstract syntax tree (AST). In particular, the authors of Clang release a tool like Clang-Tidy, which is a powerful static code analyzer. The video discusses how this tool is used in the development process for C ++ and how to supplement it with your own checks. Along the way, some interesting features of AST for C ++ are being analyzed.
→ https://youtu.be/axwoBjT3R-M
Author: Vladimir Koshelev
Video from the conference DotNext 2016 Spb. The report will discuss popular tools that look for violations of Guidelines, copy-paste errors and typos in the source code. The results of the work of these tools on a set of Open Source projects, as well as the methodology used when comparing, are discussed. The following are more complex errors, such as the occurrence of a NullReferenceException or a resource leak, and how to detect them. Both purely static analysis, for example, Coverity Prevent, and static-dynamic, such as IntelliTest (Pex), can help detect such errors.
→ https://youtu.be/30re90uJSjc
The author: Ivan Yolkin
Video from forum PHDays VI. The leading fast track talks about the experience of implementing the Static Analysis Security Tool in QIWI, and the difficulties that developers have encountered. He examines such questions as writing “crutches” or refactoring code, as well as what to do when client and developer opinions diverge. It will tell you how many lines of code you had to read and write before and after launching the scanner, and offer a brief overview of the found and missing vulnerabilities.
→ https://youtu.be/F7FtAxUHd54
Author: Anton Khlynovsky
Many developers had to work with linders, minifiers or bundlers. All of them somehow work with the code, not running it. The magic that works under the hood of such tools is called static code analysis and it’s about the author in this video: how and what to parse the JS code; how then to collect it back; what possibilities it gives and what jambs you can run into when there is a desire to write your own JS code, working with JS code.
→ https://youtu.be/POvX4hYIoxg
By Matt Might
Static analyzers allow developers to evaluate and predict the behavior of a program without starting it. Once used exclusively for optimization, they quickly grew and became known in areas such as security and automatic parallelization. The author conducts a tour of acquaintance with static analysis through the prism of abstract interpretation.
→ https://youtu.be/Heor8BVa4A0
Posted by: Jared DeMott
The author conducts a discussion of static code analysis and considers how to detect and eliminate errors with its help. The report raises questions of pattern matching, analysis of procedures and data flow, as well as statistical analysis. Also included are examples of common software vulnerabilities, such as: memory corruption, buffer overflow and overruns when reading a buffer, implementation of commands, XSS and CSRF scripts, and incorrect configuration.
→ https://youtu.be/VxeC7WFfg3Q
Posted by: Vinny DaSilva
Meeting with the Forum Unit 16 Los Angeles. The author explains how to use static analysis tools to improve the quality of the code during the development process, how to configure static code analysis to meet the specific needs and workflows of the development team, and how to integrate with continuous integration systems to give developers constant feedback.
→ https://youtu.be/DyWpRmhGnRI
Posted by: Jason Cohen
Despite the exponential growth of products, special services, companies, security certificates and a general interest in this topic, new security vulnerabilities are still being made public every day. Implementing best practices, development life cycle principles, and static code analysis in this area can significantly reduce the likelihood of common security issues. Input processing, cross-site-scripting, buffer overflow, and other tasks continue to pose a major security problem. Static code analysis can help find many of these subtle vulnerabilities before the code leaves the developer’s hands. The video discusses general best practices for security life cycle development and how to integrate them into modern code development schemes.
→ https://youtu.be/Sb011qfbMkQ
Posted by: Nick Jones
Video from the BSlidesLondon 2016 conference. The author talks about a number of possibilities for using automated analysis methods to detect errors and flaws in application security at the source code level, ranging from quick scenarios, moving to commercial analyzers and open source tools, and ending with custom solutions. It discusses how these methods can be used in a continuous integration system and how errors can be detected at the very beginning of the development cycle.
→ https://youtu.be/sn1Vg8A_MPU
Posted by: Jason Turner
Video from the CPPCON2015 conference. The currently available free static analyzers available for C ++ are discussed. The author tells what errors these tools can catch and which ones miss and why static analysis should be part of the normal build process.
→ https://youtu.be/rKlHvAw1z50
Posted by: Neil MacIntosh
Video from the CPPCON2015 conference. Static analysis can find not only simple, but also hidden complex errors at an early stage of development, identify opportunities for increasing productivity, improve the style of unified coding and the correct use of libraries and APIs. This video discusses static analysis tools for this purpose. Concrete examples from the experience of working with complex analysis tools on large commercial code bases are presented.
→ https://youtu.be/AQF6hjLKsnM
Posted by: Gabor Horvath
Video from the CPPCON2016 conference. This report provides an overview of open source static analysis tools for C ++. The focus is on Clang based tools. Understanding the various methods of developing such tools can be very useful, as it helps to create a more friendly static code analyzer and understand the cause of false positives, and also shows the limitations of the currently available tools. The author gives a brief training material on how to use and integrate them into the work flow.
→ https://youtu.be/kkokHPKlhzQ
By Bernhard Merkle
Video from the conference ACCU 2016. Code analysis and verification are becoming increasingly important in programming and ensuring the quality of software projects. Especially in languages ​​like C / C ++, errors can cause undefined behavior and memory leaks. Static analysis tools do a good job with this, but it can be difficult to detect problems that arise during program execution. This report shows how to use Clang to find bugs, both during compilation (using static analyzers) and during execution (using sanitizers). The combination of both approaches can improve the quality of the software.
→ https://youtu.be/W_xIm5Djnpk
Posted by: James Croall
Video from the conference Devoxx 2016. Gone are the days of "linter" and famous spell checks. Today, static source code analysis is accurate and reliable, and can find complex coding defects in parallel programs that are imperceptible to the human eye. The report describes how, in Open Source projects, developers, using the Coverity software, found and eliminated critical errors leading to program crashes and security defects in the Java language.
→ https://youtu.be/TelqURPdQmQ
Posted by: Damien Seguy
Video from the PHP UK Conference 2017. Static analysis tools check the PHP code without running it. Fully automated, they bring in experience to view code, ensure adherence to advanced programming techniques, and maintain code readiness for the next version of PHP. PHP 7 has greatly enhanced the ability to audit code - thanks to AST and return types, you can conduct a deeper analysis and prevent more errors. In this video, the author will review the current state of the static analysis tools, show what they can find, and also demonstrate how to integrate them into the development cycle.
→ https://youtu.be/mfXIJ-Fu5Fw
Posted by: Andrew Wolfe
Checking the code base to find errors, possible vulnerabilities or defects can take a long time. Static analysis will allow the computer to do it for you. This video describes how to use static code analysis to catch errors in the early stages and improve the quality of the code in Python.
→ https://youtu.be/wHIlNRK_HiQ
By Paul Mehta
Conference BH USA 2016. Ablation is an additional static analysis tool created to extract information from the process being performed. This information is then imported into the disassembly environment, where it is used to resolve virtual calls, highlight areas of executable code, and visually distinguish scenarios. The goal of Ablation is to extend static analysis with minimal cost or user involvement. Ablation makes it easy to compare scenarios and highlight different ones. This is achieved by comparing the executable code, and not just data mapping. Also in the video is a comparison of the confusing scenario of the fall and the original script.
Perhaps in some videos the subject of static analysis will overlap, but each code base is unique and the experience of one developer may differ from the experience of another. The authors convey their knowledge of the methodology and experience of using static analysis tools to the listeners so that they in turn do not make the same mistakes, wasting their nerves and time for finding and correcting them. The field of static analysis is actively developing, inevitably some rules become obsolete and new diagnostics and standards appear. Therefore, it makes no sense to try to compare analyzers on the basis of lists of detectable defects or on synthetic tests. The only way to compare tools is to run them on your code and see which of the analyzers best meets your needs and expectations.
You can send links to videos about static code analysis that you found interesting, and we will add them to the end of this article.
If you want to share this article with an English-speaking audience, then please use the link to the translation: Ekaterina Milovidova. Videos about static code analysis
Russian videos
Static code analysis
→ https://youtu.be/nz1ZmHArPX4
Author: Artem Koshelev
')
The components of a quality code are clarity, simplicity, architecture. The video tells what static analysis is, what device it is and what tools it uses. Questions are raised about the features, strengths and weaknesses of dynamic and static analysis. Considered popular static analysis tools, in particular SonarQube.
Static analysis, like hygiene code
→ https://youtu.be/YNrr_mMgEDU
Author: Andrey Karpov
Video from the conference DotNext 2015 Moscow. The report discusses error detection methods, static analysis methodology, and the correct and incorrect use of code analysis tools. The author also cites myths about static analysis, which can be misleading for developers. Examples of errors in Open Source projects that are identified using tools such as ReSharper, PVS-Studio, Visual Studio SCA are shown.
Static analysis in C ++ and performance analysis
→ https://youtu.be/6m1KcWxWDNg
Authors: Alexander Nezhelsky, Evgeny Bushtyryov, Nikita Kakuyev, Nikolay Dyakonov.
Record of the report, voiced in the framework of the event CoLaboratory at the headquarters of Kaspersky Lab. The video discusses static analysis of C ++ code and analysis of program performance. Among other things, the authors tell how to make the code suitable for static analysis, how to deal with false positives, and how to extend the functionality of the Clang Static Analyzer through their own checks.
Modern static code analysis: what it can do, what the linters did not know how
→ https://youtu.be/aQaJs7PcJao
The author: Pavel Belikov
Video from the C ++ CoreHard Winter 2017 conference. The author shows what static analyzers have learned from their appearance until today. Various methods of analysis are considered, how they appeared and what errors can be found with their help. The video analyzes errors found in Open Source projects and explains how a static analyzer differs from linters and some other tools, as well as which problems, in addition to analyzing the code, it solves.
How Data Flow Analysis Works in a Static Code Analyzer
→ https://youtu.be/nrQUpGM9vYQ
The author: Pavel Belikov
Video from the conference CoreHard Spring 2018. Data Flow Analysis (data flows) is a technology for analyzing the source code of programs, widely used in various development tools: compilers, linters, IDE. We will talk about it on the example of the development of a static analyzer. Consider the classification and various types of Data Flow analysis, related technologies that complement each other and the problems that arise during its development, and the surprises that C ++ presents to us when we try to analyze it. During the report, we will examine several errors found in real projects using this technology.
Static Analyzer Usage Scenarios
→ https://youtu.be/k9zjmg7spEA
The author: Valery Ignatiev
A report from the SPB .NET meeting, where the author considers scenarios for using a static analyzer and warns against possible errors. It also briefly discusses commercial static analysis tools.
Slang-Tidy journey inside C ++ Abstract Syntax Tree
→ https://youtu.be/6azelG0PbAs
Author: Yuri Efimochev
Video from the conference CoreHard Summer Conf 2016. The Clang library family provides developers with the greatest opportunity to implement various tools based on parsing and analyzing the abstract syntax tree (AST). In particular, the authors of Clang release a tool like Clang-Tidy, which is a powerful static code analyzer. The video discusses how this tool is used in the development process for C ++ and how to supplement it with your own checks. Along the way, some interesting features of AST for C ++ are being analyzed.
Not all static analyzers are equally useful.
→ https://youtu.be/axwoBjT3R-M
Author: Vladimir Koshelev
Video from the conference DotNext 2016 Spb. The report will discuss popular tools that look for violations of Guidelines, copy-paste errors and typos in the source code. The results of the work of these tools on a set of Open Source projects, as well as the methodology used when comparing, are discussed. The following are more complex errors, such as the occurrence of a NullReferenceException or a resource leak, and how to detect them. Both purely static analysis, for example, Coverity Prevent, and static-dynamic, such as IntelliTest (Pex), can help detect such errors.
Static code analysis in the context of SSDL
→ https://youtu.be/30re90uJSjc
The author: Ivan Yolkin
Video from forum PHDays VI. The leading fast track talks about the experience of implementing the Static Analysis Security Tool in QIWI, and the difficulties that developers have encountered. He examines such questions as writing “crutches” or refactoring code, as well as what to do when client and developer opinions diverge. It will tell you how many lines of code you had to read and write before and after launching the scanner, and offer a brief overview of the found and missing vulnerabilities.
Static JS Code Analysis
→ https://youtu.be/F7FtAxUHd54
Author: Anton Khlynovsky
Many developers had to work with linders, minifiers or bundlers. All of them somehow work with the code, not running it. The magic that works under the hood of such tools is called static code analysis and it’s about the author in this video: how and what to parse the JS code; how then to collect it back; what possibilities it gives and what jambs you can run into when there is a desire to write your own JS code, working with JS code.
English videos
What is static analysis?
→ https://youtu.be/POvX4hYIoxg
By Matt Might
Static analyzers allow developers to evaluate and predict the behavior of a program without starting it. Once used exclusively for optimization, they quickly grew and became known in areas such as security and automatic parallelization. The author conducts a tour of acquaintance with static analysis through the prism of abstract interpretation.
Static code analysis: scan all your code for errors
→ https://youtu.be/Heor8BVa4A0
Posted by: Jared DeMott
The author conducts a discussion of static code analysis and considers how to detect and eliminate errors with its help. The report raises questions of pattern matching, analysis of procedures and data flow, as well as statistical analysis. Also included are examples of common software vulnerabilities, such as: memory corruption, buffer overflow and overruns when reading a buffer, implementation of commands, XSS and CSRF scripts, and incorrect configuration.
Static code analysis: preventing errors and delays before they happen
→ https://youtu.be/VxeC7WFfg3Q
Posted by: Vinny DaSilva
Meeting with the Forum Unit 16 Los Angeles. The author explains how to use static analysis tools to improve the quality of the code during the development process, how to configure static code analysis to meet the specific needs and workflows of the development team, and how to integrate with continuous integration systems to give developers constant feedback.
Let's make the code more secure! - Overview of the life cycle of secure development and static code analysis
→ https://youtu.be/DyWpRmhGnRI
Posted by: Jason Cohen
Despite the exponential growth of products, special services, companies, security certificates and a general interest in this topic, new security vulnerabilities are still being made public every day. Implementing best practices, development life cycle principles, and static code analysis in this area can significantly reduce the likelihood of common security issues. Input processing, cross-site-scripting, buffer overflow, and other tasks continue to pose a major security problem. Static code analysis can help find many of these subtle vulnerabilities before the code leaves the developer’s hands. The video discusses general best practices for security life cycle development and how to integrate them into modern code development schemes.
Hunting bugs using static code analysis
→ https://youtu.be/Sb011qfbMkQ
Posted by: Nick Jones
Video from the BSlidesLondon 2016 conference. The author talks about a number of possibilities for using automated analysis methods to detect errors and flaws in application security at the source code level, ranging from quick scenarios, moving to commercial analyzers and open source tools, and ending with custom solutions. It discusses how these methods can be used in a continuous integration system and how errors can be detected at the very beginning of the development cycle.
Current state of (free) static analysis
→ https://youtu.be/sn1Vg8A_MPU
Posted by: Jason Turner
Video from the CPPCON2015 conference. The currently available free static analyzers available for C ++ are discussed. The author tells what errors these tools can catch and which ones miss and why static analysis should be part of the normal build process.
Static analysis and C ++: more than Lint
→ https://youtu.be/rKlHvAw1z50
Posted by: Neil MacIntosh
Video from the CPPCON2015 conference. Static analysis can find not only simple, but also hidden complex errors at an early stage of development, identify opportunities for increasing productivity, improve the style of unified coding and the correct use of libraries and APIs. This video discusses static analysis tools for this purpose. Concrete examples from the experience of working with complex analysis tools on large commercial code bases are presented.
Make friends with the tools of static analysis Clang
→ https://youtu.be/AQF6hjLKsnM
Posted by: Gabor Horvath
Video from the CPPCON2016 conference. This report provides an overview of open source static analysis tools for C ++. The focus is on Clang based tools. Understanding the various methods of developing such tools can be very useful, as it helps to create a more friendly static code analyzer and understand the cause of false positives, and also shows the limitations of the currently available tools. The author gives a brief training material on how to use and integrate them into the work flow.
Search for bugs with Clang at compile time and runtime
→ https://youtu.be/kkokHPKlhzQ
By Bernhard Merkle
Video from the conference ACCU 2016. Code analysis and verification are becoming increasingly important in programming and ensuring the quality of software projects. Especially in languages ​​like C / C ++, errors can cause undefined behavior and memory leaks. Static analysis tools do a good job with this, but it can be difficult to detect problems that arise during program execution. This report shows how to use Clang to find bugs, both during compilation (using static analyzers) and during execution (using sanitizers). The combination of both approaches can improve the quality of the software.
Static source code analysis. Next generation
→ https://youtu.be/W_xIm5Djnpk
Posted by: James Croall
Video from the conference Devoxx 2016. Gone are the days of "linter" and famous spell checks. Today, static source code analysis is accurate and reliable, and can find complex coding defects in parallel programs that are imperceptible to the human eye. The report describes how, in Open Source projects, developers, using the Coverity software, found and eliminated critical errors leading to program crashes and security defects in the Java language.
Static analysis today saved my code
→ https://youtu.be/TelqURPdQmQ
Posted by: Damien Seguy
Video from the PHP UK Conference 2017. Static analysis tools check the PHP code without running it. Fully automated, they bring in experience to view code, ensure adherence to advanced programming techniques, and maintain code readiness for the next version of PHP. PHP 7 has greatly enhanced the ability to audit code - thanks to AST and return types, you can conduct a deeper analysis and prevent more errors. In this video, the author will review the current state of the static analysis tools, show what they can find, and also demonstrate how to integrate them into the development cycle.
Static code analysis for Python
→ https://youtu.be/mfXIJ-Fu5Fw
Posted by: Andrew Wolfe
Checking the code base to find errors, possible vulnerabilities or defects can take a long time. Static analysis will allow the computer to do it for you. This video describes how to use static code analysis to catch errors in the early stages and improve the quality of the code in Python.
Static analysis supplement using Ablation
→ https://youtu.be/wHIlNRK_HiQ
By Paul Mehta
Conference BH USA 2016. Ablation is an additional static analysis tool created to extract information from the process being performed. This information is then imported into the disassembly environment, where it is used to resolve virtual calls, highlight areas of executable code, and visually distinguish scenarios. The goal of Ablation is to extend static analysis with minimal cost or user involvement. Ablation makes it easy to compare scenarios and highlight different ones. This is achieved by comparing the executable code, and not just data mapping. Also in the video is a comparison of the confusing scenario of the fall and the original script.
Conclusion
Perhaps in some videos the subject of static analysis will overlap, but each code base is unique and the experience of one developer may differ from the experience of another. The authors convey their knowledge of the methodology and experience of using static analysis tools to the listeners so that they in turn do not make the same mistakes, wasting their nerves and time for finding and correcting them. The field of static analysis is actively developing, inevitably some rules become obsolete and new diagnostics and standards appear. Therefore, it makes no sense to try to compare analyzers on the basis of lists of detectable defects or on synthetic tests. The only way to compare tools is to run them on your code and see which of the analyzers best meets your needs and expectations.
Other materials
You can send links to videos about static code analysis that you found interesting, and we will add them to the end of this article.
If you want to share this article with an English-speaking audience, then please use the link to the translation: Ekaterina Milovidova. Videos about static code analysis
Read the article and have a question?
Often our articles are asked the same questions. We collected answers to them here: Answers to questions from readers of articles about PVS-Studio, version 2015 . Please review the list.
Source: https://habr.com/ru/post/327388/
All Articles