In this blog post, we will talk a bit about traditional static analysis - what it is, what it’s used for, and where our vulnerable methods analysis fits in amongst the other kinds of static analysis.
Wikipedia tells us:
Static program analysis is the analysis of computer software that is performed without actually executing programs
Why wouldn’t we want to execute a program in order to analyze it? The main reason is that we gain stronger guarantees that our analyses will terminate (modulo bugs in the analysis itself). Testing a program by executing it can only ever reveal the presence of bugs on the paths that are exercised during that execution; static analysis, on the other hand, can reason about all possible paths in the program.
A static analysis tells us about the possible runtime behavior of programs. What it computes is essentially an approximation – it cannot have knowledge of the exact inputs a program receives at runtime, for example, so it can only operate based on abstractions of them. This may lead to false positives or false negatives, depending on how conservative or permissive an analysis is. Advancing the accuracy of current analysis techniques is an active area of research.
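To make "approximation" concrete, here is a tiny sign analysis, added for this post and not part of SourceClear's own tooling: it abstracts every integer to the set of signs it might have and reports any division whose divisor may be zero, without ever running the program. The tuple-based expression format, the `abs` operator and the sample program are constructed for the example.

```python
# Sign abstract domain: each value is abstracted to the set of signs it may have.
NEG, ZERO, POS = "-", "0", "+"
ANY = frozenset({NEG, ZERO, POS})  # nothing known, e.g. a runtime input

def _add(a, b):  # sign rule for a + b
    if a == ZERO or b == ZERO:
        return frozenset({a if b == ZERO else b})
    return frozenset({a}) if a == b else ANY  # (+) + (-) can be anything

def _mul(a, b):  # sign rule for a * b
    if ZERO in (a, b):
        return frozenset({ZERO})
    return frozenset({POS}) if a == b else frozenset({NEG})

def abstract_eval(expr, env, warnings):
    # Evaluate an expression tuple over sign sets instead of integers.
    kind = expr[0]
    if kind == "const":
        return frozenset({POS if expr[1] > 0 else NEG if expr[1] < 0 else ZERO})
    if kind == "var":
        return env[expr[1]]
    if kind == "abs":
        return frozenset({ZERO if s == ZERO else POS for s in abstract_eval(expr[1], env, warnings)})
    left = abstract_eval(expr[1], env, warnings)
    right = abstract_eval(expr[2], env, warnings)
    if kind in ("add", "mul"):  # apply the rule to every combination of possible signs
        rule = _add if kind == "add" else _mul
        return frozenset().union(*(rule(a, b) for a in left for b in right))
    if kind == "div":
        if ZERO in right:  # the divisor *may* be zero: report it
            warnings.append(f"possible division by zero in {expr}")
        return ANY  # over-approximate the quotient's sign
    raise ValueError(f"unknown expression kind {kind!r}")

def analyse(program, inputs):
    """Run the assignments on abstract values; the program itself is never executed."""
    env = {v: ANY for v in inputs}
    warnings = []
    for var, expr in program:
        env[var] = abstract_eval(expr, env, warnings)
    return env, warnings

# Constructed sample program; x is a runtime input, so the analysis knows nothing about it.
X = ("var", "x")
PROGRAM = [
    ("safe",  ("add", ("abs", X), ("const", 1))),       # |x| + 1 >= 1
    ("risky", ("add", X, ("const", 1))),                # x + 1 == 0 when x == -1
    ("fp",    ("add", ("mul", X, X), ("const", 1))),    # x*x + 1 >= 1 as well
    ("a", ("div", ("const", 1), ("var", "safe"))),      # not reported: true negative
    ("b", ("div", ("const", 1), ("var", "risky"))),     # reported: true positive
    ("c", ("div", ("const", 1), ("var", "fp"))),        # reported: false positive
]
```

Because the sign domain does not remember that both operands of `x*x` are the same variable, it cannot prove `x*x + 1` is nonzero, so that division is a false positive, while `|x| + 1` is accepted and `x + 1` is a genuine finding.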
Static analyses are usually found in compilers, IDEs, linters, and standalone agents (like SourceClear’s CI agent) that run as part of a continuous integration pipeline. They detect errors, discover properties about programs, and help us write better programs in general.