Static code analysis: Benefits, and how to use it in Studio

Introduction

In this article, we will have a quick overview of what static code analysis is and why it is beneficial to use it in general, and with regards to ObjectScript in particular.

We will introduce CachéQuality, and how to use it in what is currently the main development environment for ObjectScript developers, that is Studio.

Static code analysis in a nutshell

Static code analysis parses source files directly, without compiling or running the code, and finds potential defects. The types of defects are very diverse. They range from, say, enforcing coding guidelines up to spotting language constructs which may not do what the user expects, potential security issues and so on.

It is particularly useful for a project in which many people participate (you want to maintain some level of cohesiveness in your source code), all the more so with languages such as ObjectScript whose history has made it possible that those two snippets do the same:

    // This...
    if x = 1 {
        write x
    }
    // does the same as this
    w:x=1 x

Typically, you can use static code analysis to warn users to "please use the first form".

Using CachéQuality in Studio

In order to use CachéQuality in Studio, you will need to download the "CachéQuality for Studio" package here. Please see here for installation.

Once installed, any file(s) that you compile will run through CachéQuality and the issues spotted will appear in the status screen.

Now, create a class named, say, Sketchy.Code and fill in this code:

Class Sketchy.Code
{
ClassMethod foo(x) as %Integer
{
	set x = x + 1  w x
    quit
}
}

If you then compile the code, this will appear in the compilation window:

-------------  SonarLint  -------------

    6 major
       2 Undocumented class/method
Sketchy.Code.cls(+1): Class Sketchy.Code Extends %RegisteredObject
Sketchy.Code.cls(+4): ClassMethod foo(x)
       1 Usage of QUIT to exit a method
Sketchy.Code.cls(+7): 	quit
       1 Method argument with no type
Sketchy.Code.cls(+4): ClassMethod foo(x)
       1 Reassignment to a method argument passed by value
Sketchy.Code.cls(+4): ClassMethod foo(x)
       1 Several statements on a single line
Sketchy.Code.cls(+6): 	set x = x + 1  w x

-------------------------------------------

Here, six issues have been detected, as you can see:

  • neither the class nor the method are documented;
  • a QUIT command is used to exit the method instead of the more modern RETURN;
  • the x argument of the foo method has no declared type;
  • the x argument is reassigned in the method even though it is passed by value (no Output or ByRef keyword);
  • finally, line 6 contains two statements on a single line.

Other remarks:

  • issues are treated by severity; in this example, all six are deemed major, which is the third level out of five. From the highest to the lowest, we have: blocker, critical, major, minor, info;
  • all issues are located in the file by line number, and the corresponding line is also displayed.

So, what's missing here?

Well, there are several things, which is why, in the next installment, we shall use CachéQuality within SonarQube. Here is a quick overview of what SonarQube allows you to do which SonarLint doesn't.

More details on each issue

In SonarLint, you only see a general text about the issue. In SonarQube, the issue is explained with more details.

For instance, the message associated with the "Usage of QUIT to exit a method" issue is this:

This QUIT invocation exits the current method; consider using RETURN instead

Similarly, many messages mention the actual name of implied variables, methods, etc, which you cannot see in SonarLint messages.

Source code highlighting

SonarQube allows you to see the whole code and highlights the line where the issue is; this is not the case with SonarLint, where you need to go back and forth between the code window and compilation window to locate the issues.

Issues filtering

CachéQuality is, at the start, a SonarQube plugin, and it not only allows you to filter the issues, but also create profiles (which issues you want to raise, which you don't; the severity, etc). You cannot do this with SonarLint.

And more...

Stay tuned for the next installment!