Static Code Analysis in Continuous Integration and Continuous Delivery (CI/CD)

在过去的20年中，移动，智能设备，物联网和云等技术的进步导致创建了数百万个新应用程序。为了更快地使用质量和可预测性开发应用程序，公司正在不断发展其软件开发流程。在2000年代初期，“轻量级”敏捷软件开发开始越来越受欢迎。敏捷是一个迭代软件开发过程，它将重要性放在协作，持续计划和持续测试中。

Continuous integration and delivery (CI/CD) is an extension of agile that is mainly focused on the tools and processes needed to integrate code and automate testing and software delivery. CI/CD is gaining popularity as it enables faster application development and delivery.

什么是连续集成（CI）？

Continuous integration is a development practice where developers integrate their code into a shared mainline several times a day. There are several advantages to developing and integrating code in small increments. Since each code increment has not diverged much from the mainline, the merges are quick, less error-prone, and finding defects is much easier. In a CI workflow, developers first locally test their new or modified code (step 1 in the above diagram), then integrate the code into the mainline (step 2), and lastly, verify that the CI build (step 3) and automated tests (step 4) have passed successfully. The developers address build or test failures before they move on to their next task.

What Is Continuous Delivery (CD)?

Once the CI build and the automated tests complete successfully, the team can decide to automatically release the software into production. This practice of automating the entire release process is called continuous delivery (step 5 in the above diagram). CI is a prerequisite to implementing CD, but based on business needs, teams may decide not to implement CD.

CI/CD的好处

下面是关键的好处dopting CI or CI/CD:

1. 降低风险- 以少量增量开发和交付可降低项目风险。
2. Better Communication- 所有代码更改均在代码的主线上进行，促进代码共享和协作。
3. Fast and Cost Effective– Smaller increments reduce the time and effort required to merge code and defects are easier to detect and fix.
4. Increased Productivity– Processes are fully automated, eliminating time-consuming and error-prone manual activities such as manual testing.
5. 更高的一致性和质量- 自动测试提供了更大的可预测性，可重复性和可靠的输出。

Why Is Static Code Analysis Essential for CI?

Static code analysistools find code defects by examining the code without executing the program. As such, static code analysis has become an essential part of CI because:

1. It is very efficient in identifying hundreds of types of defects such as concurrency, data flow, dynamic memory, and numerical defects.
2. It finds defects early in the development cycle, that is, as soon as code is written or modified.
3. 它验证了遵守Misra C等编码标准^®, MISRA C++, JSF++, and custom naming conventions.
4. 它找到了安全漏洞和使用安全标准（例如证书）的依从性的检查^®C, CERT C++, ISO 17961, and MISRA C:2012 Amendment 1.
5. By using formal methods, it can prove the absence of overflow, divide-by-zero, out-of-bounds array access, and other run-time errors.

Polyspace^®static code analysis products are designed to work in CI and can be easily automated using CI tools such as Jenkins™ and Bamboo.

PolySpace Code Prover™使用正式方法来证明在所有可能的控制流和数据流下都没有关键运行时错误。代码证明可以与CI构建测试（上述CI工作流程图中的步骤4）集成，以测试软件的稳健性。

polyspace错误查找器™ checks for coding rule violations, security vulnerabilities, hundreds of additional classes of bugs, and computes code metrics. Developers can use Polyspace Bug Finder to find defects and check adherence to coding standards before submitting their code (i.e., step 1 in the above CI workflow diagram). Polyspace Bug Finder can also be integrated with CI build testing (step 4 in the above diagram) to analyze the entire application.

For more information on Polyspace products and how to integrate them in CI, please visit:

• PolyspaceCode Prover
• polyspace错误查找器