Spazio IT – Code Quality Platforms
December 2014
© 2014 Spazio IT - Soluzioni Informatiche s.a.s.

Maurizio Martignano
Spazio IT – Soluzioni Informatiche s.a.s.
Via Manzoni 40, 46030 San Giorgio di Mantova, Mantova
http://www.spazioit.com

Agenda
– Code Inspection
– SonarQube
– Spazio IT Quality Platforms
– Quality Platforms – Processes
– Future Activities

Code Inspection

Software Crisis 2.0
Software Crisis (2.0) hasn’t yet disappeared and is here to stay.
– Implemented features not meeting the requirements/expectations
– Missed deadlines
– Cost overruns
The majority of the total cost of software projects is associated with finding and fixing defects.
Defect finding and fixing often occur too late in the life cycle of a project.

No Single Remedy (but…)
No single remedy for the software crisis has been found.
(but) empirical data gathered on several software projects have shown that Code Inspection allows for
– defect prevention
– early defect detection and removal

What to inspect?
Dynamic Analysis
– Coverage (has this piece of code been executed?)
– Testing (did it pass its tests?)
Static Analysis
– Architecture and design
– Coding Rules / Standards
– Duplications
– Complexity
– Readability
– …

Code, Code and Code
Static and dynamic analysis are «standard» activities.
What is «new» is the emphasis on Code.

Code Inspection
Code Inspection is a human activity, but proper tools
– increase efficiency
– reduce risks.
SonarQube

SonarQube – What is it?
SonarQube is an open source Web Application (http://www.sonarqube.org) which
– Takes as input a set of source code files and a set of analysis results (produced by external tools).
– Stores both sources and results in a database.
– Makes the gathered information available via a dynamic website where the results are shown in the context of the code itself.
[Diagram: Source Code Files, Analyses Results, SonarQube Engine, SonarQube Database]

SonarQube – There’s more
Analyses on the same code base can be performed at different moments in time, and SonarQube keeps track of the changes/evolution.
The problems found during analyses (a.k.a. issues) can be managed directly from within the system itself, e.g.
– Identifying false positives
– Assigning issues to developers
– Checking their status (if they have been solved)
– …

SonarQube / Plugins / Sensors
[Diagram: SonarQube with its plugins and the processing steps each plugin runs]
Plugins:
– Plugin-1, e.g. Ada
– Plugin-I, e.g. C/C++
– Plugin-M, e.g. Java
Steps:
– Pre-Processing, e.g. scanning and parsing
– Sensor-1, e.g. CppCheck
– Sensor-J, e.g. PC-Lint
– Sensor-M, e.g. GCOV
– Post-Processing, e.g. CPD, Decorators

Spazio IT – Quality Platforms

AIRBUS Helicopters

Spazio IT – Quality Platforms
Since mid 2012 Spazio IT has been working for AIRBUS Helicopters and has developed an Ada Plugin supporting both the
– Adacore GNAT (http://www.adacore.com)
– Atego APEX Ada (http://www.atego.com)
compilation tool chains.
The Spazio IT platform has been adopted by the group maintaining the software of the NH90 and Tiger helicopters.
http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en

European Space Agency

Spazio IT – Quality Platforms
Since fall 2013 Spazio IT has been working on the C/C++ community Plugin for SonarQube (modifying and extending it) to make it suitable for Independent Validation and Verification activities.
Spazio IT is currently using its C/C++ Plugin for the validation of the IXV On-board Software.
http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en

Processes

Who does what?
All current Integrated Development Environments (IDEs), such as GNAT GPS 2014, Visual Studio 2013 and Eclipse Luna, offer some form of Code Analysis.
The IDEs' analysis tools are to be used by software developers during their everyday work.
SonarQube analyses are more for the «quality people»; they are not supposed to be executed every day, but rather at specific, well-defined moments in the software development life cycle.

When?
SonarQube analyses should be performed after any «significant» delivery in a software development project, e.g. using ECSS 40 terminology, at:
– CDR
– QR
– AR
In maintenance projects SonarQube analyses should be performed after any «significant» new delivery, e.g. supposing a versioning like:
major.minor[.build[.revision]]
After every «minor» delivery.

Future Activities
Quality Methodologies, i.e.
integrating into SonarQube:
– SQUALE – Software QUALity Enhancement (http://www.squale.org - almost there already)
– GQM – Goal, Question, Metric (http://en.wikipedia.org/wiki/GQM)
Analysis Tools, i.e. assessing, and possibly making interoperable with SonarQube, tools like:
– MATLAB Polyspace – Abstract Interpretation (http://www.mathworks.it/products/polyspace/)
– CBMC – Bounded Model Checking (http://www.cprover.org/cbmc)

Current Research

Useful Links
http://ulir.ul.ie/bitstream/handle/10344/2575/Fitzgerald%2cBrian.pdf
http://faculty.salisbury.edu/~xswang/Research/Papers/SERelated/no-silver-bullet.pdf
http://research.ijcaonline.org/volume87/number1/pxc3893251.pdf
http://www.cs.umd.edu/~basili/publications/proceedings/P95.pdf
http://en.wikipedia.org/wiki/GQM
http://www.squale.org
http://www.sonarqube.org
http://www.spazioit.com/pages_en/sol_inf_en/code_quality_en

Thank you for your time!