An Analysis of the Usage and Impact of Static Code Analysis Tools

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Paul-philip Mosulet; [2021]


Abstract: Traditionally, static code analysis tools alert developers to possible defects in the code. In recent years, the tools have improved and can generate suggestions to fix the defects found. However, studies from the last two decades indicate that the fix rate of alerts from static code analysis tools has been relatively constant, which shows that developers ignore many alerts. As such, it is relevant to investigate the impact of the defects in practice. Furthermore, related work has primarily investigated the usage in open-source projects. To further develop static code analysis tools, it is relevant to get insights into the usage and awareness of these tools in an industrial setting. In this thesis, the usage of static code analysis tools at a company is investigated. The research includes a survey to get the developers’ perspectives. Complementary to this, we retrieve and examine data from SonarQube. Furthermore, this study attempts to connect code changes (commits) fixing incidents with their respective ticket reporting the issue. The data from the commits and the software management ticketing system are also analyzed to gain insights from these data sets. The results show that the general usage of static code analysis tools in an industrial setting aligns with open-source projects. Based on the survey, the general use is 82%; the average fix rate of all projects is 10.68%, and the average life span of fixed issues is 109.53 days. The results indicate a trend towards using static code analysis tools earlier in the software development life cycle. This study did not find a connection between the incidents and the commits. However, analysis of the commit data indicates that, on average, 10% of total commit messages contain the keyword “fix”. Further analysis of these commits provides good insights, and the commits can be used as training data in tools using a machine learning approach to generate fix suggestions for defects.
