Why does static code inspection need alarm operations?

This article is shared from the Huawei Cloud Community post "Why does static code inspection need alarm operations?", author: gentle_zhou.

Code inspection (SAST, static application security testing) examines the style, quality and security of source code without running it, in order to find defects and vulnerabilities and to improve the readability, reliability and maintainability of the code. The alarms produced by a scan are the code problems the SAST tool reports (often called findings). An alarm usually carries a level, a type, a description, the reason it was raised, positive and negative code examples, and a repair suggestion.

Why do alarms need to be operated at all? Because the raw alarm count is not a metric that can be compared directly, and it cannot reflect code quality on its own. The number of alarms depends on many factors: different checking tools, and different rule sets and coding standards, produce different types and numbers of results; and beyond the scan configuration, the size, complexity and business logic of the code being scanned also drive how many alarms appear. So in addition to the count, we need to track indicators such as alarm severity, impact scope, processing status, the results of manual screening, and the false-positive rate.

What is alarm operation?

Alarm operation for code inspection is the process of analyzing, handling and reporting on the alarms a scan produces. Its purposes are to aggregate the alarms that have been generated, to get the problems the scan found actually fixed so that projects and business services keep running normally, and to use the accumulated alarm data for analysis across several dimensions as a basis for later improvement, so that the same kinds of defects and vulnerabilities do not recur.

In alarm operations, what do users generally pay attention to?

In alarm operations, users generally pay attention to the following aspects:

  • The number and type of alarms, to understand the overall quality and risk status of the code in the project.
  • The distribution, severity and ownership of alarms within the project, to determine who is responsible for each defect and in what order they should be handled.
  • The reason for each alarm, to find the root cause of the problem and help the team evaluate a fix.
  • The impact of the alarm, to evaluate how far and how seriously the defect affects the project's business.
  • Alarm processing progress and user feedback, to track whether an alarm has actually been handled and to support regular review of users' opinions and suggestions.
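The indicators listed above (count by severity, ownership, processing progress, false-positive rate) are computed from the scan output plus a triage record. The following script is an added example, not code from the original article or from CodeArts Check: it reads a small constructed SARIF 2.1.0 document (the interchange format many SAST tools export; the tool name, rule IDs, file paths and triage states are all invented for the example), assigns owners from a constructed path-prefix map, and derives the indicators. The triage statuses `open`, `fixed`, `false_positive` and `accepted` are an assumed workflow, and the "gate" that blocks on open high-severity alarms is one possible policy, not a CodeArts rule.

```python
"""Derive alarm-operation indicators from a SARIF scan export plus a triage record."""
import json
from collections import Counter

# SARIF result levels mapped to the severity buckets used in the report.
SEVERITY_BY_LEVEL = {"error": "high", "warning": "medium", "note": "low", "none": "info"}

# Constructed ownership map (path prefix -> responsible team); most specific prefix first.
OWNERS = [("src/auth/", "identity-team"), ("src/api/", "api-team")]

# Constructed triage record, keyed by rule@path:line. Anything not listed is still open.
TRIAGE = {
    "XSS-002@src/api/views.py:10": "fixed",
    "SECRET-003@src/auth/test_fixtures.py:3": "false_positive",  # dummy key in a test fixture
    "NULL-005@src/auth/session.py:88": "accepted",              # risk accepted by the owner
}


def _sarif_result(rule_id, level, path, line, text):
    """Build one SARIF 2.1.0 result object (only the fields the report needs)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line}}}],
    }


# Constructed SARIF document standing in for a real tool export (not CodeArts output).
SCAN_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            _sarif_result("SQLI-001", "error", "src/api/orders.py", 42, "SQL built from request data"),
            _sarif_result("XSS-002", "error", "src/api/views.py", 10, "unescaped output"),
            _sarif_result("SECRET-003", "error", "src/auth/test_fixtures.py", 3, "hardcoded key"),
            _sarif_result("STYLE-010", "note", "src/util/fmt.py", 7, "line too long"),
            _sarif_result("NULL-005", "warning", "src/auth/session.py", 88, "possible null deref"),
            _sarif_result("XSS-002", "warning", "src/api/views.py", 55, "unescaped output"),
        ],
    }],
}


def owner_for(path):
    """Resolve the responsible team for a file path; unmatched paths are unassigned."""
    for prefix, team in OWNERS:
        if path.startswith(prefix):
            return team
    return "unassigned"


def finding_key(rule_id, path, line):
    """Stable identity for an alarm so triage decisions survive re-scans."""
    return f"{rule_id}@{path}:{line}"


def load_findings(sarif):
    """Flatten SARIF runs/results into plain finding records with severity and owner."""
    findings = []
    for run in sarif["runs"]:
        for result in run.get("results", []):
            loc = result["locations"][0]["physicalLocation"]
            path = loc["artifactLocation"]["uri"]
            line = loc.get("region", {}).get("startLine", 0)
            level = result.get("level", "warning")  # SARIF default when level is absent
            findings.append({
                "key": finding_key(result["ruleId"], path, line),
                "rule": result["ruleId"],
                "severity": SEVERITY_BY_LEVEL.get(level, "medium"),
                "path": path,
                "line": line,
                "owner": owner_for(path),
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def summarize(findings, triage):
    """Compute the alarm-operation indicators from findings and their triage status."""
    status_of = lambda f: triage.get(f["key"], "open")
    total = len(findings)
    by_status = Counter(status_of(f) for f in findings)
    screened = total - by_status["open"]  # alarms a human has already looked at
    open_findings = [f for f in findings if status_of(f) == "open"]
    return {
        "total": total,
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "by_status": dict(by_status),
        "open_by_owner": dict(Counter(f["owner"] for f in open_findings)),
        "open_high": sum(1 for f in open_findings if f["severity"] == "high"),
        # false-positive rate over screened alarms, not over the raw count
        "false_positive_rate": by_status["false_positive"] / screened if screened else 0.0,
        "processing_rate": screened / total if total else 1.0,
    }


def gate(summary, max_open_high=0):
    """Example policy: the build passes only if open high-severity alarms are within budget."""
    return summary["open_high"] <= max_open_high


if __name__ == "__main__":
    report = summarize(load_findings(SCAN_SARIF), TRIAGE)
    print(json.dumps(report, indent=2))
    print("gate:", "pass" if gate(report) else "block")
```

The false-positive rate is deliberately computed over screened alarms rather than over the total, because unscreened alarms say nothing yet about rule precision; and the `finding_key` keeps a triage decision attached to an alarm across scans as long as the rule, file and line are unchanged.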

What types of users generally focus on alarm operations?

The users who pay attention to alarm operations include the following types:

  • Code developers, who have to check and repair the code they write. They naturally care about the number, type, severity, owner and cause of the alarms.
  • Code reviewers, usually in the committer role, who review the code the team writes and are responsible for the standardization and consistency of the team's output. For them the number, type, severity, owner, cause, impact and processing progress of the alarms all need close attention.
  • Project managers, who manage a team, a business line or even the whole company. They need to monitor and manage the overall status of projects large and small at different levels, so they focus on the number, distribution, impact and processing progress of alarms, and on user feedback.

What are the benefits to users of paying attention to these indicators?

Paying attention to these alarm indicators helps users discover and repair code defects promptly, understand and optimize the performance and efficiency of the project's code, learn and improve coding standards and techniques, and build up the project's monitoring and management system. The result is that the quality, security, readability, maintainability, controllability, trustworthiness, functional availability and stability of the project's code improve in a measurable and controlled way.

How do users obtain the data they care about?

Users who pay attention to alarm operations choose alarm analysis and monitoring tools according to their roles, responsibilities and the dimensions they care about.

Code developers and reviewers are directly responsible for project development and bear the most direct responsibility for code quality, so getting first-hand alarm information quickly and in detail is their core concern. A code inspection service that provides detailed alarm information and defect reports is therefore essential for the development team.

Project managers look at the overall health of the project from a higher level and are less concerned with individual details; what they need is a clear, high-level presentation of each alarm-operation indicator for the project. The code inspection service itself concentrates on task-level alarm detail, so alarm operations at the project, product-line and company levels need a dedicated alarm-operation dashboard to carry them.

Let's look at the alarm operation information built into Huawei Cloud CodeArts Check itself.

Alarm operation overview:

[screenshot not included in this extract]

Export of task alarm details:

[two screenshots not included in this extract]

Code issues tab (supports generating a defect report):

[screenshot not included in this extract]


Origin my.oschina.net/u/4526289/blog/10142930