10 indicators you need to pay attention to when operating code inspection rules

This article is shared from the Huawei Cloud Community article "What indicators do code inspection rules generally focus on?", author: gentle_zhou.

In the measurement operation dashboard of the code inspection service, in addition to the alarm operation module discussed earlier (for its indicators, see the article "What indicators do code inspection alarm operations generally focus on?"), one module that will definitely exist is rule operation. This module focuses on the analysis, processing and reporting of code inspection rules, and lets team project managers monitor and manage the overall status of the rules. For details, see my previous article "Why does code static inspection need rule operations?".

Today we will go into more detail: in the rule operation module of the dashboard, which indicators do users generally pay attention to? They can be roughly divided into data in the dimension of the rule itself (rule name, rule version, rule content, related languages, related tools and categories, alarm category, scope of application) and data in the rule association dimension (information about the person responsible for maintaining the rule, the references associated with the rule, and the rule sets associated with the rule).

The dimension of the rule itself

Rule name

The name of the rule lets users roughly understand its meaning and function, making the rule easier to identify and manage. As one of the most basic indicators in rule operations, it lets users quickly understand and identify which rules exist across the company, business lines and departments, and which rules different departments prefer to use.

Take the Huawei Cloud CodeArts Check code inspection service as an example: its rule names are designed for clarity and simplicity.

Rule version

As rules evolve, there will inevitably be multiple versions, including major versions (iterated perhaps once a year or every half year) and minor versions (irregular small optimizations and improvements). A version is generally represented by a version number, and the version number usually also carries a date (creation time, modification time, release time, etc.) to reflect when the rule was updated.

The rule operation module of the code inspection service's operation dashboard must record the rule version. Rule version indicators not only help users distinguish rules in different versions, but also help managers understand how rules evolve, evaluate the impact of each version on the business, trace the history of rule optimization, and judge the stability of rules.

Rule content

If the rule name helps users roughly understand the meaning of the rule, the rule content lets users understand clearly what the rule is, its background, where it can be used, correct and incorrect examples of the rule, and which standards it references.

The rule content is therefore a very important indicator: it helps users understand the rule and master its checking methods and standards. Whether a rule has complete, detailed and accurate content is what operation dashboard users care about.

Taking the Huawei Cloud CodeArts Check code inspection service as an example, the rule overview is divided into a description, a correct example, an incorrect example and a repair suggestion, followed by a detailed introduction of the rule content.

Related languages

Rule developers design and develop rules adapted to specific programming languages and their characteristics. A mature and complete code inspection service should in particular cover rules for the mainstream languages, such as Java, C, C++ and Python.

In the operation dashboard, classifying rules by language improves their readability and maintainability: users can filter by language for rules that fit the characteristics of the project and the language habits of its developers, select engine tools that match those rules, and scan business projects in a more targeted way.

Related tools and categories

For rules to operate in a code inspection service, they need supporting engine tools to execute them in addition to the rules themselves. Which engines execute the rules, and whether those engines are self-developed, open source or commercial, are all of concern to rule users. A common scenario: a batch of rules has been recognized by departments and experts, but in actual application the results differ greatly; one possible reason is that the engines supporting the rules differ. Where an engine is effective and implements the rule faithfully, the inspection and scanning results are good; if the matching engine's efficiency and performance are merely average, the scanning effect may be greatly reduced.

Taking the Huawei Cloud CodeArts Check code inspection service as an example, different rules correspond to different engine tools, which are shown in the label on the rule details page.

Alarm category

As I said in the article "Why does code static inspection need rule operations?", rules are similar to legal provisions, so does a violated rule belong to the civil, traffic or criminal category? The alarm category is what displays this.

Generally speaking, alarm categories are divided into three major categories for display: security, quality and style (of course, quality and style can also be displayed together). If the company's quality department feels that three categories are too coarse-grained, they can be subdivided further.

Take the classification of the Huawei Cloud CodeArts Check code inspection service as an example (the "security enhancement feature package" in the classification column is an extension of the security category and provides deeper scanning for some security problem scenarios).

Scope of application

To discuss the scope of application, we must first briefly introduce how the code inspection tool is used. In addition to the common cloud service, there is access-control-level scanning provided by the code repository, version-level scanning provided by or manually triggered from the pipeline, and IDE plug-in scanning for developers writing code in their local IDE, which is also crucial. Let us call these three usage methods version level, access control level and IDE plug-in level. These three methods can be said to be the scope of application of the service.

Rules also have a scope of application. It is determined by the characteristics of the rule itself: whether compilation is required, whether the supporting engine scan needs a large amount of computing resources, whether taint analysis is required, and so on. Rules that consume few computing resources and do not require compilation can be selected for the IDE plug-in scanning scope. In the rule operation module of the operation dashboard, classifying rules by scope of application lets users know which rules can be selected in each scope.

Rule association dimensions

Maintenance responsible person information associated with rules

Rules are continuously updated and optimized as the business develops and the industry's awareness of vulnerabilities changes. Therefore a dedicated maintenance department and a person responsible for maintenance are needed to bring rules online and offline and to modify, release and manage them.

Generally speaking, there are two reasons for displaying the maintainer information associated with the rules in the operation dashboard:

  • Whoever designs and develops a rule should generally maintain it afterwards; displaying the maintainer's information in the dashboard makes it easier for users to understand the source and background of the rule and improves its credibility and authority.
  • Users can quickly contact the responsible person when they find rule-related issues or have suggestions in the dashboard, reducing the communication cost between users and developers.

References associated with rules

Once a rule is developed, as long as it is reasonable and effective, it will be adopted by different product lines, departments and projects within the company. In theory, the more references it has, the more universally adaptable, effective and influential the rule is.

Generally speaking, there are three reasons for displaying reference information associated with rules in the operation dashboard:

  • It helps users and potential users of a rule understand its applicable scenarios and intended objects, supports them in choosing appropriate rules, and improves the effect of code inspection.
  • It gives the person responsible for maintaining a rule a way to see the scope in which the rule they developed is applied and to compare it with the effect they expected; at the same time, they can discover problems and deficiencies in the rule in good time through communication and feedback with stakeholders in the departments that use it.
  • It makes it convenient for managers and supervisors of the code inspection service to understand the value and influence of rules and to compare and evaluate the differences between rules.

The rule set associated with the rule

When users of the code inspection service use rules, they do not directly select individual rules for scanning. Instead, they select a number of rules and merge them into a set based on their business characteristics and the code specifications, security standards or quality requirements they need to follow. This set is generally called a rule set, and it makes it convenient for users to manage additions, deletions and queries.

Displaying in the operation dashboard which rule sets use a rule helps users understand:

  • The source and basis of the rule: users of the rule can understand why this rule appears in their department and project, which rule set it comes from, and whether it is appropriate for the current project to reference it.
  • The attribution and classification of the rule: the person responsible for maintaining the rule can see which rule sets collect it, whether that usage is consistent with the original intention, and whether the rule can be supplemented and optimized for that scenario.
  • The distribution and coverage of the rule: managers and supervisors of the code inspection service can evaluate the value and influence of the rule, and compare and evaluate its effectiveness and credibility across different rule sets.

By extension, when the company's business volume is large and the number of projects grows, the number of rule sets will inevitably grow uncontrollably, so blindly displaying every rule set that adopts a rule is not a good approach. We can instead choose some typical rule sets recognized by everyone to evaluate against, such as whether the rule is adopted by the company-level rule set: when a rule's influence and effect are recognized by the entire company, it will certainly be included in the company-level rule set. Therefore, instead of displaying all adopting rule sets, we can show whether this rule has been adopted by the company-level rule set. This may be more acceptable to users and motivate those responsible for rule maintenance to improve.
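As an added example (not code from the original article or from CodeArts Check), the following Python script builds the rule operation rows discussed in both dimensions above: the rule's own metadata, its derived scope of application, the rule sets that contain it, the number of projects that reference it through those rule sets, and the single company-level adoption flag suggested in the previous paragraph. The schema, the scope names, the eligibility policy for the IDE plug-in, and every rule, rule set and project value are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Metadata a rule operation dashboard shows for one rule (assumed schema)."""
    rule_id: str
    name: str
    version: str                  # version number carrying a date suffix
    language: str
    engine: str                   # supporting engine tool that executes the rule
    category: str                 # alarm category: "security", "quality" or "style"
    maintainer: str               # person responsible for maintaining the rule
    requires_compilation: bool
    requires_taint_analysis: bool


@dataclass(frozen=True)
class RuleSet:
    name: str
    level: str                    # "company", "department" or "project"
    rule_ids: frozenset


# Constructed sample data; identifiers and values are illustrative only.
RULES = {
    "R001": Rule("R001", "Hard-coded credential", "2.1.0-20231201", "Java",
                 "taint-engine", "security", "alice",
                 requires_compilation=True, requires_taint_analysis=True),
    "R002": Rule("R002", "Unused local variable", "1.3.0-20230615", "Java",
                 "ast-engine", "quality", "bob",
                 requires_compilation=False, requires_taint_analysis=False),
    "R003": Rule("R003", "Line longer than 120 characters", "1.0.2-20230102",
                 "Python", "style-engine", "style", "carol",
                 requires_compilation=False, requires_taint_analysis=False),
}

RULE_SETS = [
    RuleSet("company-baseline", "company", frozenset({"R001", "R002"})),
    RuleSet("dept-python-style", "department", frozenset({"R003"})),
    RuleSet("proj-legacy-tool", "project", frozenset({"R002", "R003"})),
]

# Which rule sets each project scans with (constructed).
PROJECT_RULE_SETS = {
    "payment-service": ["company-baseline"],
    "data-pipeline": ["company-baseline", "dept-python-style"],
    "legacy-tool": ["proj-legacy-tool"],
}


def applicable_scopes(rule):
    """Scope of application derived from the rule's own characteristics.

    Assumed policy: version-level and access-control-level scans run in the
    service and can afford compilation and taint analysis; the IDE plug-in
    only gets rules that need neither.
    """
    scopes = {"version", "access-control"}
    if not rule.requires_compilation and not rule.requires_taint_analysis:
        scopes.add("ide")
    return sorted(scopes)


def rule_dashboard(rules, rule_sets, project_rule_sets):
    """Build one dashboard row per rule covering both indicator dimensions."""
    sets_by_name = {rs.name: rs for rs in rule_sets}

    # Rule association dimension: which rule sets contain each rule.
    rule_sets_by_rule = defaultdict(set)
    for rs in rule_sets:
        for rid in rs.rule_ids:
            rule_sets_by_rule[rid].add(rs.name)

    # References: distinct projects that reach the rule through any rule set.
    projects_by_rule = defaultdict(set)
    for project, set_names in project_rule_sets.items():
        for set_name in set_names:
            for rid in sets_by_name[set_name].rule_ids:
                projects_by_rule[rid].add(project)

    # The single flag the article suggests instead of listing every rule set.
    company_rule_ids = set()
    for rs in rule_sets:
        if rs.level == "company":
            company_rule_ids |= rs.rule_ids

    rows = {}
    for rid, rule in rules.items():
        rows[rid] = {
            "name": rule.name,
            "version": rule.version,
            "language": rule.language,
            "engine": rule.engine,
            "category": rule.category,
            "maintainer": rule.maintainer,
            "scopes": applicable_scopes(rule),
            "rule_sets": sorted(rule_sets_by_rule[rid]),
            "project_references": len(projects_by_rule[rid]),
            "in_company_rule_set": rid in company_rule_ids,
        }
    return rows


if __name__ == "__main__":
    for rid, row in rule_dashboard(RULES, RULE_SETS, PROJECT_RULE_SETS).items():
        print(rid, row)
```

With the constructed data, R002 is referenced by all three projects and carries the company-level flag, while R003 is referenced by two projects but only through department- and project-level rule sets, which is exactly the distinction the company-level flag is meant to surface without listing every rule set.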

Conclusion

By paying attention to the above indicators, relevant personnel can obtain key data about the rules, helping users understand and evaluate the effectiveness, rationality, maintainability and adaptability of the rules. Users can also avoid unnecessary waste of time and resources, identify unreliable and inconsistent rules from an operation and maintenance perspective, avoid ambiguity and confusion, and improve the execution effect of the rules. Of course, the ultimate goal is to ensure user satisfaction.

 


Origin my.oschina.net/u/4526289/blog/10567880