Fog Creek Software
Discussion Board




Tools for Code Auditing

Code Auditing takes place when code is critically examined by someone other than its author to check that it conforms to standards announced and agreed in advance.

Automatic code auditing takes place when that examination is carried out by a suitable program.

I raise this topic to discover what expectations other people have about such automatic code auditing.

Have you tried it? 
Which tools did you use?
How successful were you?
How did you assess your success?

How much did you benefit?
How could you have benefited more with better tools?

Keith Paton
Thursday, December 27, 2001

If you want examples of how a project actually _does_ an audit, I'd suggest lurking on some OpenBSD mailing lists. Not sure about tools or books.

Alex Russell
Monday, December 31, 2001


I don't know, I just cannot trust in automatic code auditing. Perhaps you can use it to check some less useful practices, like variable name compliance, indenting, comments, etc.

I believe the best code auditing is periodic code reviews with peers. Sure, this can be a time consuming process, but like any other process it should be considered in the schedule for the current project.

Leonardo Herrera
Tuesday, January 01, 2002

In reply to:

Have you tried it?
Which tools did you use?
How successful were you?
How did you assess your success?

How much did you benefit?
How could you have benefited more with better tools?

In the VB context, I have used Project Analyzer ( http://www.aivosto.com/vbcatalog.html ). All in all an excellent tool. I have used it mainly for identifying dead code, but it also has support for checking code against notation standards etc etc.

For me, the main benefit was greater ease of maintenance. Whenever I am given a new app to maintain, I run Project Analyzer through it to remove non-essential code. Less code to understand = get up to speed quicker.

I believe there are other similar tools around as well, but I have only used Project Analyzer...

Matthew Wills
Wednesday, January 02, 2002

The value of automatic code auditing depends on what you use the tools to look for.  If you just look for indentation then you won't get much value.  However ....
How about ...

  memory leaks
  uninitialized variables
  failing to test for null pointers
  breaches of the Scott Meyers' rules for C++

All of these defects can cause show stopping crashes.
All of them can be found by automatic code auditing tools that I use regularly for my customers.

My take:
There are two main types of code fault:
mismatch: the code does not do what the requirements call for.
misuse: the developer misuses the language.

Automatic tools find misuse and do it very cheaply.
Only manual review can find mismatch, but it is expensive.

I shall be glad to supply more details of the misuse faults found by automatic tools.

Keith Paton
Thursday, January 03, 2002
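As an added illustration of the "misuse" checks Keith lists above (uninitialized variables, failing to test for null pointers, memory leaks), here is a toy audit script in Python. It is not code from the post or from any of the tools mentioned; the C sample it scans is constructed for the example, and its regular-expression heuristics stand in for the parser and data-flow analysis a real tool would use. It shows the shape of automatic auditing: a fixed rule set applied mechanically, cheaply, to every function.

```python
"""Toy automatic code audit for three 'misuse' defect classes in C source.
Constructed example, not a real tool: the checks are simple per-function
pattern matches, intended only to show how such a tool reasons."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line in the audited source
    kind: str       # "uninitialized", "null-deref" or "leak"
    message: str


# Local scalar/pointer declared with no initializer: "int n;" or "char *s;"
DECL_RE = re.compile(
    r'^\s*(?:unsigned\s+|const\s+)?(?:int|char|long|short|double|float|size_t)\s*\**\s*(\w+)\s*;')
# Plain assignment to a name: "n = 5;" (a single '=', not '==')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=[^=]')
# Pointer obtained from malloc/calloc, with or without a declaration and a cast
ALLOC_RE = re.compile(
    r'^\s*(?:(?:\w+\s+)+\**\s*)?(\w+)\s*=\s*(?:\([^)]*\)\s*)?(?:malloc|calloc)\(')
FREE_RE = re.compile(r'\bfree\(\s*(\w+)\s*\)')
RETURN_RE = re.compile(r'\breturn\s+(\w+)\s*;')
# Accepts if (p) / if (!p) / if (p == NULL) / if (p != NULL) / if (NULL == p)
NULL_CHECK_RE = re.compile(
    r'\bif\s*\(\s*(?:!\s*)?(?:NULL\s*[!=]=\s*)?(\w+)\s*(?:[!=]=\s*NULL)?\s*\)')
FUNC_END_RE = re.compile(r'^\}')   # closing brace in column 0 ends a function


def _deref(name: str, line: str) -> bool:
    """True if `name` is dereferenced on this line: *name, name-> or name[...]."""
    return re.search(rf'(?:\*\s*{name}\b|\b{name}\s*->|\b{name}\s*\[)', line) is not None


def audit(source: str) -> list[Finding]:
    findings: list[Finding] = []
    uninit: set[str] = set()          # declared locals not yet assigned
    unchecked: set[str] = set()       # malloc results not yet compared against NULL
    allocated: dict[str, int] = {}    # malloc'd name -> line of the allocation
    released: set[str] = set()        # freed, or returned to the caller

    for lineno, line in enumerate(source.splitlines(), start=1):
        if FUNC_END_RE.match(line):
            # Leak rule: anything allocated in this function and neither freed nor returned
            for name, at in allocated.items():
                if name not in released:
                    findings.append(Finding(at, "leak", f"'{name}' allocated here is never freed or returned"))
            uninit.clear(); unchecked.clear(); allocated.clear(); released.clear()
            continue

        m = ASSIGN_RE.match(line)
        target = m.group(1) if m else None

        # Use-before-assignment rule: any mention of an unassigned local other than as
        # the assignment target or via '&name' (taking its address counts as initialising)
        for name in sorted(uninit):
            if name == target or f'&{name}' in line:
                uninit.discard(name)
            elif re.search(rf'\b{name}\b', line):
                findings.append(Finding(lineno, "uninitialized", f"'{name}' read before it is assigned"))
                uninit.discard(name)

        m = DECL_RE.match(line)
        if m:
            uninit.add(m.group(1))
            continue

        m = ALLOC_RE.match(line)
        if m:
            name = m.group(1)
            allocated[name] = lineno
            unchecked.add(name)
            released.discard(name)
            continue

        m = NULL_CHECK_RE.search(line)
        if m:
            unchecked.discard(m.group(1))
        for m in FREE_RE.finditer(line):
            released.add(m.group(1))
        m = RETURN_RE.search(line)
        if m:
            released.add(m.group(1))   # ownership passed to the caller: not a leak

        # Null-deref rule: malloc result used as a pointer before any NULL test
        for name in sorted(unchecked):
            if _deref(name, line):
                findings.append(Finding(lineno, "null-deref", f"'{name}' dereferenced without a NULL check"))
                unchecked.discard(name)

    return findings


# Constructed C sample: read_record() has a null-deref and an uninitialized read,
# parse() checks its pointer but leaks it.
SAMPLE_C = """\
char *read_record(size_t n)
{
    int count;
    char *buf = malloc(n);
    buf[0] = 0;
    printf("%d", count);
    count = 1;
    return buf;
}

int parse(const char *text)
{
    int *slots = (int *)malloc(8 * sizeof(int));
    if (slots == NULL)
        return -1;
    slots[0] = 0;
    return text[0] - '0';
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_C):
        print(f"line {f.line}: [{f.kind}] {f.message}")
```

Running it reports the three defects the comments in the sample describe (lines 5, 6 and 13). The same rules also accept the corrected forms: a pointer freed or returned is not a leak, and an `if (!p)` or `if (p == NULL)` test clears the null-deref rule. A real tool differs in the quality of its analysis, not in the idea: these regexes miss assignments inside branches, pointers handed to a function that frees them, and anything spread over several lines, which is exactly where a parser-based checker earns its keep and where the remaining false positives have to be triaged by a person.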
