SonarQube Code Profiling and Static Code Analysis - sonarqube

I need to set up SonarQube for static analysis of my code. There is also a requirement for profiling of the code. I am new to this area and have questions on these.
As I have learned:
SonarQube is a central server that processes full analyses (triggered by the various SonarQube Scanners). Its purpose is to give a 360° vision of the quality of your code base. For this, it analyzes all the source lines of your project on a regular basis.
Code profilers are used by developers to help identify performance problems. Profilers also track things like memory allocations and garbage collection.
In Visual Studio there are two separate functionalities for code profiling (in the Debug section) and code analysis (in the Analyze section).
I think code profiling and static code analysis are different. I might be wrong also. Can anyone please let me know on this?
Can SonarQube be used as a code profiler in parallel with static code analysis?
Any guidance on this is really appreciated.

How do tools like clang-tidy or cppcheck compare to klocwork? [closed]

Is there a fundamental difference between these tools? After all, Klocwork is relatively expensive and the other ones are free. Both do static code analysis according to some rules.
Are there differences in the quality of the rules? Does it only depend on the rules? What is your experience?
You get what you pay for, both in the depth of the checkers, and in defect tracking and false-positive suppression. cppcheck and the Clang static analyzer are worth running, and find a reasonable number of shallow but serious bugs, even in a good codebase. (We run the Clang analyzer first, with the settings file turned to the max with help from https://github.com/jonreid/XcodeWarnings. cppcheck occasionally finds some bugs missed by it, but similar in character.)
 
Klocwork, and its rival Coverity, both find much deeper bugs in C/C++, sometimes breathtaking in their depth of analysis. Coverity, though, has been taken over, and made little progress in its C/C++ checkers in the last decade; but they are still worth running. (Their JVM checkers are not.) I haven’t used Klocwork recently, but they also are no longer independent. (See my Dr Dobbs article for more detail, http://www.drdobbs.com/testing/deploying-static-analysis/240003801)
(pablo285, both Klocwork and Coverity have well-documented APIs to let you write your own checkers.)
LLVM has a tool for static analysis called Clang static analyzer.
Clang static analyzer and cppcheck are open-source (allowing you to write your own checks/modify existing ones) vs. Klocwork being proprietary (it has an API to write your own checks).
As for the quality of the checks - you'll have to try for yourself, I'm trying to base this answer on facts, not opinions. Nothing prevents you from using more than one static analysis tool though.
Clang-tidy is a little different: it calls itself a "linter" tool, and while it can be used for static analysis it also provides automated fixes for some of the defects it can find. Internally clang-tidy uses an abstract syntax tree to represent your code. In order to build this AST the code has to be compilable by clang, which can be a (possibly major) drawback in some codebases.
For a list of clang-tidy checks that provide automated fixes see this answer.
I believe the clang-tidy or cppcheck engine does line-by-line analysis. The Klocwork engine, on the other hand, does interprocedural analysis. Klocwork can detect file-dependent issues as well, which most other tools can't detect. Klocwork is very powerful in finding critical defects like memory leaks, buffer overflows, NULL exceptions, deadlocks, concurrency issues, etc.
We have evaluated multiple static code analysers and ended up with Klocwork.
I will tell you why we have chosen Klocwork over any other SCA tools:
- Number of checkers to detect possible vulnerabilities. Klocwork has more than 1000 checkers to detect coding defects/issues.
- Klocwork can work at the developer desktop, so it makes the code bug-free at the time of development. (It has post check-in capability as well.)
- Klocwork has direct plugins available for Visual Studio, Eclipse, IntelliJ IDEA, Wind River, CCS and Eclipse-based IDEs. Klocwork has its own IDE as well. (If you are using any other IDE than what the Klocwork plugins support, you can use the Klocwork IDE. The Klocwork IDE can work with any editor or IDE you have.)
- Klocwork supports checking almost all industry standards like MISRA, AUTOSAR, CERT, CWE, DISA-STIG, OWASP, etc.
- You can write your own checkers in Klocwork to maintain/check your internal coding guidelines.
- Effectiveness in finding vulnerability issues.
- Reporting and metrics (100+ reporting formats and 400+ metrics).
- Filtering the issues: remove 3rd-party code from the report, create module reports, team reports, etc.
- Fast: though they create an AST based on your native build settings, the Klocwork engine is still fast and effective.
- Automation, automation, automation. Klocwork builds can be automated as it has rich command-line tools. Plus, Klocwork has direct plugins available for Jenkins and TeamCity.
- Simple deployment: client-server architecture.
- Documentation: documentation and demo videos of Klocwork are available online (open). You just open Google and search for "Klocwork C and C++ checker list" and you will get the list of Klocwork checkers with proper explanations.
- Support: the Klocwork support team is very user-friendly.
- Licensing: simple licensing. No hidden charges.
I would say, take up a free evaluation of Klocwork and test it on your project. I am sure you will love it.
Yes, there is a fundamental difference between clang-tidy or cppcheck compared to Klocwork.
The Klocwork wrapper will watch your build and create a build specification file based on your compiler name and build settings, including customized system calls. Using this build spec file, Klocwork does interprocedural analysis and creates an abstract syntax tree in the back end. Then it will try to cover 100% of the code and 100% of the paths. So Klocwork analysis will be more accurate and it can detect the real defects in the code.
Klocwork can detect data flow issues as well.
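The answers above contrast per-function (or "line-by-line") checking with interprocedural, data-flow analysis without showing what the difference looks like in code. The following is an added illustration, not code from the question, any answer, or any of the tools named: two defects whose cause lives in one function and whose symptom lives in another, each beside a hardened form. A checker that reads each function in isolation sees nothing wrong in either half; only following return values and ownership across the call boundary exposes them. All names and values are constructed for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>

// Constructed example: a lookup that returns nullptr for an unknown key.
const char* find_setting(const char* key) {
    if (std::strcmp(key, "timeout") == 0) {
        return "30";
    }
    return nullptr;
}

// Defect 1: a NULL dereference that only exists across a call boundary.
// Read on its own, this function just uses "a pointer some call returned";
// knowing that pointer can be null means following find_setting's return
// paths into this caller, which is what interprocedural analysis does.
std::size_t setting_length_unchecked(const char* key) {
    const char* v = find_setting(key);
    return std::strlen(v);              // crashes when key is unknown
}

// Hardened form: the nullable result is checked before use.
std::size_t setting_length_checked(const char* key) {
    const char* v = find_setting(key);
    return v ? std::strlen(v) : 0;
}

// Defect 2: a leak that spans two functions. make_buffer hands ownership to
// its caller, and fill_leaky's early return drops it. Neither function looks
// wrong in isolation; the leak is visible only when both are considered.
char* make_buffer(std::size_t n) {
    return new char[n]();
}

bool fill_leaky(std::size_t n, bool abort_early) {
    char* buf = make_buffer(n);
    if (abort_early) return false;      // buf is never freed on this path
    buf[0] = 'x';
    delete[] buf;
    return true;
}

// Hardened form: ownership is tied to scope, so every return path frees it.
bool fill_owned(std::size_t n, bool abort_early) {
    std::unique_ptr<char[]> buf(new char[n]());
    if (abort_early) return false;      // buf is released automatically
    buf[0] = 'x';
    return true;
}
```

The hardened forms are the ones a reviewer would ask for regardless of tooling: check nullable results at the call site, and let scope rather than control flow own heap memory. Whether a given tool reports the unchecked versions is a quick way to see how deep its analysis goes.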

intensive computation parts in the sequential code

I have written a sequential implementation of the algorithm. I am going to parallelize it, but I have to determine which parts of the sequential code are worth parallelizing. How can I find these parts? Are there any tools to do it?
You can use a profiler such as VisualVM or JProfiler (paid) to figure out which parts of the code are consuming most of the CPU time.
Although you did not specify your programming language or IDE, I will shoot a guess.
Intel Parallel Studio has great tools on this topic. Also, the Visual Studio IDE has different profiling tools. If you don't want to use any tools, you can profile your functions manually by using the QueryPerformance functions for C/C++.

"JAVA code" performance analysis

We have a struts application and there are concerns regarding its performance. We are using Tomcat6 and Java6 for our application.
Could anyone please suggest an easy-to-use analysis tool to analyze the performance of the Java code? It would really be helpful if we could get a step-by-step method to integrate our application with the analyzer and then get the output in a graphical and data format.
We actually need to know the exact time consumption at the method level so that we can work on that method to increase the performance.
We need it urgently. Please help. Many, many thanks in advance.
There are several profiling tools out there for Java that suit your needs. Just google for "java profiler"...
But you should keep in mind to only improve your performance if you have figured out a problem. To figure out if there is a real performance problem, set up a test environment that mimics the actual production environment (generate data you would expect in a production environment). Then it is possible for you to do some testing and figure out if the response of the app is too slow and therefore unacceptable for an end user. Afterwards do some analytical work, and only do performance improvements if there is a need to.

Static code analysis tools for VB6

Right now we are maintaining an old project written in VB6, and we are planning to implement a continuous integration server for it. We would like to implement some code analysis as well, to track that maintainability is at least not getting worse. Basically there is only one requirement: the tool should be command-line so we can call it from the continuous integration server, and it should work with VB6 projects. I will really appreciate any recommendations regarding tools to try.
Thank you, Maksym
You could look at SourceMonitor as this says that it can produce metrics for VB6, and can be made to work from the command line.
I've only used it for C++ myself.
Have you looked at the recommendations in this question about tools for analysing VB6 source code?
I don't know whether any of these tools can be run from the command-line.
The Code Advisor for Visual Basic 6 is an add-in used to review your code to ensure that it meets predetermined coding standards.
The coding standards are based on best practices developed by Microsoft to produce robust and easy-to-maintain code.
http://www.microsoft.com/en-us/download/details.aspx?id=1222
You can use VBDepend for VB6 and VBA code, a static analysis tool based on CQL. Here is some of its functionality:
Compare builds, 60 code metrics, manage complexity and dependencies.
However VBDepend does not have a rule to check for duplicate/repeated code in the project. This was the most important rule that I was looking for.
Our SD Source Code Search Engine is a tool for lightning-fast search across large code bases.
It works by breaking the text into language atoms, indexing all those atoms, and then executing queries using the indexes to guide the search. The SCSE has a VB6-specific front end (as well as front ends for a wide variety of other languages).
As a side effect of the indexing process, it produces metrics: SLOC, number of comments, Cyclomatic Complexity, Halstead measures, deepest-nested conditionals, etc. These metrics are emitted to an XML file that can be formatted/interrogated any way you like.
The indexing process is a command-line step, so you can integrate it into your scripts.
We also have a clone detector for VB6 that finds exact and near-miss duplicate blocks of code across large systems of source code.

Code Profiling in Visual Studio 2005

I have a Visual Studio 2005 Solution workspace which in turn has 8 projects included in it. I want to profile the complete code (all the projects) and get some measure of the absolute cycles taken by each function to execute, or at least percentage cycle consumption.
I checked out the help for VS 2005, and also the project settings options, but could not find any pointers on how to get the profile info.
Any help regarding this would be beneficial.
-AD.
If your application is not particularly processor intensive, redgate ANTS Profiler is a good choice - the line-by-line stats can come in quite handy, and the whole product is clean and well-designed.
If your app needs a lot of CPU to operate normally, however, most of the .NET profilers on the market won't be able to handle it. The only two that I have ever found that will work for a really heavy-weight application are JetBrains dotTrace and YourKit. The two are very similar, which is not surprising, given that YourKit seems to have been started by a former JetBrains employee. I personally prefer dotTrace, but that may just be because that is what I used first, and there has never been any good reason to switch.
I have tested ANTS, AQTime, DevPartner, GlowCode, Borland OptimizeIt and Intel VTune, and all of them have too much overhead to handle a demanding application. (VTune is a possible exception, but it is so horribly complex to configure and use that I was never able to figure out exactly what it could handle. It is also very expensive.)
I guess the inbuilt profiler of Visual Studio 2005 comes only with the Developer Edition and Team Edition. I have a Professional edition which, it seems, does not have the inbuilt profiler tool.
-AD
I've used both the profiler in Compuware's DevPartner (I like to still call it "TrueTime") and Rational's Quantify. I always liked Quantify better, but as I've moved between companies DevPartner is usually already the "standard".
Both are expensive, but they (seem to) add so much value that any commercial shop should have no problem investing in some seats.
Quantify didn't require special rebuilds of the project, which was GREAT. It also crashed less (that's not saying much; it had its own issues). DevPartner also tends to break as each new version of Visual Studio is released (maybe this is better now?). Buy the yearly maintenance agreement if you go this way.
That said, I've often just written a class that remembers the time at construction and spits out (to a log file) the elapsed time in its destructor. I used QueryPerformanceCounter. I'd stick this class at the top of the function I'd want to time. You could get fancy with making it a macro, use the preprocessor to include this class only under a special build...
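The scoped-timer class this answer describes, and the manual QueryPerformance-based profiling suggested in the "intensive computation parts" question above, are both shown here as an added example; this is not the answerer's own class. It substitutes std::chrono::steady_clock for the Windows-only QueryPerformanceCounter so it builds on any platform, and adds the macro-under-a-special-build idea the answer mentions. The ENABLE_TIMING define, the TIME_SCOPE macro name and the busy-wait workload are all constructed for the example.

```cpp
#include <chrono>
#include <cstdio>

// In a real project this would come from the build (e.g. -DENABLE_TIMING for a
// profiling configuration); defined here so the demo prints something.
#define ENABLE_TIMING

// RAII timer: records the start time at construction and logs the elapsed time
// in its destructor. std::chrono::steady_clock stands in for the Windows-only
// QueryPerformanceCounter so the snippet builds on any platform.
class ScopedTimer {
public:
    // 'sink', if given, receives the elapsed milliseconds so callers can
    // use the measurement programmatically instead of only reading a log.
    explicit ScopedTimer(const char* label, double* sink = nullptr)
        : label_(label), sink_(sink), start_(std::chrono::steady_clock::now()) {}

    ~ScopedTimer() {
        const auto end = std::chrono::steady_clock::now();
        const double ms =
            std::chrono::duration<double, std::milli>(end - start_).count();
        if (sink_) *sink_ = ms;
        std::fprintf(stderr, "[timer] %s: %.3f ms\n", label_, ms);
    }

    ScopedTimer(const ScopedTimer&) = delete;
    ScopedTimer& operator=(const ScopedTimer&) = delete;

private:
    const char* label_;
    double* sink_;
    std::chrono::steady_clock::time_point start_;
};

// Macro form, as the answer suggests: compiles to nothing unless timing is
// enabled, and gives each timer a unique name so several can share a scope.
#define TIMER_CAT_INNER(a, b) a##b
#define TIMER_CAT(a, b) TIMER_CAT_INNER(a, b)
#ifdef ENABLE_TIMING
#define TIME_SCOPE(label) ScopedTimer TIMER_CAT(scoped_timer_, __LINE__)(label)
#else
#define TIME_SCOPE(label) ((void)0)
#endif

// Constructed workload: spin until at least 'ms' milliseconds have passed.
void busy_wait_ms(int ms) {
    const auto until = std::chrono::steady_clock::now() +
                       std::chrono::milliseconds(ms);
    while (std::chrono::steady_clock::now() < until) {
    }
}

// Times the workload and returns the measured milliseconds, which is always
// at least 'ms' because the timer starts before the wait does.
double time_busy_wait_ms(int ms) {
    double elapsed = 0.0;
    {
        ScopedTimer timer("busy_wait", &elapsed);
        busy_wait_ms(ms);
    }
    return elapsed;
}

int main() {
    TIME_SCOPE("main");
    std::printf("measured %.3f ms\n", time_busy_wait_ms(5));
    return 0;
}
```

The timer is non-copyable so it cannot be accidentally duplicated and report twice, and the measurement is taken with a monotonic clock, which matters because a wall clock can jump backwards and produce negative or nonsensical intervals. Keeping the macro a no-op outside the timing build means the instrumentation costs nothing in release binaries.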
I recommend the EQATEC profiler, which also includes a tracer on its site.
Also it's free and easy to use.
We use DevPartner with Visual Studio 2005. It gives you performance analysis of the specific projects in your solution you want to look at. We also use it for memory management analysis and error analysis. It is a commercial tool, so it's not free.
Red-gate's Profiler is great for this.
I use the JetBrains profiler; it is very easy to use and performs very well too.
If your app needs a lot of CPU to operate normally, however, most of the .NET profilers on the market won't be able to handle it.
I have used a trial version of RedGate's ANTS profiler on an optimizing algorithm that normally uses up to 100% CPU on single-core machines, and though slow it managed to get through and report all I needed to know. Extremely helpful tool. I wonder what kind of algorithms you have run on the ANTS profiler.
Has anyone used the VS profiler?