What Is Static Analysis? (Static code analysis)

Just as a quick review, static code analysis (SCA) is the process of using software tools to analyze source code without needing to compile it. Static code analysis can be used in any language, but some languages make it easier than others. Static code analysis for Apex falls into the second, harder category.

As a quick illustration, static code analysis can provide information that is otherwise hard to obtain with an approved code-generation tool such as ApexSQL Generate or Static Security Checker. For example, static code analysis can inform you of the existence of variables whose names suggest that they could be used in SQL injection attacks (because they contain characters such as ' in them).

Static code analysis can also identify template fragments that could cause code-generation breakage if they are modified. Static code analysis for Apex does not automatically remove these types of problems. Instead, it provides detailed information on their existence so you know which issues to look out for and can search, using other tools such as ApexSQL Search, for the specific fragments in question. Static code analysis can also highlight where parameters are passed directly to a static method call when the same parameter could have been passed as an object reference (effectively using 'this').

Static code analysis can indicate that this is happening because it flags any method that takes more than one parameter, in a similar way to how it flags parameters that are passed directly to static method calls.

Static code analysis can also highlight where static class methods are being overloaded in exactly the same way as non-static methods, which is not useful in many cases. Static code analysis cannot, however, catch where different combinations of static and instance methods (such as 'new' and a static method) are misused, for example where an instance method is called as a static method.
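As an added example (not code from the page or from any of the tools it names), the following Python scanner applies three line-level heuristics of the kind described above to a constructed Apex sample: a quote character concatenated with a variable (the SOQL injection shape), Database.query() fed a variable rather than a literal, and methods declared with more than one parameter. The sample class, the rule names and the regular expressions are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed Apex sample (hypothetical, not from the page): one dynamic SOQL query built
# by string concatenation, one query using a bind variable, and one two-parameter method.
APEX_SAMPLE = r"""public with sharing class AccountFinder {
    public static List<Account> byName(String nameFilter) {
        String q = 'SELECT Id FROM Account WHERE Name = \'' + nameFilter + '\'';
        return Database.query(q);
    }
    public static List<Account> byNameSafe(String nameFilter) {
        return [SELECT Id FROM Account WHERE Name = :nameFilter];
    }
    public void merge(Account a, Account b) { }
}"""

@dataclass
class Finding:
    line: int
    rule: str
    text: str

# An escaped single quote inside a string literal, concatenated with an identifier:
# the classic shape of a SOQL injection sink.
QUOTE_CONCAT = re.compile(r"\\'.*?\+\s*([A-Za-z_]\w*)")
# Database.query() fed a variable rather than a literal (dynamic SOQL).
DYNAMIC_SOQL = re.compile(r"Database\.query\(\s*([A-Za-z_]\w*)\s*\)")
# A method declaration; group 3 is the name, group 4 the raw parameter list.
METHOD_DECL = re.compile(
    r"^\s*(public|private|protected|global)\s+(static\s+)?[\w<>,\s]+?\s+(\w+)\s*\(([^)]*)\)\s*\{"
)

def analyze(source: str) -> list[Finding]:
    """Line-oriented heuristic scan of Apex source; returns findings in source order."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        m = QUOTE_CONCAT.search(line)
        if m:
            findings.append(Finding(number, "quote-concat", f"'{m.group(1)}' is concatenated next to a quote character; bind it or use String.escapeSingleQuotes"))
        m = DYNAMIC_SOQL.search(line)
        if m:
            findings.append(Finding(number, "dynamic-soql", f"Database.query() built from variable '{m.group(1)}'; confirm its inputs are escaped"))
        m = METHOD_DECL.match(line)
        if m:
            params = [p for p in m.group(4).split(",") if p.strip()]  # over-counts commas inside generics
            if len(params) > 1:
                findings.append(Finding(number, "multi-param", f"method '{m.group(3)}' takes {len(params)} parameters; review whether they belong on an object"))
    return findings
```

Calling `analyze(APEX_SAMPLE)` reports the concatenation on line 3, the dynamic query on line 4 and the two-parameter `merge` on line 9, while the bind-variable query produces nothing.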

Recommended static code analysis tools for Salesforce

  1. Codescan.io
  2. SonarQube
  3. PVS-Studio
  4. Reshift
  5. Embold