The difference between static analysis and code review


Both static analysis and code review are methods to find errors and vulnerabilities in source code without explicitly executing the program being examined.

Code review is usually understood as a relatively regular examination of a source code fragment performed jointly by two or more developers, which may take place both in a semi-formal way or as a formal certification. Code review may also be a part of pair programming.

Static code analysis in most cases implies usage of special tools that automatically scan the source code to find out if it contains any of the known formal bug patterns that may need to be inspected by a developer. Unlike code review, automation makes static analysis in fact unlimited by the size of the code to be checked. However, static analysis results still need to be studied by developers to distinguish between genuine errors and false positives which are inevitable with this analysis approach.

Although the notions of code review and static analysis are usually separated, they may sometimes intersect and even be viewed as mutually-derivative methods that complement each other. An example of this is joint code review performed by several developers for separate code fragments pointed out in the report of a static analyzer that has carried out analysis of the whole project before.

References



Use PVS-Studio to search for bugs in C, C++, C# and Java

We offer you to check your project code with PVS-Studio. Just one bug found in the project will show you the benefits of the static code analysis methodology better than a dozen of the articles.

goto PVS-Studio;



Bugs Found

Checked Projects
355
Collected Errors
13 303