Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: Do you use bug finding tools?
7 points by remyb on Sept 14, 2018 | hide | past | favorite | 4 comments
I'm interested in developers opinions about current bug finding tools and static analysis tools, about their usability and usefulness in everyday software development.

So, do you use static analysis tools or bug finding tools, either yourself as a developer or in your company? If so, do you find them useful? How well are they integrated into your workflow? What kind of information or diagnostics would like them to give you? If not, have you ever used this kind of tools in the past and what was your main concern?



I used to do a lot of security-auditing of C/C++ code. In those days I started off using RATS, and other automated scanners.

Generally though I found they produced more noise than value, so these days when I audit code I do it from start to finish, though I'll certainly have a quick-glance at any code that involves:

* fopen

* popen

* getenv

* or bind/accept

I guess that means "no", not really, and despite that I've reported (security) bugs in applications as diverse as Emacs, Firefox, and GNU Readline.


For Third party libraries I use https://github.com/jeremylong/DependencyCheck


sonarQube (for Java)

The bug and fatal errors should cover most low hanging potential bugs.

Every other type (code smell/code style) should be taken with a grain of salt and configured in such a way that it suits your teams need.

SonarQube is executing static analysis on pushes to each branch.

Currently only used as a guide, not as a gate.

During the first few weeks of using it i found it to be obnoxious, until certain rules were adjusted/removed

Now i find it being more on the helpful side of things


SonarQube ( executing on CI ) + SonarLint ( running on local IDE ) mostly helpful, after the ruleset were adjusted.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: