CSC/ECE 517 Spring 2014/ch1 1w1f mj

From Expertiza_Wiki
Revision as of 00:32, 24 February 2014 by Mjain2 (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Code review is the process of evaluation of computer source code, with the intention of finding and fixing faults and design errors neglected in the initial development phase. Code review helps in improving the overall quality of software and maintains the consistency in software design and implementation. The reviewer examines the code and reports the findings to the author, which helps in improving the developer’s skill.


Introduction

Code review is a phase in the software development process in which the authors of code, peer reviewers, and perhaps quality assurance (QA) testers get together to review code.<ref>http://searchsoftwarequality.techtarget.com/definition/code-review </ref> It facilitates systematic examination of source code for vulnerabilities such as buffer overflows, race conditions, memory leakage, size violations, and duplicate statements. Code review can also help in looking for security breaches to the software which requires higher security.

Types of Code review

Code review practices can be divided into the following categories.

Formal inspections

Formal inspections refers to a heavy process with several participants sitting together to review code. The defects discovered in this process are usually recorded in great detail.

Lightweight code review

  • Over the shoulder: An “over-the-shoulder” review is the most common and informal code review technique where the developer stands over the author’s workstation while the author walks the reviewer through a set of code changes.
  • Email pass around: The author bundles up all source code and sends it to reviewers. Reviewers examine the code, communicate with other developers and suggest changes via e-mail.
  • Pair Programming: In Pair Programming, two developers write code at the same workstation and there is continuous free-form discussion and review.

Code Review Tools for Ruby

Brakeman

Brakeman is an open source vulnerability scanner tool explicitly designed for Ruby on Rails applications. It can be used at any stage of the development to statically analyze Rails application code and find out the security issues.<ref>http://brakemanscanner.org/ </ref> Brakeman carefully inspects the source code of your application and you do not need to set up your whole application stack to use it. Brakeman scans through the application code and produce a summary of all security issues it has found. Brakeman is extremely suspicious and hence sometimes it provides “false positives.” It does not finds security vulnerabilities in web server or other software as it just scans the source code and not the entire application stack.

Advantages

  • No Configuration Necessary: Brakeman does not require any setup or configuration once it is installed.
  • Run It Anytime: As it’s working is based on just the source code, Brakeman can be used at any stage of the development process.
  • Ruby Specific: Brakeman is especially built for applications developed in Ruby on Rails, so it can easily check configuration settings for best practices.
  • Flexible Testing: Each check performed by Brakeman is independent, so testing can be limited to a subset of all the checks Brakeman comes with.
  • Speed: Brakeman is much faster than other “black box” website scanners. Even large applications do not take more than a few minutes to scan.

Example

Here's one example of warnings Brakeman reports: SQL injection.

  • A Rails 3.x code segment looks like this :
username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")
  • Brakeman would produce a warning like this:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

Barkeep

Barkeep is one of the friendly Code Review System which can be used by developers to keep high quality standard of code. Users can attend commits made to any Git repository, see diffs, write comments, and have those comments emailed to your fellow committers. Barkeep is unopinionated. It can be used with pre-commit or post-commit workflows, and also script tools<ref>http://getbarkeep.org/</ref>. It comes with a command line client and REST APIs.

Barkeep is a small codebase written in Ruby. It's easy to add new features and APIs as per the requirement.

Advantages

  • Naturally supports post-commit workflows: Barkeep supports post-commit code review workflow. Here, once the part of the code of the developer is ready, he pushes it to the master, so that it becomes available to other developer to begin integrating it. Code review happens when it's conducive for the team (within 1-2 days), and any comments are addressed in future commits.
  • Hackable: The codebase of barkeep is small, obtainable and fun to hack on. It can be easily extended and improved with time<ref>http://getbarkeep.org/</ref>.

Flog

Flog gives feedback about the quality of Ruby code by scoring using the ABC metric: assignments, branches, calls, with particular attention placed on calls. The ABC metric is a neat measurement since it combines a lot of information in a way that we can easily understand. But this leads to one important feature of Flog, that is the score reported is very opinionated. This score is custom built to apply commonly accepted design patterns for Ruby. Therefore, we can think of Flog as a modified ABC measurement.<ref>http://www.sitepoint.com/code-metrics-and-you/</ref>

Flog takes the following branching terms into consideration: and, case, else, if, or, rescue, until, when and while. There are other rules that add to branch total, but these are the most important. Assignments are much more simple, Flog add one to the score per assignment. Calls are defined as any instance method call that takes the flow out of the current scope.

Advantages

  • Keep track of code complexity: Flog reports code complexity of each method. In this way, developer is able to know what code segment in the project is different to follow.
  • ABC metric: Flog reports ABC metric which is an easily understood measurement of code complexity.
  • Ruby support: It support different version of Ruby including 1.8 and 1.9 syntax.
  • Speed: Flog executes quite fast, which makes it perfect for a git hook. A pre-commit hook which checks code complexity and returns non-zero for any score higher than 61 works quite well.

Example

  • Original code
class Test
  def blah
    a = eval "1+1"
    if a == 2 then
      puts "yay"
    end
  end
end
  • What we see in Flog
class Test
  def blah         # 11.2 =
    a = eval "1+1" # 1.2 + 6.0 +
    if a == 2 then # 1.2 + 1.2 + 0.4 +
      puts "yay"   # 1.2
    end
  end
end
  • Report generated
Test#blah: (11.2)
     6.0: eval
     1.2: branch
     1.2: ==
     1.2: puts
     1.2: assignment
     0.4: lit_fixnum

Saikuro

Saikuro is mainly designed to analyze cyclomatic complexity, which is a graphical measurement to indicate the complexity of a program, on Ruby program. Given a source project, Saikuro will find each instance method in it, calculate its cyclomatic complexity and generate a report listing all the result according to each method found. In addition, Saikuro also counts the number of lines per method as well as the number of tokens on each line, and generate another report on that.

Saikuro measures complexity, but as we all know, Ruby is a tricky language. Saikuro adds a branch when it encounters conditional statements like if, unless, while, until, for, elsif and when, but it also adds a branch if the code uses a block. This is because using a block in Ruby very often changes the control flow. Keeping the cyclomatic complexity at a low number is very essential, it ensures your code is simple to test and debug.<ref>http://www.sitepoint.com/code-metrics-and-you/</ref>

Advantages

  • Cyclomatic complexity: Saikuro calculates cyclomatic complexity in a more 'Ruby' way so that it is more concise on Ruby projects.
  • Different kind of targets: Saikuro can be recursively used on a dir or a specific troublesome class.
  • Lightweight and quick: It is very similar to the code evaluation tool Flog we covered before. It is a quick reporting tool that can help users understand where they have excess complexity in their projects.

Example

  • A report generated by Saikuro looks like this:

  • More examples can be viewed here.

PullReview

PullReview is an Automated Code Review Tool for Ruby developers using GitHub. PullReview is “SAAS” solution. It requires no servers to install, no extra software. Setup is very easy - Click the button, link to GitHub, and PullReview can start reviewing your branches. It provides feedback very quickly, without having to sit and wait for a colleague to come and have a look. Another important feature is that it does not keep to static analysis.<ref>http://blog.8thcolor.com/2013/09/pullreview-reach-your-ruby-code-skill-walhalla/</ref> It aggregates several analysis results, and points out the problems at hand – in order of impact. It also tells you ways to make your code better.

Advantages

  • Telling You Where to Go Next: PullReview make your coding more robust, it improves you as a coder. It tells you why best practices are what they are – and where to apply them. PullReview analyzes your branches using all important metrics. It tells you what you are doing wrong and what the impact is.
  • Ruby Specific: Like Brakeman, Roodi is specifically built for Ruby on Rails which helps in checking composition and structure settings for best practices.
  • Quick Setup: No setting up of servers or installing a plethora of tools is required. Pullreview sets up quickly and saves time.

Example can be viewed here.

Roodi

Roodi stands for Ruby Object Oriented Design Inferometer. It parses the Ruby code and warns about the design issues from the list configured for example Class line count check, for loop check, parameter number check, cyclomatic checks, etc. It helps in breaking down complex and long methods.<ref>http://blog.martyandrews.net/2008/09/roodi-checkstyle-for-ruby.html</ref>

Advantages

  • Extendable: One advantage of Roodi is that the shipped checks can also be easily configured with a YAML file, which is easy to manipulate. In that way, users are able to write customized class to add new checks. A checker class registers the types of AST nodes it’s interested and then handle the matched subtrees.

Example Usage

  • Check all ruby files recursively under the current directory:
$ roodi
  • Check all ruby files in a rails app:
$ roodi "rails_app/**/*.rb"
  • Check one controller and one model file in a rails app:
$ roodi app/controller/sample_controller.rb app/models/sample.rb
  • Check all ruby files in a rails app with a custom configuration file:
$ roodi -config=my_roodi_config.yml "rails_app/**/*.rb"
  • For more details, please refer to here.


Code Review Tools for Java

Crucible

Crucible is a collaborative code review application developed by software company Atlassian, tailored to distributed teams, and facilitates asynchronous review and commenting on code<ref>http://en.wikipedia.org/wiki/Crucible_(software)</ref>. Crucible also articulates with prominent source control tools, such as Git and Subversion. Crucible is a flexible application that caters for a wide range of team sizes and work styles<ref>https://www.atlassian.com/software/crucible/overview </ref>. Crucible also supports integration with JIRA which is Atlassian's issue tracking and project management application.

Workflow

1. Creating a Review.

2. Adding content to the review.

3. Performing the review

4. Summarising and closing the review<ref>https://confluence.atlassian.com/display/CRUCIBLE/The+Crucible+workflow</ref>.

Advantages

  • Flexible Code Review: Crucible provides configurable options to track and complete reviews - Defined workflow, Moderator, One or more participants. It also supports in-line code discussions.
  • Pre-commit support: It allows code review before check in which ensures that any code going into production has been reviewed. It allows code review from command line.During the pre-commit review process code is re-factored, changed, and updated. Crucible takes this into account and makes sure all files you are reviewing are easily updated and current.
  • Traceability: Developers have a unified view that shows all the activity in their code for commits and reviews. It supports creating filters which provides notification of code committed by new team members. The review coverage report provides information about which parts have already been reviewed and which are currently in review.
  • Notifications: It provides automatic or manual way of notifying reviewers who have not completed your code reviews. Crucible provides multiple features to help team stay on top of their workload.

Jupiter

Jupiter is an open source collaborative Eclipse code review tool.<ref>http://code.google.com/p/jupiter-eclipse-plugin/wiki/UserGuide</ref> It uses a simple, lightweight code review process that is easy to learn and adopt. The result of a research project by the Collaborative Software Development Laboratory at the University of Hawaii, the Jupiter plug-in stores code reviews in an XML file format and maintains them in the project configuration management system alongside the source code.<ref>http://whiteboxqa.com/StudentMaterial/Books/IP-WBT-01-JavaPowerTools.pdf</ref>

Workflow

The code review process implemented in Jupiter is relatively simple, and it should suffice for most projects. In Jupiter, you conduct a code review in the following four stages:

Configuration: The reviewer initiator sets up the review, specifies the files to be reviewed and what issues can be raised.

Individual code review: Each reviewer examines the code individually, using a review checklist and raising issues as they encounter them. Jupiter saves the issues you create in XML form directly in the project directory.

Team review: The review team (including the author) meet to discuss issues and decide on actions to take. This generally involves a face-to-face meeting, using Jupiter to help work through all the review issues.

Rework: The developer goes through the raised issues and fixes them.

Throughout the whole process, the review files are stored and updates in the source code repository, providing a history of raised issues and how they have been corrected.

Jupiter is an innovative and flexible tool that helps automate peer code reviews and track issues. Until recently, it was quite unique in this domain. Of late, however, it does have a commercial competitor, Crucible, which we mentioned before.

Advantages

  • Free: It is open source and free. Jupiter uses the CPL License.
  • Cross-platform Jupiter is based upon the Eclipse plug-in architecture. It is available for all platforms supported by Eclipse.
  • More simply data reuse and sharing: Jupiter stores data in XML format as well as CM repository. Users of Jupiter share their data files the same way they share their code using CVS or some other CM repository.
  • Sorting and Filtering: Jupiter provides filters and sorting to facilitate going over the code

review issues.

  • File integration: Jupiter has the capability to easily jump back and forth between specific review comments and the corresponding source code.

Other Tools

  • Gerrit is a web based code review system, facilitating online code reviews for projects using the Git version control system.
  • JCR is a web application for performing and managing formal code reviews. It can be used for reviews of any type of source code, although it has some special smarts for reviewing Java projects. It has special features to make large-scale reviews not only practical but easy and fast.
  • Sonar is an open platform to manage code quality.


Code Review Tools for Python

Review Board

Review Board is a powerful web-based code review tool that offers developers an easy way to handle code reviews.<ref>http://www.reviewboard.org/</ref> It works well with small projects as well as large companies. Review Board integrates with various version control systems like Bazaar, ClearCase, CVS, Git, Mercurial, Perforce, and Subversion. It can be installed on any server running Apache or lighttpd and is free for both personal and commercial use. There is also an official commercial Review Board hosting service, RBCommons for Review Board.

Workflow (pre-commit) 1. Make a change to your local source tree.

2. Create a review request for your new change.

3. Publish the review request and wait for your reviewers to see it.

4. Wait for feedback from the reviewers.

5. If they’re ready for it to go in:

5.1 Submit your change to the repository.
5.2 Click Close ‣ Submitted on the review request action bar.

6. If they’ve requested changes:

6.1 Update the code in your tree and generate a new diff.
6.2 Upload the new diff, specify the changes in the Change Description box, and publish.
6.3 Jump back to step 4<ref>http://www.reviewboard.org/docs/manual/dev/users/getting-started/workflow/</ref>.

Advantages

  • Easily track your team's review requests: The dashboard provides an up-to-the-minute overview of all the review requests. Provides easy controls to group/ sort your review requests, and see what's left to review.
  • Review all kinds of files: Along with code review, Review Board can also be used to review other files by the team members. You can upload screenshots of your feature, or a file showing log output of a unit test run.
  • All history at one place: With Review Board, the entire history of development is in one place. Each change's review request shows the entire development discussion and each iteration of the change that people have reviewed.
  • Helpful command-line tools and Extensible: The RBTools command line tools make it easy to quickly create review requests based on the changes in your source tree and to keep them up-to-date. The fully-featured REST and Python API provides automation and integration. It provides rich extension framework to add features to Review Board.

Rietveld

Rietveld is a web-based collaborative code review tool for use with Subversion to run on Google’s cloud service.<ref>https://developers.google.com/appengine/articles/rietveld?hl=zh-cn</ref> It is written by Guido van Rossum, Python creator. While this web app was primarily written to serve as a showcase for using Django with Google App Engine, the scalable infrastructure for web applications that developer helped build, serves as a useful tool for the open source community, especially the Python community. Rietveld is inspired by Mondrian, which once has been intensively used inside Google to review their code.Part of the Rietveld’s code derived from Mondrian.

Workflow

The feature sets of Rietveld and Review Board are strikingly similar, which is not surprising as they both used Mondrian as a model. van Rossum originally wanted to turn Mondrian into a free software project, but it was too tied to "proprietary Google infrastructure", so he started over, with Rietveld as the result. Both tools are implemented in Python using the Django framework, but one major difference is that Rietveld is written to use Google App Engine.

Advantage

  • Simplified deployment: For free software projects, where code review is purposely done in the open, Rietveld provides a way to quickly try the application out. They don’t need to find a server and run the application, as which would be required with Review Board.
  • Cross platform: It is extremely easy to install Rietveld in a different environment by replacing the App Engine-specific pieces, but that clearly is not where it is targeted.
  • Free and open to public: Anyone can browse the system, but only users who have a Google account can add issues, comments, and conduct reviews using the tool.
  • Introduction to the Google App Engine interface: While Rietveld does not provide much in the way of additional functionality from Review Board, and in fact it lags Review Board in some areas, Rietveld does provide a very nice introduction to the Google App Engine interface. Developers can use the code as a template for their own ideas once Google makes more App Engine accounts available.

Comparison

Comparison of code review tools
Maintainer License Developed In Desktop Client vs Web App Cost
Brakeman brakemanscanner.org Open Source Ruby Desktop Client Free
Barkeep Ooyala Open Source Ruby Web Application Free
Roodi MIT Open Source Ruby Ruby Gem Free
Flog Ruby Sadists Open Source Ruby Ruby Gem Free
Saikuro Ubit Open Source Ruby Ruby Gem Free
PullReview Brussels Open Source Ruby Desktop Client Free
Crucible Atlassian Proprietary Java Web Application Paid
Jupiter code.google.com Open Source Java Desktop Client (Eclipse) Free
Rietveld Google App Engine Open Source Python Web Application Free
Review Board reviewboard.org MIT Python Web Application Free

See Also

References

<references/>