CSC/ECE 517 Spring 2014/ch1 1w1f mj: Difference between revisions
Revision as of 02:10, 11 February 2014
Code review is the systematic examination of computer source code, with the intention of finding and fixing faults and design errors that were overlooked in the initial development phase. Code review improves the overall quality of software and keeps the design and implementation consistent. The reviewer examines the code and reports the findings to the author, which also helps the author improve as a developer.
Introduction
Code review is a phase in the software development process in which the authors of the code, peer reviewers, and perhaps quality assurance (QA) testers get together to review code.<ref>http://searchsoftwarequality.techtarget.com/definition/code-review </ref> It is a systematic examination of source code for defects such as buffer overflows, race conditions, memory leaks, size violations, and duplicated statements. Code review is also one of the main ways to find security weaknesses in software that has stricter security requirements, since many such flaws never show up in functional testing.
Types of Code review
Code review practices can be divided into the following categories.
Formal inspections
Formal inspection is a heavyweight process in which several participants meet to walk through the code together. The defects discovered in this process are usually recorded in great detail.
Lightweight code review
- Over the shoulder: An "over-the-shoulder" review is the most common and informal code review technique. The reviewer stands at the author's workstation while the author walks the reviewer through a set of code changes.
- Email pass-around: The author bundles up the source code and sends it to the reviewers. Reviewers examine the code, discuss it with other developers, and suggest changes by e-mail.
- Pair programming: Two developers write code at the same workstation, with continuous free-form discussion and review as the code is written.
- Tool-assisted code review: Reviewers use specialized tools at each stage of the review: collecting the files to be reviewed, transmitting and displaying them to all participants, recording comments and defects, and collecting metrics.
Code Review Tools for Ruby
Brakeman
Brakeman is an open source vulnerability scanner designed specifically for Ruby on Rails applications. It can be used at any stage of development to statically analyze Rails application code and report security issues. Because Brakeman inspects only the source code, you do not need to set up your whole application stack to run it. It scans the application code and produces a summary of all the security issues it has found. Brakeman is deliberately suspicious, so it sometimes reports "false positives" that have to be reviewed by hand. It does not find vulnerabilities in the web server or other software: it scans the source code, not the entire application stack.
Advantages
- No configuration necessary: Brakeman does not require any setup or configuration once it is installed.
- Run it anytime: Because it works on the source code alone, Brakeman can be used at any stage of the development process.
- Rails specific: Brakeman is built especially for applications developed in Ruby on Rails, so it can also check configuration settings against best practices.
- Flexible testing: Each check performed by Brakeman is independent, so a run can be limited to a subset of the checks Brakeman comes with.
- Speed: Brakeman is much faster than "black box" website scanners. Even large applications take no more than a few minutes to scan.
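Example

As an added example (this is not Brakeman's own code), the following stand-alone Ruby script shows the kind of static check Brakeman performs. It parses Ruby source with the standard library's Ripper parser, without loading Rails or the application, and flags every where call whose argument contains string interpolation, the classic SQL injection pattern in Rails code. The two controller sources it scans are constructed for the example.

```ruby
require "ripper"

# Added example, not Brakeman's own code: a toy static check in the spirit of
# Brakeman's SQL-injection warning. It parses Ruby source with the stdlib
# Ripper parser and reports every `where` call that receives a string with
# #{...} interpolation. Nothing is loaded or executed, which is the property
# the text describes: no application stack is needed.

# Constructed sample input (not taken from any real application).
VULNERABLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      @user = User.where("name = '#{params[:name]}'").first
    end
  end
RUBY

SAFE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def show
      @user = User.where(name: params[:name]).first
      @old  = User.where("created_at < ?", params[:before])
    end
  end
RUBY

# Returns the line numbers of `where` calls whose arguments contain
# string interpolation, e.g. [3] for VULNERABLE_CONTROLLER.
def interpolated_where_calls(src)
  tree = Ripper.sexp(src)
  raise ArgumentError, "source does not parse" unless tree
  findings = []
  collect(tree, findings)
  findings
end

# The [:@ident, "name", [line, col]] node naming the method of a call node.
def method_ident(call)
  return nil unless call.is_a?(Array)
  case call[0]
  when :call  then call[3]   # receiver.where(...)
  when :fcall then call[1]   # where(...) with implicit receiver, as in a model
  end
end

# Depth-first walk over the S-expression. Two call shapes matter:
#   [:method_add_arg, call, args]               -> User.where("...")
#   [:command_call, recv, period, ident, args]  -> User.where "..."
def collect(node, findings)
  return unless node.is_a?(Array)
  ident, args = case node[0]
                when :method_add_arg then [method_ident(node[1]), node[2]]
                when :command_call   then [node[3], node[4]]
                end
  if ident.is_a?(Array) && ident[0] == :@ident && ident[1] == "where" &&
     interpolation?(args)
    findings << ident[2][0]
  end
  node.each { |child| collect(child, findings) }
end

# True if any string literal below `node` has a #{...} segment
# (Ripper represents it as a :string_embexpr node).
def interpolation?(node)
  return false unless node.is_a?(Array)
  node[0] == :string_embexpr || node.any? { |child| interpolation?(child) }
end

puts "vulnerable: where calls on lines #{interpolated_where_calls(VULNERABLE_CONTROLLER).inspect}"
puts "safe:       where calls on lines #{interpolated_where_calls(SAFE_CONTROLLER).inspect}"
```

Brakeman goes much further than this: it tracks whether the interpolated value actually comes from user input (params, cookies, request headers), whereas this check flags any interpolation at all, which is exactly the kind of over-suspicion that produces the false positives mentioned above. Brakeman exposes the same selectivity as this single check through its -t option, for example brakeman -t SQL (confirm the option names against brakeman --help for the version you have installed).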
Barkeep
Barkeep is a friendly code review system that developers can use to keep their code to a high standard. Users can follow commits made to any Git repository, see diffs, write comments, and have those comments e-mailed to their fellow committers. Barkeep is unopinionated: it can be used with pre-commit or post-commit workflows and can be scripted through its command line client and REST APIs.
Barkeep is a small codebase written in Ruby, so it is easy to add new features and APIs as required.
Advantages
- Naturally supports post-commit workflows: Once a developer's change is ready, they push it to master so that it becomes available for other developers to begin integrating with. Code review happens when it is convenient for the team (typically within 1-2 days), and any comments are addressed in future commits.
- Clean user interface: Barkeep is designed with a basic UI. The common actions, such as leaving a quick comment and approving a commit, are low-friction, and keyboard shortcuts are provided for ease of use.
- Hackable: The Barkeep codebase is small, approachable and fun to hack on, so it can be easily extended and improved over time.
Flog
Flog gives feedback about the quality of Ruby code by scoring it with the ABC metric: assignments, branches and calls, with particular weight placed on calls. The ABC metric is a useful measurement because it combines a lot of information in a way that is easy to understand. One important consequence is that the score Flog reports is very opinionated: it is custom built around commonly accepted Ruby design practice, so Flog is best thought of as a modified ABC measurement.
Flog counts the following as branches: and, case, else, if, or, rescue, until, when and while. Other rules also add to the branch total, but these are the most important. Assignments are much simpler: Flog adds one to the score per assignment. Calls are any method call that takes the flow of control out of the current scope, and some calls are weighted far more heavily than others (eval, for example, as the report below shows).
Advantages
- Keeps track of code complexity: Flog reports the complexity of each method, so the developer can see which code in the project is hardest to follow.
- ABC metric: Flog reports the ABC metric, an easily understood measure of code complexity.
- Ruby support: It supports different versions of Ruby, including both 1.8 and 1.9 syntax.
- Speed: Flog runs quickly, which makes it a good fit for a git hook. A pre-commit hook that checks code complexity and returns non-zero for any method scoring higher than 61 works quite well.
Example
- Original code
    class Test
      def blah
        a = eval "1+1"
        if a == 2 then
          puts "yay"
        end
      end
    end

- What we see in Flog

    class Test
      def blah            # 11.2 =
        a = eval "1+1"    # 1.2 + 6.0 +
        if a == 2 then    # 1.2 + 1.2 + 0.4 +
          puts "yay"      # 1.2
        end
      end
    end

- Report generated

    Test#blah: (11.2)
       6.0: eval
       1.2: branch
       1.2: ==
       1.2: puts
       1.2: assignment
       0.4: lit_fixnum
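The pre-commit hook mentioned under Speed, as an added example that is not part of the Flog project. It runs flog over the Ruby files staged for the commit, parses the per-method scores out of flog's report, and exits non-zero when any method scores above 61. The report format it parses and the -a and -m flags it passes are assumptions based on the flog versions I have used; the sample report at the bottom is constructed for the example, not real flog output.

```ruby
require "open3"

# Added example, not part of the flog project: the core of a git pre-commit
# hook that runs flog on the staged Ruby files and rejects the commit when any
# method scores above THRESHOLD (the limit quoted in the text above).
#
# Assumptions about flog's report: one method per line, as in
#     11.2: Test#blah                        test.rb:2-3
# preceded by "flog total" and "flog/method average" summary lines. The flags
# (-a: list every method, -m: skip code outside methods) are the ones I
# believe flog accepts; check `flog --help` for your version.

THRESHOLD = 61.0

# Parse a flog report into { "Test#blah" => 11.2, ... }.
def parse_flog(report)
  scores = {}
  report.each_line do |line|
    m = line.match(/\A\s*(\d+(?:\.\d+)?):\s+(\S+)/)
    next unless m
    name, score = m[2], m[1].to_f
    next if name.start_with?("flog")   # "flog total" / "flog/method average"
    scores[name] = score
  end
  scores
end

# Methods above the threshold, worst first, as [name, score] pairs.
def offenders(scores, threshold = THRESHOLD)
  scores.select { |_name, score| score > threshold }.sort_by { |_name, score| -score }
end

# Ruby files added, copied or modified in the index, i.e. what this commit contains.
def staged_ruby_files
  out, status = Open3.capture2("git", "diff", "--cached", "--name-only",
                               "--diff-filter=ACM", "--", "*.rb")
  status.success? ? out.split("\n") : []
rescue Errno::ENOENT
  []
end

# Exit status for the hook: 0 lets the commit through, 1 blocks it.
# Fails closed: if flog cannot run, the commit is blocked rather than waved through.
def hook_status(files)
  return 0 if files.empty?
  report, status = Open3.capture2("flog", "-a", "-m", *files)
  unless status.success?
    warn "flog failed; refusing to commit unchecked code"
    return 1
  end
  bad = offenders(parse_flog(report))
  bad.each { |name, score| warn format("%6.1f  %s  (limit %.0f)", score, name, THRESHOLD) }
  bad.empty? ? 0 : 1
rescue Errno::ENOENT
  warn "flog is not installed (gem install flog)"
  1
end

# Constructed flog report used to exercise the parser offline.
SAMPLE_REPORT = <<~TXT
     84.6: flog total
     28.2: flog/method average

     63.5: Report#render                    lib/report.rb:10-52
     11.2: Test#blah                        test.rb:2-3
      9.9: main#none
TXT

# Only act as a hook when installed as .git/hooks/pre-commit; under any other
# name just demonstrate the parser on the sample report.
if File.basename($PROGRAM_NAME) == "pre-commit"
  exit hook_status(staged_ruby_files)
else
  offenders(parse_flog(SAMPLE_REPORT)).each { |name, score| puts "#{score}: #{name}" }
end
```

Install it as .git/hooks/pre-commit and make it executable; run under any other name it only parses the constructed sample, in which Report#render (63.5) is the one method over the limit. The gate deliberately fails closed when flog itself fails, so a broken or missing tool cannot silently let unchecked code through.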
Saikuro
Saikuro analyzes the cyclomatic complexity of Ruby programs. Cyclomatic complexity is a graph-based measure of the number of independent paths through a piece of code, and therefore of how hard it is to test. Given a source project, Saikuro finds each instance method, calculates its cyclomatic complexity, and generates a report listing the result for every method found. Saikuro also counts the number of lines per method and the number of tokens on each line, and generates a second report from those counts.
Saikuro measures complexity, but Ruby is a tricky language to measure. Saikuro adds a branch when it encounters a conditional statement such as if, unless, while, until, for, elsif or when, and it also adds a branch whenever the code uses a block, because a block in Ruby very often changes the control flow. Keeping cyclomatic complexity low is essential: it keeps your code simple to test and debug.
Advantages
- Cyclomatic complexity: Saikuro calculates cyclomatic complexity in a more "Ruby" way, so its numbers are more meaningful on Ruby projects.
- Different kinds of target: Saikuro can be run recursively over a directory or pointed at one specific troublesome class.
- Lightweight and quick: It is very similar to Flog, covered above: a quick reporting tool that helps users understand where they have excess complexity in their projects.
Example
- A report generated by Saikuro can be viewed at http://saikuro.rubyforge.org/.
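As an added example (not Saikuro's code), the following Ruby script applies the counting rule described above to a constructed class, using the standard library's Ripper parser: each method starts at 1, and every if, unless, while, until, for, elsif and when, and every block, adds one. Counting the modifier forms (x if y) under the same rule is my own generalization rather than something the page states, and the LogParser class it analyzes is made up for the example.

```ruby
require "ripper"

# Added example, not Saikuro's own code: a per-method cyclomatic-complexity
# counter for Ruby. Each method starts at 1; every conditional keyword listed
# below and every block (do...end or {...}) adds one. The *_mod entries are
# the modifier forms (`x if y`), included as my own generalization of the rule.

BRANCH_NODES = %i[if unless while until for elsif when
                  if_mod unless_mod while_mod until_mod
                  do_block brace_block].freeze

# Returns { "Klass#method" => complexity, "Klass.singleton_method" => ... }.
def cyclomatic_complexity(src)
  tree = Ripper.sexp(src)
  raise ArgumentError, "source does not parse" unless tree
  results = {}
  visit(tree, [], results)
  results
end

# Last constant in a class/module name node (Foo::Bar -> "Bar").
def const_name(node)
  node.flatten.grep(String).last
end

def qualified(scope, sep, name)
  scope.empty? ? name : scope.join("::") + sep + name
end

# Walk the S-expression, tracking the enclosing class/module names, and score
# each method definition it meets.
def visit(node, scope, results)
  return unless node.is_a?(Array)
  case node[0]
  when :class, :module   # [:class, name, superclass, body] / [:module, name, body]
    inner = scope + [const_name(node[1])]
    node[2..-1].each { |child| visit(child, inner, results) }
  when :def              # [:def, ident, params, body]
    results[qualified(scope, "#", node[1][1])] = 1 + branches(node[3])
  when :defs             # [:defs, receiver, period, ident, params, body]
    results[qualified(scope, ".", node[3][1])] = 1 + branches(node[5])
  else
    node.each { |child| visit(child, scope, results) }
  end
end

# Number of decision points (BRANCH_NODES) at or below `node`.
def branches(node)
  return 0 unless node.is_a?(Array)
  own = BRANCH_NODES.include?(node[0]) ? 1 : 0
  own + node.sum { |child| branches(child) }
end

# Constructed sample class: parse has a block, an if, an elsif and a trailing
# unless, so it scores 1 + 4 = 5; the other two methods score 1.
SAMPLE_SRC = <<~'RUBY'
  class LogParser
    def parse(lines)
      lines.each do |line|
        if line.start_with?("#")
          next
        elsif line.empty?
          next
        end
        record(line) unless line.size > 80
      end
    end

    def record(line)
      @records << line
    end

    def self.from_file(path)
      new.parse(File.readlines(path))
    end
  end
RUBY

cyclomatic_complexity(SAMPLE_SRC).each { |name, score| puts format("%3d  %s", score, name) }
```

Nothing here needs Saikuro installed, which also makes the rule easy to adjust: adding :rescue or :ifop (the ternary operator) to BRANCH_NODES would count those as decision points too, which this script deliberately does not, to stay with the list given above.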
PullReview
PullReview is an automated code review tool for Ruby developers using GitHub. PullReview is a "SaaS" solution: there are no servers to install and no extra software. Setup is very easy: click the button, link to GitHub, and PullReview can start reviewing your branches. It provides feedback very quickly, without having to wait for a colleague to come and have a look. Another important feature is that it does not stop at static analysis: it aggregates several analysis results and points out the problems at hand in order of impact, together with suggestions for making your code better.
Advantages
- Telling you where to go next: PullReview makes your code more robust and improves you as a coder. It tells you why best practices are what they are, and where to apply them. PullReview analyzes your branches using all the important metrics, tells you what you are doing wrong, and explains the impact.
- Ruby specific: Like Brakeman, PullReview is built specifically for Ruby, so it can check composition and structure against Ruby best practices.
- Quick setup: No servers to set up and no plethora of tools to install; PullReview sets up quickly and saves time.
Roodi
Roodi stands for Ruby Object Oriented Design Inferometer. It parses Ruby code and warns about design issues from a configurable list of checks, for example the class line count check, the for loop check, the parameter number check and the cyclomatic complexity checks. It helps in breaking down complex and long methods.
Advantages
- Extendable: The shipped checks can be configured through a YAML file, which is easy to edit. Users can also write their own checker classes to add new checks: a checker class registers the types of AST node it is interested in and then handles the matching subtrees.
Other Tools
Code Review Tools for Java
Crucible
Crucible is a collaborative code review application developed by Atlassian. It is tailored to distributed teams and facilitates asynchronous review of, and commenting on, code. Crucible integrates with prominent source control tools such as Git and Subversion, and it is flexible enough to cater for a wide range of team sizes and work styles. Crucible also integrates with JIRA, Atlassian's issue tracking and project management application.
Workflow
1. Creating a Review.
2. Adding content to the review.
3. Performing the review
4. Summarising and closing the review.
Advantages
- Flexible code review: Crucible provides configurable options for tracking and completing reviews: a defined workflow, a moderator, and one or more participants. It also supports in-line code discussions.
- Pre-commit support: Code can be reviewed before check-in, which ensures that any code going into production has been reviewed, and reviews can be created from the command line. During a pre-commit review the code is refactored, changed and updated; Crucible takes this into account and makes sure all the files under review are easily updated and kept current.
- Traceability: Developers have a unified view that shows all the activity in their code, both commits and reviews. Filters can be created to give notification of code committed by new team members, and the review coverage report shows which parts have already been reviewed and which are currently under review.
- Notifications: Reviewers who have not completed your code reviews can be reminded automatically or manually. Crucible provides several such features to help the team stay on top of its workload.
Jupiter
Jupiter is an open source collaborative Eclipse code review tool. It uses a simple, lightweight code review process that is easy to learn and adopt. The result of a research project by the Collaborative Software Development Laboratory at the University of Hawaii, the Jupiter plug-in stores code reviews in an XML file format and maintains them in the project configuration management system alongside the source code.
Workflow
The code review process implemented in Jupiter is relatively simple, and it should suffice for most projects. In Jupiter, you conduct a code review in the following four stages:
Configuration: The review initiator sets up the review, specifying the files to be reviewed and what kinds of issue can be raised.
Individual code review: Each reviewer examines the code individually, using a review checklist and raising issues as they encounter them. Jupiter saves the issues you create in XML form directly in the project directory.
Team review: The review team (including the author) meet to discuss issues and decide on actions to take. This generally involves a face-to-face meeting, using Jupiter to help work through all the review issues.
Rework: The developer goes through the raised issues and fixes them.
Throughout the whole process, the review files are stored and updated in the source code repository, providing a history of the issues raised and how they have been corrected.
Jupiter is an innovative and flexible tool that helps automate peer code reviews and track issues. Until recently, it was quite unique in this domain. Of late, however, it does have a commercial competitor, Crucible, which we mentioned before.
Advantages
- Free: It is open source and free. Jupiter uses the CPL License.
- Cross-platform: Jupiter is based upon the Eclipse plug-in architecture. It is available for all platforms supported by Eclipse.
- Simple data reuse and sharing: Jupiter stores its data in XML format in the CM repository, so users of Jupiter share their review files the same way they share their code, via CVS or another CM repository.
- Sorting and filtering: Jupiter provides filters and sorting to facilitate going over the code review issues.
- File integration: Jupiter can easily jump back and forth between a specific review comment and the corresponding source code.
Code Review Tools for Python
Review Board
Review Board is a powerful web-based code review tool that offers developers an easy way to handle code reviews. It works well with small projects as well as large companies. Review Board integrates with various version control systems like Bazaar, ClearCase, CVS, Git, Mercurial, Perforce, and Subversion. It can be installed on any server running Apache or lighttpd and is free for both personal and commercial use. There is also an official commercial Review Board hosting service, RBCommons for Review Board.
Workflow (pre-commit)
1. Make a change to your local source tree.
2. Create a review request for your new change.
3. Publish the review request and wait for your reviewers to see it.
4. Wait for feedback from the reviewers.
5. If they’re ready for it to go in:
- 5.1 Submit your change to the repository.
- 5.2 Click Close ‣ Submitted on the review request action bar.
6. If they’ve requested changes:
- 6.1 Update the code in your tree and generate a new diff.
- 6.2 Upload the new diff, specify the changes in the Change Description box, and publish.
- 6.3 Jump back to step 4.
Advantages
- Easily track your team's review requests: The dashboard provides an up-to-the-minute overview of all review requests, with easy controls to group and sort them and to see what is left to review.
- Review all kinds of files: Along with code, Review Board can be used to review other files shared by team members, such as screenshots of a feature or a file containing the log output of a unit test run.
- All history in one place: With Review Board, the entire history of a change is in one place. Each change's review request shows the whole development discussion and every iteration of the change that people have reviewed.
- Helpful command-line tools, extensible: The RBTools command line tools make it easy to create review requests from the changes in your source tree and to keep them up to date. The full-featured REST and Python APIs support automation and integration, and a rich extension framework allows features to be added to Review Board.
References
<references/>