CSC/ECE 517 Spring 2014/ch1 1w1f mj: Difference between revisions

From Expertiza_Wiki
(Created page with "[http://en.wikipedia.org/wiki/Code_review Code review] is the process of evaluation of computer source code, with the intention of finding and fixing faults and design errors neg...")
 
No edit summary

Revision as of 20:09, 9 February 2014

Code review is the process of evaluating computer source code with the intention of finding and fixing faults and design errors neglected in the initial development phase. Code review helps improve the overall quality of software and maintains consistency in software design and implementation. The reviewer examines the code and reports the findings to the author, which also helps improve the developer’s skill.


Introduction

Code review is a phase in the software development process in which the authors of code, peer reviewers, and perhaps quality assurance (QA) testers get together to review code.<ref>http://searchsoftwarequality.techtarget.com/definition/code-review</ref> It allows systematic examination of source code for defects and vulnerabilities such as buffer overflows, race conditions, memory leaks, size violations, and duplicate statements. Code review is also a way to look for security weaknesses in software that requires a higher level of security.


Types of Code review

Code review practices can be divided into the following categories.

Formal inspections

Formal inspection refers to a heavyweight process in which several participants sit together to review code. The defects discovered in this process are usually recorded in great detail.

Lightweight code review

  • Over the shoulder: An “over-the-shoulder” review is the most common and informal code review technique: a reviewer stands at the author’s workstation while the author walks the reviewer through a set of code changes.
  • Email pass-around: The author bundles up the source code and sends it to reviewers. The reviewers examine the code, discuss it with other developers and suggest changes by e-mail.
  • Pair programming: Two developers write code at the same workstation, with continuous free-form discussion and review.
  • Tool-assisted code review: Reviewers use specialized tools in the different stages of the review; the tools collect files, transmit and display files, comments and defects among all participants, collect metrics, and so on.


Code Review Tools for Ruby

Brakeman

Brakeman is an open source vulnerability scanner designed specifically for Ruby on Rails applications. It can be used at any stage of development to statically analyze Rails application code and find security issues. Brakeman inspects the source code of your application directly, so you do not need to set up the whole application stack to use it. It scans the application code and produces a summary of all security issues it has found. Brakeman is deliberately suspicious, so it sometimes reports “false positives.” It does not find security vulnerabilities in the web server or other software, because it scans only the source code and not the entire application stack.

Advantages
  • No Configuration Necessary: Brakeman does not require any setup or configuration once it is installed.
  • Run It Anytime: Because it works from the source code alone, Brakeman can be used at any stage of the development process.
  • Rails Specific: Brakeman is built especially for applications developed in Ruby on Rails, so it can easily check configuration settings against best practices.
  • Flexible Testing: Each check performed by Brakeman is independent, so testing can be limited to a subset of all the checks Brakeman comes with.
  • Speed: Brakeman is much faster than “black box” website scanners. Even large applications do not take more than a few minutes to scan.

Barkeep

Barkeep is a friendly code review system that developers can use to keep code quality high. Users can follow commits made to any Git repository, see diffs, write comments, and have those comments emailed to fellow committers. Barkeep is unopinionated: it can be used with pre-commit or post-commit workflows, and it can also be driven by scripts. It comes with a command line client and REST APIs.

Barkeep is a small codebase written in Ruby, so it is easy to add new features and APIs as required.

Advantages
  • Naturally supports post-commit workflows: Barkeep supports a post-commit code review workflow. Once a developer’s piece of code is ready, the developer pushes it to master so that it becomes available for other developers to begin integrating. Code review happens when it is convenient for the team (within 1-2 days), and any comments are addressed in future commits.
  • Clean User Interface: Barkeep is designed with a basic UI. The common actions, like leaving a quick comment and approving a commit, are low-friction. It also provides various keyboard shortcuts for ease of use.
  • Hackable: The Barkeep codebase is small, approachable and fun to hack on. It can easily be extended and improved over time.

Flog

Flog gives feedback about the quality of Ruby code by scoring it with the ABC metric: assignments, branches and calls, with particular weight placed on calls. The ABC metric is a neat measurement because it combines a lot of information in a way that is easy to understand. This leads to one important feature of Flog: the score it reports is very opinionated. The score is custom built around commonly accepted design patterns for Ruby, so we can think of Flog as a modified ABC measurement.

Flog takes the following branching terms into consideration: and, case, else, if, or, rescue, until, when and while. There are other rules that add to the branch total, but these are the most important. Assignments are much simpler: Flog adds one to the score per assignment. Calls are defined as any instance method call that takes the flow out of the current scope.

Advantages
  • Keeps track of code complexity: Flog reports the complexity of each method, so a developer can see which code segments in the project are difficult to follow.
  • ABC metric: Flog reports the ABC metric, which is an easily understood measurement of code complexity.
  • Ruby support: It supports different versions of Ruby, including 1.8 and 1.9 syntax.
  • Speed: Flog executes quickly, which makes it well suited to a git hook. A pre-commit hook that checks code complexity and returns non-zero for any score higher than 61 works quite well.

Saikuro

Saikuro is mainly designed to analyze the cyclomatic complexity of Ruby programs; cyclomatic complexity is a graph-based measurement of how complex a program is. Given a source project, Saikuro finds each instance method in it, calculates its cyclomatic complexity and generates a report listing the result for each method found. In addition, Saikuro counts the number of lines per method and the number of tokens on each line, and generates a second report on that.

Saikuro measures complexity, but as we all know, Ruby is a tricky language. Saikuro adds a branch when it encounters conditional statements like if, unless, while, until, for, elsif and when, but it also adds a branch when the code uses a block, because using a block in Ruby very often changes the control flow. Keeping cyclomatic complexity low is essential: it keeps your code simple to test and debug.

Advantages
  • Cyclomatic complexity: Saikuro calculates cyclomatic complexity in a more “Ruby” way, so its results are more meaningful on Ruby projects.
  • Different kinds of targets: Saikuro can be run recursively on a directory or on a specific troublesome class.
  • Lightweight and quick: It is very similar to the code evaluation tool Flog covered above. It is a quick reporting tool that helps users understand where they have excess complexity in their projects.
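As an added example (not code from Flog, Saikuro or this page), the following Ruby script uses the standard library's Ripper parser to apply the counting rules described above: Flog's A/B/C categories per method (reported as the plain ABC magnitude, without Flog's call weighting), Saikuro's decision-point count including blocks for cyclomatic complexity, and a gate that lists methods over a limit, as the pre-commit hook described under Flog would. The node-type lists and the sample methods are my own assumptions.

```ruby
require 'ripper'
# A/B/C node types as Flog counts them; D is what Saikuro counts (incl. blocks).
ASSIGN_NODES   = %i[assign opassign massign].freeze
BRANCH_NODES   = %i[if elsif else unless while until case when rescue
                    if_mod unless_mod while_mod until_mod].freeze
BOOLEAN_OPS    = %i[and or && ||].freeze
CALL_NODES     = %i[call command command_call fcall vcall].freeze
DECISION_NODES = %i[if unless while until for elsif when if_mod unless_mod
                    while_mod until_mod do_block brace_block].freeze
# Walk a Ripper S-expression, tallying the four counters for the subtree.
def tally(node, counts = { a: 0, b: 0, c: 0, d: 0 })
  return counts unless node.is_a?(Array)
  type = node.first
  if type.is_a?(Symbol)
    counts[:a] += 1 if ASSIGN_NODES.include?(type)
    counts[:b] += 1 if BRANCH_NODES.include?(type)
    counts[:b] += 1 if type == :binary && BOOLEAN_OPS.include?(node[2])
    counts[:c] += 1 if CALL_NODES.include?(type)
    counts[:d] += 1 if DECISION_NODES.include?(type)
  end
  node.each { |child| tally(child, counts) }
  counts
end

# Per-method report: plain ABC magnitude sqrt(A^2+B^2+C^2) and cyclomatic D+1.
def complexity_by_method(src, report = {}, node = Ripper.sexp(src))
  return report unless node.is_a?(Array)
  if node.first == :def
    c = tally(node[3])                     # node[3] is the method body
    c[:abc] = Math.sqrt(c[:a]**2 + c[:b]**2 + c[:c]**2).round(2)
    c[:cyclomatic] = c[:d] + 1
    report[node[1][1]] = c                 # node[1] is [:@ident, name, pos]
  end
  node.each { |child| complexity_by_method(src, report, child) }
  report
end

# Gate in the spirit of the page's pre-commit hook: methods over the limit.
def over_limit(src, abc_limit)
  complexity_by_method(src).select { |_, c| c[:abc] > abc_limit }.keys
end
SAMPLE = <<~RUBY # constructed sample input, not code from the page
  def greet(user, admin)
    name = user.name
    if admin && user.active? then puts("hi " + name) else @logger.warn(name) end
  end
  def each_name(users)
    users.each { |u| yield u.name }
  end
RUBY
```

For `greet` the script counts one assignment, three branches (if, &&, else) and four calls; `each_name` has no conditional but its block raises the cyclomatic count to 2, which is exactly the Ruby-specific rule Saikuro applies.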


References

<references/>