The Tech Platform

Tools for good code



Code quality tools are automated programs that inspect source code and point out the common issues and mistakes that arise from poorly designed programs.


For software developers, it is imperative to follow coding standards and guidelines so that the code stays maintainable and long-lived, and can be easily read and understood by another developer who did not write it.


1) PVS-Studio

Best for: finding not only typos and dead code, but also potential vulnerabilities. A SAST solution that integrates with popular IDEs, CI/CD systems and other platforms. PVS-Studio is a static code analyzer that detects errors in C, C++, C#, and Java code. It works on Windows, Linux, and macOS, can be run as a plugin or from the command line, and works both locally and from the cloud.


Features

  • Supports various analysis types (intermodular, incremental, data flow analysis, taint analysis).

  • Can be used offline.

  • Cross-platform.

  • Provides mechanisms for handling false positives.

  • Helps small or large teams maintain code quality.

Pros

  • Quick and high-quality support from the analyzer developers.

  • 900+ diagnostic rules with detailed descriptions and examples.

  • Supports safety and security standards: OWASP Top 10, MISRA C, MISRA C++, AUTOSAR, CWE.

  • Provides detailed reports and reminders to developers and managers (Blame Notifier).

  • Makes it convenient to work with legacy code through mass suppression of analyzer warnings.

  • Checks open-source projects and supports the Open Source Community.

  • Can be integrated into SonarQube.



2) SonarQube

Best for: tracking divergence from security standards and policies, and ensuring safer code through a good number of checks and validations. SonarQube is used for continuous inspection of code quality and security. It is a commonly used SAST tool that supports 27 languages, integrates with the development workflow, and can be run as part of the code build or as a separate step in the pipeline.


Features

  • Helps in identifying security vulnerabilities in the code and highlights them.

  • Supports on-premise and cloud (paid) setup.

  • Supports integration with many IDEs, as well as security detection for 27+ languages.

  • Used as a SAST (Static Application Security Testing) Tool for the application.

Pros

  • Support for multiple languages.

  • Flexible authentication mechanism.

  • Increased team velocity through reduced code maintenance.

  • Support for IDE plugins like SonarLint for IntelliJ.

Cons

  • Setup can be challenging at times, as the latest version requires/supports Java 11 only.

  • Default rules are restrictive and might need to be changed as required.



3) Crucible

Best for: collaboration across small to midsize teams in the code review process; it integrates with the most commonly used source code control systems. Crucible is an on-premise code review tool that helps development teams review each other’s code, catch defects, enforce coding standards, and adhere to development best practices. Owned by Atlassian, it integrates well with most Atlassian tools like Jira, Bitbucket, etc.


Features

  • Supports workflow-based, quick code reviews.

  • Helps with adherence to processes and code quality standards.

  • Supports real-time notifications like review reminders, etc.

Pros

  • Good integration with Atlassian tools like JIRA and Confluence.

  • Supports Iterative reviews.

  • Supports inline discussions and threaded conversations.

  • Seamless integration with most source code tools like Git, SVN, Perforce, etc.

Cons

  • Polling is slow and inefficient.

  • The tool is not free for commercial use.



4) Codacy

Best for: individual freelance developers to large enterprises. Codacy is a static code analysis tool capable of identifying security issues, code duplication, coding standard violations, etc.


Features

  • Supports 30+ programming languages.

  • Integration with source code tools like GitHub and Bitbucket.

  • Organization and team management.

  • Supports integration with CI systems like Jenkins.

  • Helps track code coverage.

Pros

  • Ease of use.

  • Keeps code quality and security standards in check.

  • Intuitive UI and dashboard.

Cons

  • The Enterprise version is expensive.

  • Support is not prompt at times.

  • The default rule set is only configurable to a certain extent.


5) Upsource

Best for: small to medium-sized teams looking for an integrated review tool. Upsource is a smart code review tool and repository browser that offers static code analysis through a web-based UI and dashboard.


Features

  • Clean and beautiful interface.

  • Streamlined reviews.

  • Ability to perform efficient code reviews through automated workflows.

Pros

  • Integration with tools like CI servers.

  • Supports most source code management tools like GitHub, Bitbucket, SVN, etc.


6) Review Board

Best for: teams looking for a very basic code review tool that is free and can be hosted on-premise. It’s a web-based code review tool from Apache.


Features

  • Review code, documentation, PDFs and graphics.

  • Supports multiple repositories.

  • Automated review and customizable extensions.

  • Can be hosted on-premise.

Pros

  • Simple UI.

  • Integration with multiple source code management tools like Git, GitHub, SVN, and Perforce.

  • Supports Integration with CI servers like Jenkins, CircleCI, and other tools like Slack.

Cons

  • Doesn’t have advanced features like IDE integration, which leaves it behind many other such tools.


7) Phabricator

Best for: freelance software developers or small teams that want to manage projects and code reviews and host repositories as well. It’s an all-in-one tool for project management and code review.


Features

  • It can pull up a lot of contextual information, like tests and comments, for the code file being reviewed.

  • Simple and intuitive UI/dashboard.

  • Lightweight code review tool.

Pros

  • Integration with multiple source code management tools: SVN, Git, Mercurial, etc.

  • Can be used for hosting repositories locally.

  • Easy to use browser-based dashboards.

  • Secure, open-source, and multi-functional.

Cons

  • The tool has not been supported or maintained since June’21.

  • The on-premise setup is complicated.


8) DeepScan

Best for: JavaScript developers wanting static code quality checks and code reviews. DeepScan is an advanced static analysis tool supporting JavaScript-based languages and frameworks like JavaScript, TypeScript, React, and Vue.js. Languages that compile to JavaScript are supported by DeepScan, which helps in maintaining code quality standards and checks.


Features

  • Supports Bug tracking and build automation.

  • Integration with standard CI tools like Jenkins and CircleCI.

  • Supports dataflow analysis.

Pros

  • Support for cutting-edge technology: ES7, ECMAScript, React.

  • Effective rule sets.

  • Plugin integrations for commonly used IDEs like VS Code and Atom.

Cons

  • Language support is limited to JavaScript and JavaScript-based platforms like React, Vue, etc.


9) Gerrit

Best for: teams of all sizes looking for an open-source code review tool. Gerrit Code Review is a web-based review tool built around Git version control. It’s a framework that teams of all sizes can use to review code before it’s merged into the main branch.


Features

  • Clean interface.

  • Supports managing and serving Git Repositories.

  • Supports workflows.

Pros

  • Can be extended through plugins.

  • Free and open-source.

  • Patch sets can be rebased automatically.

  • Integration with Git.

Cons

  • Feature set limited to code review without any project or defect management integration.

  • Doesn’t have built-in integration with popular IDEs.

  • Searching in the web UI is not very efficient.

  • Has to be hosted on-premise.


10) Embold

Best for: teams across multiple domains and of different sizes that are looking for a robust static code checking tool. Embold is a tool for analyzing, diagnosing, and transforming application code efficiently. It finds issues and also suggests solutions for the identified problems.


Features

  • Supports 15+ languages, including Java, C#, HTML, SQL, etc.

  • Good customer support for premium and enterprise versions.

  • Fine-grained ACLs.

  • AI-powered recommendation engine to support decision making.

Pros

  • Clean and easy UI.

  • Detailed static analysis around code quality, design patterns, duplicate code, etc.

  • Support for Reporting and Analytics.

Cons

  • License is expensive and is dependent on the number of lines of code in the repository.

  • Multi-language repositories are not supported.


11) Veracode

Best for: teams looking for a one-stop solution for all application security and code quality needs through different types of analysis. It’s an application security platform that can perform different types of code analysis, such as static and dynamic code analysis, software composition analysis, interactive application security testing, etc.


Features

  • Supports analysis of different types of applications like DLLs, Android packages, iOS packages, Java code, etc.

  • Available as a SaaS model that scales as per requirements.

Pros

  • Detailed and customizable scan reports.

  • Ability to scan mobile apps.

  • Integration with CI/CD pipelines.

Cons

  • Scanning is network-intensive and depends entirely on available bandwidth.

  • Could cover more types of vulnerabilities.

  • IDE integrations are available, but at an extra cost.


12) Reshift

Best for: small to medium-sized teams looking to enhance code security and identify vulnerabilities in code at earlier stages. It’s a SaaS-based tool aimed at Node.js developers for securing code.


Features

  • Supports asset tagging and web scanning.

  • Support for IDE integration, e.g. IntelliJ.

  • Supports integration with source code tools like Git, Bitbucket and GitLab.

  • Integrates with CI/CD tools like Jenkins, TeamCity, etc.

  • Support for differential scans.

Pros

  • One-click auto-fix feature lets users quickly apply fixes for identified vulnerabilities.

  • Developers are 4x more likely to fix issues before code is deployed to production.

  • Lightweight tool with good integrations available.

  • Scans are fast: 9 ms per line of code.

Cons

  • No or limited support for iOS and macOS.

  • Private repos are supported only in paid versions.


13) ESLint

Best for: teams working on JavaScript stacks and looking for a basic linting tool to identify code issues early in the development cycle. ESLint is a pluggable lint tool that identifies syntax errors and code quality issues in JavaScript code.


Features

  • It’s a Node-based package that can be installed as part of any JavaScript codebase.

  • It’s completely pluggable, i.e., all rules come as plugins that can be added or removed as required.

Pros

  • Supports most JavaScript-based frameworks like Angular, React, Vue, etc.

  • Offers presets, along with a lot of possible customization.

Cons

  • Supports only JavaScript.

  • Since it’s a free tool/package, only community support is available.
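As an added illustration of ESLint's pluggable rule model (not code from the original page or from the ESLint project): a hypothetical custom rule that reports assignments to innerHTML/outerHTML, a common DOM XSS sink, bundled as a plugin next to core ESLint rules in a flat config. The plugin name, the rule name and the runNoInnerHtml harness are assumptions made for this example; only the rule interface (meta/create, context.report) and the core rule names are ESLint's own.

```javascript
// Hypothetical custom ESLint rule: report assignments to innerHTML/outerHTML.
// Uses the standard ESLint rule shape (meta/create, context.report) and
// ESTree node types; computed members such as el["innerHTML"] are not covered.
const noInnerHtml = {
  meta: { type: "problem", docs: { description: "disallow innerHTML/outerHTML" }, schema: [] },
  create(context) {
    return {
      AssignmentExpression(node) {
        const left = node.left;
        if (
          left.type === "MemberExpression" && !left.computed &&
          left.property.type === "Identifier" &&
          (left.property.name === "innerHTML" || left.property.name === "outerHTML")
        ) {
          context.report({
            node,
            message: `Do not assign to ${left.property.name}; use textContent or a sanitizer.`,
          });
        }
      },
    };
  },
};
// Plugin object in the shape ESLint expects; a real plugin module would export it.
const localSecurityPlugin = { rules: { "no-inner-html": noInnerHtml } };

// Flat config (eslint.config.js style): core rules that flag dynamic code
// execution, plus the custom rule registered under the "local" namespace.
const eslintConfig = [
  {
    files: ["**/*.js"],
    plugins: { local: localSecurityPlugin },
    rules: {
      "no-eval": "error",
      "no-implied-eval": "error",
      "no-new-func": "error",
      "no-script-url": "error",
      "local/no-inner-html": "error",
    },
  },
];

// Stand-alone harness (not ESLint): feed ESTree AssignmentExpression nodes to
// the rule with a stub context and return the messages it reports.
function runNoInnerHtml(nodes) {
  const messages = [];
  const handlers = noInnerHtml.create({ report: (r) => messages.push(r.message) });
  for (const node of nodes) handlers.AssignmentExpression(node);
  return messages;
}
```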


14) Codestriker

Best for: small teams looking to implement a basic code review setup. Codestriker is an open-source tool used mostly for code reviews and document reviews.


Features

  • Free and open-source.

  • Comments and decisions are recorded in a database.

  • Supports configurable metrics systems that can help enforce code inspection metrics as a part of the review process.

Pros

  • Lightweight review tool.

Cons

  • Old, and rarely used by newer teams.

  • Lacks support for popular SCM systems like Git and Bitbucket.


15) JSHint

Best for: teams mostly working on JavaScript-based frameworks and looking for a free tool to identify problems with their code at build/compile time. JSHint is a tool that helps detect errors and many other potential problems in JavaScript code.


Features

  • Comes as an npm module that can easily be added to any JS-based project.

  • Rules and warnings can be extended and customized.

Pros

  • Configurable through a config flag or a special config file named .jshintrc.

  • Available as a free Node-based module.

Cons

  • Supports only JavaScript.

  • Limited community support.


16) Klocwork

Best for: enterprise teams looking for a static code analysis solution across different languages. Klocwork supports static code analysis for C, C++, C#, Java and JavaScript. It helps identify software security, quality and reliability issues by enforcing compliance with configured standards.


Features

  • Supports a wide range of checkers with issues segregated appropriately.

  • Supports commands/APIs to automate scans.

  • Integration with widely used CI/CD tools.

  • Supports testing and validation against security standards such as CWE, OWASP, DSS, etc.

Pros

  • Nice reporting and dashboard.

  • Supports integration with IDEs.

  • Checker warnings are easy to understand.

  • A few of the default checkers that come out of the box include divide by zero, array out of bounds, etc.

Cons

  • More languages, like Go, Python, etc., could be supported.

  • Creating custom checkers is not straightforward.




Resource: Softwaretestinghelp.com

