Parasoft’s Development Testing Platform (DTP) performs static analysis either in the IDE or as part of a build or continuous integration.
If DTP is enabled during CI, then “results are round-tripped to the dev in a couple of ways -- email, Web report, direct in IDE as if the analysis were run locally,” Parasoft evangelist Arthur Hicken says. “Our static analysis tools for C/C++, .Net, and Java have about 1,500 rules per platform. The rules have extensive docs with security relevance listed, links to references like common weakness enumeration (CWE), user-controllable severity, parameters, and more.”
Parasoft also offers a tool for creating custom rules called RuleWizard.
Parasoft’s Process Intelligence Engine (PIE) is targeted at defect prevention and exposure. PIE finds defects by correlating observations across the software development lifecycle. With PIE, stricter static analysis rules can be put in place when security vulnerabilities are found during testing. Application risks can be found that dashboards overlook, according to the company.
Information from DTP can be exported to IDEs, including Visual Studio, Eclipse, and IntelliJ Idea.
Parasoft’s view of static analysis has changed over the years.
“We’ve found that [static analysis] can really overwhelm people for a variety of reasons -- things like false positives, legacy code, inappropriate rules, running too late in the process,” Hicken says. “To address these issues we’ve built a DTP around our static analysis.” Doing so has enabled better prioritization and tracking of findings, according to Hicken.