Test Coverage and Static Code Analysis in CI-CD of Root

Bibliographic Details
Main author: Javed, Aniq
Language: eng
Published: 2023
Subjects:
Online access: http://cds.cern.ch/record/2871983
Description
Summary: The predominant challenge observed in extensive, long-lived code bases is the increasing difficulty of detecting software defects and security vulnerabilities over time, due to their intricate architectural structures and inter-dependencies across multiple programming languages. Consequently, such complexity renders the software susceptible to malicious activities. To mitigate these risks, preemptive identification of these defects can be accomplished through various methodologies, including code reviews, static code analysis tools, automated testing frameworks, vulnerability scanning, and penetration testing. One notable piece of software exemplifying the characteristics described herein is ROOT, which has been in operation for 25+ years. It binds together more than 3 programming languages, namely C, C++, and Python, and is used across the world by several thousand people in the field of high-energy physics. With a substantial code base of over 500k lines written over the course of 2 decades, ROOT provides a perfect use case for this analysis. By analyzing the test coverage of ROOT, we were able to obtain critical information regarding the presence of code lines that have never been executed, essentially representing untested and potentially vulnerable areas within the code base. Our coverage analysis revealed that approximately 70% of ROOT's code base had never been touched by test cases, leaving a substantial portion of the software unchecked and exposed to lurking issues. Delving deeper into our analysis, we employed static code analysis tools to scrutinize the intricate web of dependencies and potential code smells hidden within ROOT. Astonishingly, these tools claimed to find over 300 instances of violations of best practices and more than 500 security vulnerabilities. These potential vulnerabilities ranged from memory leaks to data corruption issues, each posing a significant threat to the stability and reliability of ROOT if deemed correct.