Product development is a delicate balancing act of delivering new features and investing in architecture and technology, all while trying to focus on building the right product.
Have you ever experienced one of these scenarios?
- It takes longer and longer to implement new features
- Confidence that the product will perform as expected decreases
- Onboarding new developers seems to take more and more time
These can be signs that a project could benefit from more of a focus on code quality.
What is code quality?
Code quality is the set of requirements that are common to all software projects. Properties like readability, maintainability, modularity, performance, and security are all important aspects of software, whether in a social media app or financial clearing house software.
Automatable code quality
Many factors play into code quality: architecture, API design, coding style, library choice, and following coding best practices are just a few examples. While some of these, like architecture and design, require human insight, others can be automated using code analysis tooling. Code analysis tooling is a good way to enforce uniform standards, fits naturally into the development process, and is an easy first step down the road of prioritizing quality.
Here are five of the code quality factors that can be checked automatically:
Readability
In development, it is estimated that "the ratio of time spent reading versus writing is well over 10 to 1," according to Robert C. Martin in Clean Code: A Handbook of Agile Software Craftsmanship. This makes readability of code a critical aspect of development productivity. Some aspects of readability, like variable naming, are very situational and even subjective. But others can be automated. Here are some examples of easy-to-automate checks that enhance readability and code quality:
- Adhere to a consistent coding style
Performance
While profiling and stress testing a system are required to fully understand application performance, there are performance anti-patterns that can be detected using static code analysis. Examples:
- Checking for code that can be moved outside loops
- Looking for concurrency problems that may leave certain threads stuck
- Avoiding unnecessary map lookups
Reliability
For system-scale reliability tests, site reliability engineering has emerged as a useful practice. However, many reliability issues within individual components can be detected with static code analysis techniques. Some examples:
- Data race conditions in multi-threaded code can cause many unexpected behaviors
- Null pointer exceptions can cause crashes and in some cases lead to denial of service vulnerabilities
- Improper or incomplete exception handling can result in unexpected behavior in edge cases
Security
Red teaming and bug bounty programs can help improve code quality and find vulnerabilities in deployed systems, but security starts with the code, and automated static scanning can detect many types of security weaknesses, including the following:
- Weak cryptography
- Insecure framework configurations
- Hard-coded passwords, keys, and other security tokens
- API keys and more
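To make the kind of check described above concrete, here is a small added example (not code from the article or from any of the tools it names) of a line-oriented scanner that flags two of the weakness classes listed: hard-coded secrets and weak cryptographic algorithm choices in Java source. The Java snippet it scans is constructed for the example; real scanners such as FindSecBugs work on compiled bytecode and data flow rather than regular expressions, so treat this as an illustration of the rule idea, not a substitute.

```python
import re

# Constructed Java sample for the example (not from the article): four lines
# that should be flagged and two that should pass.
SAMPLE_JAVA = """\
String dbPassword = "hunter2";
String apiKey = "AKIA-EXAMPLE-KEY-0001";
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
String password = System.getenv("DB_PASSWORD");
"""

# Each rule is (rule id, compiled pattern). The patterns are intentionally
# simple; they look for a secret-like identifier assigned a string literal,
# and for weak cipher or digest names passed to the JCA factory methods.
RULES = [
    ("hardcoded-secret", re.compile(
        r'(?i)\w*(password|passwd|secret|api_?key|token)\w*\s*=\s*"[^"]+"')),
    ("weak-cipher", re.compile(
        r'Cipher\.getInstance\("(DES|RC4|Blowfish|[^"]*/ECB)')),
    ("weak-hash", re.compile(
        r'MessageDigest\.getInstance\("(MD5|SHA-?1)"')),
]


def scan(source: str):
    """Return (line number, rule id, stripped line) for every rule hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule_id, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule_id, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, text in scan(SAMPLE_JAVA):
        print(f"line {lineno}: [{rule_id}] {text}")
```

Reading a secret from the environment (the last sample line) is not flagged, which is the pattern a scanner should steer developers toward.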
Dependency management
On average, open source dependencies developed by third parties make up 90% of a software application, forming part of its software supply chain. This means most of the performance, reliability, security, and other quality attributes of your application are inherited from these third-party dependencies. Because of this, it's critical to carefully consider which libraries you use, to monitor your application's dependencies for security issues, and to ensure their code quality is up to par.
Software composition analysis (SCA) is the general term for technology that can extract a full list of dependencies – a software bill of materials (SBOM) – and check to see if there are known issues with any of these components. SCA tooling can help detect:
- Security vulnerabilities, such as the recent Log4j issue
- Attacks on open source that exploit popular repositories
- Backdoors injected by malicious committers
Get started with code analysis tools
Code quality analysis tools include Infer, ErrorProne, and FindSecBugs – all open source tools that can scan Java code for the issue types mentioned above. These can be incorporated into build systems, IDEs, or CI pipelines to provide automated protection.
Written by Stephen Magill
Stephen Magill is Vice President of Product Innovation at Sonatype. He's the former CEO of MuseDev, a software company acquired by Sonatype, and is dedicated to helping developers write their best code through code quality automation. Stephen is a world-recognized expert on program analysis and was previously a principal scientist at Galois. Among his other accomplishments, he earned his Ph.D. and M.S. in CS from Carnegie Mellon and serves on the University of Tulsa Industry Advisory Board.