Rationale
The sophistication of the analysis performed by tools varies from those that only consider the behavior of individual statements and declarations, to those that include the complete source code of a program in their analysis. Uses of the information obtained from the analysis vary from highlighting possible coding errors (e.g., the lint tool) to formal methods that mathematically prove properties about a given program (e.g., its behavior matches that of its specification).
Software metrics and reverse engineering can be described as forms of static analysis. Deriving software metrics and static analysis are increasingly deployed together, especially in creation of embedded systems, by defining so called software quality objectives.
A growing commercial use of static analysis is in the verification of properties of software used in safety-critical computer systems and locating potentially vulnerable code. For example the following industries have identified the use of static code analysis as a means of improving the quality of increasingly sophisticated and complex software:
- Medical software: The U.S. Food and Drug Administration (FDA) has identified the use of static analysis for medical devices.
- Nuclear software: In the UK the Health and Safety Executive recommends the use of static analysis on Reactor Protection Systems.
A recent study by VDC Research reports that 28.7% of the embedded software engineers surveyed currently use static analysis tools and 39.7% expect to use them within 2 years.
In application security industry the name Static Application Security Testing (SAST) is also used.
Read more about this topic: Static Program Analysis