Peer code reviews have been proven to be a cost-effective software defect detection technique. This is because defects are detected early in the stage of a project when it is less expensive to fix them. We think code reviews can be even more powerful when they are assisted by tools — i.e. by static code analysis tools. Meanwhile, these tools are very good in finding common defect patterns which reduces the effort code reviewers have by allowing them to focus on the verification of the application logic instead of hunting trivial coding bugs.
While these tools are very useful on their own, we think that integrating them in the pull request process of Atlassian Stash has various advantages over the common integrations in build tools like Bamboo/Jenkins or locally in the developers IDE:
- Enforcement of quality rules is possible in Stash where we can disallow merging of a pull request if configurable quality thresholds (e.g., a maximum increase in technical debt) are exceeded in the branch a developer wants to merge in.
- Issues found by static code analysis tools are sometimes false positives or just wrong in the given context. By allowing code reviewers to discuss and judge found issues with Stash’s pull request comments, the wrong application of suggested fixes of these tools can be prevented.
- Showing code issues only in the changed and new code lines of a pull request allows the code reviewers to stay focused on changed and new code and not being overwhelmed by potentially thousands of issues found in a code base.
- Coding rules and quality guidelines can be easier shared when applied in a central system.
- Issues found can be better tracked and conveniently assigned to developers in a central integrated system like Stash where we can create a Stash task or a JIRA issue automatically.
In the next couple of weeks, we will go into details of how we want to achieve a deeper integration of static code analysis tools into the Atlassian product suite. Stay tuned!