certitudo – Source code Analysis

Source code Analysis

What can source code analyses offer?

Source code analyses collect quality relevant parameters of the source code. Also, code inspections and walkthroughs point out deviations within source code early on and replace non-executable dynamic test cases (or those which can only be executed with considerable effort).


Coding Guidelines

Using coding guidelines enforces uniform programming. For example, there are coding guidelines for the development in programming language C for secure systems such as the SEI CERT Coding Standards. Within the automotive industry standards AUTOSAR and MISRA are a requirement. To check the guidelines tools of the Lint family are used, to name an example. Open source tools (e.g. VisualCodeGrepper, splint) as well as commercial tools (e.g. Polyspace, CodeSonar) are available on the market.

As a first step during the source code analysis, certitudo GmbH with its vast experience will check for the adherence of your software to the coding guidelines.



“A software quality metric is a function which shows a software unit as a numeric value which can be interpreted as a degree of performance of a quality characteristic of the software unit.“ – IEEE Standard 1061, 1998

Metrics provide measured values for certain characteristics of the software. They can be divided into complexity and architecture.

Our experiences employees will apply complexity metrices such as the cyclomatic complexity according to McCabe or the Halstead metric to analyse the programming. These metricens consider individual functions or methods. A high value is an indication of a very high complex functions, which can be difficult to understand and to test. Furthermore, special further measures could be required for quality assurance (e.g. walkthrough). It also possible to estimate the cost and effort for testing using complexity values.

certitudo employees use architecture metrices to consider the entire software of a product, not just individual functions or methods. Measured values for modularity, cohesion and interfacing, amongst others, are determined during this process. The results are used to critically assess the software architecture. This way we establish which parts of the software should be restructured to simplify the software. By simplifying the software it will be easier to understand, maintain, expand and test it.



During a walkthrough source code is being read. Generally the developer and a reviewer would participate in the walkthrough. All code lines are gone through individually and respective review comments are being drawn up. The comments can relate to an incorrect or too complex implementation, as well formal deviations, such as missing code comments. Following the walkthrough the deviations are being addressed and the source code is resubmitted for review. Our employees use this process especially for complex or critical functions, which are important for the correct operation of the product.


Reference Project

An equipment manufacturer’s source code was completely analysed using reviews. The code consisted of approximately 43000 lines. The application starts several threads which had increased the complexity further.

certitudo GmbH detected 455 deviances using the tool VisualCodeGrepper 455 and evaluated them individually. In a second step the implementation of the threads was investigated for competing variables access. To this end the call tree and the use of global variables was evaluated for each thread using the development environment Eclipse. This evaluation enabled the allocation of the use of mutexes to the individually selected functions of the threads. Using code inspections it was checked in how far the access to the variables which needed to be protected was packaged correctly by mutexes. It was also checked that the variables which needed to be protected were always protected by the same mutex.

Using the PMD/CPD tool (Copy/Paste Detector) certitudo GmbH then investigated the source code for copied code lines. Copied code lines pose a risk for maintenance, if the code is modified in one place but not another. There were 84 positions with an identical code.

Within 3 weeks certitudo GmbH had provided the customer with many leads for their software development. The product was reworked and is now in use across the world.