A New Way of Implementing Shift-left

Mon, 05/16/2022 - 15:50

Shift-left is not a new idea.  In an article dated September 1st 2001 appeared on the Dr. Dobb's Journal, Larry Smith wrote

"Shift-left testing is how I refer to a better way of integrating the quality assurance (QA) and development parts of a software project.  By linking these two functions at lower levels of management, you can expand your testing program while reducing manpower and equipment needs — sometimes by as much as an order of magnitude."

Nowadays, the notion of "testing" has to be interpreted in a broad sense, including all sorts of static and dynamic analysis techniques. SAST (Static Application Security Testing) is a frequently used acronym, which could stand for Static Application Safety Testing equally well. The general idea is that software issues are better discovered earlier rather than later.  To quote Larry Smith again

"Bugs are cheap when caught young."

Let us consider the MISRA C/C++ coding standards: the most authoritative sets of guidelines for the development of safe and secure systems in C/C++. Everybody knows that the highest payoff from the adoption of the guidelines is achieved when they are adopted at the very beginning of a project and systematically enforced, as development progresses, with the help of a high-quality tool. This can be done in a cost-effective way thanks to the use of Continuous Integration (CI) systems, such as Jenkins, GitLab CI and Bamboo. With the help of these systems, whenever a change is committed into the source code repository, static analysis is triggered, and developers will have access to the analysis results via the web.

 

Variations of this idea allow implementing quality gates on the submitted patches.  Here is a common use-case:

  • the project selects a subset of the MISRA guidelines for which no change to the codebase should increase the number of existing violations;
  • developers commit to a "triage area" and this triggers execution of the static analysis tool;
  • if the number of violations for the selected set does not increase, then the change is automatically merged into the development branch, otherwise an email alert is sent to the developer who has submitted the change.

 

BUGSENG is at the forefront of this new way of implementing the not-so-new concept of shift left.  You can see the last version of ECLAIR running in CI, on a number of open-source projects by accessing eclairit.com,  BUGSENG's online public platform (no registration is required).

 

Explore eclairit.com

 

Born under Jenkins, eclairit is now available for GitLab too,  thanks to a collaboration with BUGSENG engineering partner Bluewind.  Bluewind is known to provide innovative product design solutions in the fields of Electronics, Energy Efficiency, and Connected Devices. Within its partnership with BUGSENG, the team at Bluewind usually works along with the customer team to integrate and deploy ECLAIR suite to obtain high reliability code in all mission critical and safety related projects. 

 

TrustedFirmware.org chooses ECLAIR to enhance its Open CI

ECLAIR has recently been chosen as the solution for static analysis in Continuous Integration systems of Trusted Firmware. TrustedFirmware.org is an open source project providing a reference implementation of secure software for processors implementing both the A-Profile and M-Profile Arm® architecture. Among its members are many notable companies such as Arm, Google, ST Microelectronics, Cypress, Linaro, NXP, and Renesas

 

How TF is using ECLAIR to reinforce safety

 

Meet us at Embedded World 2022

BUGSENG is delighted to  attend Embedded World 2022  in Nuremberg next week, finally live again! This year, we are presenting "A Rationale-Based Classification of MISRA C Guidelines," on June 21, 4.30pm CEST, Session 6.3 - Systems and Software Engineering.

We will introduce a new classification of MISRA C guidelines associating each one of them with their main rationale. This is especially advantageous for projects needing to prioritize their MISRA compliance work as well those not (yet) having MISRA compliance among their requirements.

You can view the full conference program here and register.

Embedded World is also an excellent occasion to meet and weave new opportunities. Let's not miss the chance for a proper face to face chat!

 

Let's set up a meeting

 

Don't forget to join our LinkedIn community to keep up to date with all our news.

 

 
We are a passionate team of experts. Do not hesitate to let us have your feedback:
You may be surprised to discover just how much your suggestions matter to us.