Reputation: 1144
When people talk about static analysis, they usually talk about quality metrics and programming conventions. And it seems that code auditing is something apart, since what it finds are bugs and security breaches. When, in theory, both are static analysis (code audits are made without executing the program, aren't they? With tools like Findbugs, Coverity, etc.).
So, is code auditing static analysis also?
Upvotes: 2
Views: 110
Reputation: 1
Code audits are done by humans mostly (with some little help from tools), like any other kind of audit (e.g. financial audits). Code review is generally done inside the development team, but a code audit is often done by outside persons.
Static source code analysis is done by software code analysis tools, and using them is very complex in practice (so in fact the analyzing software tool needs help or expertise from its user and/or will give false positives).
The halting problem is a fundamental limitation of source code analysis: no tool can exist to statically detect every infinitely looping program (and only them).
You might consider, for analysis of C or C++ code, customizing your GCC compiler with MELT. Or using Frama-C, probably by adding ACSL annotations into your source code (with enough annotations, and on some limited classes of C programs, mostly for embedded applications, the tool would be able to prove that your code behaves well w.r.t. specifications).
But there is no silver bullet. Programming is hard (even with tools).
Upvotes: 1
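As an added illustration of the ACSL approach the answer mentions (this is example code, not from the original post or from the Frama-C project): a bounded buffer copy carrying a Frama-C/ACSL contract. The annotations are C comments, so the file compiles and runs as ordinary C; the function and buffer names are the example's own.

```c
#include <stddef.h>

/* Contract for Frama-C WP: the caller must supply valid, non-overlapping
 * buffers of the stated lengths; in return, no byte outside
 * dst[0 .. min(dst_len, src_len) - 1] is written and the copied prefix
 * matches src. A missing or weaker precondition makes the proof fail,
 * which is how the tool exposes the classic out-of-bounds write. */
/*@ requires dst_len >= 0 && src_len >= 0;
  @ requires \valid(dst + (0 .. dst_len - 1));
  @ requires \valid_read(src + (0 .. src_len - 1));
  @ requires \separated(dst + (0 .. dst_len - 1), src + (0 .. src_len - 1));
  @ assigns dst[0 .. \min(dst_len, src_len) - 1];
  @ ensures \result == \min(dst_len, src_len);
  @ ensures \forall integer k; 0 <= k < \result ==> dst[k] == src[k];
  @*/
int bounded_copy(unsigned char *dst, int dst_len,
                 const unsigned char *src, int src_len)
{
    int n = dst_len < src_len ? dst_len : src_len;
    /* Loop annotations give WP the induction hypothesis and the
     * termination measure (loop variant) it needs. */
    /*@ loop invariant 0 <= i <= n;
      @ loop invariant \forall integer k; 0 <= k < i ==> dst[k] == src[k];
      @ loop assigns i, dst[0 .. n - 1];
      @ loop variant n - i;
      @*/
    for (int i = 0; i < n; i++)
        dst[i] = src[i];
    return n;
}

/* Constructed sample: an 8-byte source into a destination declared as
 * 4 bytes long (the real buffer is 6 so the guard bytes can be checked).
 * Returns the copied count (4) only if the guard bytes survived and the
 * prefix matches; returns -1 otherwise. */
int demo_truncated_copy(void)
{
    unsigned char dst[6] = {0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA};
    const unsigned char src[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    int n = bounded_copy(dst, 4, src, 8);
    if (dst[4] != 0xAA || dst[5] != 0xAA)
        return -1;                 /* write past the declared length */
    for (int i = 0; i < n; i++)
        if (dst[i] != src[i])
            return -1;             /* copied prefix is wrong */
    return n;
}
```

To check the contract rather than just run the code, feed the file to the WP plugin with `frama-c -wp bounded_copy.c` (assumed file name); a compiler ignores the annotations entirely.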