7 Metrics to Evaluate your code quality using static analysis
Bahaa Noah • February 19, 2023
Have you ever wondered how to measure the quality of your code using meaningful metrics? One of the popular measures used across teams is "Code Coverage", It's a great measure that provides a lot of insights, but it's not enough, especially when multiple teams or even many developers are working on the same code base, which is a very common situation when working on a monolithic application. In this post, I will share with you 7 useful metrics that you can use to get a pulse on the quality of your code, as well as a quick demonstration with SonarQube on how to generate these metrics.
Writing, debugging, and maintaining code is a complicated process in and of itself, and it can become even more complicated as the project scope expands and changes over time. High code complexity comes at a high cost in terms of severe bugs and defects.
Many factors can contribute to code complexity and make it difficult to maintain, such as the number of nested conditions within the code, such as
while, and so on. If you want to learn more about complexity, read more about it here.
I found this article useful about explaining code complexity as well, a-simple-understanding-of-code-complexity.
Code coverage is a metric shows the percentage of code executed during testing. It aims to help you understand how much of your code is being tested. It's an important metric that can help you assess the quality of your code, deliver features with confidence that you didn't break anything that used to work, and write a testable, decoupled code.
I could go on and on about the advantages of writing tests for the rest of this post. If you haven't tested your code yet, you should start now. It may take a little longer to develop a feature, but it will definitely save you time later when you're adding new features or updating existing ones.
The question now is how much of my code should be covered by test cases. It's debatable whether you should test 100% or not; I believe if you can do so, you should because it gives you peace of mind later on, though it's difficult to maintain 100% at all times. If you can't reach 100% at least test the parts of your code if they fail your application will breakdown and might lead to losing customers.
Bug density is the number of known bugs per number of lines of code. It's another metric that can help you improve the quality of your software. Most of the teams are using thousand lines of code as benchmark in the previous definition.
Defects can be detected before releasing on productions in many ways, mostly with writing tests for your code, effective code reviews or manual/automated QA. Even though some defects can escape to production, using static analysis tools can help you avoid these defects reaching your end user.
Duplication usually occurs when multiple developers are working on different parts of the same application at the same time. Since they’re working on different tasks, they may be unaware their colleague has already written similar code that could be repurposed for their own needs.
There’s also more subtle duplication, when specific parts of code look different but actually perform the same job. This kind of duplication can be hard to find and fix.
Again, static analysis can help you detecting the first type of duplication and give you some insights to fix it and improve your code quality and make it less smelly.
The ease of modification and maintainability of code is measured by code maintainability. It can be measured by how long it takes to make a change and the risk that the change will break something.
In other words, it refers to the Technical Debt in your application. The less there is, the better. Static analytics will provide you with details about the Code Smells in your application as well as the amount of Debt.
Compliance with coding standards is one measure that contributes vastly to the quality of your code.
We all write code in our own unique way. Working in a team and having different developers contribute to the same codebase without some predefined coding standards in place will result in a chaotic mess and poor quality code. For instance, using camel case vs. snake case with variables and classes, using spaces vs. tabs, formatting, and so on. Every programming language has its own standards, which you should enforce within your team to improve quality and make the code look consistent regardless of who wrote it.
Detecting security risks in code is an important metric to keep an eye on. It could be secrets/passwords that are hard coded in your code or a third-party package that has a vulnerability and must be updated to get the latest security patch fixed. Static code analysis tools can easily detect such issues; guardrails is a popular tool that specialises in this, I highly recommend integrate it with Github or any other version control repository you are using to run with every new code pushed.
One of the market leading tools that helps with measuring code quality when it comes to static analysis is SonarQube, I will show you a quick demo of what it can do for you.
There are many ways to install SonarQube and get it up and running, I will be using brew and docker in this demo, I will leave the installation reference here and find out what works for you.
Make sure Docker is installed and running and no services are running on port
From your terminal run:
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
You should now have SonarQube server up and running on port
In your browser open
http://localhost:9000/ and you should see a login page.
Enter the default username and password
- username: admin
- password: admin
set a new password and you should land on create your project page.
On create your project page I choose manual setup for the purpose of the demo but feel free to choose any other available option.
Fill the project details and go to the next page.
On how do you want to analyze your repository, choose locally.
Generate a token for your project.
you will be asked what option best describes your build? in my case I will choose PHP and MacOs.
You should be provided with code to run in your project to get the code analysis.
Before you do make sure sonarScanner is installed on your machine, find all installation options here SonarScanner Installation
If you're using MacOs run:
brew install sonar-scanner
Once installed navigate to your project dir and run the following command:
you should get an EXECUTION SUCCESS message if everything runs successfully.
Navigate to the browser again and you should be able to view the metrics for your project similar to the images below
There is much more than that there, have a look and see all of the useful insights it gives you to improve your code quality.
I would highly recommend including such analysis in your CD/CD pipelines if not all but at least code coverage and security vulnerabilities scanning, it will help you to maintain your code quality within your team.
These metrics provide insight into the code quality, helping to identify areas of improvement, enforce coding standards, and minimize the risk of bugs or security vulnerabilities.
That was one way to improve your code quality, but it is not the only way. According to a Smart Bear 2020 Code Review survey, the number one way a company can improve code quality is through Code Review.
And I would finish with a quote from Peter Drucker
If you can't measure it, you can't improve it.
Which is true most of the time.
Thank you for taking the time to read this; I hope you found it useful. Please contact me if you require additional assistance or have any suggestions.