Introduction of Static Quality Analysis in Small and Medium-Sized Software Enterprises: Experiences from Technology Transfer

TL;DR

This study demonstrates that implementing static analysis in small and medium-sized software enterprises is feasible, cost-effective, and beneficial for defect detection, complementing existing quality assurance practices.

Contribution

The paper provides empirical evidence on the practical application, benefits, and challenges of static analysis techniques in SMEs, supported by a case study and quality modeling.

Findings

Effort to implement static analysis is minimal (mostly under one person-hour).

Static analysis detected multiple defects in production code.

SMEs found static analysis results helpful and plan to integrate them into their QA processes.

Abstract

Today, small and medium-sized enterprises (SMEs) in the software industry face major challenges. Their resource constraints require high efficiency in development. Furthermore, quality assurance (QA) measures need to be taken to mitigate the risk of additional, expensive effort for bug fixes or compensations. Automated static analysis (ASA) can reduce this risk because it promises low application effort. SMEs seem to take little advantage of this opportunity. Instead, they still mainly rely on the dynamic analysis approach of software testing. In this article, we report on our experiences from a technology transfer project. Our aim was to evaluate the results static analysis can provide for SMEs as well as the problems that occur when introducing and using static analysis in SMEs. We analysed five software projects from five collaborating SMEs using three different ASA techniques: code clone detection, bug pattern detection and architecture conformance analysis. Following the analysis, we applied a quality model to aggregate and evaluate the results. Our study shows that the effort required to introduce ASA techniques in SMEs is small (mostly below one person-hour each). Furthermore, we encountered only few technical problems. By means of the analyses, we could detect multiple defects in production code. The participating companies perceived the analysis results to be a helpful addition to their current QA and will include the analyses in their QA process. With the help of the Quamoco quality model, we could efficiently aggregate and rate static analysis results. However, we also encountered a partial mismatch with the opinions of the SMEs. We conclude, that ASA and quality models can be a valuable and affordable addition to the QA process of SMEs.