
Tool for incremental static analysis of code?

Are there any free tools which allow incremental static analysis of code (for SVN and preferably Git)? Currently we are using Sonar (2.12 I think?) but the problem is the time it needs to analyse all the code in our project, which is 40-60 minutes. And we need to multiply it, since we have several branches working on different subprojects.

That is why I am looking for a tool that could analyse the code from only the latest commit (which, to my knowledge, Sonar does not support) or only the code that has been modified in the last X hours/days/whatever.

I have found the Cutoff Plugin for Sonar, which supposedly does what I want (checks only the code from the files that have been modified after a certain date), but:

  1. I still need to check if it works
  2. I need to check if it supports dynamic date changes (so it would only take into consideration the code from, i.e., the last day, and I would not have to change the exclude date manually every day).
  3. it doesn't seem to be well supported (last change in 2010 and it is still version 0.1)

It would be perfect if it only checked the code from the last commit, but I haven't seen that anywhere.

Also, as a side question: is running the analysis after every commit (i.e. using the Hudson Sonar plugin) a good thing or should it be avoided? At my last team we had Sonar run like that and we'd get an instant email if we "broke it" (added a major/critical to the code). This was very convenient as we knew who was at fault (based on the info from the commit). Or should we instead analyse it less frequently (let's say once a week)? In that case I would have to check if Sonar would be able to say who committed the problematic code.

There are very few, especially since many tools/rules rely on walking the possible stacks to limit the number of false positives. So a change in one assembly would require re-evaluation of the calling assemblies as well; it's not as simple as it looks from the outside.

To speed up the static analysis consider investing in a memory disk or an SSD to store the sources and binaries. Use a multi-core machine, have plenty of memory and run the x64 version of these tools whenever possible. Many of these tools are first I/O and then CPU limited. Most improvements can be found by reducing the latency and throughput of the system and the amount of swapping required (by having enough memory) to further reduce I/O.

You can also use a buddy build/validate shelve set build on a build server to offload the build time to a different machine which can be shared among developers.

I realize I'm late to the party, but there is another tool that might be relevant for you: Teamscale

Teamscale connects to your repository (e.g. Git or SVN) and analyzes your code incrementally, right after each commit. With that, you get feedback about new/fixed code problems almost immediately after your commit. You can also see the full history of your code, blacklist false positives, and much more. (Full disclosure: I'm a Teamscale developer.)

There are also static analysis tools such as:

  1. PMD
  2. Checkstyle
  3. FindBugs

There is a high chance that you will find them a useful alternative to Sonar.

You didn't mention whether you use a Continuous Integration tool or not. You will probably need it up and running in order to run inspections using any of these tools.
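The question asks for analysis of only the last commit or only the files touched in the last X hours, and the last answer lists PMD, Checkstyle and FindBugs, all of which can be pointed at an explicit file list. The wrapper below is an added example, not code from the thread or from any of those projects: it asks git for the changed paths, drops deleted files and non-source files, and hands the rest to an analyzer. The analyzer command line (`checkstyle.jar`, `checks.xml`) is an assumed placeholder for any tool that accepts source files as trailing arguments, which Checkstyle's CLI does; the sample git output is constructed. The caveat from the first answer still applies: scoping the run to changed files skips re-checking callers in other files, so a full run is still needed periodically.

```python
"""Incremental static-analysis wrapper (added example, not the thread's code).

Runs an analyzer on the files changed in HEAD only, or in every commit of the
last N hours, and names the last committer when the analyzer fails."""
import subprocess
import sys
from datetime import datetime, timedelta

# Hypothetical analyzer invocation: any tool that takes source files as
# trailing arguments (Checkstyle's CLI does). Replace jar and config paths.
ANALYZER = ["java", "-jar", "checkstyle.jar", "-c", "checks.xml"]
SOURCE_EXTS = (".java",)

# Constructed sample of `git log --name-only --pretty=format:` output:
# blank lines separate commits, and a path may appear under several commits.
SAMPLE_GIT_LOG = "\nsrc/Foo.java\nREADME.md\n\nsrc/Bar.java\nsrc/Foo.java\n"


def git_changed_files_cmd(since_hours=None):
    """argv that lists paths changed in HEAD alone, or in all commits within
    the last `since_hours` hours. --diff-filter=d (lowercase) excludes deleted
    paths so the analyzer is never handed a file that no longer exists."""
    if since_hours is None:
        return ["git", "diff", "--name-only", "--diff-filter=d", "HEAD~1", "HEAD"]
    since = datetime.now() - timedelta(hours=since_hours)
    return ["git", "log", "--since=" + since.strftime("%Y-%m-%d %H:%M:%S"),
            "--name-only", "--diff-filter=d", "--pretty=format:"]


def parse_name_list(output):
    """One path per line; keep each path once, in first-seen order."""
    seen = []
    for line in output.splitlines():
        path = line.strip()
        if path and path not in seen:
            seen.append(path)
    return seen


def select_sources(paths, exts=SOURCE_EXTS):
    """Keep only files the analyzer understands (Java sources by default)."""
    return [p for p in paths if p.endswith(exts)]


def analyzer_argv(files, analyzer=ANALYZER):
    """Full command line, or None when there is nothing to analyze. Returning
    None matters: many tools fall back to scanning the whole tree when given
    no files, which is exactly the slow run we are trying to avoid."""
    if not files:
        return None
    return list(analyzer) + list(files)


def last_committer_cmd():
    """argv that prints the author of HEAD, for the 'who broke it' email."""
    return ["git", "log", "-1", "--format=%an <%ae>"]


def run(since_hours=None):
    out = subprocess.run(git_changed_files_cmd(since_hours), check=True,
                         capture_output=True, text=True).stdout
    files = select_sources(parse_name_list(out))
    argv = analyzer_argv(files)
    if argv is None:
        print("no source files changed; skipping analysis")
        return 0
    rc = subprocess.run(argv).returncode
    if rc != 0:
        who = subprocess.run(last_committer_cmd(), capture_output=True,
                             text=True).stdout.strip()
        print(f"analyzer failed on {len(files)} changed file(s); "
              f"last commit by {who}", file=sys.stderr)
    return rc


if __name__ == "__main__":
    # `python incremental.py` checks HEAD; `python incremental.py 24` checks
    # everything committed in the last 24 hours.
    hours = int(sys.argv[1]) if len(sys.argv) > 1 else None
    sys.exit(run(hours))
```

Run it from a post-commit hook or a CI job instead of the full Sonar run; `HEAD~1` does not exist on a repository's first commit, so wire the hook in after the initial import.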

粤ICP备18138465号  © 2020-2024 STACKOOM.COM