
Ask HN: Do you use bug finding tools? - remyb
I'm interested in developers' opinions about current bug finding tools and static analysis tools, about their usability and usefulness in everyday software development.

So, do you use static analysis tools or bug finding tools, either yourself as a developer or in your company? If so, do you find them useful? How well are they integrated into your workflow? What kind of information or diagnostics would you like them to give you? If not, have you ever used this kind of tool in the past and what was your main concern?
======
stevekemp
I used to do a lot of security-auditing of C/C++ code. In those days I started
off using RATS, and other automated scanners.

Generally though I found they produced more noise than value, so these days
when I audit code I do it from start to finish, though I'll certainly have a
quick glance at any code that involves:

* fopen
* popen
* getenv
* or bind/accept

I guess that means "no", not really, and despite that I've reported (security)
bugs in applications as diverse as Emacs, Firefox, and GNU Readline.
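
An added example (not the commenter's own tooling): a small triage script that lists call sites of the functions named above in C source, ignoring comments and string literals so that the hit list for a manual audit is short and accurate. The RISKY_CALLS set is an assumption meant to be extended per project, and the sample source is constructed.

```python
import re
from typing import Iterable, List, Tuple

# Calls worth a manual look (the list in the comment above); an assumption, extend per project.
RISKY_CALLS = {"fopen", "popen", "getenv", "bind", "accept"}
# Text the scanner must ignore; newlines inside it are kept so line numbers stay right.
_SKIP_RE = re.compile(
    r"/\*.*?\*/"                 # block comment
    r"|//[^\n]*"                 # line comment
    r'|"(?:\\.|[^"\\\n])*"'      # string literal, escapes allowed
    r"|'(?:\\.|[^'\\\n])*'",     # char literal
    re.DOTALL,
)

def blank_comments_and_strings(src: str) -> str:
    """Replace comments and literals with spaces, preserving newlines."""
    return _SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def find_risky_calls(src: str, names: Iterable[str] = RISKY_CALLS) -> List[Tuple[int, str]]:
    """Return (line, function) for each genuine call of a listed function: a whole
    identifier followed by '(' that is neither the tail of a longer name (my_fopen)
    nor a struct member (h->accept, s.bind)."""
    alts = "|".join(map(re.escape, sorted(names)))
    call_re = re.compile(r"(?<![\w.])(?<!->)(" + alts + r")\s*\(")
    cleaned = blank_comments_and_strings(src)
    return [(cleaned.count("\n", 0, m.start()) + 1, m.group(1))
            for m in call_re.finditer(cleaned)]

# Constructed sample C source, not from any real project.
SAMPLE_C = """\
/* fopen( inside a comment must not be reported */
static const char *usage = "usage: tool <path> -- calls popen( nothing";

int load(const char *path) {
    const char *home = getenv("HOME");
    FILE *fp = fopen(path, "r");
    return my_fopen(fp);             // longer identifier, not flagged
}

int serve(int fd, struct sockaddr *sa, socklen_t len, struct handler *h) {
    if (bind(fd, sa, len) < 0) return -1;
    h->accept(fd);                   // member call, not flagged
    return accept(fd, NULL, NULL);
}
"""

if __name__ == "__main__":
    for line, func in find_risky_calls(SAMPLE_C):
        print(f"line {line}: {func}(")
```

Running it on the sample reports getenv, fopen, bind and accept with their line numbers and nothing from the comment, the string or the member call.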

------
k4ch0w
For third-party libraries I use
[https://github.com/jeremylong/DependencyCheck](https://github.com/jeremylong/DependencyCheck)

------
dronescanfly
SonarQube (for Java)

The bug and fatal errors should cover most low-hanging potential bugs.

Every other type (code smell/code style) should be taken with a grain of salt
and configured in such a way that it suits your team's needs.

SonarQube is executing static analysis on pushes to each branch.

Currently only used as a guide, not as a gate.

During the first few weeks of using it I found it to be obnoxious, until
certain rules were adjusted/removed.

Now I find it to be more on the helpful side of things.

------
slipwalker
SonarQube (executing on CI) + SonarLint (running in the local IDE), mostly
helpful after the ruleset was adjusted.

