The All-Knowing, Benevolent Dictator Of Code
November 6, 2019 Sebastien Julliand
(Sponsored Content) Not every software project can have an all-knowing benevolent dictator looking through every line of code, and even all projects could have such a person to oversee the quality of the code, there is no reason to not automate as much of this very important code review job as is possible.
Luckily for IBM i shops, there is such a tool to help with code review, and in that sense, we suppose, you can install rather than hire that all-knowing benevolent dictator of application code. It’s called, appropriately enough, CodeChecker, and it has been available from ARCAD Software for quite some time.
At most IBM i shops, code review is done manually, as it has been done for decades. You write some application code and your peers give it a look over before that source code is promoted to quality assurance testing and then into production if it passes snuff. The more experienced programmers usually help steer the code being developed by the newer, less experienced programmers, and over time they learn to hew to the programming style and enterprise policies with regard to application source code.
The idea is that companies want to deploy good code, not just code that compiles and runs, and that is why code review has existed in organizations pretty much since there were computers running enterprise applications. But now, a lot of this code review work can be automated, and there is no reason to not bring automation and standardization to bear on the IT organization itself. (Although this is admittedly the last place that automation will come.)
Because CodeChecker is based on the experience that ARCAD and its customers have developed with regard to RPG applications over decades, it includes a library of code practices that can be thought of as best of breed, and then these are augmented by code policies that are specific to individual customers that may have their own ways of doing things – either compelled by history or law. So not only can CodeChecker safeguard the consistency of the application code, it can also detect any violations of security or highlight code that is overly complex for the job that it is doing. When these violations are encountered, CodeChecker can raise a red flag and prevent an application build from happening until they are cleaned up. And in this sense, it is a tool that will train new programmers who to adhere to best practices that are garnered both from the industry at large and at the company in which they are employed.
Perhaps equally importantly, everybody is busy these days and code review is a time-consuming and therefore expensive proposition, and automating aspects of this work is important if organizations are going to actually speed up the development process with continuous integration/continuous development (CI/CD) efforts that were developed in the open source and hyperscale communities and that are being commercialized for the rest of IT organizations as DevOps tools. People can’t be a bigger bottleneck in code review because the pace of code changes, and therefore the rate of review, has to increase. That is not sustainable, and it probably will result in bad code getting into the field in the interest of time. Code review is necessary to make sure good code gets into the field, which makes it easier to maintain, and bad code, which is much harder to understand and therefore maintain, doesn’t get out the dev/test door into production.
Perhaps as important is the idea that new programmers, who are used to open source projects and code repositories like GitHub, GitLab, BitBucket, and so on, expect for there to be some kind of code review process, whether it is automated or not. The reason is that open source projects have contributors from many different programming cultures contributing bits of code to the project. And while IBM i shops that create their own applications have perhaps had more of a monoculture within their organizations – and one that they could maintain with training and time – we are on the verge of a skills shortage as RPG programmers retire, taking their knowledge with them. The programmers who are replacing them do not have the same depth of skill in RPG and at the same time are used to having code reviewed, and fairly fast at that. Automation is the answer. For languages such as Node.js, Java, or PHP, ARCAD recommends that companies use SonarQube or other tools to do automated code review.
This combination of good coding practices and plugging potential security holes before they are left open – another thing that CodeChecker can do – is much more important now than it has been in the past. Companies have moved from monolithic code created in RPG or COBOL to applications with a web services layer that employs the SQL language to query the database in the IBM i system. This transformed their applications from simple greenscreens, but now applications can reach the database from the outside and that means SQL injection vulnerabilities are a real issue that has to be dealt with. Something has to make sure that the SQL that is implemented is secure.
At the moment, CodeChecker is focused mainly on RPG, and specifically can handle anything from old RPG III code that was originally created for a System/38 machine all the way up to applications coded in the latest-greatest RPG Free Form. CodeChecker integrates into the Rational Developer for i integrated development environment, and all you have to do is right click on the source member and you can have CodeChecker rate the code. There is also a way to automate and schedule the code checks in bulk against a code repository, say at 5 a.m. each morning before programmers get into work, so that batch code reviews can be done by the system.
Most companies have implemented on the order of 20 to 30 active rules in their code review practices, and ARCAD CodeChecker provides about 100 rules, which covers a much broader range of best practices. But that is not the end of it. ARCAD knows that there are more best practices when it comes to code and security, and probably many of them specific to industries, and to help build up the library of policies inside of CodeChecker, ARCAD is interested in starting up a community that will allow for policies created to be shared among CodeChecker users. We will let you know how to participate.
On last thing: ARCAD is hosting a webinar at 12 p.m. EST (5 p.m. GMT) on November 14 to talk about CodeChecker and how you can automate RPG code quality. You can sign up for the webinar at this link.