Code review: go automatic! – ARCAD Software

3. Nothing is lost, everything is shared

Knowledge sharing is a crucial and often problematic issue within development teams. At best, good technical practices and coding standards will be recorded in a document management tool and at worst they will be… in the collective unconscious!  It would be unfair to blame a newcomer for not respecting the standards, if they are only used and understood by the most experienced team members.

Here again, the benefits of automation are measurable.  A good source quality checking tool will naturally become the de facto documentary reference as to standards and best practices.  As it is applied, the tool will gain in value as it is continually enriched with more and more rules,

This makes code quality checkers an efficient and reliable way of sharing knowledge within a project and ensuring that standards are applied.  The most efficient technique – and the one that fits best in a DevOps approach – is to integrate the code quality checker right into the development environment, making the checking and enforcement of quality rules continuous.  It also saves the developer the tedious task of flipping back and forth between his editor and some external knowledge source.

4. Meanwhile, on the IBM i

Old pots make the best soup,” comes to mind when talking about the IBM i platform. Initially sidelined by the DevOps scene, IBM’s historic OS is pushing back strongly, thanks to the mobilization of major tool vendors and the Open Source world. Development on the IBM i platform is dominated by the RPG language, on which IBM has invested heavily over the last twenty years, giving it a new lease of life thanks to its RPG Free and especially RPG Fully Free form variants, which bring it right the fore of modern languages. Taking care of the specifics of RPG in an automatic code review requires specialized tools, and this is precisely what ARCAD-CodeChecker, (the source code quality checker from the ARCAD for DevOps range from ARCAD Software) is designed to do. All forms and evolutions of the language are supported by the product, from RPG III to RPG-FullyFree, and even cases of mixed Columnar/Free. As experienced RPG developers are becoming increasingly rare, CodeChecker capitalizes on more than 28 years of experience in this field by providing a hundred or so quality rules applicable not only to RPG, but also to the CL language and very soon to COBOL.

5. What about security?

If there is one subject of utmost importance, especially since the advent of the DevOps movement, it is undoubtedly security within the source code. We are talking here about DevSecOps. In principle, DevSecOps requires that security of an application be a design consideration right from the very beginning – security by design. To take an example, by applying quality control rules based on the OWASP community recommendations, serious security flaws can be avoided, such as SQL injection risks, buffer overflow risks, etc.

Legacy systems are not entirely without their own security issues either. For example, in the case of the IBM i platform where application modernization techniques are common, traditional legacy programs are now routinely exposed as Web services. This creates a new risk that was hitherto unheard of in IBM i applications.  It is therefore critical to detect security flaws in RPG code as early as possible.  This security area is thoroughly covered by ARCAD CodeChecker, which as part of its DevSecOps ruleset, will detect and report on risks of SQL injection in RPG.

6. The final word

In conclusion, the legacy or “heritage” systems such as IBM i have an equal, or arguably even greater need for code review than their distributed counterparts. The growing scarcity of coding skills in languages like RPG has only increased the importance of automated code checking, as new generations of developers step up to maintain these core mission critical applications with little prior knowledge of the rather specific languages that comprise them.

Their specific technology has meant that legacy systems have in the past been left somewhat aside in the enterprise CI/CD chain, deploying at a different frequency and using a very different set of tools. However the situation is changing fast, thanks to a number of modern tools that have been integrated into the platform by default.  Key examples include Git, which has already taken a firm foothold on IBM i and z/OS, and Ansible, just starting to make headway in the legacy world.

The automated code quality checkers are also gaining ground.  Take for example SonarQube, which offers partial support for the RPG language.  As mentioned above, if it is full support of all RPG variants that you need, then ARCAD CodeChecker alone delivers the exhaustive IBM i coverage required to future-proof your application, whatever the mix of languages it may contain.

Source code quality checking is now a mainstream function that fits naturally within the continuous integration (CI) phase of the DevOps cycle. With the ARCAD for DevOps range of solutions, and ARCAD CodeChecker in particular, you can automate a continuous quality process on IBM i to “shift defects left” and eliminate any risk of security vulnerabilities as you modernize.

Verified by MonsterInsights