Review Tool

There are a number of initiatives, such as CWE, MISRA, CERT-C and ISO xxx, to improve the quality, reliability and security of software. Each of these initiatives specifies a set of rules governing aspects of the structure, implementation or behavior of software, which together provide a checklist against which source code can be evaluated for conformance with the standard.

The Review Tool supports a guided review of your software against such checklists. With the tool, you can methodically identify the specific portions of your software that pertain to the checks you have elected to review. Imagix 4D's general analysis and visualization functionality then helps you assess whether those portions are a concern or a violation.

Using the Review Tool in a team environment, concerns and assessments can be recorded by the reviewers and then commented on by the software’s authors. An audit trail for documentation or submission is naturally created as part of the process.

In addition to guiding you through this process, the tool automates much of the identification and assessment activity, as well as the documentation.

Components / Terminology

The Review Tool, and this section of the user manual, use some terminology that is specific to the guided review process and not shared with other parts of Imagix 4D. Described in more detail later, the terms used in the Review Tool include:

Check: A description of a certain style or behavior of the software that is a potential concern for correctness, consistency, compliance, performance, security or another desired property of the software, together with a set of ordered steps that lead to the identification and assessment of those portions of your software tied to this property. There is typically a direct correspondence between a rule in some standard or guideline and a check in the Review Tool.

Checklist: A set of checks corresponding to the set of rules that make up a given standard or guideline. Checklists are project-independent resources from which the specific checks used in a given project / review are selected.

Review: A set of checks against which the software in an Imagix 4D project is evaluated. In addition to the check definitions from the checklist, the review includes project-specific data that is collected and recorded about each check.

Step: A specific action in identifying or assessing some portion of your software. Each check is made up of an ordered list of such steps.

Probe: An artifact tied to a specific portion of your software. A probe might identify a symbol, a line in a source file including some symbol, a note, or a result of some automated analysis. A step results in a set of probes being created. Probes can also serve as the input to a step, resulting in the creation of downstream probes.

Rating: An assessment of whether a given probe is in conformance with the rule being evaluated. The final step in each check typically identifies the probes directly related to the rule being reviewed. It is these probes that are assigned a rating.

Note: A text string associated with some item - a review, check, step or probe. Notes provide the ability to comment on each item and add to the document record being built up.

Creating and Performing a Review

The review process starts by choosing a base checklist, and then selecting the specific checks from that checklist to apply against the software in your current project. The resulting review initially consists of just the selected checks, with no probe data, ratings or notes.

The process of performing the review consists of selecting each check and performing each step. You're guided through this process in the Check display, which indicates each step and its associated action. Many of the steps can be completed automatically. For the steps that require human intelligence to study the code, instructions in the step explain what to look for, and menu items leverage the visualization engine of Imagix 4D. As each step is completed, its resulting probes are passed along to any downstream steps requiring those results.

The final step of each check is typically a review step, where the probes directly related to the check have been identified. In the review step, you're able to assess each probe and assign a rating of whether the probe is not an issue, is a concern, or is a violation with respect to the check.

Throughout this process, artifacts are automatically recorded and stored by the Review Tool. These include the probes that are identified and notes that are attached, along with a record of when and by whom each action was completed. Progress can be tracked in the Review widget, where the overall list of checks for the review, along with the progress on each check, is presented.
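As an added illustration, not Imagix 4D code and not its Checklist API, the following hypothetical Python model shows the flow described above: automated steps passing their probes to the downstream step, a human review step assigning one of the three ratings, and an audit trail of who completed each step and when. All names, the sample source and the rule are constructed.

```python
# Hypothetical model of the review flow; not Imagix 4D's Checklist API or data format.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

RATINGS = ("not an issue", "concern", "violation")
@dataclass
class Probe:               # artifact tied to a specific portion of the software
    target: str            # e.g. "file.c:12" or a symbol name
    rating: Optional[str] = None
@dataclass
class Step:                # one ordered action within a check
    instruction: str
    action: Optional[Callable[[list], list]] = None  # None: needs a human
    probes: list = field(default_factory=list)
    done_by: Optional[str] = None
    done_at: Optional[str] = None
@dataclass
class Check:               # one rule from a checklist, with its ordered steps
    rule: str
    steps: list

def complete_step(check, i, user, probes):  # record probes + who/when (audit trail)
    step = check.steps[i]
    step.probes, step.done_by = probes, user
    step.done_at = datetime.now(timezone.utc).isoformat()
def run_automated_steps(check, user):  # run leading automated steps in order
    upstream = []
    for i, step in enumerate(check.steps):
        if step.action is None:        # first human step: stop and hand over
            break
        complete_step(check, i, user, step.action(upstream))
        upstream = step.probes         # results flow to the downstream step
    return upstream
def rate(check, user, ratings):  # final review step: the human rates each probe
    upstream = check.steps[-2].probes if len(check.steps) > 1 else []
    for probe in upstream:
        if ratings[probe.target] not in RATINGS:
            raise ValueError(f"bad rating for {probe.target}")
        probe.rating = ratings[probe.target]
    complete_step(check, len(check.steps) - 1, user, upstream)
def progress(check):  # completed-step fraction, as shown per check in the Review widget
    return sum(s.done_at is not None for s in check.steps) / len(check.steps)

# Constructed sample: one automated locate step, then a human review step.
SOURCE = {"main.c": ["int main(void) {", "  legacy_copy(a, b);"], "util.c": ["legacy_copy(x, y);"]}
def find_calls(_upstream):  # automated step: every source line calling legacy_copy
    return [Probe(f"{f}:{n}") for f, lines in SOURCE.items()
            for n, line in enumerate(lines, 1) if "legacy_copy(" in line]
EXAMPLE = Check("Do not call legacy_copy", [Step("Locate calls to legacy_copy", find_calls),
                                            Step("Assess each call site and rate it")])
```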

Advanced Operation

The following topics in using the Review Tool are described in later sections:

Multi User Operation – Passing Reviews Between Participants: For collaboration between the person(s) performing the review and others, such as code owners, whose comments become part of the review record, strategies for locking and releasing the review improve teamwork.

Multi User Operation – Partitioning Reviews Between Participants: For medium to large projects where the review tasks are shared across multiple participants, strategies for applying the Review Tool's partitioning and combining functions lead to greater efficiency.

Managing the Evolution of Reviews: The Review Tool tracks the review over time. You are able to compare with previous review states or return to previous states.

Reviewing Later Versions of Software: Part of the benefit of reviewing your software with the Review Tool is the leverage it provides for reviews of subsequent versions of your software, or reviews of similar software. You are able to carry old results forward as well as use them for comparison with new results.

Creating / Writing Own Checklist: In addition to using checks from the checklists supplied with the Review Tool, it is possible to define your own checks / checklists, supporting your own rules against which you'd like to review your software. See the Checklist API for details.