Traditionally, program analysis is for experts only: it is hard to create non-trivial yet accurate analyses. lgtm changes that, making the power of deep program analysis available to everyone by treating source code as a database and analyses as concise queries in an object-oriented query language. A common use case is finding variants of known vulnerabilities: for example, a vulnerability in ChakraCore was found that way, as was a remote code execution vulnerability in Apache Struts. In this talk, I’ll discuss examples such as these, both from open source projects and from commercial customers. I’ll also speculate on why the technology behind lgtm succeeded where previous attempts to use queries for program analysis did not. A free instance of lgtm runs at lgtm.com, continuously analysing every commit on over 50,000 open source projects, and includes an in-browser IDE for writing new queries.
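To make the "source code as a database, analysis as a query" idea concrete, here is a small added example (not lgtm's engine, not QL, and not code from the talk): it parses a constructed Python snippet with the standard `ast` module, loads facts about every call site into an in-memory SQLite database, and then expresses a variant search as a query over those tables. The sink list (`os.system`, `subprocess.call`), the table layout and the sample program are all assumptions made for the illustration; the point is that adding a new pattern to look for means writing a new query, not a new tree walker.

```python
"""Toy "source code as a database" analysis, in the spirit of lgtm/QL.

Added example: parse Python source with the ast module, load facts about
call sites into an in-memory SQLite database, then express an analysis as
a query over those tables.  This is NOT lgtm's engine or QL; it only
illustrates the idea of querying code instead of hand-writing a walker.
"""
import ast
import sqlite3

# Constructed sample program to analyse (not taken from any real project).
SAMPLE_SOURCE = '''
import os, subprocess

def safe():
    os.system("ls -l")                     # constant argument

def risky(cmd):
    os.system(cmd)                         # variable argument

def also_risky(user):
    subprocess.call("grep " + user, shell=True)  # non-constant argument

def fine(path):
    open(path)                             # not a sink we care about
'''

# Two relations: one row per call site, one row per positional argument.
SCHEMA = """
CREATE TABLE calls (id INTEGER PRIMARY KEY, callee TEXT, line INTEGER);
CREATE TABLE args  (call_id INTEGER, position INTEGER, is_constant INTEGER);
"""


def _callee_name(node):
    """Dotted name of a call target, e.g. 'os.system', or None if dynamic."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def build_database(source):
    """Extract call-site facts from `source` into a fresh SQLite connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _callee_name(node.func)
        if callee is None:
            continue  # e.g. a call on the result of another call
        cur = conn.execute("INSERT INTO calls (callee, line) VALUES (?, ?)",
                           (callee, node.lineno))
        call_id = cur.lastrowid
        for pos, arg in enumerate(node.args):
            conn.execute("INSERT INTO args VALUES (?, ?, ?)",
                         (call_id, pos, int(isinstance(arg, ast.Constant))))
    conn.commit()
    return conn


# The "analysis" is just a query: shell-command sinks (assumed list) whose
# first argument is not a literal.  A new sink is a new value, not new code.
SINKS = ("os.system", "subprocess.call")
QUERY = """
SELECT c.callee, c.line
FROM calls c JOIN args a ON a.call_id = c.id
WHERE a.position = 0 AND a.is_constant = 0 AND c.callee IN ({})
ORDER BY c.line
""".format(",".join("?" * len(SINKS)))


def find_variants(source):
    """Return (callee, line) pairs for call sites matching the sink pattern."""
    conn = build_database(source)
    return conn.execute(QUERY, SINKS).fetchall()


if __name__ == "__main__":
    for callee, line in find_variants(SAMPLE_SOURCE):
        print(f"line {line}: {callee} called with a non-constant command")
```

Running it flags the two call sites whose command argument is not a literal (lines 8 and 11 of the sample) and ignores the constant call on line 5 and the unrelated `open` call. A real engine such as lgtm's goes much further (data flow, types, a richer query language), but the shape is the same: extract facts once, then ask questions of them.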
Oege de Moor is an expert on software quality management. His aim is to make software development a mature engineering discipline, where meeting targets is the norm, not the exception. In pursuit of that aim, he has founded Semmle Inc, which produces ODASA. ODASA assists in the management of large and complex software projects by putting objective facts (about software quality and development activity) at your fingertips. It guides you to those areas of the code where maintenance and testing work will have the greatest economic impact. ODASA analyses all relevant software quality indicators (source code, and output of testing tools, issue tracking systems, license compliance checkers, profiling tools, …) to give a total picture of software quality. These measures are analysed as trends over time, and presented on an intuitive graphical dashboard. ODASA integrates smoothly with whatever tool chain you already have in place. Inside ODASA is a state-of-the-art analytics engine, encompassing the latest insights in software analysis and prediction.