Code should be stripped out of suspicious comments

Code should be stripped out of suspicious comments (e.g. todo, tbd, tbc, etc.)

This code insight counts the number of occurrences of suspicious keywords found in comments. Based on the number of cases, and on thresholds CAST has defined, Highlight assigns penalty points to the scanned file.

Keywords that are taken into account by this code insight:
– two or more successive ! and/or ? (e.g. what is this code doing???!!!)
– todo, fixme, tbc (to be confirmed), tbd (to be defined), attention
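As an added example, not code from this page or from Highlight itself, the following Python script applies the keyword list above to the comments of C-like source code (`//` and `/* */` comments) and reports each hit with its line number. String literals are tokenized and discarded first, so a "TODO" or "//" inside a string is not mistaken for a comment. The tokenizer, the `Finding` type and the sample input are constructed for illustration; Highlight's own parser and its penalty thresholds are not published, so the script only counts occurrences and does not compute penalty points.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Keywords listed by the insight ("tbc" = to be confirmed, "tbd" = to be defined).
KEYWORD_RE = re.compile(r"\b(todo|fixme|tbc|tbd|attention)\b", re.IGNORECASE)
# "Two or more successive ! and/or ?" (e.g. "???!!!").
PUNCT_RE = re.compile(r"[!?]{2,}")

# One tokenizer for C-like syntax (constructed for this example).  String
# literals are matched first so that a "//" or "TODO" inside a string is
# skipped rather than treated as a comment; only // and /* */ comments are kept.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'   # string literal (skipped)
    r"|//[^\n]*"             # line comment
    r"|/\*.*?\*/",           # block comment (may span lines)
    re.DOTALL,
)


@dataclass
class Finding:
    line: int      # line on which the comment starts
    kind: str      # "keyword" or "punctuation"
    match: str     # the text that triggered the hit
    comment: str   # the whole comment, for the report


def extract_comments(source: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, comment_text) for every comment in C-like source."""
    for m in TOKEN_RE.finditer(source):
        tok = m.group(0)
        if tok.startswith('"'):
            continue  # string literal, not a comment
        line = source.count("\n", 0, m.start()) + 1
        yield line, tok


def scan(source: str) -> List[Finding]:
    """Return one Finding per keyword or punctuation hit inside a comment."""
    findings: List[Finding] = []
    for line, comment in extract_comments(source):
        for m in KEYWORD_RE.finditer(comment):
            findings.append(Finding(line, "keyword", m.group(0), comment.strip()))
        for m in PUNCT_RE.finditer(comment):
            findings.append(Finding(line, "punctuation", m.group(0), comment.strip()))
    return findings


# Constructed sample input (not taken from the page): four suspicious
# comments, one decoy string literal and one harmless comment.
SAMPLE = '''\
int x = 0; // TODO: validate input
/* what is this code doing???!!! */
printf("TODO in a string literal is not a comment");
// TBC: check with the security team
// fixme
int y = 1; // this one is fine
'''

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"line {f.line}: {f.kind} '{f.match}' in: {f.comment}")
    print(f"{len(hits)} suspicious comment hit(s)")
```

Running the script on the sample reports four hits (lines 1, 2, 4 and 5) and ignores the decoy on line 3. To use it as a pre-deployment gate, run `scan()` over each source file and fail the build when the list is non-empty; the exact penalty Highlight would assign depends on its unpublished thresholds.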

Why you should care

Sometimes the comments developers leave behind reveal their doubts, questions or emotions about the code they are working on. Suspicious comments, especially in production code, can indicate that a component is not finished, not yet mature or, more worryingly, contains a bug. There is nothing worse than a bug that surfaces in production and, when the team investigates, a comment saying "todo" sitting right next to it.


CAST recommendations

As recommended by MITRE (CWE-546, Suspicious Comment), remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses before deploying the application. This matters most for code that is shipped to clients in readable form (for example JavaScript served to browsers), where such comments are visible to anyone, including an attacker looking for weak spots.

About CAST and Highlight’s Code Insights

Over the last 25 years, CAST has built unique knowledge of software quality measurement by analyzing thousands of applications and billions of lines of code. Based on this experience and on community standards for programming best practices, Highlight implements hundreds of code insights across 15+ technologies to calculate the health factors of an application.
