Code should be stripped out of suspicious comments (e.g. todo, tbd, tbc, etc.)
Keywords that are taken into account by this code insight:
– two or more successive ! and/or ? (e.g. what is this code doing???!!!)
– todo, fixme, tdc (to be confirmed), tbd (to be defined), attention
Why you should care
Sometimes, comments that are left by developers translate their doubts, questions or emotions about the code they’re working on. Having some suspicious comments, especially in production code, could indicate a component is not totally finalized, not really mature yet or -more worrying – that may contain a bug. There’s nothing worse than a bug that pops up in production and when the team investigates it they find a comment saying “todo”.
As recommended by MITRE (CWE-546), a potential mitigation would be to remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses, before deploying the application.
About CAST and Highlight’s Code Insights
Over the last 25 years, CAST has leveraged unique knowledge on software quality measurement by analyzing thousands of applications and billions of lines of code. Based on this experience and community standards on programming best practices, Highlight implements hundreds of code insights across 15+ technologies to calculate health factors of a software.