Code review is a process in which two or more developers visually inspect a set of program code, typically several times. The code under review can be a method, a class, or an entire program.
It is a systematic examination, sometimes referred to as peer review, of computer source code. It is intended to find mistakes overlooked during software development and so improve the overall quality of the software. Reviews are done in various forms, such as pair programming, informal walkthroughs, and formal inspections.
Objectives of Code review
- Best Practice: A more efficient, less error-prone, or more elegant way to accomplish a given task.
- Error Detection: Finding or discovering logical or transitional errors.
- Vulnerability Exposure: Identifying and averting common vulnerabilities like Cross-Site Scripting (XSS), Injection, Buffer Overflow, Excessive Disclosure, etc. Although many of its controls are inapplicable and can be ignored, a STIG provides an excellent vulnerability checklist.
- Malware Discovery: This often-overlooked and very special code-review objective looks for segments of code that appear extraneous, questionable, or flat-out weird. The intent is to discover back doors, Trojans, and time bombs. In today's world malevolent code is a very real threat and should not be overlooked, especially by government agencies.
Code reviews can often find and remove common vulnerabilities such as format string exploits, race conditions, memory leaks and buffer overflows, thereby improving software security. Online software repositories based on Subversion, Mercurial, Git or others allow groups of individuals to collaboratively review code. Additionally, specific tools for collaborative code review can facilitate the code review process.
Types of Code review
Code review is classified into two main categories: Formal code review and Lightweight code review.
- Formal code review: It involves a careful and detailed process with multiple participants and multiple phases. Formal code reviews are the traditional method of review, in which software developers attend a series of meetings and review code line by line, usually using printed copies of the material. Formal inspections are extremely thorough and have been proven effective at finding defects in the code under review.
- Lightweight review: Lightweight reviews are often conducted as part of the normal development process:
  - Over-the-shoulder: One developer looks over the author's shoulder as the latter walks through the code.
  - Email pass-around: The source code management system emails code to reviewers automatically after a check-in is made.
  - Pair programming: Two authors develop code together at the same workstation, as is common in Extreme Programming.
  - Tool-assisted code review: Authors and reviewers use software tools, informal ones such as pastebins and IRC, or specialized tools designed for peer code review.
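As an added illustration of tool-assisted review aimed at the Vulnerability Exposure objective above (not code from the original text), the following Python script scans a constructed C source file for the classes the article names (format string misuse, unbounded string copies, shell command execution) and produces line-numbered findings for a human reviewer to walk through. The rule patterns and the sample source are assumptions made for this example.

```python
"""Minimal tool-assisted code review check for a C source file (added example)."""
import re

# Each rule: (pattern, finding). The patterns are deliberately simple: they
# surface candidates for a human reviewer, they do not prove a defect exists.
RULES = [
    (re.compile(r'\b(printf|fprintf|syslog)\s*\(\s*[^"\s,)]+\s*\)'),
     "format string: variable used directly as the format argument"),
    (re.compile(r'\b(strcpy|strcat|gets|sprintf)\s*\('),
     "buffer overflow: unbounded string function; prefer a length-bounded variant"),
    (re.compile(r'\bsystem\s*\('),
     "injection: shell command run at runtime; review how its arguments are formed"),
]


def review_source(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, finding, source_line) for every rule match.

    Lines that are only comments are skipped so that a discussion of an API
    in a comment does not itself trigger a finding.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "/*")):
            continue
        for pattern, message in RULES:
            if pattern.search(line):
                findings.append((lineno, message, stripped))
    return findings


# Constructed sample under review (not taken from any real project).
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);        /* reviewer: no length check */
    printf(buf);              /* reviewer: format comes from the caller */
    // printf(fmt) appears here only inside a comment and is not flagged
    printf("%s\\n", buf);
    snprintf(buf, sizeof buf, "%s", name);
}
"""

if __name__ == "__main__":
    for lineno, message, text in review_source(SAMPLE_C):
        print(f"line {lineno}: {message}\n    {text}")
```

Running the script reports the `strcpy` on line 6 and the bare `printf(buf)` on line 7 of the sample, while the commented-out call and the bounded `snprintf` pass.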