
Static Code Scanning Workflow and Tool Selection for Mobile Projects

This article outlines the motivation, tool comparison, and detailed step‑by‑step process for implementing static code scanning across Android and iOS codebases, emphasizing the selection of Infer and the integration of scanning results into CI pipelines and issue‑tracking workflows.

转转QA

Background: to prevent memory leaks, crashes, and other runtime issues in the ZHUANZHUAN app, a code review and static analysis process is needed to improve code quality and reduce release risk.

Static code scanning: scanning source code with specialized tools, without compiling it, to detect semantic defects and security vulnerabilities.

Tool selection: four tools were evaluated: Clang (iOS, Objective‑C/C), OCLint (iOS, Objective‑C/C), Infer (Android and iOS; supports Java, Objective‑C, C), and Lint (Android, Java). Infer was chosen for its cross‑platform support, fast incremental analysis, and active maintenance.

Main process:

1. Validate that the new tag builds in Jenkins.
2. Check whether the tag has already been scanned.
3. Ensure Infer executes correctly (compile parameters were adjusted for this).
4. Verify the number of files scanned to confirm the scan is complete.
5. Extract issues, filter out warnings, and categorize errors (e.g., NULL_DEREFERENCE, RESOURCE_LEAK, CONTEXT_LEAK for Android; NULL_DEREFERENCE, MEMORY_LEAK, RESOURCE_LEAK, DEAD_STORE for iOS).
6. Compare extracted issues against a whitelist, matching on function name, file path, and proximity of the error line.
7. Send a report by email with issue counts and the detailed files attached.
8. After fixes, add the resolved issues to the whitelist for future scans.
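Steps 5 through 8 (extract errors, compare against the whitelist, build the email summary, record fixed issues) can be implemented as a small post-processing script run by the CI job. The following is an added example, not code from the article or from the ZHUANZHUAN team; it reads a JSON list of issues in the shape of Infer's report.json (the field names `bug_type`, `severity`, `file`, `procedure`, `line`, `qualifier` are assumed), and the sample issues, paths and whitelist entry are constructed for the example. The line-proximity tolerance of 5 lines is also an assumption; the article only says that nearby lines are treated as the same issue.

```python
"""Added example: post-process an Infer report against a whitelist (not the article's code)."""
import json
from collections import Counter

# Error categories tracked per platform, as listed in step 5 of the process.
TRACKED_BUG_TYPES = {
    "android": {"NULL_DEREFERENCE", "RESOURCE_LEAK", "CONTEXT_LEAK"},
    "ios": {"NULL_DEREFERENCE", "MEMORY_LEAK", "RESOURCE_LEAK", "DEAD_STORE"},
}

# Constructed sample issues in the shape of Infer's report.json
# (field names assumed; file paths, procedures and messages are invented).
SAMPLE_REPORT_JSON = json.dumps([
    {"bug_type": "NULL_DEREFERENCE", "severity": "ERROR",
     "file": "app/src/main/java/com/example/Loader.java",
     "procedure": "Loader.load(String)", "line": 42,
     "qualifier": "object returned by `cache.get(key)` could be null"},
    {"bug_type": "RESOURCE_LEAK", "severity": "ERROR",
     "file": "app/src/main/java/com/example/Db.java",
     "procedure": "Db.open()", "line": 88,
     "qualifier": "resource of type `java.io.FileInputStream` is not released"},
    {"bug_type": "CONTEXT_LEAK", "severity": "ERROR",
     "file": "app/src/main/java/com/example/Holder.java",
     "procedure": "Holder.<init>(Context)", "line": 17,
     "qualifier": "static field holds an Activity context"},
    {"bug_type": "THREAD_SAFETY_VIOLATION", "severity": "WARNING",
     "file": "app/src/main/java/com/example/Cache.java",
     "procedure": "Cache.put(String,Object)", "line": 30,
     "qualifier": "unprotected write"},
    {"bug_type": "DEAD_STORE", "severity": "ERROR",
     "file": "app/src/main/java/com/example/Util.java",
     "procedure": "Util.fmt(int)", "line": 9,
     "qualifier": "value written is never read"},
])

# Constructed whitelist: an issue recorded after an earlier fix. Its line number
# is slightly stale because code above it moved; proximity matching absorbs that.
SAMPLE_WHITELIST = [
    {"file": "app/src/main/java/com/example/Db.java",
     "procedure": "Db.open()", "line": 85},
]


def load_report(report_json):
    """Parse the report text into a list of issue dicts."""
    return json.loads(report_json)


def extract_errors(issues, platform):
    """Step 5: drop warnings, keep only the error categories tracked for the platform."""
    tracked = TRACKED_BUG_TYPES[platform]
    return [i for i in issues
            if i.get("severity") == "ERROR" and i.get("bug_type") in tracked]


def is_whitelisted(issue, whitelist, line_tolerance=5):
    """Step 6: same file path and procedure, and error line within the tolerance."""
    return any(entry["file"] == issue["file"]
               and entry["procedure"] == issue["procedure"]
               and abs(entry["line"] - issue["line"]) <= line_tolerance
               for entry in whitelist)


def summarize(issues, whitelist, platform, line_tolerance=5):
    """Combine steps 5 and 6: counts per category for issues not yet whitelisted."""
    errors = extract_errors(issues, platform)
    new = [i for i in errors if not is_whitelisted(i, whitelist, line_tolerance)]
    return {
        "platform": platform,
        "scanned_issues": len(issues),
        "tracked_errors": len(errors),
        "whitelisted": len(errors) - len(new),
        "counts": dict(Counter(i["bug_type"] for i in new)),
        "new_issues": new,
    }


def whitelist_entry(issue):
    """Step 8: the record added to the whitelist once an issue has been fixed."""
    return {"file": issue["file"], "procedure": issue["procedure"], "line": issue["line"]}


def format_email_body(summary):
    """Step 7: plain-text body with counts per category and one line per new issue."""
    total = sum(summary["counts"].values())
    lines = [f"Infer scan ({summary['platform']}): {total} new error(s), "
             f"{summary['whitelisted']} whitelisted"]
    for bug_type, n in sorted(summary["counts"].items()):
        lines.append(f"  {bug_type}: {n}")
    for i in summary["new_issues"]:
        lines.append(f"  - {i['bug_type']} {i['file']}:{i['line']} "
                     f"in {i['procedure']}: {i['qualifier']}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = summarize(load_report(SAMPLE_REPORT_JSON), SAMPLE_WHITELIST, "android")
    print(format_email_body(result))
```

Running the script on the constructed sample yields two new Android errors (one NULL_DEREFERENCE, one CONTEXT_LEAK): the warning is dropped, DEAD_STORE is not tracked on Android, and the RESOURCE_LEAK in `Db.open()` at line 88 matches the whitelist entry recorded at line 85. The same code run with `platform="ios"` would instead keep DEAD_STORE and drop CONTEXT_LEAK.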

The workflow integrates static analysis into the CI system, automates validation, and provides clear feedback to developers, completing the static scanning project.

Tags: mobile development, iOS, Android, Continuous Integration, code quality, Static Analysis, Infer