[geromek]

I think the reason is fairly simple: even the most evident-no-doubt clear SQL Injection vulnerability found by a SCA tool may never be exploited at all under production (for instance because of a WAF). Then the obvious benefits of static analysis are not that obvious for your employer.

Sometimes we forget companies do not want a perfect code or the best possible well designed software but a product that make them earn money.

My experience is that developers only use those kind of tools if they are forced to by their QA managers of bounded by contract. Programmers usually don't want to fix or track bugs.

[PinguTS]

So, you are saying "Developers don't want to deliver quality."?

If that it true, than I don't want to work with them.

[geromek]

I am saying "Developers do not want : 1 - Pay A LOT of money for advanced solutions that are more than AST checkers (hello SonarQube) or big piles of false positives. 2 - Add overhead to their workflows (more than an IDE plugin is harmful, and what happens with those devs not using an IDE?). 3 - Spend time on figuring out if the static analysis results make sense or not, one by one.

A typical SCA tool can report hundreds or thousands of occurrences for a certain code base. How are developers going to deal with them?

[PinguTS]

I am from engineering background and not soley a software guy, so forgive me my different view on this topic.

I learned, that every error you can fix early on will cost you about 10x to fix in the next stage.

All the new principles like Agile have not changed that.

[glogla]

I think the idea is not that it's not worth to fix errors as soon as possible (which it is), but that static analysis tools provide too many false positives and too many non-errors to be useful.

[Gravityloss]

I guess you can combine the points: if you use static analysis from the start / have it configured right then the amount of false positives should stay relatively low.

[Consultant32452]

Gosh I'm the opposite. I do consulting work and whether my clients want it or not the work I provide them utilizes several code analysis tools: findbugs, cobertura, checkstyle, and PMD. I simply don't write code without those tools present if it's even remotely reasonable to do so.