NASA JPL resolved critical security issues in PO.DAAC utilities with DeepSource
Podaacpy is a Python utility library for interacting with NASA JPL's Physical Oceanography Distributed Active Archive Center (PO.DAAC) — an element of NASA's Earth Observing System Data and Information System (EOSDIS) which provides science data to a wide community of users for NASA's Science Mission Directorate.
DeepSource is a great product that complements projects looking to embrace CI and source code quality as part of a larger DevOps strategy. It's been very easy and a pleasure to use this product. All around, we are very happy with DeepSource.
Challenge
Prior to DeepSource, the team maintaining Podaacpy at NASA JPL kept a check on quality with individual CI hooks: Read the Docs for documentation builds, source code builds, (nosetest) unit test execution for testing, and other tools for code coverage and dependency management. They did not have any static analysis tooling to check code health.
Solution
While these hooks helped measure code quality, they did not address it directly. Lewis was seeking an automated static analysis tool that fits easily into the development workflow, reduces the risk of new issues arriving in incoming code, detects complex security issues, and gives accurate results. When they started using DeepSource, they adopted continuous quality analysis as part of their day-to-day code review workflow.
Results
Started analysis within 5 minutes
DeepSource's native integration with GitHub enabled Lewis to complete the setup in minutes and start scanning the source code immediately.
The initial integration is a walk in the park. It literally took us a couple of minutes!
Automatically discovered issues in pull requests and commits
Earlier, Podaacpy relied entirely on source code builds and (nosetest) unit test execution on TravisCI for quality testing, a post-merge step. After installing DeepSource, the analysis triggers automatically on every pull request or commit and flags all the issues directly in the GitHub checks, a pre-merge step. It helps in two ways:
- The checks fit well in the review workflow, making it convenient for developers to act on the issues
- The earlier the issues are detected, the easier (& cheaper) it is to resolve them
Brought in highly relevant results, leveling up developer confidence
DeepSource's Python analyzers review the code at source level for 520+ types of issues, surfacing the most relevant results by separating them from the noise. On accuracy, Lewis says that the results were very easy to interpret and correct.
Making DeepSource part of our CI pipeline gives us confidence that, in particular, incoming code changes do not introduce additional issues. We were able to go through our entire codebase and address issues flagged by DeepSource.
Merged secure, reliable code with in-depth security analysis
As a NASA project, Podaacpy demands a high standard of secure coding. Spotting and resolving security flaws as early as possible is one of the team's top priorities. DeepSource's Static Application Security Testing (SAST) analyzers continuously scan the source code for hundreds of known classes of security flaw (such as the OWASP Top 10) so that each finding is addressed before the code is merged.
DeepSource has enabled us to significantly improve the quality of our Python codebase. Security is a big deal. When we know that we have no security issues and that we have the green light, it is an excellent measure of project health.
DeepSource helped Podaacpy integrate static analysis into their code review process easily and quickly. Using DeepSource helps them catch issues much earlier in the life cycle, take remediation measures accordingly, and consistently maintain the overall project code quality and security.