The objective of static analysis is to find defects in software source code and software models.
Static analysis is performed without actually executing the software being examined by the tool;
dynamic testing does execute the software code. Static analysis can locate defects that are hard to
find in testing. As with reviews, static analysis finds defects rather than failures. Static analysis tools
analyze program code (e.g. control flow and data flow), as well as generated output such as HTML
and XML.
The value of static analysis is:
- Early detection of defects prior to test execution.
- Early warning about suspicious aspects of the code or design, by the calculation of metrics, such as a high complexity measure.
- Identification of defects not easily found by dynamic testing.
- Detecting dependencies and inconsistencies in software models, such as links.
- Improved maintainability of code and design.
- Prevention of defects, if lessons are learned in development.
Typical defects discovered by static analysis tools include:
- referencing a variable with an undefined value;
- inconsistent interface between modules and components;
- variables that are never used;
- unreachable (dead) code;
- programming standards violations;
- security vulnerabilities;
- syntax violations of code and software models.
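As an added illustration that is not part of the original text, the following Python checker finds three of the defect classes listed above by inspecting the abstract syntax tree only, without executing the program: reads of a name that has no prior assignment, local variables that are assigned but never read, and statements that follow a return/raise/break/continue in the same block. The analysis is flow-insensitive and only tracks built-ins, parameters and module-level def/class names as known; the sample module it is run on is constructed for this example.

```python
import ast
import builtins
from types import SimpleNamespace

TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)

def _names(node, sc):
    # Reads are checked before writes, so `x = x + 1` with no earlier x is reported.
    names = [n for n in ast.walk(node) if isinstance(n, ast.Name)]
    for n in names:
        if isinstance(n.ctx, ast.Load):
            sc.used.add(n.id)
            if n.id not in sc.assigned | sc.params | sc.known:
                sc.findings.append(f"line {n.lineno}: '{n.id}' may be undefined")
    sc.assigned.update(n.id for n in names if isinstance(n.ctx, ast.Store))

def _scan(stmts, sc):
    for idx, stmt in enumerate(stmts):
        if isinstance(stmt, (ast.If, ast.While, ast.For)):
            for part in ("test", "iter", "target"):  # header reads first, loop-target store last
                if hasattr(stmt, part):
                    _names(getattr(stmt, part), sc)
            _scan(stmt.body, sc)
            _scan(stmt.orelse, sc)
        else:
            _names(stmt, sc)
        if isinstance(stmt, TERMINATORS) and idx + 1 < len(stmts):  # dead code after a jump
            sc.findings.append(f"line {stmts[idx + 1].lineno}: unreachable code after line {stmt.lineno}")

def analyze(source):
    """Findings per top-level function: undefined reads, unused locals, dead code."""
    tree = ast.parse(source)
    known = set(dir(builtins)) | {n.name for n in tree.body if isinstance(n, (ast.FunctionDef, ast.ClassDef))}
    findings = []
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        sc = SimpleNamespace(known=known, params={a.arg for a in fn.args.args}, assigned=set(), used=set(), findings=[])
        _scan(fn.body, sc)
        unused = [f"'{v}' is assigned but never used" for v in sorted(sc.assigned - sc.used)]
        findings.extend(sc.findings + unused)
    return findings

# Constructed sample input: an undefined read, an unused local and a statement after `return`.
SAMPLE = '''\
def report(items):
    total = 0
    unused_flag = True
    for item in items: total += item
    if total > limit: return "over"
    return total
    print("done")'''
```

Running `analyze(SAMPLE)` reports the undefined `limit`, the dead `print` and the unused `unused_flag`, none of which would surface until the code path was actually executed in a test.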
Static analysis tools are typically used by developers (checking against predefined rules or
programming standards) before and during component and integration testing, and by designers
during software modeling. Static analysis tools may produce a large number of warning messages, which need to be well managed to allow the most effective use of the tool.
Compilers may offer some support for static analysis, including the calculation of metrics.