Implementation and Evaluation of Static Code Analysis to Identify Security and Code Quality Issues in Academic Information Systems

Authors

  • Cecep Muhamad Sidik Ramdani Department of Information System, Siliwangi University, Indonesia
  • Rahmi Nur Shofa Department of Information System, Siliwangi University, Indonesia
  • Muhammad Adi Khairul Anshary Department of Informatics, Siliwangi University, Indonesia
  • Acep Irham Gufroni Department of Information System, Siliwangi University, Indonesia
  • Aria Priawan Yahya Department of Informatics, Siliwangi University, Indonesia

DOI:

https://doi.org/10.52436/1.jutif.2025.6.6.5371

Keywords:

Bugs, Code Smells, SonarQube, Static Code Analysis (SCA), Source code, Vulnerabilities

Abstract

In today's digital era, websites have become a key component of many digital services, from government and education to business. However, many security incidents stem from source code defects that go undetected, such as vulnerabilities, bugs, and code smells, which can also degrade system performance and reliability. A systematic approach is therefore needed to detect and prevent these issues as early as possible. This study implements and evaluates the effectiveness of Static Code Analysis (SCA) in identifying security and code quality issues in web applications. The tool used was SonarQube, applied to SIMAK Universitas Siliwangi, the university's academic information system. Evaluation and testing covered the tool's ability to detect various types of problems, its accuracy, and its ease of integration into the software development process; the aspects evaluated were bugs, code smells, and vulnerabilities. The analysis found 23,241 issues, consisting of 2,356 bugs and 20,885 code smells, and no issues classified as vulnerabilities by SonarQube's rules. This corresponds to an issue ratio of 3.84% over 605,130 lines of code, with a severity distribution dominated by Critical and Major issues, and gives an overview of the technical condition of the SIMAK Universitas Siliwangi code base. The study is expected to offer practical, actionable contributions for software developers and security teams working to continuously improve the quality, robustness, and security of web applications, and thereby the reliability, continuity, and long-term sustainability of academic service delivery in higher-education environments.
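The figures the abstract reports (issue counts by type, a severity distribution, and an issue ratio against lines of code) can be reproduced from SonarQube's Web API without exporting every issue. The script below is an added example, not code from the paper or from SonarSource: it assumes the response shapes of `/api/issues/search` (with `facets=types,severities`) and `/api/measures/component`, and the two JSON payloads are constructed to mirror the study's totals rather than real SIMAK output (the severity split, the `demo` component keys and the quality-gate thresholds are assumptions). It uses facet counts because `issues/search` will not page past 10,000 results, fewer than the 23,241 issues found in this study.

```python
"""Aggregate SonarQube results into the figures the abstract reports.
Added example, not the paper's code. Assumes the SonarQube Web API shapes
for /api/issues/search (with facets) and /api/measures/component; the
payloads are constructed to mirror the study's totals, not real SIMAK data."""
import json
from collections import Counter

ISSUE_TYPES = ("BUG", "CODE_SMELL", "VULNERABILITY")
SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")

# Constructed response to GET /api/issues/search?componentKeys=<key>
#   &resolved=false&facets=types,severities&ps=1
# Facet counts cover the whole result set; paging through issues/search
# itself stops at 10,000 results, far short of this study's 23,241.
ISSUES_SEARCH = json.loads("""{
  "total": 23241, "paging": {"pageIndex": 1, "pageSize": 1, "total": 23241},
  "issues": [{"key": "AX1", "rule": "demo:S1", "severity": "MAJOR",
              "type": "BUG", "component": "demo:src/module_a", "line": 42,
              "status": "OPEN", "message": "constructed sample issue"}],
  "facets": [
    {"property": "types", "values": [
      {"val": "CODE_SMELL", "count": 20885}, {"val": "BUG", "count": 2356},
      {"val": "VULNERABILITY", "count": 0}]},
    {"property": "severities", "values": [
      {"val": "MAJOR", "count": 10877}, {"val": "CRITICAL", "count": 9104},
      {"val": "MINOR", "count": 2616}, {"val": "INFO", "count": 332},
      {"val": "BLOCKER", "count": 312}]}]
}""")

# Constructed response to GET /api/measures/component?component=<key>&metricKeys=ncloc
MEASURES = json.loads("""{"component": {"key": "demo",
  "measures": [{"metric": "ncloc", "value": "605130"}]}}""")


def facet_counts(response, prop):
    """{value: count} for one facet, zero-filled so absent values read as 0."""
    known = ISSUE_TYPES if prop == "types" else SEVERITIES
    counts = Counter({v: 0 for v in known})
    for facet in response.get("facets", []):
        if facet["property"] == prop:
            for entry in facet["values"]:
                counts[entry["val"]] += entry["count"]
    return dict(counts)


def metric_value(measures_response, metric):
    """Read one numeric metric; SonarQube serialises measure values as strings."""
    for m in measures_response["component"]["measures"]:
        if m["metric"] == metric:
            return int(m["value"])
    raise KeyError(metric)


def issue_ratio_pct(total_issues, ncloc):
    """Issues per line of code as a percentage (the study's 'problem ratio')."""
    return round(100.0 * total_issues / ncloc, 2)


def quality_gate(types, severities, ratio_pct, max_ratio_pct=5.0):
    """A strict CI gate a security team might enforce: no open vulnerabilities,
    no BLOCKER issues, issue density under a ceiling. Returns (passed, reasons)."""
    reasons = []
    if types["VULNERABILITY"] > 0:
        reasons.append(f"{types['VULNERABILITY']} open vulnerabilities")
    if severities["BLOCKER"] > 0:
        reasons.append(f"{severities['BLOCKER']} BLOCKER issues")
    if ratio_pct > max_ratio_pct:
        reasons.append(f"issue ratio {ratio_pct}% exceeds {max_ratio_pct}%")
    return (not reasons, reasons)


def summarize(issues_response=ISSUES_SEARCH, measures_response=MEASURES):
    """Compute totals, severity mix, issue ratio and gate verdict in one pass."""
    types = facet_counts(issues_response, "types")
    severities = facet_counts(issues_response, "severities")
    total = issues_response["total"]
    if total != sum(types.values()):
        raise ValueError("type facet does not add up to 'total'")
    ncloc = metric_value(measures_response, "ncloc")
    ratio = issue_ratio_pct(total, ncloc)
    passed, reasons = quality_gate(types, severities, ratio)
    return {"total": total, "ncloc": ncloc, "ratio_pct": ratio, "types": types,
            "severities": severities, "gate_passed": passed, "gate_reasons": reasons}


if __name__ == "__main__":
    s = summarize()
    print(f"{s['total']} issues in {s['ncloc']} lines of code ({s['ratio_pct']}%)")
    for kind in ISSUE_TYPES:
        print(f"  {kind:<14}{s['types'][kind]:>7}")
    for sev in SEVERITIES:
        print(f"  {sev:<14}{s['severities'][sev]:>7}")
    verdict = "PASSED" if s["gate_passed"] else "FAILED: " + "; ".join(s["gate_reasons"])
    print("quality gate", verdict)
```

Against a live server, replace the two constants with authenticated `GET` calls (a user token via HTTP basic auth) and keep `resolved=false` so closed and won't-fix issues do not inflate the totals. Note that a gate of this kind fails the constructed data on the 312 BLOCKER issues even though the vulnerability count is zero: "no vulnerabilities found" speaks only to the rules the scanner applies, so severity and density still deserve their own thresholds.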




Published

2025-12-23

How to Cite

[1] C. M. S. Ramdani, R. N. Shofa, M. A. K. Anshary, A. I. Gufroni, and A. P. Yahya, “Implementation and Evaluation of Static Code Analysis to Identify Security and Code Quality Issues in Academic Information Systems”, J. Tek. Inform. (JUTIF), vol. 6, no. 6, pp. 5791–5804, Dec. 2025.
