Source Code Review
We help attorneys with analysis of source code in breach of contract, trade secret misappropriation, patent infringement, and copyright violation matters. Our experts are well-versed in all aspects of source code review. We take a two-pronged approach: automated tools to facilitate the review process, coupled with a manual review to validate the results the tools identify. We employ both dynamic and static analysis tools for analysis of software. We bring our decades of experience in software development to comprehend complex software systems and aid counsel in determining the facts of a case.
Our experts have previously offered testimony as a source code expert witness, Java expert witness, C++ expert witness, C expert witness, JavaScript expert witness, and HTML expert witness.
We have experience with all aspects of source code review, including:
- Abstraction Filtration Comparison
- Abstract Syntax Tree, Call Graph, Type System
- Dynamic Analysis, Static Analysis, Hybrid Analysis
- Code quality metrics, Capability Maturity Model Integration (CMMI)
- Beyond Compare, PowerGrep, Understand by SciTools, SonarQube
- Architecture recovery, design recovery, UML, etc.
- Programming languages: Java, JavaScript, C, C++, C#, Objective C, Python, Visual Basic, ASP, JSP, Swift
- Frameworks: Spring, React, AngularJS, Vue, etc.
- Databases: SQL, Oracle, MySQL, MongoDB
- Cost and schedule estimation methods: COCOMO, SEER-SEM, etc.
A variety of tools are available that can greatly aid an expert in identifying the pieces of code in a complex software system that are relevant to a litigation matter.
One category of such tools deals with search. When dealing with a very large software system, potentially consisting of thousands or millions of lines of code, having access to a proper search tool, such as PowerGrep, is essential for effectively finding the relevant pieces of code.
Another often handy category is code comparison tools, such as Beyond Compare. These tools allow an expert to quickly compare source code across files, making them extremely effective for identifying cases of literal copying.
Despite the importance of the aforementioned tools, an expert often also needs to manually analyze the results the tools produce to evaluate their relevance to the issues in a case.
Generally speaking, software analysis tools fall into two categories: static and dynamic.
Static analysis evaluates the source code of a software system without executing it. The input to a static analysis tool is the source code of the software. These tools have a number of advantages that make them suitable for a variety of software forensic tasks. One advantage of a static analysis tool is its ability to be complete, i.e., capable of validating a certain property across the entire code base. Static analysis tools, however, tend to sacrifice soundness, i.e., they produce false positives. This is because static analysis tools tend to over-approximate the behavior of the code.
Unlike static analysis tools, dynamic analysis tools execute the software. As a result, dynamic analysis tools are often sound, meaning that they do not produce false positives. However, dynamic analysis tools tend to be incomplete, meaning that they cannot be used to rule out the presence of a property in the software. The most common form of dynamic analysis is software testing.
While automated tools can greatly improve the productivity of an expert in identifying relevant pieces of code, they are typically not sufficient for an expert to confidently opine in a litigation matter. An expert usually cannot blindly accept the results produced by a tool without further manual verification.
Tools are typically good at identifying literal copying or searching for specific keywords. But many litigation matters require the expert to abstract away low-level, trivial differences in the code to arrive at a more abstract representation. For instance, in copyright matters, an expert is often expected to conduct what is known as the Abstraction-Filtration-Comparison test.
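The following added example (not the page's or the authors' code; the three snippets are constructed and the placeholder name `ID` is an assumption) shows why literal comparison alone is not enough. It tokenizes two Python functions, drops comments and blank lines, and replaces every non-keyword identifier with a placeholder while keeping keywords, operators, literals and indentation. A character-level diff of snippet B against snippet A reports only partial similarity because names and comments were changed, while the abstracted token streams are identical; an unrelated function C remains dissimilar under both measures.

```python
import io
import keyword
import tokenize
from difflib import SequenceMatcher

# Constructed snippets (not from any real matter). B is A with identifiers renamed,
# the comment rewritten and the layout changed; C is an unrelated function.
SNIPPET_A = '''
def checksum(values):
    # running total, kept below 255
    total = 0
    for v in values:
        total = (total + v) % 255
    return total
'''

SNIPPET_B = '''
def compute_digest(items):  # fold the items into one byte
    acc = 0
    for item in items:
        acc = (acc + item) % 255
    return acc
'''

SNIPPET_C = '''
def mean(values):
    if not values:
        return 0.0
    return sum(values) / len(values)
'''

# Token kinds that carry no program structure and are dropped during abstraction.
_IGNORED = {tokenize.COMMENT, tokenize.NL, tokenize.ENCODING, tokenize.ENDMARKER}


def abstract_tokens(source):
    """Abstraction step: tokenize, drop comments and blank lines, and replace every
    non-keyword identifier with the placeholder ID. Indentation, keywords, operators
    and literals are kept, so the control structure still has to match."""
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in _IGNORED:
            continue
        if tok.type == tokenize.NAME and not keyword.iskeyword(tok.string):
            out.append("ID")
        elif tok.type in (tokenize.NEWLINE, tokenize.INDENT, tokenize.DEDENT):
            out.append(tokenize.tok_name[tok.type])  # structural markers, kept by kind
        else:
            out.append(tok.string)
    return out


def compare(source_a, source_b):
    """Return literal (character-level) and abstracted (token-level) similarity
    ratios in [0, 1]; difflib's ratio is 2 * matches / combined length."""
    literal = SequenceMatcher(None, source_a, source_b).ratio()
    abstracted = SequenceMatcher(
        None, abstract_tokens(source_a), abstract_tokens(source_b)
    ).ratio()
    return {"literal": round(literal, 3), "abstracted": round(abstracted, 3)}


if __name__ == "__main__":
    print("A vs B:", compare(SNIPPET_A, SNIPPET_B))  # abstracted 1.0, literal below 1.0
    print("A vs C:", compare(SNIPPET_A, SNIPPET_C))  # both well below 1.0
```

Identifier renaming is only the simplest abstraction; the same token stream can be abstracted further (for example by normalizing literal values or collapsing equivalent operator forms), and the filtration step of the test then removes elements dictated by efficiency, external constraints or the public domain before the remaining structure is compared. The expert still reviews any match the tool reports rather than accepting the ratio on its own.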
In certain cases, the issues revolve around a particular software architecture. In such cases, the expert needs to recover the architecture of the software systems in dispute from their implementation artifacts in order to evaluate any similarities between them.
Meet Our Experts
Source Code Expert Witness
Sam Malek, PhD, is a seasoned source code expert witness with more than 20 years of experience in academia and industry. He is currently a Professor of Software Engineering at the University of California. He has testified more than 35 times in litigation matters involving a variety of software-related subjects, including source code review and analysis.
