NASA: Resolving critical security issues in PO.DAAC utilities with DeepSource

Share on Twitter Share on LinkedIn Share on Facebook
Header image
"DeepSource is a great product which complements projects looking to embrace CI and source code quality as part of a larger DevOps strategy. It's been very easy and a pleasure to use this product. All round, we are very happy with DeepSource."
— Lewis John McGibbney, NASA Jet Propulsion Laboratory
12
security issues resolved
72
total issues resolved
46,733
lines of code analyzed

Background

Podaacpy is a Python utility library for interacting with NASA JPL’s Physical Oceanography Distributed Active Archive Center (PO.DAAC) — an element of NASA’s Earth Observing System Data and Information System (EOSDIS) which provides science data to a wide community of users for NASA’s Science Mission Directorate. Podaacpy library provides intuitive Python interfaces to interact with all of PO.DAAC’s webservices.

Prior to DeepSource, it used Travis CI to keep a check on quality with individual hooks such as read the docs to build documentation, source code builds and (nosetest) unit test execution for testing, coveralls.io for test coverage and requires.io for dependency management.

Challenge

While the hooks helped check code for quality metrics, they were not a direct solution. Lewis McGibbney- NASA Jet Propulsion Laboratory, was seeking an automated static analysis tool which can

Solution

Started analysis within 5 minutes

DeepSource’s native integration with GitHub enabled Lewis to complete the setup in minutes and start scanning the source code immediately.

"The initial integration is a walk in the park. It literally took us a couple of minutes!"

Discovering issues in Pull Requests and Commits, automatically

Earlier, Podaacpy was entirely dependent on source code builds and (nosetest) unit test execution on TravisCI for quality testing— a post merger affair. After installing DeepSource, the analysis triggers automatically with every pull request or commit, and flags all the issues in the GitHub checks itself— a pre merger affair. It helps in two ways:

"The simple integration has streamlined our developer workflow and hardened our CI / CD process."

Highly relevant results, leveling up developer confidence

DeepSource’s Python analyzers review the code at source level for 520+ types of issues, showing the most relevant results by separating them from the noise. Talking about the accuracy, Lewis says that the results were very easy to interpret and correct.

"Making DeepSource part of our CI pipeline gives us confidence that, in particular, incoming code changes do not introduce additional issues. We were able to go through our entire codebase and address issues flagged by DeepSource."

Merging secure, reliable code with in-depth security analysis

As a part of NASA, there is no denying the extreme level of secure coding Podaacpy demands. Spotting and resolving security flaws at the earliest is one of their top priorities. DeepSource’s Static Application Security Testing (SAST) analyzers continuously scan the source code for hundreds of known security flaws (like OWASP Top 10) to ensure each of them are addressed before the code is merged.

"DeepSource has enabled us to significantly improve the quality of our Python codebase. Security is a big deal. When we know that we have no security issues and that we have the green light it is an excellent measure of project health."

Results

DeepSource helped Podaacpy integrate static analysis in their code review process easily and quickly. Using DeepSource, helps them catch issues much earlier in the life cycle, take remediation measures accordingly and maintain the overall project code quality.

Ready to get started?

Signup for free. Start analyzing code in minutes.