How Static Code Analysis can change your life (for the better)

1
How Static Code Analysis can change your
life(for the better)

• Technical overview
• May 2008

2
Why Static Code Analysis is good
Code Review is necessary and good! Static Code
Analysis is a fancy name for automated Code
Review Static Code Analysis is necessary and
good!
3
What are major goals of code review?

• Possible goals
• Code compliance to company wide standard
• Identify (potential) bugs in code
• Identify design and implementation problems
• Peer education

4
Static Code Analysis is code review tool!

• Usually performed after the coding finished
  (after compilation, after integration build)
• Serves same goals as code review
• Excellent for enforcing compliance to standards
• Helps to eliminate certain bugs
• Helps to identify certain design/implementation
  flaws
• Provides certain educational value

5
SCA vs. peer code review
Goodness
6
SCA to the rescue!
7
SCA how it is done?

• For unmanaged code source code is examined
• For managed code MSIL is examined
• Different tools different approaches
• On compiled code after assembly is built
• On compiled code during development
• Traditional - on raw code (text)

8
SCA with Microsoft tools

• FxCop (free)
• Visual Studio Team System 2005
• Visual Studio Team System 2008
• VSTS with Team Foundation Server

VS 2005 FxCop 1.35
VS 2008 FxCop 1.36
.NET 3.x
.NET 3.x
.NET 2.0
9
Demo

• FxCop 1.36
• VSTS 2008 code analysis
• VSTS 2008 code metrics
• VSTS 2008 w/TFS check-in policy
• VSTS 2008 w/TFS Team Build

10
Custom SCA rules

• Not officially supported
• Complicated
• Yet
• Possible

11
Visual Studio 10 (Rosario)

• Based on Phoenix project
• Supported extensibility
• Similar framework for unmanaged/managed analysis
• Rulesets support (better management story)
• Data flow analysis

12
Static code analysis why not?
We already do code reviews Way too many rules Not
clear what rules to use We must have different
rules Too many violations to fix Whos going to
fix the violations? Hindrance to creativity Yet
another bureaucratic invention
13
Implementing static code analysis

• Identifying appropriate rules
• Handling backlog
• Setting up the process
• Educating the team
• Staying agile!

14
Other tools of interest in SCA space

• SCA tools
• NDepend (www.ndepend.com)
• ReSharper (www.jetbrains.com)
• CodeIt.Right (www.submain.com)
• Code Auditor (www.ssw.com.au)
• Misc
• Simian (www.redhillconsulting.com.au)
• Microsoft Line Of Code Counter
• Microsoft Framework Design Studio

15
Read of interest

• FxCop blog (blogs.msdn.com/fxcop)
• Nicole Calinoiu (msmvps.com/blogs/calinoiu)
• Partick Smacchia blog (codebetter.com/blogs/patri
  cksmacchia)
• Krzysztof Cwalina blog (blogs.msdn.com/kcwalina)
  
• MSDN Magazine Security code review
• http//msdn.microsoft.com/en-us/magazine/cc163312.
  aspx

16
Questions? (if time allows)

• Email (eugenez_at_attrice.info)
• Blog (teamfoundation.blogspot.com)