Title: How Static Code Analysis can change your life (for the better)
How Static Code Analysis can change your life (for the better)
- Technical overview
- May 2008
Why Static Code Analysis is good
Code review is necessary and good! Static Code Analysis is a fancy name for automated code review. Static Code Analysis is necessary and good!
What are the major goals of code review?
- Possible goals
- Code compliance with a company-wide standard
- Identify (potential) bugs in code
- Identify design and implementation problems
- Peer education
Static Code Analysis is a code review tool!
- Usually performed after the coding is finished (after compilation, after the integration build)
- Serves the same goals as code review
- Excellent for enforcing compliance with standards
- Helps to eliminate certain bugs
- Helps to identify certain design/implementation flaws
- Provides certain educational value
SCA vs. peer code review
[Chart: "Goodness" of SCA compared with peer code review]
SCA to the rescue!
SCA: how is it done?
- For unmanaged code, the source code is examined
- For managed code, the MSIL is examined
- Different tools, different approaches
- On compiled code, after the assembly is built
- On compiled code, during development
- Traditional: on raw source code (text)
SCA with Microsoft tools
- FxCop (free)
- Visual Studio Team System 2005
- Visual Studio Team System 2008
- VSTS with Team Foundation Server
[Diagram: VS 2005 and FxCop 1.35 alongside .NET 2.0; VS 2008 and FxCop 1.36 alongside .NET 3.x]
Demo
- FxCop 1.36
- VSTS 2008 code analysis
- VSTS 2008 code metrics
- VSTS 2008 w/TFS check-in policy
- VSTS 2008 w/TFS Team Build
Custom SCA rules
- Not officially supported
- Complicated
- Yet possible
Visual Studio 10 (Rosario)
- Based on the Phoenix project
- Supported extensibility
- Similar framework for unmanaged/managed analysis
- Rule set support (better management story)
- Data flow analysis
Static code analysis: why not?
- "We already do code reviews"
- "Way too many rules"
- "Not clear what rules to use"
- "We must have different rules"
- "Too many violations to fix"
- "Who's going to fix the violations?"
- "Hindrance to creativity"
- "Yet another bureaucratic invention"
Implementing static code analysis
- Identifying appropriate rules
- Handling backlog
- Setting up the process
- Educating the team
- Staying agile!
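Added example (not from the slides, and not Microsoft's code): what the analysis on slide "SCA: how is it done?" actually reports on managed code, and how the "handling backlog" step above looks in source. FxCop 1.36 and VSTS 2008 Code Analysis examine the compiled MSIL, so the string concatenation below is visible to the rule engine regardless of how it was written. The Customers table, its Id and Name columns, and the ScaDemo namespace are constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics.CodeAnalysis;
using System.Globalization;

namespace ScaDemo
{
    // Constructed sample: a Customers table with Id and Name columns is assumed.
    public static class CustomerLookup
    {
        // Reported by FxCop / VSTS Code Analysis:
        //   CA2100 (Microsoft.Security): CommandText is assembled from a method parameter.
        //   CA1062 (Microsoft.Design): public method dereferences 'connection' with no null check.
        // CA2100 does not prove an injection, it flags the pattern for review; here the
        // input  x' OR '1'='1  turns the WHERE clause into a tautology and returns every row.
        public static DataTable FindByNameUnsafe(SqlConnection connection, string customerName)
        {
            using (SqlCommand command = connection.CreateCommand())
            {
                command.CommandText =
                    "SELECT Id, Name FROM Customers WHERE Name = '" + customerName + "'";
                return Load(command);
            }
        }

        // Clean under both rules: arguments validated, user data travels as a typed
        // parameter and never becomes part of the SQL text.
        public static DataTable FindByName(SqlConnection connection, string customerName)
        {
            if (connection == null) throw new ArgumentNullException("connection");
            if (customerName == null) throw new ArgumentNullException("customerName");

            using (SqlCommand command = connection.CreateCommand())
            {
                command.CommandText = "SELECT Id, Name FROM Customers WHERE Name = @name";
                command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
                return Load(command);
            }
        }

        // Backlog handling: an identifier (the ORDER BY column) cannot be passed as a
        // parameter, so the query text is still built from 'sortColumn'. The value is
        // checked against a fixed allow-list first, and the remaining CA2100 report is
        // suppressed in source with a written justification instead of disabling the
        // rule for the whole project. SuppressMessageAttribute is
        // [Conditional("CODE_ANALYSIS")]; VS Code Analysis defines that symbol, so the
        // attribute is not emitted in ordinary builds.
        private static readonly string[] AllowedSortColumns = { "Id", "Name" };

        [SuppressMessage("Microsoft.Security", "CA2100:ReviewSqlQueriesForSecurityVulnerabilities",
            Justification = "sortColumn is restricted to AllowedSortColumns before concatenation.")]
        public static DataTable ListSorted(SqlConnection connection, string sortColumn)
        {
            if (connection == null) throw new ArgumentNullException("connection");
            if (Array.IndexOf(AllowedSortColumns, sortColumn) < 0)
                throw new ArgumentException("Unknown sort column.", "sortColumn");

            using (SqlCommand command = connection.CreateCommand())
            {
                command.CommandText = "SELECT Id, Name FROM Customers ORDER BY " + sortColumn;
                return Load(command);
            }
        }

        private static DataTable Load(SqlCommand command)
        {
            DataTable table = new DataTable();
            table.Locale = CultureInfo.InvariantCulture; // CA1306: set the locale explicitly
            using (SqlDataReader reader = command.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Run Code Analysis on the assembly with the Security and Design rule groups enabled: the first method produces CA2100 and CA1062 reports, the second is clean, and the third shows up only in the suppression list, where the Justification text is what a reviewer reads when deciding whether the backlog item can stay parked.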
Other tools of interest in the SCA space
- SCA tools
- NDepend (www.ndepend.com)
- ReSharper (www.jetbrains.com)
- CodeIt.Right (www.submain.com)
- Code Auditor (www.ssw.com.au)
- Misc
- Simian (www.redhillconsulting.com.au)
- Microsoft Line Of Code Counter
- Microsoft Framework Design Studio
Reading of interest
- FxCop blog (blogs.msdn.com/fxcop)
- Nicole Calinoiu (msmvps.com/blogs/calinoiu)
- Patrick Smacchia blog (codebetter.com/blogs/patricksmacchia)
- Krzysztof Cwalina blog (blogs.msdn.com/kcwalina)
- MSDN Magazine: Security code review
- http://msdn.microsoft.com/en-us/magazine/cc163312.aspx
Questions? (if time allows)
- Email (eugenez_at_attrice.info)
- Blog (teamfoundation.blogspot.com)