Static Code Analysis - Attrice Corporation


How Static Code Analysis can change your life (for the better)
Technical overview
May 2008
Why Static Code Analysis is good

Code Review is necessary and good!
Static Code Analysis is a fancy name for automated Code Review
Static Code Analysis is necessary and good!

What are the major goals of code review?

Possible goals
• Code compliance with a company-wide standard
• Identify (potential) bugs in code
• Identify design and implementation problems
• Peer education

Static Code Analysis is a code review tool!

Usually performed after coding is finished (after compilation, after the integration build)
Serves the same goals as code review
• Excellent for enforcing compliance with standards
• Helps to eliminate certain bugs
• Helps to identify certain design/implementation flaws
• Provides certain educational value

“Goodness”: SCA vs. peer code review
SCA to the rescue!
SCA – how is it done?

For unmanaged code – the source code is examined
For managed code – the MSIL is examined
Different tools – different approaches
• On compiled code after the assembly is built
• On compiled code during development
• Traditional – on raw code (text)

SCA with Microsoft tools
• FxCop (free)
• Visual Studio Team System 2005
• Visual Studio Team System 2008
• VSTS with Team Foundation Server
Demo
• FxCop 1.36
• VSTS 2008 code analysis
• VSTS 2008 code metrics
• VSTS 2008 w/TFS: check-in policy
• VSTS 2008 w/TFS: Team Build

Custom SCA rules
• Not officially supported
• Complicated
Yet
• Possible
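To show what "possible" looks like, here is a custom rule written against the FxCop 1.36 introspection SDK; it is an added example, not code from the deck, and the TeamRules namespace, the rule name and the banned-type list are assumptions.

```csharp
// Added example, not from the slides: a custom FxCop 1.36 introspection rule
// (assumes a reference to Microsoft.FxCop.Sdk.dll; names are mine). It flags
// methods that call into types on a team "banned API" list, so a company-wide
// standard becomes a check that runs with every build. FxCop also expects the
// rule's metadata (Name, Resolution "Method '{0}' uses banned type '{1}'", CheckId)
// as an embedded XML resource named TeamRules.Rules.xml, not shown here.
using System;
using Microsoft.FxCop.Sdk;

namespace TeamRules
{
    public sealed class AvoidBannedApis : BaseIntrospectionRule
    {
        // Constructed list: full type names the team standard forbids
        // (here, hash algorithms the standard considers too weak).
        private static readonly string[] Banned =
        {
            "System.Security.Cryptography.MD5",
            "System.Security.Cryptography.SHA1",
        };

        public AvoidBannedApis()
            : base("AvoidBannedApis", "TeamRules.Rules", typeof(AvoidBannedApis).Assembly) { }

        // Inspect every method, private ones included: all of it ships.
        public override TargetVisibilities TargetVisibility { get { return TargetVisibilities.All; } }

        public override ProblemCollection Check(Member member)
        {
            Method method = member as Method;
            if (method == null) return null;                // only methods carry IL

            foreach (Instruction instr in method.Instructions)
            {
                // call, callvirt and newobj all carry the target Method in Value
                if (instr.OpCode != OpCode.Call && instr.OpCode != OpCode.Callvirt
                    && instr.OpCode != OpCode.Newobj) continue;
                Method callee = instr.Value as Method;
                if (callee == null || callee.DeclaringType == null) continue;
                string typeName = callee.DeclaringType.FullName;
                if (Array.IndexOf(Banned, typeName) >= 0)
                    Problems.Add(new Problem(GetResolution(method.FullName, typeName), method));
            }
            return Problems;                                // empty: no violations
        }
    }
}
```

Build it into a rule assembly, point FxCop (or the VSTS code analysis rule directory) at it, and every checked-in build reports the violation with the method name and the offending type.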
Visual Studio 10 (Rosario)
• Based on Phoenix project
• Supported extensibility
• Similar framework for unmanaged/managed analysis
• Rulesets support (better management story)
• Data flow analysis
Static code analysis – why not?

We already do code reviews
Way too many rules
Not clear what rules to use
We must have different rules
Too many violations to fix
Who’s going to fix the violations?
Hindrance to creativity
Yet another bureaucratic invention

Implementing static code analysis
• Identifying appropriate rules
• Handling backlog
• Setting up the process
• Educating the team
• Staying agile!
Other tools of interest in the SCA space

SCA tools
• NDepend (www.ndepend.com)
• ReSharper (www.jetbrains.com)
• CodeIt.Right (www.submain.com)
• Code Auditor (www.ssw.com.au)

Misc
• Simian (www.redhillconsulting.com.au)
• Microsoft Line Of Code Counter
• Microsoft Framework Design Studio

Reading of interest
• FxCop blog (blogs.msdn.com/fxcop)
• Nicole Calinoiu (msmvps.com/blogs/calinoiu)
• Patrick Smacchia blog (codebetter.com/blogs/patricksmacchia)
• Krzysztof Cwalina blog (blogs.msdn.com/kcwalina)
• MSDN Magazine: Security code review
http://msdn.microsoft.com/en-us/magazine/cc163312.aspx

Questions? (if time allows)
• Email ([email protected])
• Blog (teamfoundation.blogspot.com)