1 / 16

How Static Code Analysis can change your life (for the better)

How Static Code Analysis can change your life (for the better). Technical overview May 2008. Why Static Code Analysis is good. Code Review is necessary and good! Static Code Analysis is a fancy name for automated Code Review Static Code Analysis is necessary and good!.

colby
Download Presentation

How Static Code Analysis can change your life (for the better)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How Static Code Analysis can change your life(for the better) Technical overview May 2008

  2. Why Static Code Analysis is good Code Review is necessary and good! Static Code Analysis is a fancy name for automated Code Review Static Code Analysis is necessary and good!

  3. What are major goals of code review? • Possible goals • Code compliance to company wide standard • Identify (potential) bugs in code • Identify design and implementation problems • Peer education

  4. Static Code Analysis is code review tool! • Usually performed after the coding finished (after compilation, after integration build) • Serves same goals as code review • Excellent for enforcing compliance to standards • Helps to eliminate certain bugs • Helps to identify certain design/implementation flaws • Provides certain educational value

  5. SCA vs. peer code review “Goodness”

  6. SCA to the rescue!

  7. SCA – how it is done? • For unmanaged code – source code is examined • For managed code – MSIL is examined • Different tools – different approaches • On compiled code after assembly is built • On compiled code during development • Traditional - on raw code (text)

  8. SCA with Microsoft tools • FxCop (free) • Visual Studio Team System 2005 • Visual Studio Team System 2008 • VSTS with Team Foundation Server VS 2005 FxCop 1.35 VS 2008 FxCop 1.36 .NET 3.x .NET 3.x .NET 2.0

  9. Demo • FxCop 1.36 • VSTS 2008 code analysis • VSTS 2008 code metrics • VSTS 2008 w/TFS: check-in policy • VSTS 2008 w/TFS: Team Build

  10. Custom SCA rules • Not officially supported • Complicated • Yet • Possible

  11. Visual Studio 10 (Rosario) • Based on Phoenix project • Supported extensibility • Similar framework for unmanaged/managed analysis • Rulesets support (better management story) • Data flow analysis

  12. Static code analysis – why not? We already do code reviews Way too many rules Not clear what rules to use We must have different rules Too many violations to fix Who’s going to fix the violations? Hindrance to creativity Yet another bureaucratic invention

  13. Implementing static code analysis • Identifying appropriate rules • Handling backlog • Setting up the process • Educating the team • Staying agile!

  14. Other tools of interest in SCA space • SCA tools • NDepend (www.ndepend.com) • ReSharper (www.jetbrains.com) • CodeIt.Right (www.submain.com) • Code Auditor (www.ssw.com.au) • Misc • Simian (www.redhillconsulting.com.au) • Microsoft Line Of Code Counter • Microsoft Framework Design Studio

  15. Read of interest • FxCop blog (blogs.msdn.com/fxcop) • Nicole Calinoiu (msmvps.com/blogs/calinoiu) • Partick Smacchia blog (codebetter.com/blogs/patricksmacchia) • Krzysztof Cwalina blog (blogs.msdn.com/kcwalina) • MSDN Magazine: Security code review • http://msdn.microsoft.com/en-us/magazine/cc163312.aspx

  16. Questions? (if time allows) • Email (eugenez@attrice.info) • Blog (teamfoundation.blogspot.com)

More Related