Static code analysis

@RuneSundling | [email protected] | rune-sundling.blogspot.com

Uploaded by rune-sundling, posted on 27-Jan-2015

Page 1: Static code analysis

@RuneSundling | [email protected] | rune-sundling.blogspot.com

Static code analysis

Page 2: Static code analysis

Thank you!

Page 3: Static code analysis

Static code analysis

Tools

Integrate in dev. process

Page 4: Static code analysis
Page 5: Static code analysis
Page 6: Static code analysis

Overall, testing is far more valuable than static analysis

- Bill Pugh

Page 7: Static code analysis

Static analysis, at best, might catch 5-10% of your software quality problems

- Bill Pugh

Page 8: Static code analysis

Obstacles?

Page 9: Static code analysis

Obstacles?

Marketing budget

Page 10: Static code analysis

Obstacles?

Will fix everything

Page 11: Static code analysis

Obstacles?

Page 12: Static code analysis

Obstacles?

Page 13: Static code analysis

Obstacles?

Page 14: Static code analysis

Obstacles?

Page 15: Static code analysis

Obstacles?

Return on investment

Page 16: Static code analysis
Page 17: Static code analysis

Used effectively, static analysis is cheaper than other techniques for catching the same bugs

- Bill Pugh

Page 18: Static code analysis

If you are not using them [static Analysis tools], then basically you are negligent, and you should prepare to be sued by the army of lawyers that have already hit the beach

- Gary McGraw

Page 19: Static code analysis

Combining inspections, static analysis, and testing is cheaper than testing by itself and leads to much better defect removal efficiency levels.

- Capers Jones

Page 20: Static code analysis

At my company, sometimes I feel less like Chief Architect, and more like Chief Debugger or Chief Code Reader. Sometimes I get too caught up in trying to read code in order to understand the big picture. This is my own failing, as I often try to use a microscope when I need a telescope.

- Scott Hanselman

Page 21: Static code analysis

Once I realized the depth and breadth of the information I was looking at, I was like a kid in a candy shop

- Scott Hanselman

Page 22: Static code analysis

An average of 17% cost savings would have been possible if the static analysis tool was used

“Evaluating the Cost Reduction of Static Code Analysis for Software Security” (2008)

- Dejan Baca, Bengt Carlsson, Lars Lundberg

Page 23: Static code analysis

Types of bugs

• Code quality
• Bad practice
• Input validation
• Maintainability
• Correctness
• Security
• Multithreaded correctness
• Performance
• Internationalization
• Interoperability
• Specific for tools
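To make the categories above concrete, here is an added example (not from the slide deck, and not code from any of the tools it names) of how a static analysis rule works: each rule is a pattern matched against the program's syntax tree, and each match becomes a finding with a rule id, a line number and a message. The deck's tools target .NET, but the mechanism is the same in any language; Python's standard-library ast module is used here so the example runs stand-alone. The rule ids (SEC001, BP001, COR001), the Finding type and the sample source are all constructed for this illustration.

```python
"""Minimal custom static-analysis rules over Python source (added example).

Three rules, one per slide category: an input-validation/security rule
(SQL text assembled at runtime and passed to execute()), a bad-practice
rule (bare except) and a correctness rule (mutable default argument).
Rule ids and the sample input below are constructed for the illustration.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _is_constant_string(node):
    """True when the expression is a literal string (no runtime concatenation)."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


class RuleVisitor(ast.NodeVisitor):
    """Walks the AST once and collects findings for all rules."""

    def __init__(self):
        self.findings = []

    # Security / input validation: the first argument of a .execute(...) call
    # is not a literal string, so the query text depends on runtime values.
    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "execute" and node.args:
            if not _is_constant_string(node.args[0]):
                self.findings.append(Finding(
                    "SEC001", node.lineno,
                    "SQL passed to execute() is built at runtime; use parameters"))
        self.generic_visit(node)

    # Bad practice: a bare `except:` catches everything, including SystemExit.
    def visit_ExceptHandler(self, node):
        if node.type is None:
            self.findings.append(Finding(
                "BP001", node.lineno, "bare except: catches every exception"))
        self.generic_visit(node)

    # Correctness: a mutable default is created once and shared across calls.
    def visit_FunctionDef(self, node):
        for default in node.args.defaults + node.args.kw_defaults:
            if isinstance(default, (ast.List, ast.Dict, ast.Set)):
                self.findings.append(Finding(
                    "COR001", default.lineno,
                    f"mutable default argument in {node.name}()"))
        self.generic_visit(node)


def analyze(source):
    """Run all rules over one source text; returns findings sorted by line."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: (f.line, f.rule))


# Constructed sample input: three defects plus one clean, literal query.
SAMPLE = '''
def load_user(cur, name, extra=[]):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute("SELECT 1")
    try:
        return cur.fetchone()
    except:
        return None
'''

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f.rule} line {f.line}: {f.message}")
```

Running it reports COR001 on line 2, SEC001 on line 3 and BP001 on line 7 of the sample, while the literal `"SELECT 1"` query on line 4 is not flagged. This is also the shape of the trade-off in the Bill Pugh quotes earlier in the deck: a rule this simple is cheap to run on every build, but it only sees what is syntactically visible in one file, which is why the deck pairs static analysis with inspections and testing rather than relying on it alone.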

Page 24: Static code analysis

“Smaller”

General
• FxCop (free)
• NDepend
• Mono.Gendarme (free)
• Smokey (free)
• ReSharper
• CodeRush

Duplication detection
• Simian

Security
• CAT (Microsoft Code Analysis Tool .NET) (free)

Code style
• StyleCop (free)
• Agent Smith (free, ReSharper plugin)

Code contracts

“Enterprise”
• Microsoft ..
• HP ..
• IBM Rational ..
• Klocwork ..
• Coverity ..

http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

Page 25: Static code analysis

Demo

Page 26: Static code analysis

Tools summary

Page 27: Static code analysis

Integrating into development process

Page 28: Static code analysis
Page 29: Static code analysis
Page 30: Static code analysis

$

Summary

Page 31: Static code analysis

Summary

Page 32: Static code analysis

Links & References

# List of static code analysis tools
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

# General:
• Defective Java: Mistakes that matter - Bill Pugh, Øredev 2010: http://vimeo.com/17157772
• How and to whom should you report static analysis results: http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
• Software Engineering Radio - Static Code Analysis (Episode 59, 2006): http://www.se-radio.net/2007/06/episode-59-static-code-analysis/

Page 33: Static code analysis

Links & References

# NDepend:
• Link: http://www.ndepend.com/
• Tips: http://www.ndepend.com/Tips.aspx
• Metrics: http://www.ndepend.com/Metrics.aspx
• Hanselman podcast on static code analysis and NDepend: http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
• Success story on large project: http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
• Hanselman/Caudwell NDepend metrics poster: http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
• Discussions with NHibernate contributor on value of these tools (read comments):
  http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
  http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
  http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface

Page 34: Static code analysis

Links & References

Links to various NDepend analyses:
• http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
• http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
• spring.net: http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/

CQL examples:
• http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
• http://mookid.dk/oncode/archives/1052
• http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3

Page 35: Static code analysis

Links & References

# Visual Studio Code Analysis:
• Visual Studio Code Analysis and Code Metrics forum: http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
• Rules: http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
• How to write custom static code analysis rules and integrate them into VS2010: http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
• Data flow analysis in VS2010 (what is not in FxCop): http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
• Integrate VS2010 Code Analysis in CI or MSBuild:
  Part 1, Introduction: http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
  Part 2, The steps: http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
• Visual Studio and ReSharper C# coding guidelines (VS rule set, R# code style): http://csharpguidelines.codeplex.com/

Page 36: Static code analysis

Links & References

# FxCop:
• Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
• Intro and integrate with CI: http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
• Share rules: http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
• How to manage a big FxCop backlog (2007): http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
• How to get the suppress-message attributes in code to work with the FxCop GUI: http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx

# StyleCop:
• Link: http://stylecop.codeplex.com/
• StyleCop on legacy projects: http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
• StyleCop in CI build: http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx

Page 37: Static code analysis

Links & References

# ReSharper:
• Link: www.jetbrains.com/resharper/
• Code Quality Analysis: http://www.jetbrains.com/resharper/features/code_analysis.html
• Structural Search and Replace: http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
• ReSharper Settings Manager: http://rsm.codeplex.com/

# List of rules from other tools:
• Fortify (HP): https://www.fortify.com/vulncat/en/vulncat/index.html

Page 38: Static code analysis

@RuneSundling | [email protected] | rune-sundling.blogspot.com

Questions?