
How Static Code Analysis can change your life (for the better)

Technical overview
May 2008

Why Static Code Analysis is good


Code Review is necessary and good!
Static Code Analysis is a fancy name for
automated Code Review
Static Code Analysis is necessary and good!

What are the major goals of code review?


Possible goals
Code compliance to company wide standard
Identify (potential) bugs in code
Identify design and implementation problems
Peer education

Static Code Analysis is a code review tool!


Usually performed after coding is finished (after compilation, after the integration build)
Serves same goals as code review
Excellent for enforcing compliance to standards
Helps to eliminate certain bugs
Helps to identify certain design/implementation flaws
Provides certain educational value

SCA vs. peer code review

SCA to the rescue!

SCA: how is it done?


For unmanaged code, the source code is examined
For managed code, the MSIL in the compiled assembly is examined

Different tools, different approaches


On compiled code after assembly is built
On compiled code during development
Traditional: on raw source code (text)

SCA with Microsoft tools


FxCop (free)
Visual Studio Team System 2005
Visual Studio Team System 2008
VSTS with Team Foundation Server

Demo
FxCop 1.36
VSTS 2008 code analysis
VSTS 2008 code metrics
VSTS 2008 w/TFS: check-in policy
VSTS 2008 w/TFS: Team Build

Custom SCA rules


Not officially supported
Complicated
Yet possible
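What a custom rule looks like in practice, as an added example that is not from the presentation or from the FxCop team: an FxCop 1.36 introspection rule that reports calls to APIs a team has put on its banned list (a typical security rule). The names are assumptions: the project references Microsoft.FxCop.Sdk.dll, the namespace Attrice.Rules is hypothetical, and the rule metadata shown in the comment must be compiled in as an embedded resource named Attrice.Rules.RuleMetadata.xml; the CheckId and the banned entries are illustrative choices.

```csharp
// Added example (not the presentation's code): custom FxCop 1.36 introspection rule that
// flags calls to banned APIs. Assumes a reference to Microsoft.FxCop.Sdk.dll and an embedded
// resource Attrice.Rules.RuleMetadata.xml (hypothetical names) with this content:
//
//   <?xml version="1.0" encoding="utf-8"?>
//   <Rules FriendlyName="Attrice Security Rules">
//     <Rule TypeName="DoNotCallBannedApis" Category="Attrice.Security" CheckId="AT1001">
//       <Name>Do not call banned APIs</Name>
//       <Description>Calls to APIs on the team's banned list must be replaced.</Description>
//       <Resolution>Method '{0}' calls banned API '{1}'. Use the approved alternative.</Resolution>
//       <MessageLevel Certainty="95">Error</MessageLevel>
//       <FixCategories>NonBreaking</FixCategories>
//       <Url />
//       <Owner />
//       <Email />
//     </Rule>
//   </Rules>
using System;
using Microsoft.FxCop.Sdk;

namespace Attrice.Rules
{
    public sealed class DoNotCallBannedApis : BaseIntrospectionRule
    {
        // "Namespace.Type::Member" keys; constructors appear as ".ctor". Illustrative list.
        private static readonly string[] Banned =
        {
            "System.Diagnostics.Process::Start",
            "System.Runtime.Serialization.Formatters.Binary.BinaryFormatter::Deserialize",
            "System.Security.Cryptography.MD5CryptoServiceProvider::.ctor",
        };

        public DoNotCallBannedApis()
            // rule name (must match TypeName in the XML), resource name, assembly holding it
            : base("DoNotCallBannedApis", "Attrice.Rules.RuleMetadata",
                   typeof(DoNotCallBannedApis).Assembly)
        {
        }

        // FxCop invokes this override for every member of every type in the target assembly.
        public override ProblemCollection Check(Member member)
        {
            Method method = member as Method;
            if (method == null || method.Instructions == null)
                return null;                       // not a method, or no body (abstract/extern)

            foreach (Instruction instruction in method.Instructions)
            {
                if (instruction.OpCode != OpCode.Call &&
                    instruction.OpCode != OpCode.Callvirt &&
                    instruction.OpCode != OpCode.Newobj)
                    continue;

                Method callee = instruction.Value as Method;   // operand of a call is the target
                if (callee == null)
                    continue;

                string key = callee.DeclaringType.FullName + "::" + callee.Name.Name;
                if (Array.IndexOf(Banned, key) >= 0)
                {
                    // {0} and {1} in the XML <Resolution> are filled from these arguments.
                    Problems.Add(new Problem(GetResolution(method.FullName, key), method));
                }
            }

            return Problems;
        }
    }
}
```

Build the rule into its own assembly and point the command line at it with the rule switch, for example `FxCopCmd.exe /file:Target.dll /rule:Attrice.Rules.dll /out:report.xml /console`. The matching is deliberately on the IL call target rather than on source text, which is why the rule also catches calls made through base-class references or generated code; the price is the SDK dependency the slide warns about, which is not a supported public API and can change between FxCop releases.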

Visual Studio 10 (Rosario)


Based on Phoenix project
Supported extensibility
Similar framework for unmanaged/managed analysis
Rulesets support (better management story)
Data flow analysis

Static code analysis: why not?


We already do code reviews
Way too many rules
Not clear what rules to use
We must have different rules
Too many violations to fix
Who's going to fix the violations?
Hindrance to creativity
Yet another bureaucratic invention

Implementing static code analysis


Identifying appropriate rules
Handling backlog
Setting up the process
Educating the team
Staying agile!
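The earlier point that SCA helps to eliminate certain bugs, and the backlog and rule-selection steps above, in one added example that is not from the presentation: the pattern FxCop's built-in CA2100 (Microsoft.Security, ReviewSqlQueriesForSecurityVulnerabilities) reports, the fix, and an in-source suppression with a written justification for a violation the team decides to keep. The class, table and column names are hypothetical; the code assumes System.Data.SqlClient and .NET 3.5.

```csharp
// Added example (not the presentation's code): what CA2100 flags, how to fix it, and how to
// suppress a reviewed, justified case so the backlog does not hide new findings.
// Class, table and column names are hypothetical.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics.CodeAnalysis;

public static class OrderQueries
{
    // Reported by CA2100: the command text is built from a caller-supplied string, so a
    // value such as  x' OR '1'='1  changes the query instead of being treated as data.
    public static SqlCommand ByCustomerUnsafe(SqlConnection connection, string customerName)
    {
        string sql = "SELECT Id, Total FROM Orders WHERE CustomerName = '" + customerName + "'";
        return new SqlCommand(sql, connection);
    }

    // Clean under CA2100: constant command text, the value travels as a typed parameter.
    public static SqlCommand ByCustomer(SqlConnection connection, string customerName)
    {
        SqlCommand command = new SqlCommand(
            "SELECT Id, Total FROM Orders WHERE CustomerName = @name", connection);
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
        return command;
    }

    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.Ordinal) { "Orders", "Customers" };

    // Backlog handling: identifiers cannot be parameterised, so this violation is kept on
    // purpose. The suppression carries the reason, is visible in code review, and only
    // compiles when CODE_ANALYSIS is defined (it is, for FxCop / VSTS analysis builds).
    [SuppressMessage("Microsoft.Security", "CA2100:ReviewSqlQueriesForSecurityVulnerabilities",
        Justification = "tableName is checked against a fixed allow-list before concatenation.")]
    public static SqlCommand CountRows(SqlConnection connection, string tableName)
    {
        if (!AllowedTables.Contains(tableName))
            throw new ArgumentException("Unknown table", "tableName");
        return new SqlCommand("SELECT COUNT(*) FROM [" + tableName + "]", connection);
    }
}
```

Two process points follow from this. The suppression is scoped to one method and carries a Justification, so a reviewer can disagree with it later without searching a global exclusion list; a project-wide exclusion of CA2100 would hide the unsafe variant as well. And the allow-list check is what makes the justification true, so the two must be reviewed together; if a later change removes the check, the suppression silently turns a real finding into nothing, which is the main risk of clearing a backlog by suppression rather than by fixing.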

Other tools of interest in SCA space


SCA tools
NDepend (www.ndepend.com)
ReSharper (www.jetbrains.com)
CodeIt.Right (www.submain.com)
Code Auditor (www.ssw.com.au)
Misc
Simian (www.redhillconsulting.com.au)
Microsoft Line Of Code Counter
Microsoft Framework Design Studio

Reading of interest
FxCop blog (blogs.msdn.com/fxcop)
Nicole Calinoiu (msmvps.com/blogs/calinoiu)
Patrick Smacchia blog (codebetter.com/blogs/patricksmacchia)
Krzysztof Cwalina blog (blogs.msdn.com/kcwalina)
MSDN Magazine: Security code review
http://msdn.microsoft.com/en-us/magazine/cc163312.aspx

Questions? (if time allows)


Email (eugenez@attrice.info)
Blog (teamfoundation.blogspot.com)
