Static Analysis Tools For .NET, Matt Berseth’s Blog
All prices were confirmed October 30, 2008, and are subject to change. The opinions expressed in this column are solely those of the author and do not necessarily reflect the opinions of Microsoft.
Improve Software Quality with Static Code Analysis Tools
Blogs of Note
Improve Software Quality with Static Code Analysis Tools
Many software teams use code reviews to ensure that developers are writing correct, secure code that adheres to the company's design guidelines. These guidelines might outline naming conventions, patterns to use for accessing data or other external resources, and so on. Many aspects of the code review process are rather mechanical and can be automated. Static code analysis tools scan through source code or intermediate code and search for violations of defined design guideline rules.
One such static analysis tool for applications within the Microsoft .NET Framework is FxCop (version 1.36), a free tool created by Microsoft. FxCop analyzes the intermediate code of a compiled .NET assembly and provides suggestions for design, security, and performance improvements. By default, FxCop analyzes an assembly based on the rules set forth by Design Guidelines for Developing Class Libraries. The design guideline rules are divided into nine categories, including design, globalization, performance, and security, among others. An example of a naming rule is, "Events should not have 'before' or 'after' prefix." If FxCop identifies an event named BeforeUpdate, it will recommend replacing BeforeUpdate with a present-tense version of the event name (namely, Update). You can also plug in a custom rules class that reflects your company's internal design guidelines.
To analyze an assembly, launch FxCop, create a new project, and add the assembly to the project. FxCop shows the 200+ rules that are used when analyzing the assembly; you may turn off existing rules or add your own. Click the Analyze button to begin the analysis. After enumerating the types, classes, methods, and members of your assembly, FxCop displays the analysis results, which list the offending code and the rule that was violated. Select a result for a more detailed description and solution.
FxCop is available as a standalone app; it also includes a command-line implementation that makes it easy to plug into an automated build process. (Code Analysis, a tool much like FxCop, ships with Visual Studio Team System and is integrated into the Visual Studio shell.) For more on how to use FxCop, see the Bugslayer columns by John Robbins: "Bad Code? FxCop to the Rescue" and "Three Vital FXCop Rules."
FxCop Analyzes an Assembly Based on Rules Set by .NET Design Guidelines
(Click the image for a larger view)
Another static code analysis tool from Microsoft is StyleCop (version 4.3). Whereas FxCop evaluates design guidelines against intermediate code, StyleCop evaluates the style of C# source code. Style guidelines are rules that specify how source code should be formatted. They dictate whether spaces or tabs should be used for indentation and the format of for loops, if statements, and other constructs. Example StyleCop rules include: the body of for statements should be wrapped in opening and closing curly brackets; there should be white space on both sides of the = and != operators; and calls to member variables within a class must begin with "this.".
StyleCop is not integrated into Visual Studio Team System—you must install it yourself. Executing StyleCop from within Visual Studio analyzes the source code in the currently opened solution, displaying the results as warnings in the error list window. StyleCop can also be integrated with MSBuild.
While FxCop and StyleCop pinpoint rule violations, the developer is still responsible for implementing these tools' suggestions. CodeIt.Right (version 1.1) from SubMain takes static code analysis to the next level by enabling rule violations to be automatically refactored into conforming code. Like FxCop, CodeIt.Right ships with an extensive set of predefined rules, based on the design guidelines document mentioned earlier, with the ability to add custom rules. But CodeIt.Right makes it much easier to create and use custom rules.
Using custom rules in FxCop requires building and compiling a rules class and plugging it into FxCop. With CodeIt.Right, custom rules are generated from a graphical user interface; defining a new rule entails picking the base behavior pattern and then customizing a couple of properties. CodeIt.Right integrates within the shells of Visual Studio .NET 2003, Visual Studio 2005, and Visual Studio 2008, and offers a command-line implementation as well.
CodeIt.Right Updates Selected Violations to Conform to Rules (Click the image for a larger view)
To use CodeIt.Right from within Visual Studio, choose the Start Analysis option from the CodeIt.Right menu. After the solution is analyzed, CodeIt.Right displays the results in a window within the Visual Studio IDE, listing each rule violation. This report can be exported to an XML or Microsoft Office Excel file.
CodeIt.Right's biggest benefit is the automatic code refactoring. From the results screen you can check which violations to fix and then click the Correct Checked button. All changes made by CodeIt.Right are highlighted within Visual Studio, and the automated changes can be rolled back with the click of a button.
Static code analysis tools provide a fast, automated way to ensure that your source code adheres to predefined design and style guidelines. Following such guidelines helps produce more uniform code and also can point out potential security, performance, interoperability, and globalization shortcomings. Static code analysis tools are not a replacement for human-led code reviews. Rather, they can generate a first pass of the code base and highlight areas that require more attention from a senior developer.
Price: FxCop (free); StyleCop (free); CodeIt.Right ($250 per user license).
Blogs of Note
Many Web sites have embraced AJAX, a set of technologies for building responsive user interfaces. To help with building AJAX-enabled Web applications, ASP.NET ships with the ASP.NET AJAX Framework; this framework provides the core functionality for implementing AJAX scenarios. Additionally, Microsoft has partnered with the AJAX community and released the AJAX Control Toolkit, a set of free, open-source AJAX-enabled Web controls.
Every Web developer building AJAX-enabled sites needs to check out Matt Berseth's blog. Most of the blog entries show how to create a particular Web-based UI and do so in a very detailed fashion with downloadable code, live demos, and a plethora of code snippets and screenshots. For example, in one blog entry Matt shows how to use a ListView control and the Accordion control from the AJAX Control Toolkit to create a UI that mirrors the Microsoft Office Outlook navigation bar. Another entry shows how to use the ModalPopup control with the GridView and DetailsView controls to create an editable grid whose editing interface appears in a modal window. Matt's blog also includes a demo gallery, where all of the live demos scattered throughout his blog entries are consolidated on one page.
Send your questions and comments for Scott to firstname.lastname@example.org.
Scott Mitchell, author of numerous books and founder of 4GuysFromRolla.com, is an MVP who has been working with Microsoft Web technologies since 1998. Scott is an independent consultant, trainer, and writer. Reach him at Mitchell@4guysfromrolla.com or via his blog at ScottOnWriting.NET.