Since I’ll probably give a lecture on Code Analysis in this year’s WinDays conference in Opatija, Croatia, I’ve decided to write some notes on CA here for start.
Static Code Analysis
What is actually a code analysis? It is a process in which the software code is being examined. These can be performed during the program’s execution (that is, dynamically) or without actually executing programs (that is, statically). So, it is evidented from the start that, it involves a couple of points: who (or what) will actually perform the analysis, how will the analysis be conducted (against which principles, rules) and how will the author (and the code) be informed about the results?
At the beginning, the performer (that is, evaluator) was a man. As this discipline is part of a bigger picture – writing quality code, which also includes conducting code reviews, so testing and revisioning a code by a team peer, it was indeed the reviewer who played that role in the past. Later, automated tools appeared, and humans were shifted to the code review as the next phase of testing.
So, what to analyse and how to do that? Firstly, individual statements and declarations have been examined by their behavior, methods and classes by their structure, variables by their type and conversion. Also, potential vulnerable and unsecure code had to be found as security as fear factor emerged. Lots of formal methods arrived as a try to mathematically discover possible run-time errors (denotational semantics, axiomatic semantics, operational semantics, and abstract interpretation), but they failed to explain the nature of malicious program. But to not take this hardly, a myriad of techniques emerged instead, which proved to be very useful as use of assertions (in debugging and tracing), software metrics and reverse engineering.
Tools for static code analysis
Here I will present only those which I think are dominant in .NET:
- FxCop – it is a free static analysis tool by Microsoft for .NET code; it has begun as a standalone tool, but after proven to be succesful, integrated in Microsoft Visual Studio (Team edition).
- StyleCop – a copper-colleage of FxCop (you can think of them as “good cop, bad cop”) dedicated for styling and consistency rules (indenting, spaces, and all that tiny and tidy rules you can think of); standalone or can be incorporated inside MSBuild project (free download from Microsoft’s site),
- ReSharper – it is third-party add-on for Visual Studio 2005/2008 with static code analysis, coding assistance, cleanup, code generation, 34 different refactorings, improved unit testing and automatic correction of errors -> more at ReSharper site,
- CodeIt.Right – also a third-party tool for automatic refactoring to best practices which allows automatically correct code errors and violations – supports both C# and VB.NET -> more at CodeIt.Right site.