Managed Static Code Analysis in VSTS: Part I
This article attempts to explain the concept of static code analysis and tools that can be used to realize it with a focus on managed code analysis.
During the implementation process, building applications with consistent code is considered one of the main objectives the development team strives for, because it affects the quality of the final product. Consistent code means code that follows coding best practices and conforms to agreed rules and standards. Peer review is the traditional way to guarantee that the development team actually writes consistent code; static code analysis tools have automated that part of the job. This article explains the concept of static code analysis and the tools that can be used to realize it. The focus here is on managed code analysis, so native or unmanaged code is outside the scope of this article.
Code analysis is nothing more than inspecting code to find common mistakes, suggest improvements and refactorings, and detect violations of coding standards and rules. It can be considered one of the main quality metrics, or KPIs, of the implementation process.
There are many managed code analysis tools. FxCop, for example, is a standalone utility that analyzes managed code against a library of predefined rules; it is now fully integrated into the Visual Studio Team System IDE.
For managed code, Microsoft defines groups of rules covering various aspects of the implementation process, such as naming conventions, performance issues, security considerations, globalization, and maintainability. There are about two hundred of these rules, and together they form the library that the VSTS code analysis tool uses to check code consistency.
The most important rule groups in the guidelines are described below.
Naming: These rules enforce the naming standards described in the Design Guidelines. Applying them verifies that the names of items such as assemblies, classes, members, and variables conform to the standards; some rules even detect misspellings in the names you assign.
Performance: These rules identify places in your code that can be optimized for performance, detecting a wide variety of wasteful, redundant, or extraneous code.
Security: These rules identify insufficient or incorrect security practices. Rules exist to find missing attributes, improper use of permissions, and possible openings for SQL injection attacks.
Design: This group of rules focuses on the interfaces and structure of the code and enforces the proper implementation of common concepts such as classes, events, collections, namespaces, and parameters.
Globalization: This group supports the internationalization of code and focuses on formatting, including avoiding strings of literal text.
Maintainability: These rules help make your code easier to maintain and identify potential problems such as excessive complexity and overuse of inheritance.
You run code analysis in VSTS simply by building your application. Any violations the tool detects are listed in the Error List window, either as warnings or as build errors, depending on your project settings.
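As an added illustration (not code from this article or from Microsoft), the following C# snippet shows the kind of data-access code that the Security group's SQL injection rule (CA2100, "Review SQL queries for security vulnerabilities", in the FxCop rule library) reports at build time, next to the parameterized form that passes it. The `Customers` table, its `Id` and `Name` columns, and the open `SqlConnection` are assumed for the example.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class CustomerRepository
{
    // Reported by code analysis: the command text is assembled from a
    // caller-supplied string, so the tool cannot prove the query is safe.
    // Any quote in `name` becomes part of the SQL statement.
    public static DataTable FindByNameUnsafe(SqlConnection connection, string name)
    {
        using (SqlCommand command = connection.CreateCommand())
        {
            command.CommandText =
                "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }

    // Passes the rule: the command text is a constant and the user value is
    // sent as a typed parameter, so it is data to the server, never SQL.
    public static DataTable FindByName(SqlConnection connection, string name)
    {
        using (SqlCommand command = connection.CreateCommand())
        {
            command.CommandText = "SELECT Id, Name FROM Customers WHERE Name = @name";
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }
}
```

With code analysis enabled on the project, building it lists the first method in the Error List window; whether that entry is a warning or an error follows the treat-warnings-as-errors setting of the project.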