Coding Horror: Managed Code Analysis Tools

Managed Code Analysis Tools

September 6, 2005

Navigating a new codebase can feel like like landing on an alien planet. That's where static code analysis tools come in handy; they're akin to software tricorders. They provide a general snapshot of unfamiliar code: Is it normal? Is it unusual? Is it dangerous?*

Classic Star Trek Tricorder

There's an element of "correctness" associated with static code analysis, but I think this should be de-emphasized. The last thing developers want is a Code Nazi peering over their shoulder. I prefer to think of these tools as software tricorders, collecting a bunch of recommendations and metrics about our code. What we choose to do with that data is up to us.

The most famous static code analysis tool for .NET is, of course, Microsoft's FxCop. If you haven't tried FxCop in a while, I recommend running the latest version across one of your compiled assemblies. You'd be surprised how helpful it is, particularly for identifying unused variables and functions. You may also be surprised how annoying some of the rules are; that's why the entire list of rules can be selectively enabled or disabled and saved as profiles. You can even write your own custom FxCop rules-- how about a custom rule that requires XML documentation for each assembly, as illustrated in this June 2004 MSDN article?

FxCop is currently a standalone .exe in an informal GotDotNet workspace, but in Visual Studio 2005, it's an integrated part of the build process. You can enable output from the console version of FxCop by ticking the checkbox on the Code Analysis tab of the project properties. Any FxCop warnings or errors then show up as you would expect in the standard Task List tab.**

There's at least one commercial tool that also does .NET static code analysis, namely FMS Total .NET Analyzer. I tried the evaluation version which is limited to identifying only one issue for each category. It's nice enough, but it also seems to overlap quite a bit with FxCop. And it's pricey.

In addition to those well-known tools, Raymond Lewallen and Robin Curry found some additional lesser known managed code analysis tools:

Reflector.CodeMetrics (an add-in for the essential Reflector)
DevMetrics ($)
NDepend
Complexity Analyzer ($)
CCMetrics
CRPlugin (plugin for DxCore)
Source Monitor
vil

I've heard good things about NDepends in particular, but I haven't had a chance to check it out yet.

* Don't bother if you're wearing a red shirt. In classic Trek fashion, you may not be around long enough to care.
** at least in VS.NET 2005 beta 2, you can.

Posted by Jeff Atwood

« Head First Design Patterns

The Problem With Configurability »

8 Comments

Jeff,
I can't resist adding DevPartner SecurityChecker to the above list. While it doesn't cover everything FxCop does, I think it does a much better job on the security front... I'm a little biased though.

I also like NDepend.

The FxCop article you linked to is a good place to start looking at FxCop, but there are a number of more fleshed out articles/sample rules using the introspection engine available.

Tim Weaver on September 7, 2005 10:20 AM

there are a number of more fleshed out articles/sample rules using the introspection engine available

It's helpful to provide links ;)

Jeff Atwood on September 7, 2005 11:16 AM

Thanks for the pointers Raymond. Robin's blog has some excellent info, and I have linked it in the original post!

Jeff Atwood on September 8, 2005 4:29 AM

I can't resist adding DevPartner SecurityChecker to the above list.

Interesting. We use FxCop mostly for security audits internally.. here's an overview/review of SecurityChecker

http://www.aspnetpro.com/productreviews/2005/04/asp200504rm_p/asp200504rm_p.asp

Jeff Atwood on September 8, 2005 4:32 AM

I really like NDepend. Back in July, I held an XP seminar/workshop where part of my "simplicity" discussion I discussed analyzing and using code metrics to create and maintain simple code. One attendee, Robin Curry, was apparently excited by what I had to say and really took off on his own into using code metrics. He's even put up quite a few posts on integrating code metric apps, such as NDepends, into the build process. Here is the post where he integrated NDepend into CruiseControl: http://www.robincurry.org/blog/CommentView,guid,3640af37-9a2c-441d-acf9-f79017123cb2.aspx

Raymond Lewallen on September 8, 2005 11:18 AM

I just released NDepend 2.0 with some major enhancements such as an interactive view of your application and a language dedicated to query and constraint the structure of your code: Code Query Language.
http://www.NDepend.com
http://www.ndepend.com/CQL.htm

Regards,
Patrick Smacchia

Patrick Smacchia on April 5, 2006 10:18 AM

Stumbled upon this old post again, and though I know I shouldn't be adding anything...

Ndepend is neat, I am sure, but why does every little tool cost $300-$500 now? At least price the damn things less than Vista Ultimate.

Spoil Sport on February 12, 2007 9:20 AM

Check out SemmleCode (http://semmle.com). It's free, it's object-oriented, and tightly integrated with Eclipse.

The object-oriented code query language .QL enables superior intellisense (and thus makes writing queries easier), it allows very concise expression of new code queries, and it make such queries easy to share and re-use.

Let us know what you think on the forums at http://semmle.com!

[disclosure: I'm a prof at Oxford working on static analysis tools and the CEO of Semmle]

Oege de Moor on April 5, 2007 6:16 AM

The comments to this entry are closed.