Static code analysis
Published in Technology
  • Hello. I would invite all who are interested in static code analysis to try our tool PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of using PVS-Studio:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/
Transcript

  • 1. Static code analysis
    @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com
  • 2. Thank you!
  • 3. Integrate in
    dev. process
    Static code
    analysis
    Tools
  • 6. Overall, testing is far more valuable
    than static analysis
    - Bill Pugh
  • 7. Static analysis, at best, might catch
    5-10% of your software quality
    problems
    - Bill Pugh
  • 8. Obstacles?
  • 9. Obstacles?
    Marketing
    budget
  • 10. Obstacles?
    Will fix everything
    Return on investment
  • 17. Used effectively, static analysis
    is cheaper than other techniques
    for catching the same bugs
    - Bill Pugh
  • 18. If you are not using them [static analysis tools], then basically you are negligent, and you should prepare to be sued by the army of lawyers that have already hit the beach
    - Gary McGraw
  • 19. Combining inspections, static analysis,
    and testing is cheaper than testing
    by itself and leads to much
    better defect removal
    efficiency levels.
    - Capers Jones
  • 20. At my company, sometimes I feel less like Chief Architect, and more like Chief Debugger or Chief Code Reader. Sometimes I get too caught up in trying to read code in order to understand the big picture. This is my own failing, as I often try to use a microscope when I need a telescope.
    - Scott Hanselman
  • 21. Once I realized the depth and breadth of the information I was looking at, I was like a kid in a candy shop
    - Scott Hanselman
  • 22. An average of 17% cost savings would have been possible if the static analysis tool was used
    - Dejan Baca, Bengt Carlsson, Lars Lundberg, “Evaluating the Cost Reduction of Static Code Analysis for Software Security” (2008)
  • 23. Types of bugs
    “Smaller”
    “Enterprise”
    General
    Duplication detection
    • Simian
    Security
    • CAT (Microsoft Code Analysis Tool .NET) (free)
    Code style
    • StyleCop (free)
    • 39. Agent Smith (free, ReSharper plugin)
    Code contracts
    http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
  • 55. Demo
  • 56. Tools summary
  • 57. Integrating into development process
  • 60. Summary
  • 61. Summary
  • 62. Links & References
    # List of static code analysis tools
    http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
    # General:
    Defective Java: Mistakes that matter - Bill Pugh – Øredev 2010
    http://vimeo.com/17157772
    How and to whom you should report static analysis results
    http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
    Software Engineering Radio - Static Code Analysis (Episode 59, 2006)
    http://www.se-radio.net/2007/06/episode-59-static-code-analysis/
  • 63. Links & References
    # NDepend:
    Link
    http://www.ndepend.com/
    Tips
    http://www.ndepend.com/Tips.aspx
    Metrics:
    http://www.ndepend.com/Metrics.aspx
    Hanselman podcast on static code analysis and NDepend
    http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
    Success story on large project
    http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
    Hanselman/Caudwell NDepend metrics poster
    http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
    Discussions with NHibernate contributor on value of these tools (read comments)
    http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
    http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
    http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface
  • 64. Links & References
    Links to various NDepend analyses
    http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
    Spring.NET:
    http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/
    CQL examples
    http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
    http://mookid.dk/oncode/archives/1052
    http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3
  • 65. Links & References
    # Visual Studio Code Analysis:
    Visual Studio Code Analysis and Code metrics forum
    http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
    Rules
    http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
    How to write custom static code analysis rules and integrate them into VS2010
    http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
    Data flow analysis in VS2010 (what is not in FxCop)
    http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
    Integrate VS2010 Code analysis in CI or MsBuild
    Part 1 Introduction - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
    Part 2 The steps - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
    Visual Studio and ReSharper C# coding guidelines (VS Rule set, R# code style)
    http://csharpguidelines.codeplex.com/
  • 66. Links & References
    # FxCop:
    Download
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
    Intro and integrate with CI
    http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
    Share rules:
    http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
    How to manage a big FxCop backlog (2007)
    http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
    How to get the suppress-messages in code to work with the FxCop GUI
    http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx
    # StyleCop:
    Link
    http://stylecop.codeplex.com/
    StyleCop on legacy projects
    http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
    StyleCop in CI build
    http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx
  • 67. Links & References
    # ReSharper
    Link:
    www.jetbrains.com/resharper/
    Code Quality Analysis
    http://www.jetbrains.com/resharper/features/code_analysis.html
    Structural Search Replace
    http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
    ReSharper Settings Manager
    http://rsm.codeplex.com/
    # List of rules from other tools:
    Fortify (HP):
    https://www.fortify.com/vulncat/en/vulncat/index.html
  • 68. Questions?
    @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com