Static code analysis
Comments

  • Hello. I would invite all who are interested in static code analysis to try our tool PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of PVS-Studio in use:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/
Presentation Transcript

  • Static code analysis
    @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com
  • Thank you!
  • Integrate in dev. process
    Static code analysis
    Tools
  • Overall, testing is far more valuable
    than static analysis
    - Bill Pugh
  • Static analysis, at best, might catch
    5-10% of your software quality
    problems
    - Bill Pugh
  • Obstacles?
    Marketing budget
    Will fix everything
    Return on investment
  • Used effectively, static analysis
    is cheaper than other techniques
    for catching the same bugs
    - Bill Pugh
  • If you are not using them [static
    Analysis tools], then basically
    you are negligent, and you should
    prepare to be sued by the army
    of lawyers that have
    already hit the
    beach
    - Gary McGraw
  • Combining inspections, static analysis,
    and testing is cheaper than testing
    by itself and leads to much
    better defect removal
    efficiency levels.
    - Capers Jones
  • At my company, sometimes I feel less
    like Chief Architect, and more like
    Chief Debugger or Chief Code Reader.
    Sometimes I get too caught up in
    trying to read code in order to
    understand the big picture. This is
    my own failing, as I often try to
    use a microscope when I need a
    telescope.
    - Scott Hanselman
  • Once I realized the depth and
    breadth of the information I was
    looking at, I was like a kid
    in a candy shop
    - Scott Hanselman
  • An average of 17% cost savings would
    have been possible if the static
    analysis tool was used
    - Dejan Baca, Bengt Carlsson, Lars Lundberg
    “Evaluating the Cost Reduction
    of Static Code Analysis
    for Software Security” (2008)
  • Types of bugs
    • Code quality
    • Bad practice
    • Input validation
    • Maintainability
    • Correctness
    • Security
    • Multithreaded correctness
    • Performance
    • Internationalization
    • Interoperability
    • Specific for tools
  • Tools
    “Smaller”
    General
    • FxCop (free)
    • NDepend
    • Mono.Gendarme (free)
    • Smokey (free)
    • ReSharper
    • CodeRush
    Duplication detection
    • Simian
    Security
    • CAT (Microsoft Code Analysis Tool .NET) (free)
    Code style
    • StyleCop (free)
    • Agent Smith (free, ReSharper plugin)
    Code contracts
    “Enterprise”
    • Microsoft ..
    • HP ..
    • IBM Rational ..
    • Klocwork ..
    • Coverity ..
    http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
  • Demo
  • Tools summary
  • Integrating into development process
  • Summary
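    The slides on bug types (input validation, security), on data-flow rules and on integrating analysis into the development process without drowning in the existing backlog can be made concrete with a small analyzer. The following is an added example written for this transcript, not code from the presentation or from any tool it lists (FxCop, CAT.NET, NDepend, Fortify). It works on Python source through the standard-library `ast` module because the technique is language-independent: a custom rule, intraprocedural taint tracking from a source to a sink, an in-code suppression, and a baseline of fingerprinted findings so that legacy findings do not fail the build while newly introduced ones do. The source names (`request.args`, `cursor.execute`), the `# analysis: ignore` marker and the sample module are assumptions constructed for the example.

```python
"""Custom static-analysis rule with taint tracking and a baseline (added example, not
code from the presentation or from FxCop/CAT.NET/NDepend; names below are assumptions)."""
import ast
import hashlib

TAINT_SOURCES = {"request.args", "request.form", "sys.argv"}  # user-controlled input (assumed)
SQL_SINKS = {"cursor.execute", "cursor.executemany"}          # first argument must be clean
SUPPRESS_MARKER = "# analysis: ignore"                        # in-code suppression (assumed)

def dotted_name(node):
    # 'a.b.c' for a Name/Attribute chain, None for any other expression
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

class TaintVisitor(ast.NodeVisitor):
    """Intraprocedural data flow: tracks which local names currently hold tainted data."""
    def __init__(self, lines):
        self.lines, self.tainted, self.findings = lines, set(), []

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            return dotted_name(node) in TAINT_SOURCES
        if isinstance(node, ast.Subscript):                     # request.args["id"]
            return self.is_tainted(node.value)
        if isinstance(node, ast.BinOp):                         # "..." + x,  "%s" % x
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in ("int", "float"):
                return False                                    # numeric cast sanitises
            via_receiver = isinstance(func, ast.Attribute) and self.is_tainted(func.value)
            return via_receiver or any(map(self.is_tainted, node.args))  # str(x), x.strip()
        return False

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, set()               # fresh state per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        for target in (t for t in node.targets if isinstance(t, ast.Name)):
            if self.is_tainted(node.value):
                self.tainted.add(target.id)
            else:
                self.tainted.discard(target.id)                 # clean reassignment kills taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if (name in SQL_SINKS and node.args and self.is_tainted(node.args[0])
                and SUPPRESS_MARKER not in self.lines[node.lineno - 1]):
            self.findings.append((node.lineno, f"tainted data reaches {name}"))
        self.generic_visit(node)

def fingerprint(src_line, message):
    """Line-number-independent id: hash of message plus whitespace-normalised source line."""
    text = message + "|" + " ".join(src_line.split())
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def analyze(source):
    """Run the rule over one module; returns [(line, message, fingerprint), ...]."""
    lines = source.splitlines()
    visitor = TaintVisitor(lines)
    visitor.visit(ast.parse(source))
    return [(ln, msg, fingerprint(lines[ln - 1], msg)) for ln, msg in visitor.findings]

def gate(findings, baseline):
    """Findings not accepted in the baseline; a non-empty list should fail the build."""
    return [f for f in findings if f[2] not in baseline]

# Constructed sample module: it is only parsed by analyze(), never imported or run.
SAMPLE = '''\
from flask import request   # assumption: request.args carries user input

def lookup_user(cursor):
    user_id = request.args["id"]
    query = "SELECT * FROM users WHERE id = " + user_id
    cursor.execute(query)   # flagged: taint flows through the local `query`

def lookup_user_fmt(cursor):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % request.args["name"])  # flagged

def lookup_user_safe(cursor):
    cursor.execute("SELECT * FROM users WHERE id = ?", (request.args["id"],))  # clean: parameterised

def lookup_user_cast(cursor):
    user_id = int(request.args["id"])
    cursor.execute("SELECT * FROM users WHERE id = " + str(user_id))  # clean: int() sanitised

def legacy(cursor):
    cursor.execute("DELETE FROM t WHERE k = " + request.args["k"])  # analysis: ignore
'''

if __name__ == "__main__":
    findings = analyze(SAMPLE)
    baseline = {findings[0][2]}            # treat the first finding as accepted legacy debt
    for line, msg, fp in gate(findings, baseline):
        print(f"sample.py:{line}: {msg} [{fp}]")
```

    Run stand-alone it reports only the finding on line 9 of the sample, because line 6 is in the baseline and line 19 is suppressed in code; the parameterised query and the `int()`-cast value are never flagged. Fingerprinting on the normalised source line rather than on the line number is what lets a baseline survive unrelated edits, which is the same trade-off the FxCop backlog articles in the references wrestle with.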
  • Links & References
    # List of static code analysis tools
    http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
    # General:
    Defective Java: Mistakes that matter - Bill Pugh – Øredev 2010
    http://vimeo.com/17157772
    How and to whom you should report static analysis results
    http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
    Software Engineering Radio - Static Code Analysis (Episode 59, 2006)
    http://www.se-radio.net/2007/06/episode-59-static-code-analysis/
  • Links & References
    # NDepend:
    Link
    http://www.ndepend.com/
    Tips
    http://www.ndepend.com/Tips.aspx
    Metrics:
    http://www.ndepend.com/Metrics.aspx
    Hanselman podcast on static code analysis and NDepend
    http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
    Success story on large project
    http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
    Hanselman/Caudwell NDepend metrics poster
    http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
    Discussions with NHibernate contributor on value of these tools (read comments)
    http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
    http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
    http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface
  • Links & References
    Links to various NDepend analyses
    http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
    http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
    Spring.NET:
    http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/
    CQL examples
    http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
    http://mookid.dk/oncode/archives/1052
    http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3
  • Links & References
    # Visual Studio Code Analysis:
    Visual Studio Code Analysis and Code metrics forum
    http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
    Rules
    http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
    How to write custom static code analysis rules and integrate them into VS2010
    http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
    Data flow analysis in VS2010 (what is not in FxCop)
    http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
    Integrate VS2010 Code analysis in CI or MsBuild
    Part 1 Introduction - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
    Part 2 The steps - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
    Visual Studio and ReSharper C# coding guidelines (VS Rule set, R# code style)
    http://csharpguidelines.codeplex.com/
  • Links & References
    # FxCop:
    Download
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
    Intro and integrate with CI
    http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
    Share rules:
    http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
    How to manage a big FxCop backlog (2007)
    http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
    How to get the suppress-messages in code to work with the FxCop GUI
    http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx
    # StyleCop:
    Link
    http://stylecop.codeplex.com/
    StyleCop on legacy projects
    http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
    StyleCop in CI build
    http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx
  • Links & References
    # ReSharper
    Link:
    www.jetbrains.com/resharper/
    Code Quality Analysis
    http://www.jetbrains.com/resharper/features/code_analysis.html
    Structural Search Replace
    http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
    ReSharper Settings Manager
    http://rsm.codeplex.com/
    # List of rules from other tools:
    Fortify (HP):
    https://www.fortify.com/vulncat/en/vulncat/index.html
  • Questions?
    @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com