Static code analysis

1 Comment
  • Hello. I would invite all who are interested in static code analysis to try our tool PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of using PVS-Studio:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/

  1. Static code analysis
     @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com
  2. Thank you!
  3. Integrate in dev. process
     Static code analysis
     Tools
  6. "Overall, testing is far more valuable than static analysis" - Bill Pugh
  7. "Static analysis, at best, might catch 5-10% of your software quality problems" - Bill Pugh
  8. Obstacles?
  9. Obstacles? Marketing budget
  10. Obstacles? Will fix everything
  11. Obstacles?
  12. Obstacles?
  13. Obstacles?
  14. Obstacles?
  15. Obstacles? Return on investment
  17. "Used effectively, static analysis is cheaper than other techniques for catching the same bugs" - Bill Pugh
  18. "If you are not using them [static analysis tools], then basically you are negligent, and you should prepare to be sued by the army of lawyers that have already hit the beach" - Gary McGraw
  19. "Combining inspections, static analysis, and testing is cheaper than testing by itself and leads to much better defect removal efficiency levels." - Capers Jones
  20. "At my company, sometimes I feel less like Chief Architect, and more like Chief Debugger or Chief Code Reader. Sometimes I get too caught up in trying to read code in order to understand the big picture. This is my own failing, as I often try to use a microscope when I need a telescope." - Scott Hanselman
  21. "Once I realized the depth and breadth of the information I was looking at, I was like a kid in a candy shop" - Scott Hanselman
  22. "An average of 17% cost savings would have been possible if the static analysis tool was used" - Dejan Baca, Bengt Carlsson, Lars Lundberg, "Evaluating the Cost Reduction of Static Code Analysis for Software Security" (2008)
  23. Types of bugs
     - Code quality
     - Bad practice
     - Input validation
     - Maintainability
     - Correctness
     - Security
     - Multithreaded correctness
     - Performance
     - Internationalization
     - Interoperability
     - Specific for tools
  33. Tools: "Smaller" / "Enterprise"
     "Smaller"
     General:
     - FxCop (free)
     - NDepend
     - Mono.Gendarme (free)
     - Smokey (free)
     - ReSharper
     - CodeRush
     Duplication detection:
     - Simian
     Security:
     - CAT (Microsoft Code Analysis Tool .NET) (free)
     Code style:
     - StyleCop (free)
     - Agent Smith (free, ReSharper plugin)
     Code contracts
     "Enterprise"
     - Microsoft ..
     - HP ..
     - IBM Rational ..
     - Klocwork ..
     - Coverity ..
     http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
  55. Demo
  56. Tools summary
  57. Integrating into development process
  60. Summary
     $
  61. Summary
  62. Links & References
     # List of static code analysis tools
     http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
     # General:
     Defective Java: Mistakes that matter - Bill Pugh, Øredev 2010
     http://vimeo.com/17157772
     How and to whom should you report static analysis results
     http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
     Software Engineering Radio - Static Code Analysis (Episode 59, 2006)
     http://www.se-radio.net/2007/06/episode-59-static-code-analysis/
  63. Links & References
     # NDepend:
     Link
     http://www.ndepend.com/
     Tips
     http://www.ndepend.com/Tips.aspx
     Metrics
     http://www.ndepend.com/Metrics.aspx
     Hanselman podcast on static code analysis and NDepend
     http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
     Success story on large project
     http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
     Hanselman/Caudwell NDepend metrics poster
     http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
     Discussions with NHibernate contributor on value of these tools (read comments)
     http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
     http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
     http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface
  64. Links & References
     Links to various NDepend analyses
     http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
     http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
     spring.net
     http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/
     CQL examples
     http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
     http://mookid.dk/oncode/archives/1052
     http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3
  65. Links & References
     # Visual Studio Code Analysis:
     Visual Studio Code Analysis and Code metrics forum
     http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
     Rules
     http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
     How to write custom static code analysis rules and integrate them into VS2010
     http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
     Data flow analysis in VS2010 (what is not in FxCop)
     http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
     Integrate VS2010 Code analysis in CI or MsBuild
     Part 1 Introduction - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
     Part 2 The steps - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
     Visual Studio and ReSharper C# coding guidelines (VS rule set, R# code style)
     http://csharpguidelines.codeplex.com/
  66. Links & References
     # FxCop:
     Download
     http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
     Intro and integrate with CI
     http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
     Share rules
     http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
     How to manage a big FxCop backlog (2007)
     http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
     How to get the suppress-messages in code to work with the FxCop GUI
     http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx
     # StyleCop:
     Link
     http://stylecop.codeplex.com/
     StyleCop on legacy projects
     http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
     StyleCop in CI build
     http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx
  67. Links & References
     # ReSharper:
     Link
     www.jetbrains.com/resharper/
     Code Quality Analysis
     http://www.jetbrains.com/resharper/features/code_analysis.html
     Structural Search and Replace
     http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
     ReSharper Settings Manager
     http://rsm.codeplex.com/
     # List of rules from other tools:
     Fortify (HP)
     https://www.fortify.com/vulncat/en/vulncat/index.html
  68. Questions?
     @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com