This document discusses coding standards and tools for automating standard checks. It describes StyleCop for checking code style and formatting and FxCop (Code Analysis) for checking code quality issues. Both tools can have custom rules created. Automating standard checks with these tools ensures objective enforcement of standards and frees up reviewer time.
Automating C# Coding Standards using StyleCop and FxCop
BlackRabbitCoder
As organizations grow they usually seek to build a set of coding standards to enforce uniformity and increase the maintainability of their code base. Unfortunately, this often creates a lot of churn in the code review process for simple style issues. This presentation was a session I gave at St. Louis Day of .NET 2010 and talks about how to automate many of the coding standards using two readily available tools.
2. Agenda
What are Coding Standards?
Benefits of Automation
Standards Automation Tools
Use of StyleCop and FxCop
3. What are Coding Standards?
A set of rules or guidelines used when writing the source code of a computer program.
Generally dictates:
Safety mandates to avoid introducing errors.
Style mandates to increase maintainability.
Security mandates to avoid vulnerabilities.
Efficiency mandates to help increase performance.
Standards may be enforced through code reviews or may simply be “suggestions”.
5. But, Isn’t Programming Art?
This has always been an interesting point of contention.
At one extreme, development can be thought of as a work of art: any source that reaches a logically correct result is acceptable and everything else is just “style.”
The other extreme holds that programming is purely a mechanical process and there is only a limited number of correct answers.
Which is correct?
6. Reality Lies In Between
It may be more accurate to say developers are more like artisans (crafters) than artists, though containing elements of both.
An artist has a wide range of forms they can adhere to and much is dependent on the interpretation of the viewer.
In contrast, artisans tend to construct or design for a purpose, and while there are some elements of style in construction, if it fails to achieve its purpose effectively, it is a failure.
7. The “Art” of Sorting
Take sorting, for example.
Both Bubble sort and Quick sort are valid sorts on a set of data.
Bubble sort has a complexity of O(n²) and Quick sort is O(n log n).
Assuming sorting 1 million elements and each check takes 1 µs, roughly this would be:
Bubble Sort: 11 days
Quick Sort: 19 seconds
Both sort data, but one is clearly more useful.
8. Standardizing an “Art”
While there are many ways to solve a given problem, there should be guidelines for effective construction.
These guidelines are similar to building codes used in building construction to ensure safety and quality.
These guidelines form the basis for coding standards and are best compiled from group consensus and industry best practices.
9. Enforcing Standards
Standards should be enforced to promote safety, efficiency, and maintainability.
Standards can be enforced through Code Reviews, but these tend to be applied with varying levels of adherence.
It’s much better to attempt to automate as much of your standards as possible so that the code is judged more objectively.
10. Benefits of Automation
Standards are applied objectively, since the tool analyzes only the source or assembly.
Just plain faster than trying to catch standards violations manually.
Code authors don’t feel personally attacked.
Frees more reviewer time, since reviewers won’t have to waste as much time in code reviews.
Frees more time for developers, since code spends less time and fewer iterations in review.
11. Standards Automation Tools
There are two primary tools from Microsoft:
StyleCop – Analyzes source files to determine if source code is correctly formatted.
FxCop (Static Code Analysis) – Analyzes assemblies to determine if code is constructed safely and optimally.
These tools overlap in some of their base rules, but both have their strengths.
Other third-party and Microsoft tools exist, but they are beyond this presentation’s scope.
12. FxCop, VS Code Analysis
Static analysis
Analyzes compiled assembly (dll, exe)
Finds violations of programming and design rules
http://msdn.microsoft.com/en-us/library/3z0aeatx.aspx
15. Pex
Dynamic analysis
Analyzes code branches at runtime
Generates inputs to achieve max coverage
Generates test cases
http://research.microsoft.com/en-us/projects/pex/
17. FsCheck
Randomly generates test inputs
Generates test cases based on program specifications
Port of Haskell's QuickCheck
http://fscheck.codeplex.com/
19. StyleCop
Analyzes source files and not compiled code.
Great for checking elements such as:
Spacing
Comments
File composition
Naming
Cannot easily check type hierarchies or program structure.
Available at http://stylecop.codeplex.com/
20. Configuring StyleCop
If you have StyleCop installed, you can have Settings.StyleCop files for each project if you want to vary styles per project.
StyleCop takes the first Settings.StyleCop file it finds, searching from the working directory on up the path.
The default is the Settings.StyleCop file in C:\Program Files\Microsoft StyleCop…
Varying configurations can make it harder to enforce uniform rules, though, so use with caution.
21. Configuring StyleCop
You can configure which base rules you want active by using StyleCopSettingsEditor.exe.
Let’s take a minute to look at the rules…
22. Configuring StyleCop
You can also get to StyleCop settings in Visual Studio directly by right-clicking a project.
This creates a local copy of the rules, so use it cautiously.
23. Running StyleCop
You can run StyleCop from VS or MSBuild.
It has no native command-line interface, but one exists on SourceForge called StyleCopCmd.
24. StyleCop Results
Results show in the Error List window; you can turn on “Warnings as Errors” in VS if you want to break builds on violations.
26. On Suppressing Rules
It’s better to keep a rule even if it only applies 95% of the time and force developers to suppress the rule for the one-off exceptions.
This puts a SuppressMessage attribute in code, which must be justified, and prevents viewing the exception to the rule as a precedent for ignoring the rule.
If the code reviewer disagrees, it can be debated.
Turning off rules should be avoided unless the rule is invalid most or all of the time.
27. Custom StyleCop Rules
StyleCop rules are fairly easy to write.
Create a class library that references the StyleCop assemblies:
Located in C:\Program Files\Microsoft StyleCop…
Microsoft.StyleCop.dll
Microsoft.StyleCop.Csharp.dll
Add a CS (C# source file) for new analyzer.
Add an XML file for rule configuration.
28. Custom StyleCop Rules
In the CS file, create an analyzer that inherits from SourceAnalyzer and has a class attribute also named SourceAnalyzer for C# files.
30. Custom StyleCop Rules
When you see your violation, call the method AddViolation and give it a rule name and args.
31. Custom StyleCop Rules
Then, in the XML file, define the rule and message.
Make sure the XML file has the same name as the class name and is an Embedded Resource.
32. Custom StyleCop Rules
Then, build the custom assembly.
Place custom assembly in:
C:\Program Files\Microsoft StyleCop …
You should now see custom rules in the StyleCopSettingsEditor.
If you don’t see custom rules, check that the XML file:
Is an embedded resource
Has same filename as the class name (minus extensions)
Let’s look at the code more closely…
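The steps from slides 27 to 32, put together as an added example (not the code shown in the original slides): one analyzer that reports two field rules, with its rule-definition XML shown in the trailing comment. It assumes the StyleCop 4.x SDK assemblies listed on slide 27; the namespace Contoso.StyleCopRules, the class HouseRules, both rule names and the HR check IDs are hypothetical.

```csharp
// File: HouseRules.cs, in a class library that references Microsoft.StyleCop.dll
// and Microsoft.StyleCop.CSharp.dll. Rule names and check IDs are hypothetical.
namespace Contoso.StyleCopRules
{
    using System;
    using Microsoft.StyleCop;
    using Microsoft.StyleCop.CSharp;

    // The attribute names the parser whose documents this analyzer receives.
    [SourceAnalyzer(typeof(CsParser))]
    public class HouseRules : SourceAnalyzer
    {
        public override void AnalyzeDocument(CodeDocument document)
        {
            CsDocument csDocument = (CsDocument)document;

            // Skip empty documents and generated files (designer code and the like).
            if (csDocument.RootElement == null || csDocument.RootElement.Generated)
            {
                return;
            }

            // Visit every element (class, method, field, ...) in the file.
            csDocument.WalkDocument(
                new CodeWalkerElementVisitor<object>(this.VisitElement), null, null);
        }

        private bool VisitElement(CsElement element, CsElement parentElement, object context)
        {
            if (element.Generated || element.ElementType != ElementType.Field)
            {
                return true; // not a field: keep walking
            }

            string name = element.Declaration.Name;

            if (element.AccessModifier != AccessModifierType.Private)
            {
                // The rule name must match a <Rule Name="..."> entry in the XML;
                // the extra argument fills {0} in that rule's <Context> message.
                this.AddViolation(element, "FieldsMustNotBeExposed", name);
            }
            else if (!name.StartsWith("_", StringComparison.Ordinal))
            {
                this.AddViolation(element, "PrivateFieldsMustStartWithUnderscore", name);
            }

            return true; // continue with the next element
        }
    }
}

/* File: HouseRules.xml (Build Action = Embedded Resource, same base name as the class)

<?xml version="1.0" encoding="utf-8"?>
<SourceAnalyzer Name="House Rules">
  <Description>Hypothetical team rules for fields.</Description>
  <Rules>
    <Rule Name="FieldsMustNotBeExposed" CheckId="HR1001">
      <Context>Field {0} must be private; expose it through a property.</Context>
      <Description>Fields must not be visible outside their type.</Description>
    </Rule>
    <Rule Name="PrivateFieldsMustStartWithUnderscore" CheckId="HR1002">
      <Context>Private field {0} must start with an underscore.</Context>
      <Description>Private fields use the underscore prefix.</Description>
    </Rule>
  </Rules>
</SourceAnalyzer>
*/
```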
33. StyleCop for ReSharper
JetBrains’s ReSharper is a Visual Studio IDE plug-in that adds a lot of refactoring and aids.
StyleCop for ReSharper is a ReSharper plug-in that allows for dynamic checking of StyleCop rules as you type.
It will highlight rule violations with a squiggle, just like other ReSharper hints.
http://stylecopforresharper.codeplex.com/
Let’s look at how this appears in the IDE.
34. FxCop (aka VS Code Analysis)
Great for checking elements such as:
Non-spacing style issues (naming, etc).
Code safety and performance issues
Type hierarchy issues
Analysis of database objects
Cannot check source style such as spacing.
Already baked into Visual Studio 2008/10.
Can also be used as a stand-alone.
36. Running FxCop From Visual Studio
Right click on project or solution and choose Run Code Analysis.
Let’s look at an example analysis.
37. Suppressing FxCop Errors
Just like in StyleCop, you can suppress one-off exceptions to the rules.
Can insert manually or automatically from the error list in Visual Studio.
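Slide 26 says a suppression must be justified, and this slide notes that suppressions can be inserted automatically. The following added example (not part of the original slides) is a small audit that lists every SuppressMessage attribute in an assembly that carries no Justification text, so a build step can reject it. It assumes the audited assembly was compiled with the CODE_ANALYSIS symbol defined; the SampleTargets class is constructed sample input.

```csharp
#define CODE_ANALYSIS // SuppressMessage is [Conditional("CODE_ANALYSIS")]; without the symbol it is not compiled in.

using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.Reflection;

public static class SuppressionAudit
{
    private const BindingFlags AllDeclared =
        BindingFlags.Public | BindingFlags.NonPublic |
        BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;

    // Returns "location: CheckId" for every suppression with no justification text.
    public static List<string> FindUnjustified(Assembly assembly)
    {
        var findings = new List<string>();

        // Project-level suppressions sit on the assembly or on a module.
        Collect(assembly, "assembly " + assembly.GetName().Name, findings);
        foreach (Module module in assembly.GetModules())
        {
            Collect(module, "module " + module.Name, findings);
        }

        foreach (Type type in assembly.GetTypes())
        {
            Collect(type, type.FullName, findings);
            foreach (MemberInfo member in type.GetMembers(AllDeclared))
            {
                if (member is Type)
                {
                    continue; // nested types are already returned by GetTypes()
                }

                Collect(member, type.FullName + "." + member.Name, findings);
            }
        }

        return findings;
    }

    private static void Collect(ICustomAttributeProvider source, string location, List<string> findings)
    {
        foreach (SuppressMessageAttribute suppression in
                 source.GetCustomAttributes(typeof(SuppressMessageAttribute), false))
        {
            string justification = suppression.Justification;
            if (justification == null || justification.Trim().Length == 0)
            {
                findings.Add(location + ": " + suppression.CheckId);
            }
        }
    }

    public static int Main()
    {
        // Audits this assembly, which contains the constructed samples below.
        List<string> findings = FindUnjustified(typeof(SuppressionAudit).Assembly);
        foreach (string finding in findings)
        {
            Console.WriteLine("Unjustified suppression at " + finding);
        }

        return findings.Count == 0 ? 0 : 1; // non-zero exit code fails a build step
    }
}

// Constructed sample input: one justified and one unjustified suppression.
public class SampleTargets
{
    [SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes",
        Justification = "Top-level handler logs the exception and rethrows.")]
    public void Justified() { }

    [SuppressMessage("Microsoft.StyleCop.CSharp.DocumentationRules", "SA1600:ElementsMustBeDocumented")]
    public void Unjustified() { }
}
```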
38. Custom FxCop Rules
Create a Class Library in Visual Studio.
Add references to FxCop assemblies:
From C:\Program Files\Microsoft FxCop…
FxCopCommon.dll
FxCopSdk.dll
Microsoft.Cci.dll
Microsoft.VisualStudio.CodeAnalysis
Add a CS file for the new rule.
Add an XML file for the rule definition.
41. Custom FxCop Rule
The XML file is an Embedded Resource and contains the rule detail.
Remember that the filename must be the same as the one passed to the base constructor of BaseIntrospectionRule.
42. Custom FxCop Rules
To use a custom rule, use CTRL+R or Project > Add Rules in FxCop.
You can verify by clicking on the rules tab.
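The steps from slides 38 to 42 as an added example (not the code shown in the original slides): a rule that reports static fields that code outside the assembly can overwrite, with its rule-definition XML in the trailing comment. It assumes the FxCop SDK assemblies listed on slide 38; the namespace Contoso.FxCopRules, the rule name, the category and the check ID are hypothetical.

```csharp
// File: ExposedStaticFieldRule.cs, in a class library that references FxCopSdk.dll
// and Microsoft.Cci.dll. Rule name, category and check ID are hypothetical.
namespace Contoso.FxCopRules
{
    using Microsoft.FxCop.Sdk;

    public sealed class ExposedStaticFieldRule : BaseIntrospectionRule
    {
        // 1st argument: the rule's TypeName as written in the XML.
        // 2nd argument: embedded resource name without ".xml"
        //               (project default namespace + file name, here Rules.xml).
        // 3rd argument: the assembly that contains that resource.
        public ExposedStaticFieldRule()
            : base("ExposedStaticFieldRule", "Contoso.FxCopRules.Rules",
                   typeof(ExposedStaticFieldRule).Assembly)
        {
        }

        // FxCop calls this for each member of each analyzed type.
        public override ProblemCollection Check(Member member)
        {
            Field field = member as Field;
            if (field == null)
            {
                return this.Problems; // not a field: nothing to report
            }

            // readonly (init-only) and const (literal) fields cannot be reassigned.
            bool writable = !field.IsInitOnly && !field.IsLiteral;

            if (field.IsStatic && field.IsVisibleOutsideAssembly && writable)
            {
                // The argument fills {0} in the <Resolution> text of the XML.
                Resolution resolution = this.GetResolution(field.FullName);
                this.Problems.Add(new Problem(resolution));
            }

            return this.Problems;
        }
    }
}

/* File: Rules.xml (Build Action = Embedded Resource)

<?xml version="1.0" encoding="utf-8"?>
<Rules FriendlyName="Contoso House Rules">
  <Rule TypeName="ExposedStaticFieldRule" Category="Contoso.Security" CheckId="HR2001">
    <Name>Static fields must not be writable from outside the assembly</Name>
    <Description>Any caller can overwrite a visible, writable static field.</Description>
    <Url />
    <Resolution>Make field {0} private, readonly or const.</Resolution>
    <MessageLevel Certainty="95">Warning</MessageLevel>
    <Email />
    <FixCategories>Breaking</FixCategories>
    <Owner />
  </Rule>
</Rules>
*/
```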
43. Summary
Automating code standards can be very useful for getting rid of a lot of the “noise” in code reviews and allowing reviewers to concentrate on logic bugs.
Automated code standards take the personal side out of enforcing style, safety, and performance.
Custom rules can be used in FxCop and StyleCop to allow for your own rules.