Static code analysis
Uploaded by rune-sundling
Transcript of Static code analysis
Thank you!
Static code analysis
• Tools
• Integrate in dev. process
Overall, testing is far more valuable than static analysis
- Bill Pugh
Static analysis, at best, might catch 5-10% of your software quality problems
- Bill Pugh
Obstacles?
• Marketing budget
• Will fix everything
• Return on investment
Used effectively, static analysis is cheaper than other techniques for catching the same bugs
- Bill Pugh
If you are not using them [static Analysis tools], then basically you are negligent, and you should prepare to be sued by the army of lawyers that have already hit the beach
- Gary McGraw
Combining inspections, static analysis, and testing is cheaper than testing by itself and leads to much better defect removal efficiency levels.
- Capers Jones
At my company, sometimes I feel less like Chief Architect, and more like Chief Debugger or Chief Code Reader. Sometimes I get too caught up in trying to read code in order to understand the big picture. This is my own failing, as I often try to use a microscope when I need a telescope.
- Scott Hanselman
Once I realized the depth and breadth of the information I was looking at, I was like a kid in a candy shop
- Scott Hanselman
An average of 17% cost savings would have been possible if the static analysis tool had been used
“Evaluating the Cost Reduction of Static Code Analysis for Software Security” (2008)
- Dejan Baca, Bengt Carlsson, Lars Lundberg
Types of bugs
• Code quality
• Bad practice
• Input validation
• Maintainability
• Correctness
• Security
• Multithreaded correctness
• Performance
• Internationalization
• Interoperability
• Specific for tools
“Smaller”
• General: FxCop (free), NDepend, Mono.Gendarme (free), Smokey (free), ReSharper, CodeRush
• Duplication detection: Simian
• Security: CAT (Microsoft Code Analysis Tool .NET) (free)
• Code style: StyleCop (free), Agent Smith (free, ReSharper plugin)
• Code contracts
“Enterprise”
• Microsoft ..
• HP ..
• IBM Rational ..
• Klocwork ..
• Coverity ..
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Demo
Tools summary
Integrating into development process
Summary
Links & References
# List of static code analysis tools
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
# General:
Defective Java: Mistakes that matter - Bill Pugh – Øredev 2010: http://vimeo.com/17157772
How and to whom should you report static analysis results: http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
Software Engineering Radio - Static Code Analysis (Episode 59, 2006): http://www.se-radio.net/2007/06/episode-59-static-code-analysis/
# NDepend:
Link: http://www.ndepend.com/
Tips: http://www.ndepend.com/Tips.aspx
Metrics: http://www.ndepend.com/Metrics.aspx
Hanselman podcast on static code analysis and NDepend: http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
Success story on large project: http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
Hanselman/Caudwell NDepend metrics poster: http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
Discussions with NHibernate contributor on value of these tools (read comments):
http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface
Links to various NDepend analyses:
http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
spring.net: http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/
CQL examples:
http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
http://mookid.dk/oncode/archives/1052
http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3
# Visual Studio Code Analysis:
Visual Studio Code Analysis and Code metrics forum: http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
Rules: http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
How to write custom static code analysis rules and integrate them into VS2010: http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
Data flow analysis in VS2010 (what is not in FxCop): http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
Integrate VS2010 Code Analysis in CI or MSBuild:
Part 1, Introduction - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
Part 2, The steps - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
Visual Studio and ReSharper C# coding guidelines (VS rule set, R# code style): http://csharpguidelines.codeplex.com/
# FxCop:
Download: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
Intro and integrate with CI: http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
Share rules: http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
How to manage a big FxCop backlog (2007): http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
How to get the suppress-message attributes in code to work with the FxCop GUI: http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx
# StyleCop:
Link: http://stylecop.codeplex.com/
StyleCop on legacy projects: http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
StyleCop in CI build: http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx
# ReSharper:
Link: www.jetbrains.com/resharper/
Code Quality Analysis: http://www.jetbrains.com/resharper/features/code_analysis.html
Structural Search and Replace: http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
ReSharper Settings Manager: http://rsm.codeplex.com/
# List of rules from other tools:
Fortify (HP): https://www.fortify.com/vulncat/en/vulncat/index.html