In this post I'll illustrate in details the following points
- What is static code analysis?
- When to use?
- Supported platforms
- Supported Visual Studio versions
- How to use
- Run Code Analysis Manually
- Run Code Analysis Automatically
- Run Code Analysis while check-in source code to TFS version control (TFSVC)
- Run Code Analysis as part of Team Build
- Understand the Code Analysis results & learn how to fix them
- Create your custom rule set
- Q & A
- Visual Studio static code analysis vs. FxCop vs. StyleCpp
- Code Analysis for SharePoint Apps and SPDisposeCheck?
- Can I use Code Analysis to find dead code in my application
- Can code analysis detect the duplicate code in my application?
- Code Analysis and SQL Server Database Projects?
- ReSharper 8 vs. Visual Studio 2013?
What is static code analysis?
Static Code Analysis feature of Visual Studio performs static code analysis on code to help developers identify potential design, globalization, interoperability, performance, security, and a lot of other categories of potential problems according to Microsoft's rules that mainly targets best practices in writing code, and there is a large set of those rules included with Visual Studio grouped into different categorized targeting specific coding issues like security, design, Interoperability, globalizations and others.
Static here means analyzing the source code without executing it and this type of analysis can be performed through automated tools (like Visual Studio 2013 Code Analysis Tool) or manually through Code Review which already supported in Visual Studio 2012 and 2013 (check Using Code Review to Improve Quality video on Channel9)
There is also Dynamic analysis which performed on executing programs using software testing techniques such as Code Coverage for example.
Running Code analysis tool at regular intervals during your development process can enhance the quality of your software, examines your code for a set of common defects and violations is always a good programming practice.
Adding that Code analysis can also find defects in your code that are difficult to discover through testing allowing you to achieve first level quality gate for you application during development phase before you release it to the testing team.
- .NET Framework, native (C and C++)
- Database applications.
Support Visual Studio versions
- All version of Visual Studio starting Visual Studio 2013 (except Visual Studio Test Professional) check Feature comparisons
- Create and modify a custom rule set required Visual Studio Premium or Ultimate.
How to use?
Code Analysis can be run manually at any time from within the Visual Studio IDE, or even setup to automatically run as part of a Team Build or check-in policy for Team Foundation Server.
Run Code Analysis Manually
- To run code analysis manually on a project, on the Analyze menu, click Run Code Analysis on your project or simply right click on the project name on the Solution Explorer choose Run Code Analysis from the context menu
Run Code Analysis Automatically
- To run code analysis each time that you build a project, you select Enable Code Analysis on Build on the project's Property Page
Run Code Analysis while check-in source code to TFS version control (TFSVC)
- Team Foundation Version Control (TFVC) provides a way for organizations to enforce practices that lead to better code and more efficient group development through Check-in policies which are rules that are set at the team project level and enforced on developer computers before code is allowed to be checked in. (This is available only if you're using Team Foundation Server)
- Require permissions on Team Foundation Server: you must have the Edit project-level information permission set to Allow typically your account must be part of Project Administrators, Project Collection Administrators, for more information about Team Foundation permissions check http://msdn.microsoft.com/en-us/library/ms252587(v=vs.120).aspx
- In Team Explorer, right-click the team project name, point to Team Project Settings, and then click Source Control.
- In the Source Control dialog box, select the Check-in Policy tab.
- Click Add to create a new check-in policy.
- Double-click the existing Code Analysis item in the Policy Type list to change the policy.
- Check or Uncheck the policy option based on the configurations you need to perform as illustrated below:
- Enforce check-in to only contain files that are part of current solution: code analysis can run only on files specified in solution and project configuration files. This policy guarantees that all code that is part of a solution is analyzed.
- Enforce C/C++ Code Analysis (/analyze): Requires that all C or C++ projects be built with the /analyze compiler option to run code analysis before they can be checked in.
- Enforce Code Analysis for Managed Code: Requires that all managed projects run code analysis and build before they can be checked in.
Check Code analysis rule set reference on MSDN
- What is Rule Set? Rule Set is a group of code analysis rules like the example below where Microsoft.Design is the rule set name where "Do not declare static members on generic types" is the code analysis rule
- Once you configured the Analysis rule the policy will be enabled for all the team member in this project whenever a team member check-in any source code to the TFSVC the policy section will highlight the Code Analysis policy as below
- TFS is a very extensible platform so you can simply implement your own custom Code Analysis Check-in policy, check this link for more details http://msdn.microsoft.com/en-us/library/dd492668.aspx but you have to be aware also about compatibility between different TFS versions check http://msdn.microsoft.com/en-us/library/bb907157.aspx
Run Code Analysis as part of Team Build
- With Team Foundation Build (TFBuild), you can create and manage build processes that automatically compile and test your applications, and perform other important functions.
- Code Analysis can be enabled in the Build Definition file by selecting the correct value for the build process parameter "Perform Code Analysis"
- Once configure, Kick-off your build definition to queue a new build, Code Analysis will run as part of build workflow and you will be able to see code analysis warning as part of build report
Now after you went through Code Analysis configurations and the different ways of running it, we will go through the Code Analysis result how to understand them and how to resolve them.
Code Analysis window in Visual Studio will show all the analysis results based on the rule sets you configured in the project file properties, let's dig deep into what each result item contains:
The unique identifier for the rule. CheckId and Category are used for in-source suppression of a warning.
The title of warning message
A description of the problem or suggested fix
File name and the line of code number which violate the code analysis rule set
The code analysis category for this error
Depend on how you configure it in the rule set the default is Warning level
Copy: copy the warning information to the clipboard
Create Work Item: If you're connected to Team Foundation Server you can create a work item most probably you may create a Task or Bug and assign it for a developer to fix certain code analysis warning
Suppress Message: There are times when you might decide not to fix a code analysis warning. You might decide that resolving the warning requires too much recoding in relation to the probability that the issue will arise in any real-world implementation of your code. Or you might believe that the analysis that is used in the warning is inappropriate for the particular context. You can suppress individual warnings so that they no longer appear in the Code Analysis window.
Two options available:
In Source inserts a SuppressMessage attribute in the source file above the method that generated the warning. This makes the suppression more discoverable.
In Suppression File adds a SuppressMessage attribute to the GlobalSuppressions.cs file of the project. This can make the management of suppressions easier. Note that the SuppressMessage attribute added to GlobalSuppression.cs also targets the method that generated the warning. It does not suppress the warning globally.
Visual Studio makes it very easy to fix Code analysis warning, all you have to do is clicking on the Check Id hyperlink if you are not aware how to fix the warring and you'll be directed to MSDN online or local copy based on the configuration you did while installing Visual Studio and you will find all the information about the warring including how to fix it.
- The Microsoft standard rule sets provide groups of rules that are organized by function and depth. For example, the Microsoft Basic Design Guidelines Rules and the Microsoft Extended Design Guidelines Rules contain rules that focus on usability and maintainability issues, with added emphasis on naming rules in the Extended rule set, you can create and modify a custom rule set to meet specific project needs associated with code analysis. To create a custom rule set, you open one or more standard rule sets in the rule set editor.
- Create and modify a custom rule set required Visual Studio Premium or Ultimate.
- You can check How to: Create a Custom Rule Set on MSDN for more details http://msdn.microsoft.com/en-us/library/dd264974.aspx
Q & A
- Visual Studio static code analysis vs. FxCop vs. StyleCpp http://www.excella.com/blog/stylecop-vs-fxcop-difference-between-code-analysis-tools/
- Code Analysis for SharePoint Apps and SPDisposeCheck? This post lists some of the rule set you can run specifically for SharePoint applications and how to integrate SPDisposeCheck as well.
- Can I use Code Analysis to find dead code in my application (Thanks Adel for the comment)? Yes Code Analysis can discover the dead code in your application by just enabling the right rules below, Habib Heydarian has a good post around that http://blogs.msdn.com/b/habibh/archive/2009/07/31/discover-dead-code-in-your-application-using-code-analysis.aspx
- Private methods that are not called from any other code (CA1811)
- Unused local variables (CA1804)
- Unused private fields (CA1823)
- Unused parameters (CA1801)
- Internal classes that are not instantiated from any other code (CA1812)
- Can code analysis detect the duplicate code in my application? Visual Studio 2012 and 2013 has a new feature allow you to detect the duplicate code in your application called “Code Clone Detection” http://msdn.microsoft.com/en-us/library/hh205279.aspx
- Code Analysis for SQL Server Database Projects? This post illustrate how to run static code analysis on T-SQL through SSDT
- ReSharper 8 vs. Visual Studio 2013? This document lists some of the features that are provided by ReSharper 8 but are missing or not as fully implemented in Visual Studio 2013.
- A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext
- What is New in Code Analysis for Visual Studio 2013 http://blogs.msdn.com/b/visualstudioalm/archive/2013/07/03/what-is-new-in-code-analysis-for-visual-studio-2013.aspx
- Analyze the code quality of Windows Store apps using Visual Studio static code analysis http://msdn.microsoft.com/en-us/library/windows/apps/hh441471.aspx
- [Hands-on-lab] Using Code Analysis with Visual Studio 2012 to Improve Code Quality http://download.microsoft.com/download/A/9/2/A9253B14-5F23-4BC8-9C7E-F5199DB5F831/Using%20Code%20Analysis%20with%20Visual%20Studio%202012%20to%20Improve%20Code%20Quality.docx