
Static code analysis

Published in: Technology
  • Hello. I would invite all who are interested in static code analysis to try our tool, PVS-Studio.
    PVS-Studio is a static analyzer that detects errors in the source code of C/C++/C++11 applications (Visual Studio 2005/2008/2010).
    Examples of using PVS-Studio:
    100 bugs in Open Source C/C++ projects
    http://www.viva64.com/en/a/0079/

Static code analysis

  1. Static code analysis
     @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com
  2. Thank you!
  3. Agenda
     - Integrate in dev. process
     - Static code analysis
     - Tools
  6. "Overall, testing is far more valuable than static analysis" - Bill Pugh
  7. "Static analysis, at best, might catch 5-10% of your software quality problems" - Bill Pugh
  8. Obstacles?
  9. Obstacles? Marketing budget
  10. Obstacles? Will fix everything
  15. Obstacles? Return on investment
  17. "Used effectively, static analysis is cheaper than other techniques for catching the same bugs" - Bill Pugh
  18. "If you are not using them [static analysis tools], then basically you are negligent, and you should prepare to be sued by the army of lawyers that have already hit the beach" - Gary McGraw
  19. "Combining inspections, static analysis, and testing is cheaper than testing by itself and leads to much better defect removal efficiency levels." - Capers Jones
  20. "At my company, sometimes I feel less like Chief Architect, and more like Chief Debugger or Chief Code Reader. Sometimes I get too caught up in trying to read code in order to understand the big picture. This is my own failing, as I often try to use a microscope when I need a telescope." - Scott Hanselman
  21. "Once I realized the depth and breadth of the information I was looking at, I was like a kid in a candy shop" - Scott Hanselman
  22. "An average of 17% cost savings would have been possible if the static analysis tool was used" - Dejan Baca, Bengt Carlsson, Lars Lundberg, "Evaluating the Cost Reduction of Static Code Analysis for Software Security" (2008)
  23. Types of bugs
      - Code quality
      - Bad practice
      - Input validation
      - Maintainability
      - Correctness
      - Security
      - Multithreaded correctness
      - Performance
      - Internationalization
      - Interoperability
      - Specific for tools
  24. "Smaller" tools
      - General: FxCop (free), NDepend, Mono.Gendarme (free), Smokey (free), ReSharper, CodeRush
      - Duplication detection: Simian
      - Security: CAT (Microsoft Code Analysis Tool .NET) (free)
      - Code style: StyleCop (free), Agent Smith (free, ReSharper plugin)
      - Code contracts
      "Enterprise" tools
      - Microsoft ..
      - HP ..
      - IBM Rational ..
      - Klocwork ..
      - Coverity ..
      http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
  25. Demo
  26. Tools summary
  27. Integrating into development process
  28. Summary ($)
  29. Summary
  30. Links & References
      # List of static code analysis tools
      http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
      # General:
      Defective Java: Mistakes that matter - Bill Pugh, Øredev 2010
      http://vimeo.com/17157772
      How and to whom should you report static analysis results
      http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
      Software Engineering Radio - Static Code Analysis (Episode 59, 2006)
      http://www.se-radio.net/2007/06/episode-59-static-code-analysis/
  31. Links & References
      # NDepend:
      Link: http://www.ndepend.com/
      Tips: http://www.ndepend.com/Tips.aspx
      Metrics: http://www.ndepend.com/Metrics.aspx
      Hanselman podcast on static code analysis and NDepend
      http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
      Success story on large project
      http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
      Hanselman/Caudwell NDepend metrics poster
      http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
      Discussions with NHibernate contributor on value of these tools (read comments)
      http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
      http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
      http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface
  32. Links & References
      Links to various NDepend analyses
      http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
      http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
      spring.net: http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/
      CQL examples
      http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
      http://mookid.dk/oncode/archives/1052
      http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3
  33. Links & References
      # Visual Studio Code Analysis:
      Visual Studio Code Analysis and Code Metrics forum
      http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
      Rules
      http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
      How to write custom static code analysis rules and integrate them into VS2010
      http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
      Data flow analysis in VS2010 (what is not in FxCop)
      http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
      Integrate VS2010 Code Analysis in CI or MSBuild
      Part 1 Introduction - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
      Part 2 The steps - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
      Visual Studio and ReSharper C# coding guidelines (VS rule set, R# code style)
      http://csharpguidelines.codeplex.com/
  34. Links & References
      # FxCop:
      Download
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
      Intro and integrate with CI
      http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
      Share rules:
      http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
      How to manage a big FxCop backlog (2007)
      http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
      How to get the suppress-message attributes in code to work with the FxCop GUI
      http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx
      # StyleCop:
      Link
      http://stylecop.codeplex.com/
      StyleCop on legacy projects
      http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
      StyleCop in CI build
      http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx
  35. Links & References
      # ReSharper
      Link:
      www.jetbrains.com/resharper/
      Code Quality Analysis
      http://www.jetbrains.com/resharper/features/code_analysis.html
      Structural Search and Replace
      http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
      ReSharper Settings Manager
      http://rsm.codeplex.com/
      # List of rules from other tools:
      Fortify (HP):
      https://www.fortify.com/vulncat/en/vulncat/index.html
  36. Questions?
      @RuneSundling | Rune.Sundling@gmail.com | rune-sundling.blogspot.com
