Managed Code Analysis Tools

Navigating a new codebase can feel like landing on an alien planet. That's where static code analysis tools come in handy; they're akin to software tricorders. They provide a general snapshot of unfamiliar code: Is it normal? Is it unusual? Is it dangerous?


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2005/09/managed-code-analysis-tools.html

Jeff,
I can’t resist adding DevPartner SecurityChecker to the above list. While it doesn’t cover everything FxCop does, I think it does a much better job on the security front… I’m a little biased though.

I also like NDepend.

The FxCop article you linked to is a good place to start looking at FxCop, but there are a number of more fleshed out articles/sample rules using the introspection engine available.

there are a number of more fleshed out articles/sample rules using the introspection engine available

It’s helpful to provide links :wink:

Thanks for the pointers Raymond. Robin’s blog has some excellent info, and I have linked it in the original post!

I can’t resist adding DevPartner SecurityChecker to the above list.

Interesting. We use FxCop mostly for security audits internally… here’s an overview/review of SecurityChecker

http://www.aspnetpro.com/productreviews/2005/04/asp200504rm_p/asp200504rm_p.asp

I really like NDepend. Back in July, I held an XP seminar/workshop where, as part of my “simplicity” discussion, I discussed analyzing and using code metrics to create and maintain simple code. One attendee, Robin Curry, was apparently excited by what I had to say and really took off on his own into using code metrics. He’s even put up quite a few posts on integrating code metric apps, such as NDepend, into the build process. Here is the post where he integrated NDepend into CruiseControl: http://www.robincurry.org/blog/CommentView,guid,3640af37-9a2c-441d-acf9-f79017123cb2.aspx

I just released NDepend 2.0 with some major enhancements, such as an interactive view of your application and a language dedicated to querying and constraining the structure of your code: Code Query Language.
http://www.NDepend.com
http://www.ndepend.com/CQL.htm

Regards,
Patrick Smacchia

Stumbled upon this old post again, and though I know I shouldn’t be adding anything…

Ndepend is neat, I am sure, but why does every little tool cost $300-$500 now? At least price the damn things less than Vista Ultimate.

Check out SemmleCode (http://semmle.com). It’s free, it’s object-oriented, and tightly integrated with Eclipse.

The object-oriented code query language .QL enables superior intellisense (and thus makes writing queries easier), it allows very concise expression of new code queries, and it makes such queries easy to share and re-use.

Let us know what you think on the forums at http://semmle.com!

[disclosure: I’m a prof at Oxford working on static analysis tools and the CEO of Semmle]