For programs written in .net/C# does FxCop (and Roslyn equivalents) cover the relevant rules in MISRA? Has anybody gone through and ticked them off?
Or is there a compliance standard for .NET similar to MISRA?
No. By default FxCop (now Code Analysis in Visual Studio) only watches for spelling/casing corrections and Microsoft's own guidelines. You are free to come-up with your own rules, of course.
Note that most of the static-analysis tools only look at the compiled CIL - so you won't be able to watch for safety-critical style violations (such as non-braced if and unintentional switch-case fallthroughs).
Given that MISRA is specifically for C and C++ (and not C#/CIL) you won't find it under FxCop. Though I imagine if you did implement MISRA for C# you would make a tidy bit of money from it - I'd pay for it!
After some googleing I did find http://www.sonarlint.org/visualstudio/rules/index.html#sonarLintVersion=2.0.0&ruleId=S2291&tags=misra
This tool looks quite interesting taking the Roslyn analyzers to the next level. I will investigate this tool further.
Related
I accidently saw that there is a feature in VS2010 (built in, I believe) which tells you how to make your c# code more good looking, i.e. "it's better to write here not like this, but like this", but I couldn't find this tool. And one more question, is there any tool, which can perform the code analysis for unhandled exceptions?
I highly suggest: Resharper plug-in.
Sounds like you're talking about FxCop.
Could be StyleCop, though I sometimes question it's fashion taste. StyleCop enforces consistency in code style (aka "better looking") but does nothing semantically to the code. Visual Studio's built in Code Analysis is about semantics and grew out of FxCop.
I am currently involved in some interesting programming language research which has, up until now, centred around extending the upcoming Java 7.0 compiler with some very powerful programmer-productivity-based features. The work should be equally applicable to related programming languages such as C#.
I'm currently scoping out the options for prototyping a C# port of the functionality. I would prefer open-source options so that the fruits of this work can be shared with the broadest-possible audience. Thus the Mono C# compiler seems to be the most obvious starting point. I'm an experienced C# developer so writing the code isn't the problem. I'm mainly concerned about extending the compiler in a maintainable and supported fashion. In the Mono FAQ on the subject (link) it is stated that "Mono has already been used as a foundation for trying out new ideas for the C# language (there are three or four compilers derived from Mono's C# compiler)". Unfortunately, there are no further pointers than this and, so far, Google searches have not turned anything up.
I'm wondering if anybody out there has any information on this. Do mcs/gmcs/dmcs have a standard extensibility model? Specifically, I will be performing some interesting transformations on a program's abstract syntax tree. Is there a standard mechanism for inserting functionality into the compiler chain between abstract syntax tree generation and the type checker and then code generation?
Up until now I've written some ad-hoc extensions to the code (primarily in the code generator) but this doesn't seem to be a maintainable solution especially given that I intend to keep my extensions up to date with the Git trunk of Mono as much as possible. Furthermore it would be nice to be able to make updates to my extensions without having to recompile the whole compiler every time I make a change. I would like to be able to wrap all my AST manipulations into a single .NET assembly that could be dynamically loaded by mcs/gmcs/dmcs without having to hack at the core compiler code directly.
Any thoughts or pointers on extending the Mono C# compiler would be gratefully received!
UPDATES (23 October 2010)
In response to the responses to my question, I decided that I would start working on a branch of Mono in order to create a simple extensibility model for the compiler. It's in its very early stages, but here it is at GitHub:
http://github.com/rcook/mono-extensibility
And the main commit is: http://github.com/rcook/mono-extensibility/commit/a0456c852e48f6822e6bdad7b4d12a357ade0d01
If anybody would be interested in collaborating on this project, please let me know!
Unfortunately, I cannot adequately answer your question, but if you look at the examples of C# extensions on Miguel de Icaza's blog, you will notice that all of them take the form of patches to the compiler, not plugins or extensions. This seems to indicate that there is no such API.
Note that all of these examples are of much smaller scope than what you seem to be working on:
Parameterless Anonymous Methods (this post actually explicitly mentions concerns about the maintainability of such language extensions)
String Interpolation
Destructuring Assignment for Tuples
Syntactic Sugar for IEnumerable
These are mostly localized syntactic sugar, with no "interesting" behavior. The fourth patch, for example, implements Cω's syntactic sugar for IEnumerables, but without any of Cω's semantics that make this syntax interesting. If you look at the patch you can see that it literally does stupid syntactical expansion of ~T → IEnumerable<T>, as opposed to Cω, where member access and method invocation are properly lifted over streams.
Microsoft Research's Phoenix Compiler Pipeline was once explicitly touted as the solution to such extensibility problems, but it seems that it now focuses mostly on optimizations and analysis on the IR level in a code generation backend. In fact, I'm not even sure if the project is even still alive.
The mono C# compiler is a bit of a hack. I spent around a week figuring out how to use information from the parse tree. The compiler does not produce any intermediate representation and code generation may break parts of the parse tree.
Still, the parser and tokenizer might prove useful to you and you just take it from there.
SharpDevelop also provides a C# parser.
The SharpDevelop parser is easier to use than the mono C# parser.
If F# also works for you, I would recommended. The source much cleaner than mono and available under open source license.
I just got a heaping pile of (mostly undocumented) C# code and I'd like to visualize it's structure before I dive in and start refactoring. I've done this in the past (in other languages) with tools that generate call graphs.
Can you recommend a good tool for facilitating the discovery of structure in C#?
UPDATE
In addition to the tools mentioned here I've seen (through the tubes) people say that .NET Reflector and CLR Profiler have this functionality. Any experience with these?
NDepend is pretty good at this. Additionally Visual Studio 2008 Team System has a bunch of features that allow you to keep track of cyclomatic complexity but its much more basic than NDepend. (Run code analysis)
Concerning NDepend, it can produce some usable call graph like for example:
The call graph can be made clearer by grouping its method by parent classes, namespaces or projects:
Find more explanations about NDepend call graph here.
It's bit late, but http://sequenceviz.codeplex.com/ is an awesome tool that shows the caller graph/Sequence diagram. The diagrams are generated by reverse engineering .NET Assemblies.
As of today (June 2017), the best tool in class is Resharper's Inspect feature. It allows you to find all incoming calls, outgoing calls, value origin/destination, etc.
The best part of ReSharper, compared to other tools mentioned above: it's less buggy.
I've used doxygen to some success. It's a little confusing, but free and it works.
Visual Studio 2010.
Plus, on a method-by-method basis - Reflector (Analyzer (Ctrl+R); "Depends On" and "Used By")
SequenceViz and DependencyStructureMatrix for Reflector might help you out: http://www.codeplex.com/reflectoraddins
I'm not sure if it will do it over just source code, but ANTS Profiler will produce a call graph for a running application (may be more useful anyway).
I just saw Clone Detective linked on YCombinator news, and the idea heavily appeals to me. It seems like it would be useful for many languages, not just C#, but I haven't seen anything similar elsewhere.
Edit: For those who don't want to follow the link, Clone Detective scans the codebase for duplicate code that may warrant refactoring to minimize duplication.
Java has a few - some of the most popular static analysis tools have this built in along with many other useful rules.
Ones I have used, in the (purely subjective) order that I was happiest with:
PMD - comes with CPD - their copy and paste detector
Checkstyle - specific rules to look for duplicate code
Findbugs - the daddy of all Java static analysis tools. Includes duplicate code detection, along with just about anything else that you can think of, but quite resource intensive
There are some nice IDE plugins for all of these and many other reporting tools (for example, you can see results on a Hudson continuos build server, or your project's Maven site)
The IntelliJ IDE (Java, Scala, Ruby,...) has a Locate Duplicate... tool. Usefull indeed !
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking us to recommend or find a tool, library or favorite off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it.
Closed 9 years ago.
This question's answers are a community effort. Edit existing answers to improve this post. It is not currently accepting new answers or interactions.
What tools are there available for static analysis against C# code? I know about FxCop and StyleCop. Are there others? I've run across NStatic before but it's been in development for what seems like forever - it's looking pretty slick from what little I've seen of it, so it would be nice if it would ever see the light of day.
Along these same lines (this is primarily my interest for static analysis), tools for testing code for multithreading issues (deadlocks, race conditions, etc.) also seem a bit scarce. Typemock Racer just popped up so I'll be looking at that. Anything beyond this?
Real-life opinions about tools you've used are appreciated.
Code violation detection Tools:
FxCop, excellent tool by Microsoft. Check compliance with .NET framework guidelines.
Edit October 2010: No longer available as a standalone download. It is now included in the Windows SDK and after installation can be found in Program Files\Microsoft SDKs\Windows\ [v7.1] \Bin\FXCop\FxCopSetup.exe
Edit February 2018: This functionality has now been integrated into Visual Studio 2012 and later as Code Analysis
Clocksharp, based on code source analysis (to C# 2.0)
Mono.Gendarme, similar to FxCop but with an open source licence (based on Mono.Cecil)
Smokey, similar to FxCop and Gendarme, based on Mono.Cecil. No longer on development, the main developer works with Gendarme team now.
Coverity Prevent™ for C#, commercial product
PRQA QA·C#, commercial product
PVS-Studio, commercial product
CAT.NET, visual studio addin that helps identification of security flaws Edit November 2019: Link is dead.
CodeIt.Right
Spec#
Pex
SonarQube, FOSS & Commercial options to support writing cleaner and safer code.
Quality Metric Tools:
NDepend, great visual tool. Useful for code metrics, rules, diff, coupling and dependency studies.
Nitriq, free, can easily write your own metrics/constraints, nice visualizations. Edit February 2018: download links now dead. Edit June 17, 2019: Links not dead.
RSM Squared, based on code source analysis
C# Metrics, using a full parse of C#
SourceMonitor, an old tool that occasionally gets updates
Code Metrics, a Reflector add-in
Vil, old tool that doesn't support .NET 2.0. Edit January 2018: Link now dead
Checking Style Tools:
StyleCop, Microsoft tool ( run from inside of Visual Studio or integrated into an MSBuild project). Also available as an extension for Visual Studio 2015 and C#6.0
Agent Smith, code style validation plugin for ReSharper
Duplication Detection:
Simian, based on source code. Works with plenty languages.
CloneDR, detects parameterized clones only on language boundaries (also handles many languages other than C#)
Clone Detective a Visual Studio plugin (which uses ConQAT internally)
Atomiq, based on source code, plenty of languages, cool "wheel" visualization
General Refactoring tools
ReSharper - Majorly cool C# code analysis and refactoring features
The tool NDepend is quoted as Quality Metric Tools but it is pretty much also a Code violation detection tool. Disclaimer: I am one of the developers of the tool
With NDepend, one can write Code Rule over LINQ Queries (what we call CQLinq). More than 200 CQLinq code rules are proposed by default. The strength of CQLinq is that it is straightforward to write a code rule, and get immediately results. Facilities are proposed to browse matched code elements. For example:
Beside that, NDepend comes with many others static analysis like features. These include:
Reporting from your CI/CD
Azure DevOps Hub
GitHub Action
Smart Technical Debt Estimation
Dependency Matrix
Code Diff capabilities
NDepend.API that lets write you own static analysis tool. With NDepend.APi we even developed a tool to detect code duplicate (details in this blog post: An Original Algorithm to Find .NET Code Duplicate).
Powerful Dependency Graph
Gendarme is an open source rules based static analyzer (similar to FXCop, but finds a lot of different problems).
Clone Detective is a nice plug-in for Visual Studio that finds duplicate code.
Also speaking of Mono, I find the act of compiling with the Mono compiler (if your code is platform independent enough to do that, a goal you might want to strive for anyway) finds tons of unreferenced variables and other Warnings that Visual Studio completely misses (even with the warning level set to 4).
Have you seen CAT.NET?
From the blurb -
CAT.NET is a binary code analysis tool
that helps identify common variants of
certain prevailing vulnerabilities
that can give rise to common attack
vectors such as Cross-Site Scripting
(XSS), SQL Injection and XPath
Injection.
I used an early beta and it did seem to turn up a few things worth looking at.
Aside from the excellent list by madgnome, I would add a duplicate code detector that is based off the command line (but is free):
http://sourceforge.net/projects/duplo/
Klocwork has a static analysis tool for C#: http://www.klocwork.com
I find the Code Metrics and Dependency Structure Matrix add-ins for Reflector very useful.
Optimyth Software has just launched a static analysis service in the cloud www.checkinginthecloud.com. Just securely upload your code run the analysis and get the results. No hassles.
It supports several languages including C# more info can be found at wwww.optimyth.com
Axivion Bauhaus Suite is a static analysis tool that works with C# (as well as C, C++ and Java).
It provides the following capabilities:
Software Architecture Visualization (inlcuding dependencies)
Enforcement of architectural rules e.g. layering, subsystems, calling rules
Clone Detection - highlighting copy and pasted (and modified code)
Dead Code Detection
Cycle Detection
Software Metrics
Code Style Checks
These features can be run on a one-off basis or as part of a Continuous Integration process. Issues can be highlighted on a per project basis or per developer basis when the system is integrated with a source code control system.