Did a quick search but could not find anything about this.
I guess all of you know that the Visual Studio Code Analysis is quite nitpicking and gives warnings about a lot of things. Does anybody know how well Microsoft follow this themselves..? That is, if I were to run a code analysis on their assemblies, would the warnings be none or very few (perhaps surpress warning with a justification..?).
Most of the things that code analysis (or FXCop) check are closely based on the ".NET Framework Library Design Guidelines" (either the book, or on MSDN).
However those guidelines (especially in the book) have caveats, not all apply in all circumstances.
There are plenty of indications that MS do use these tools, but I assume they do have reasons to not apply all the rules all the time, as any other project does.
There are two core tools used widely at Microsoft for Code Analysis: FXCop for managed code and PreFast for native C++.
Historically, while not every team has thoroughly enforced the use of CA when building their products, there's been a significant upswing over the last 3-4 years in particular in the number of teams that now enforce pretty stringent CA requirements on their feature teams and on the product as a whole.
For example, in Vista, the Windows team essentially took 3 months off product development and SAL-annotated the vast majority of their key method and function declarations. in Win7, they mandated that all new code had to comply with a set of requirements for SAL-annotating key scenarios (primarily to reduce the likelihood of buffer overruns). In Win8 they're going further still and are incorporating new SAL annotations for a number of key scenarios. Combined with improved compilers and tools like PreFast (now build into VS 2010 Pro and up), they and you can find and eliminate potential issues before the product is released.
Note that the warnings issues by CA (whichever CA tool you choose to use) will always require overrides - sometimes, there's a really good reason as to why the code has to do what it does. But you should only override if you're ABSOLUTELY sure it's necessary and appropriate. NEVER turn off a warning because you don't understand it and never turn off a warning if you can't be bothered to fix it.
Related
I have to make a choice between Veracode and FxCop for application security testing.
Obviously Veracode comes with a price and FxCop is free.
But to know the efficiency of FxCop I must compare my results with the free analysis result provided by veracode. Both the tests are run against the same dll.
How will I know which one is a Cross-site scripting error or an CRLF injection in FxCop?
Is there any guide available? Any way to decipher if I am looking at the same errors in both?
Any help is appreciated.
FxCop is not specifically geared towards security testing. Though it has a couple of rules that check for specific security issues, it's far less advanced than VeraCode, Coverity or Fortify in this respect. It's not meant to replace them, on this front, it's meant to provide basic checks.
Code Analysis also checks other aspects like localization and globalization issues, memory leaks and other generally bad things that have nothing to do with security.
You base solution should at least use Code Analysis inside Visual Studio. Whether you want to use additional security checks from 3rd party vendors is up to you. There are a number of (open source) rulesets available that extend Code Analysis with additional security rules. These are not standard rules that ship with Visual Studio though (and haven't been updated in ages).
To see which types of check are built into Code Analysis (FxCop), look at the documentation. You'll see that there is no cross site scripting warnings present, which makes sense, as you're likely to make such mistakes in HTML and Javascript and not primarily in C#. CodeAnalysis and FxCop target issues in your Managed .NET code, not in your client side scripts or HTML.
Other tools like JsHint/JsLint and and tools recommended by the OWASP group may provide free alternatives.
I want to use SLP Code Protector to make decompilation of a .NET application harder. I don't want licensing functionality, just the offline code protection it offers.
I know it is now owned by InishTech but I'm hoping to obtain just the Code Protector via Microsoft as suggested in this article from Visual Studio magazine
The code protector is just one part of Microsoft's SLP vision. The code protector is free to use, and it will be included with Visual Studio.
Is Microsoft's SLP Code Protector still available and if so, how would I use in in Visual Studio?
http://www.microsoft.com/slps/ -->
InishTech has assumed full responsibility for the existing customer base,
and acquired the rights to SLP Services. To ensure a smooth transition
for SLP Services customers, Microsoft will continue to offer SLP Services
support until September 24, 2009.
It is now InishTech. You can learn more about the solutions they offer here: http://www.inishtech.com/
Disclaimer: I work for InishTech.
Unfortunately Microsoft stopped shipping the software in 2008 as stated in #Nathan Tornquist's answer (+1'd). Note that if you did have a version stashed from that time, it is frozen in time with all that implies. You'd hence find a significant number of problems which have since been resolved:
the 'generic' permutation included was not per-customer and hence only recommended for use in evaluations of SLPS. Normal recommended use of Code Protector requires a licensed 'Permutation' specific to a customer, which requires a subscription to the service - this has always been the case even when Microsoft provided the product - it was only 'free' in the sense that an MSDN subscription included a basic SLPS subscription.
the installation process circa 2008 was tricky to get right (and provides no way to run your code if you do not have an elevated installation process in order to write to the registry. Given that you only want the Code Protection that would be a significant encumberance)
There was no Visual Studio integration of any kind
Restrictions on use of generics in code to be protected, running in x64 processes, running under CLR v4 would sooner or later become an issue for you
There have been a significant number of non-headline improvements to one's ability to diagnose runtime issues
The bottom line is that even though it may be technically and/or legally possible, it really would be a bad investment of your time to attempt to do so given the amount of enhancements, performance tuning (both at runtime and in terms of time to transform code) and bugfixes that have been added since that time.
The current process (which no longer involves an SDK installation, relying instead on an InishTech-provided NuGet feed/packages and fully integrates with Visual Studio or Build Server driven builds) is outlined on http://docs.softwarepotential.com in the Getting Started with Code Protection article.
I am interested in writing a generic Intellisense enabled editor for SQL and C# (et al. if possible!). I would like to do this in C# as an overridden or extended WPF richTextBox-type control. I know there are many example projects available and I have implemented a basic version of my own; but most of the examples that I have come across (and indeed my own) are just that, basic.
A couple of code examples are:
DIY Intellisense By yetanotherchris
CodeTextBox - another RichTextBox control with syntax highlighting and Intellisense By Tamas Honfi
I have however, found a great example of an SQL editor with Intellisense QueryCommander SQL Editor By Mikael HÃ¥kansson which seems to work well. Microsoft must use a XML library of command keywords, but my question is: How (in detail) do Microsoft implement their Intellisense (as-you-type Intellisense) and how hard would it be for me to create my own of the same standard?
Edit A: A year on and I have managed to develop my own editor control with basic intellisense mainly for my own "enjoyment". I thought I would come back provide a list of freely available .NET projects that helped me with my own development and can be used out-of-the-box and free of charge:
ICSharpCode (WinForms)
AvalonEdit (WPF)
ScintillaNET (WinForms)
Query Commander [for example of intellisense implementation] (WinForms)
Edit B: 15 months after the question was asked I am still looking for new improved editors. This one is nice...
RoslynPAD is cool!
Edit C: 2 years+ on from the question, I have found the following projects, both using WPF and backed by AvalonEdit.
CodeCompletion for AvalonEdit using NRefactory. This project is really nice and has a full implementation of intellisense using NRefactory.
ScriptCS ScriptCS makes it easy to write and execute C# with a simple text editor.
How (in detail) do Microsoft implement their as-you-type Intellisense?
I can describe it to any level of detail you care to name, but I don't have the time for more than a brief explanation. I'll explain how we do it in Roslyn.
First, we build an immutable model of the token stream using a data structure that can efficiently represent edits, since obviously edits are precisely what there are going to be a lot of.
The key insight to making it efficient for persistent reuse is to represent the character lengths of the tokens but not their character positions in the edit buffer; remember, a token at the end of the file is going to change position on every edit but the length of the token does not change. You must at all costs minimize the number of total re-lexings if you want to be efficient on extremely large files.
Once you have an immutable model that can handle inserts and deletions to build up an immutable token stream without re-lexing the entire file every time, you then have to do the same thing, but for grammatical analysis. This is in practice a considerably harder problem. I recommend that you obtain an undergraduate or graduate degree in computer science with an emphasis on parser theory if you have not already. We obtained the help of people with PhDs who did their theses on parser theory to design this particular bit of the algorithm.
Then, obviously, build a grammatical analyzer that can analyze C#. Remember, it has to analyze broken C#, not correct C#; IntelliSense has to work while the program is in a non-compiling state. So start by coming up with modifications to the grammar that have good error-recovery characteristics.
OK, so now you've got a parser that can efficiently do grammatical analysis without re-lexing or re-parsing anything but the edited region, most of the time, which means that you can do the work between keystrokes. I forgot to mention, of course you will need to come up with some mechanism to not block the UI thread while doing all of these analyses should the analysis happen to take longer than the time between two keystrokes. The new "async/await" feature of C# 5 should help with that. (I can tell you from personal experience: be careful with the proliferation of tasks and cancellation tokens. If you are careless, it is possible to get into a state where there are tens of thousands of cancelled tasks pending, and that is not fast.)
Now that you've got a grammatical analysis you need to build a semantic analyzer. Since you are only doing IntelliSense, it does not need to be a particularly sophisticated semantic analyzer. (Our semantic analyzer must do an analysis suitable for generating code from correct programs and correct error analysis from incorrect programs.) But of course, again it has to do good semantic analysis on broken programs, which does increase the complexity considerably.
My advice is to start by building a "top level" semantic analyzer, again using an immutable model that can persist the state of the declared-in-source-code types from edit to edit. The top level analyzer deals with anything that is not a statement or expression: type declarations, directives, namespaces, method declarations, constructors, destructors, and so on. The stuff that makes up the "shape" of the program when the compiler generates metadata.
Metadata! I forgot about metadata. You'll need a metadata reader. You need to be able to produce IntelliSense on expressions that refer to types in libraries, obviously. I recommend using the CCI libraries as your metadata reader, and not Reflection. Since you are only doing IntelliSense, obviously you don't need a metadata writer.
Anyway, once you have a top-level semantic analyzer, then you can write a statement-and-expression semantic analyzer that analyzes the types of the expressions in a given statement. Pay particular attention to name lookup and overload resolution algorithms. Method type inference will be particularly tricky, especially inside LINQ queries.
Once you've got all that, an IntelliSense engine should be easy; just work out the type of the expression at the current cursor position and display a dropdown appropriately.
how hard would it be for me to create my own of the same standard?
Well, we've got a team of, call it ten people, and it'll probably take, call it five years all together to get the whole thing done from start to finish. But we have lots more to do than just the IntelliSense engine. That's maybe only 40% of the work. Oh, and half those people work on VB, now that I think about it. But those people have on average probably five or ten years experience in doing this sort of work, so they're faster at it than you will be if you've never done this before.
So let's say it should take you about ten to twenty years of full time work, working alone, to build a Roslyn-quality IntelliSense engine for C# that can do acceptably-close-to-correct analysis of large programs in the time between keystrokes.
Longer if you need to do that PhD first, obviously.
Or, you could simply use Roslyn, since that's what it's for. That'll take you probably a few hours, but you don't get the fun of doing it yourself. And it is fun!
You can download the preview release here:
http://www.microsoft.com/download/en/details.aspx?id=27746
This is an area where Microsoft typically produces great results - Microsoft developer tools really are awesome. And there is a clear commercial advantage for sales of their developer tools and for sales of Windows to having the best intellisense so it makes sense for Microsoft to devote the kind of resources Eric describes in his wonderfully detailed answer. Still, I think it's worth pointing out a few of things:
Your customers may not actually need all the features that Microsoft's implementation provides. The Microsoft solution might be incredibly over-engineered in terms of the features that you need to provide to your customers/users. Unless you're actually implementing a generic coding environment that is intended to be competitive with Visual Studio, it is likely that there are aspects of your intended use that either simplify the problem, or that allow you to make compromises on the solution that Microsoft feels they cannot make. Microsoft will likely spend resources decreasing response times that are already measured in hundreds of milliseconds. That may not be something you need to do. Microsoft is spending time on providing an API for others to use for code analysis. That's likely not part of your plan. Prioritize your features and decide what "good enough" looks like for you and your customers then estimate the cost of implementing that.
In addition to bearing the obvious costs of implementing requirements that you may not actually have, Microsoft also carries some costs that may not be obvious if you haven't worked in a team. There are huge communication costs associated with teams. It's actually incredibly easy to have five smart people take longer to produce a solution than it takes for a single smart person to produce the equivalent solution. There are aspects of Microsoft's hiring practices and organizational structure that make this scenario more likely. If you hire a bunch of smart people with egos and then empower all of them to make decisions, you too can get a 5% better solution for 500% of the cost. That 5% better solution might be profitable for Microsoft, but it could be deadly for a small company.
Going from a 1 person solution to a 5 person solution increases the costs, but that's just the intra-team development costs. Microsoft has separate teams that are devoted to (roughly) design, development, and testing even for a single feature. The project-related communication between peers across these boundaries has higher friction than within each of the disciplines. This not only increases communication costs between individuals, but it also results in larger team sizes. And more than that - since it's not a single team of 12 individuals, but is instead 3 teams of 5 individuals, there is 3x the upward communication cost. More costs that Microsoft has chosen to carry that may not translate to similar costs for other companies.
My point here is not to describe Microsoft as an inefficient company. My point is that Microsoft makes a ton of decisions about everything from hiring, to team organization, to design and implementation that start from assumptions about profitability and risk that simply do not apply to companies that are not Microsoft.
In terms of the intellisense thing, there are various ways of thinking about the problem. Microsoft is producing a very generic, reusable solution that doesn't just solve intellisense, but also targets code navigation, refactoring, and various other uses for code analysis. You don't need to do things the same way if your sole goal is to make it easy for developers to enter code without having to type much. Targeting that feature doesn't take years of effort and there are all sorts of creative things you can do if you're not just providing an API, but you actually control the UI too.
So far I use to develop in Java. Java is multi-platform (now works on Android!), has a very powerfull VM and is open, well behaved, etc. But is also old and seems to be stopped on time in terms of language features. Scala and Gosu are nice replacements, but I don't like Scala syntax and Gosu is very immature and unlike to win from Scala. All this makes me think about moving to C# at least for web development! Phew!
One thing that is quite important to me is IDE support. Right now I use Eclipse for Java, and my favorite features are these (most important first, somewhat):
Full code navigation (call hierarchy, show variable reads & writes, inherited members).
Incremental compilation (which means fast compilation).
Many kinds of errors are detected and underlined before compilation.
Many intelligent quick-fixes (can fix/write many code for you and quickly rename elements and refactor references).
Intelligent and configurable code completion. Display hints even for unimported packages/classes.
Over 15 kinds of refactorings, all of them very useful.
Over 15 options of source generation (add unimplemented methods, generate getters and setter, generate delegates).
Configurable code formatter, even for code fragments (select code then format).
Debugger supports hot code replacement and "Drop to Frame" so I can go back an check other things without full program startup.
Code cleanups (remove unnecessary parenthesis, remove unnecessary "this" references, etc).
Very decent, autonomous and seamless CVS integration, with integrated file comparison and computer-aided merge.
Very nice tools for web development (server deployment, JavaScript and HTML editor with formatter).
Tons of plugins (code coverage analyser, memory dump analyser, eGIT).
Which of these features are available in Visual Studio for C#/ASP.NET? If I can get some by adding a cheap plugin, please tell.
Well, I like Visual Studio a lot more than Eclipse. I have only used Eclipse for minimal Java programming and Action Script. Visual Studio can do every thing you listed and if you combine it with a paid plugin like Resharper or CodeRush, you get a lot more. Why don't you download Visual Studio Express and play around with it? That would be much better than getting an answer from a very biased C# dev.
VS2010 with the addition of ReSharper has most of these things. I can't speak to CVS, but it does have fine SVN integration.
I started using VS about six months ago after a few years of Eclipse, and it works pretty well.
Nothing is cheap in the VS world compared to Eclipse.
I'm deciding between ReSharper 5.0 VS CodeRush 10.1. I've seen a lot of questions that target which one is better/faster than the other. For Example, ReSharper may be a little slower than CodeRush when working with large projects. What I am looking for is a list of which features are completely, outright missing in the opponent.
An example would be that ReSharper has an intellisense replacement, which CodeRush leaves to VisualStudio.
What features does one have that the other is missing - assuming performance/speed and learning curve is a non-issue?
(I'm ReSharper Product Manager, take with care)
For me it is not specific features that make most sense here, you can make up any numbers on comparison charts by categorizing things, e.g. you can count formatting actions as refactorings. Also some missing features here and there can be complimented with other plugins - being them within tool's ecosystem or VS ecosystem.
What I really find important for any tool of this kind is deep and accurate code understanding. Some tools, unfortunately, are not that accurate. Every product has bugs and issues, of course, but being not able to accurately resolve symbols is show-stopper for me. May be not for other people, who value fast typing over accurate analysis and refactoring. Other tools in this area cannot even parse C# code sometimes, not to say about resolving generic overloaded methods with lambdas and correctly supporting LINQ patterns.
As for complete, direct and independent feature list comparison, I don't think there is one. I believe every product has comparison chart with Visual Studio (ReSharper has), so you can combine them, and then clarify specific points with the community and users of corresponding products.
I am personally using and loving both, DevExpress CodeRush Express for VS (free) and ReSharper (open source license).
http://www.devexpress.com/Products/Visual_Studio_Add-in/CodeRushX/
http://www.jetbrains.com/resharper/buy/opensource_license.html
Honestly speaking I want both, though they do have some overlaps such as refactoring, code analysis. But they do have a lot of unique features, such as structure highlight (CR). And at some extent installing both consumes more system resources. However, the benefits from both products are huge.
Always use a powerful machine (or machines) as your development environment, and it can overcome a lot of pains in the near future :)
Cards on Table: I'm a huge CodeRush fan and a member of DX-Squad (Which means I help out on the DX forums)
As you might imagine, I use CodeRush quite a bit and I have a reasonably good knowledge on what is, and what isn't possible using the current DX toolset. I think however that there are few who are particularly well versed in both products
As for what might be missing from each. Typically this doesn't bother me... If I need something not supplied with CodeRush, I tend to build it myself :)
The DXCore (free framework on which CodeRush and CodeRush XPress are built) makes this very easy. Feel free to head over to our community site and take a look.