Update: The transcript for this chat can be found here.
Yesterday we had a really successful Team System chat with over 150 customers (including 7 MVPs). Thank you to all that attended, it is really great to be able to speak to customers directly.
The following is a list of questions that were asked about FxCop/Managed Code Analysis:
Q: Do you expect FxCop to include security analysis any time soon, from what I understand, it currently cannot detect issues like SQL injection due to its data flow analysis limitations – are you looking at including this or leaving it to 3rd parties
A: FxCop currently includes quite a few security rules: http://msdn2.microsoft.com/en-us/library/ms182296.aspx Including a rule that does dataflow analysis to find possible SQL query issues: http://msdn2.microsoft.com/en-us/library/ms182310.aspx. This set of rules is not a complete set of possible security rules, nor are the existing rules 100% guaranteed to find all the problems in their area of analysis. No code analysis tool can replace a formal security audit. Nevertheless, we have found inside Microsoft that FxCop can be of great help finding potential security issues.
Q: We recently meat with A Microsoft evangelist that told us that in the next version of VSTE that the format of fxCOP rules would be changing and that user customozation of rules is being discouraged. Can you validate this?
A: The API for custom rules is indeed not finalized. However as in the past with changes in our API we will provide details on how to upgrade your rules. See http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=333885&SiteID=1 for more details on custom rules development and support levels.
Q: Any planned release date for a final (supported) FxCop/CodeAnalysis extension API?
A: Peter, while we haven’t made any official annoucements regarding a supported and documented Managed Code Analysis API, I can say that the we are doing a lot of work cleaning up the API and making it a lot friendlier to custom rules developers. We also plan on releasing custom rules samples and whitepapers around the same time as Orcas release, which should ease the current pain to get up a custom rule up and running.
Q: Q Will upgrading customized rules be a manual process or will you provide a toolkit to do this. Many customers have customized fxCop rules to fit their environments.
A: This will most likely be a manual process, however, as mentioned above we are planning on writing whitepapers to ease this transition. What kind of custom rules do you have deployed at the moment?
This entire report with be posted on http://msdn.microsoft.com/chats/transcripts/vstudio/default.aspx in the next couple of weeks.
If you missed this chat, don’t worry, we have another one coming up on Wednesday, October 4th.