FAQ: Which Code Analysis rules shipped in which version?

In response to a lot of recent requests, we've put together a complete list of rules that shipped in the different versions of Visual Studio Code Analysis and FxCop. Attached is an Excel worksheet providing this information for Visual Studio 2005, Visual Studio 2008, FxCop 1.35 and FxCop 1.36 Beta.

One of things you'll notice as you read through the list is that we removed some rules from the later versions. There are a few reasons for this:

  • Noise and applicability. We use feedback from customers, SQM data (to see which rules users turn off), and input from internal teams (Windows, Office, CLR, etc) to determine the rules that are noisy without adding any perceivable value. There are also rules that are either no longer applicable or can no longer fire. for example, a rule could have been firing on a limitation of the CLR which has since been fixed in later versions.

  • Merged rules. Sometimes it makes sense to merge rules that fire on similar things, for example, the analysis in SecureGetObjectDataOverrides was already covered by OverrideLinkDemandsShouldBeIdenticalToBase, so these two rules were merged. Similarly, LongAcronymsShouldBePascalCased, ShortAcronymsShouldBeUppercase and IdentifiersShouldBeCasedCorrectly all fired on the casing of identifiers, and hence were merged in the later.

  • Analysis engine removed. In Visual Studio 2008 and FxCop 1.36 we removed one of our analysis engines. This engine was removed for a variety of reasons; it increased analysis time (although the engine encompassed less than 5% our analysis, it took up 50% of our time-to-analyze), indeterministic results (results appearing and disappearing between runs), and bugs found within the engine (and hence the rules that depended on it) required huge architectural changes. We instead decided to invest the resources that we would have spent on fixing the old engine, on a new data flow analysis engine based on Phoenix, which we will ship in a future version of Visual Studio.

There are also more differences between Visual Studio Code Analysis and FxCop than just the rules - in a future blog post I will cover these in detail.


Comments (11)

  1. Somewhat on the topic of rules that aren’t applicable anymore, I’ve been meaning to ask about Security.ReviewVisibleEventHandlers for a while now…  It’s still quite applicable to .NET 1.x assemblies, but is there some reason that it should also verify .NET 2.0+ assemblies given the changes that were made in .NET 2.0 to include delegate "wirer-uppers" in CAS demands (as described at http://blogs.msdn.com/eugene_bobukh/archive/2005/06/08/427074.aspx)?

  2. David M. Kean says:

    Thanks Nicole. I wasn’t aware of these changes – I’ll investigate and get back to you.

  3. lextm says:

    I am using Visual Studio Pro and find out that FxCop 1.36 Beta cannot work well with it. When I try to go to source, even though a Visual Studio instance is already launched, FxCop launches another one for me. Silly!

    I cannot afford Visual Studio Team Suite, but could you make FxCop works better with Pro? Even open source SharpDevelop has a better connection with FxCop.

  4. Michal on Small Orcas Improvement – part 2. Ed Hintz on Over 1 Billion Served. The SRL Team Blog on Working…

  5. I was very sad to hear that a few beloved rules were removed from code analysis (aka FxCop) in Visual

  6. Scott says:

    Why are the maintainability and reliability rules not also part of FxCop 1.36? Other than that, it’s an exact match on rules with VS2008 which is great for those of us that only have VS2008 Express or Professional editions.

  7. Andy says:

    In CodeAnalysisRules.xls, what does "Removed in data flow engine" mean?

  8. Visual Studio® Team System 2008 Team Foundation Server and Team Suite VPC Image (Trial) http://www.microsoft

  9. [ Nacsa Sándor , 2009. január 19. – február 5.] Ez a Team System változat fejlett eszközrendszert kínál

  10. One of the features, coming with Visual Studio out of the box which is widely under-used is the static

Skip to main content