What is New in Code Analysis for Visual Studio 2013
July 3, 2013
This post (addressing uservoice feedback on CA) was written by Nat Ayewah, a member of the code analysis team in Windows
Last year’s release of Visual Studio 2012 marked a significant update to the Code Analysis experience in Visual Studio. We made code analysis available in more editions of Visual Studio, introduced a new user interface for viewing, filtering and stepping through results, and made accuracy and other improvements.
In Visual Studio 2013, our focus has been on fixing bugs in response to user feedback, and making a few more improvements to the user experience. Highlights include:
- Categorization of results, with the ability to filter by category
- Sorting of results by various properties, including Rule ID, File Name and Category
Code Analysis Categories
Visual Studio 2013 introduces categories for native rules and exposes the existing managed code analysis categories in the user interface. These categories provide a more fine-grained grouping of defects to indicate, for example, if the defect is related to an annotation syntax error, a critical security vulnerability or a simple logic error. Categories are particularly helpful when dealing with a large list of warnings, which can be overwhelming without some guidance on which warnings to focus on first. With this change, users can focus their efforts on the categories that are most relevant to their needs. Users will immediately notice the new categories because they augment the results displayed in the code analysis viewer:
Users also have the option to filter the results by category using the search box, or select a specific category from a new dropdown button. By design, this button replaces the Error/Warning option that was in Visual Studio 2012. Users can still use the search box to separate errors from warnings.
Sorting Results
Visual Studio 2012 moved code analysis results out of the error list and into a new Code Analysis Viewer that makes it easier to read and filter results. It also provides a detailed explanation of the code path for some warnings. One key feature of the error list that was missing in the new viewer was the ability to sort the defect list. Visual Studio 2013 adds support for sorting to the new viewer by way of a new toolbar Sort button. Users can sort the defect list by six common properties or reset the list to its default sort order. Selecting a sort property twice results in a descending order sort:
In Closing
The code analysis team received a lot of useful feedback from users, which we used to improve the accuracy of native code analysis. We also worked with partners to improve the quality of the headers shipped with the Windows and Driver Kits. Please try out Visual Studio 2013 and check out the new Code Analysis features.
We would love to hear any questions or comments you have in the comments below or on our MSDN forum.
Great that the headers shipping with Windows SDK/DDK are improved. Just need the MFC/ATL headers to be correctly annotated now….
Are there any changes to the annotations available, or are the VS2012 list of annotations still the current list?
Any plans to update standalone FxCop seeing that Code Analysis is still not supported in the Professional Edition?
A huge deal would be if you would add a filtering option that would allow the developer to filter out CA messages only for the files that are currently checked-out.
The reason is that when the existing codebase contains many warnings it is very easy to introduce new ones just because you don't find your changes in the list.
@Knaģis, why not run code analysis on the whole project, then suppress them all in the Global Suppression file? As and when you change code you will invalidate the global suppression and be forced to fix them.
@Josh
We’ve improved annotations in MFC/ATL headers, but there’s no change in terms of annotations available in VS 2013 compared with VS 2012.
@Carel
Full code analysis functionality was moved to the Professional edition of Visual Studio in 2012, with limited functionality included in the Express editions.
What are the plans for FxCop? It seems like it's being retired.
Is there any plan to add the new Code Analysis to SSDT?
Nope, at this time there are no plans to add the new Code Analysis to SSDT
@Vince,
Are you referring to the FxCop standalone, or FxCop in Visual Studio? We removed the standalone FxCop from the Windows SDK for several reasons, including 1. There was a desire to reduce the size of the Windows SDK, and distinguish between components that were truly Windows versus Visual Studio components. 2. As I mentioned below full FxCop support was moved into the Professional Edition of Visual Studio 2012 with limited support included in the Express versions. FxCop continues to be fully supported in the Visual Studio IDE.
This is a great step forward – I really missed being able to sort the CA warnings.
One problem that I'm seeing with the new 2012/2013 window on my end is that it isn't always obvious to developers that there are CA warnings after a build. Devs are used to checking the error list after building, and ignoring everything else. This means that code often gets checked in with CA warning violations, which we want to avoid.
It would be cool to have an option (something property that could be set in the csproj file) that would cause the existence of any CA warning violations to output a single warning in the Error List. Something like "Warning: there were one or more Code Analysis issues; see the {link}Code Analysis{/link} window for details.
@RobSiklos
Thanks for the great feedback. This experience is something that we are looking to improve in the future; while unfortunately it won't make it into Visual Studio 2013 RTM, it is on our radar.
As a workaround at the moment, you could consider creating a custom ruleset where you set the action for code analysis warnings to be Error which will fail your build if there are any.
Are there any improvements to exporting the CA issues to Excel or Word? This was way better in VS2010 when coming from the Errors window. In VS2012 from the Code Analysis window copy / paste doesn't cut it 😉 Pasting in Excel does not result in separate columns for the issue number, title, file, line # etc.
@John,
The behavior you want is still available: in Excel right click and choose "Paste special…", then choose "csv". When we introduced the new code analysis window we added HTML formatting for pasting results into email per request, so when you copy from the window it puts the data into the clipboard as html, csv, and plain text. Excel takes the HTML by default over the csv (I don't know the rationale for this), but you can tell it to take the csv and it will paste each of these fields into a separate column.
Andrew,
Should this raise a "using uninitialized memory" warning?
#include <sal.h>
// _Out_ is the SAL annotation (leading and trailing underscores are part of the name);
// it tells the analyzer the callee writes the parameter and never reads it first.
void SetToZero(_Out_ int& out)
{
    int* pi = &out;
    *pi = 0;
}
It complains when taking the address of "out". Other operations are fine. Is there a different annotation that I should be using? This seems to be new to VS2013, but I don't know if that's because of a bug, or because of better checking — I haven't put in enough time to actually learn SAL properly :-/ .
@Michael,
This was a bug in the Preview version of Visual Studio 2013; it has subsequently been fixed, so you should not see this warning fired in that case in the next release of Visual Studio 2013.
Andrew,
Neat! Thanks. And now that I'm actually using the IDE, the categories are indeed quite spiffy.
What if any are the differences between C++ Static Code Analysis in VS2013 Pro, Premium and Ultimate please? Do we get addition analysis engines if we pay more?
@Tom, Professional contains all of Visual Studio's static analysis features, Premium and Ultimate do not have any additional static analysis capabilities
Any plans on having code analysis constantly run in the background? We have a fairly large project that takes about 5 minutes to run code analysis on. It would be nice to be able to avoid this step.
@Kevin, improving the performance and experience of code analysis for large builds is something that we are looking into for our next version. However given we haven't finished releasing Visual Studio 2013 we don't have any definitive plans yet.
Any plans to officially sanction and support CA on build servers without the need to install+license VS?
@Kent: We're exploring what it looks like for Code Analysis to generally be more portable, both for the rules we ship and for rules you may write on your own. This would help many scenarios, including running Code Analysis on build servers, though we have nothing to announce there quite yet.
Is Code Analysis available for Visual Studio Express 2013 Web?
@JCS: Code Analysis is not available for Microsoft Visual Studio Express 2013 for Web.
How do we use the code analysis / code metrics from command line build in VS2013 and export the results to a csv file?
@Anubhav
For code analysis, you can configure your project to run code analysis on command line build by going to the "Code Analysis" tab of the project properties and checking "Enable Code Analysis on Build". The results of the analysis will be put into an XML file named [target].CodeAnalysisLog.xml in the bin/debug folder. You can use Excel to import this .xml file.
For code metrics we have a command line powertool, but the version corresponding to VS2013 has not yet been published. We will be publishing this power tool in the next two weeks, please check back here and I will provide a link to it. For reference, the VS2012 code metrics powertool can be found here: http://www.microsoft.com/…/details.aspx.
Hi,
Is there a published map somewhere detailing which warnings or errors fall into which category? I'm looking into writing a custom logger for VS 2012 that would do some of that filtering for us until we move to VS 2013, and if I could go ahead and assign the same categories when building reports, that would ease the transition.
Also, are the categories user-customizable? I'm aware of Rule Sets, but it sounds like that's orthogonal to this categorization.
Thanks,
Jay
@Jay: For managed code, the following page lists the categories that each warning falls into: msdn.microsoft.com/…/ee1hzekz.aspx. For C++ the following page lists all of the warnings, but unfortunately does not list the categories: msdn.microsoft.com/…/a5b9aa09.aspx. However, you can find this information in the ruleset editor, because the warnings are grouped by their categories. We do not have a way to customize the categories.
@Anubhav: The code metrics powertool is now available here: http://www.microsoft.com/…/details.aspx
@Dan
Thanks, that's good to know.
I've got VS 2013 on my machine now, and I was wondering if there were a way to aggregate the static analysis output from our main automated build, which uses multiple stand-alone projects rather than one umbrella solution. We save the build logs and some other outputs, but it appears if I want to use the Code Analysis window I'm limited to an interactive run on a single solution. Is there any way (short of adding all hundred of so of them into one massive solution file which we'd never be able to load at once interactively) to aggregate static analysis outputs from multiple projects and sort or view them with this tool?
Thanks,
Jay
@Jay: the code analysis window does require you to run code analysis interactively in order to use the code analysis window to filter through the results. If this is something you would like to see in future versions, I suggest you add an idea on visualstudio.uservoice.com in the Languages – C# or Languages – C++ section
Hi, in the previous comments, the author was saying FxCop is not part of the SDK anymore but the support will resume. But I can see FxCopCmd.exe in "Program Files\Microsoft Visual Studio 12.0\Team Tools\Static Analysis Tools". So it is still with VS 2013 Ultimate?
@Antoops: Yes – FxCop no longer ships as part of a standalone SDK. The way to get FxCopCmd now is by installing Visual Studio 2013.
Is CAT.NET or BinScope integrated with any Visual Studio 2013 versions?
I have my project(s) set to "Enable Code Analysis on Build" and I have the project(s) to treat warnings as errors. I see:
Code Analysis Complete — 0 error(s), 11 warning(s)
… but, I also see:
========== Rebuild All: 8 succeeded, 0 failed, 0 skipped ==========
Why are the Code Analysis warnings not breaking the build? Is there a way to fail the build if there are Code Analysis errors or warnings?
Assuming the answer is 'No', in VS2010, I analyzed the FxCop XML output to cause a build failure. Is there at least a way to get Code Analysis to output a log file so that I can at least use the same process to break the build? I found "/analyze:log filename" in the context of C++. Where can I enter this MsBuild option in a C# project?
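One way to do what the reply to Anubhav above describes and what this question asks for (read the [target].CodeAnalysisLog.xml written by a command-line build, export the issues to CSV, and return a non-zero exit code so the build can be failed on them), as an added example that is not code from the original post, from Microsoft or from any commenter. It assumes the FxCop report layout, i.e. `Message` elements carrying `CheckId`, `Category` and `Status` attributes, each containing an `Issue` child with `Level`, `File` and `Line` attributes and the message text; check that assumption against your own log before relying on it. The sample log embedded in the script is constructed, not a real build output.

```python
"""Export a Visual Studio / FxCop CodeAnalysisLog.xml to CSV and fail the build on it.

Added example, not code from the original post, Microsoft or any commenter.
Assumption: the log uses the FxCop report layout, i.e. <Message CheckId=...
Category=... Status=...> elements each containing <Issue Level=... File=...
Line=...>text</Issue>.
"""
import csv
import io
import sys
import xml.etree.ElementTree as ET

CSV_COLUMNS = ("CheckId", "Category", "Level", "File", "Line", "Message")

# Issue levels that break the build; "Information" is deliberately left out.
DEFAULT_FAIL_LEVELS = frozenset({"Warning", "CriticalWarning", "Error", "CriticalError"})

# Constructed sample log (not a real file) in the assumed FxCop report layout.
# The third message is Status="Excluded", i.e. suppressed in source or in a
# GlobalSuppressions file, so it must not count against the build.
SAMPLE_LOG = """<FxCopReport Version="12.0">
 <Targets><Target Name="C:\\build\\Demo.dll"><Modules><Module Name="demo.dll">
  <Namespaces><Namespace Name="Demo"><Types><Type Name="Repository" Kind="Class">
   <Members><Member Name="#Find(System.String)" Kind="Method"><Messages>
    <Message TypeName="ReviewSqlQueriesForSecurityVulnerabilities"
             Category="Microsoft.Security" CheckId="CA2100" Status="Active">
     <Issue Name="Default" Certainty="75" Level="CriticalWarning"
            File="Repository.cs" Line="27">The query string passed to 'SqlCommand' could contain user input.</Issue>
    </Message>
    <Message TypeName="DisposeObjectsBeforeLosingScope"
             Category="Microsoft.Reliability" CheckId="CA2000" Status="Active">
     <Issue Name="Default" Certainty="75" Level="Warning"
            File="Repository.cs" Line="25">Object 'cmd' is not disposed along all exception paths.</Issue>
    </Message>
    <Message TypeName="ValidateArgumentsOfPublicMethods"
             Category="Microsoft.Design" CheckId="CA1062" Status="Excluded">
     <Issue Name="Default" Certainty="75" Level="Error"
            File="Repository.cs" Line="23">Validate parameter 'name' before using it.</Issue>
    </Message>
   </Messages></Member></Members>
  </Type></Types></Namespace></Namespaces>
 </Module></Modules></Target></Targets>
</FxCopReport>
"""


def parse_log(xml_data, include_excluded=False):
    """Return one dict per reported issue, in document order.

    Messages whose Status is not "Active" (e.g. "Excluded") are skipped
    unless include_excluded is set, so suppressed warnings do not fail the build.
    """
    root = ET.fromstring(xml_data)
    issues = []
    for message in root.iter("Message"):  # walks the whole tree, whatever the nesting
        status = message.get("Status", "Active")
        if status != "Active" and not include_excluded:
            continue
        for issue in message.findall("Issue"):
            issues.append({
                "check_id": message.get("CheckId", ""),
                "category": message.get("Category", ""),
                "status": status,
                "level": issue.get("Level", ""),
                "file": issue.get("File", ""),
                "line": issue.get("Line", ""),
                "text": (issue.text or "").strip(),
            })
    return issues


def to_csv(issues):
    """Render the issues as CSV with a header row (what Excel's paste-special gives you)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_COLUMNS)
    for i in issues:
        writer.writerow([i["check_id"], i["category"], i["level"], i["file"], i["line"], i["text"]])
    return buf.getvalue()


def build_should_fail(issues, fail_levels=DEFAULT_FAIL_LEVELS):
    """True if any active issue is at a level the build policy refuses to accept."""
    return any(i["level"] in fail_levels for i in issues)


def main(argv):
    if len(argv) < 1:
        print("usage: ca_log_to_csv.py <CodeAnalysisLog.xml> [report.csv]", file=sys.stderr)
        return 2
    with open(argv[0], "rb") as fh:  # bytes, so the XML encoding declaration is honoured
        issues = parse_log(fh.read())
    report = to_csv(issues)
    if len(argv) > 1:
        with open(argv[1], "w", newline="") as out:
            out.write(report)
    else:
        sys.stdout.write(report)
    failing = [i for i in issues if i["level"] in DEFAULT_FAIL_LEVELS]
    if failing:
        print("Code Analysis: %d issue(s) at warning level or above" % len(failing), file=sys.stderr)
        return 1  # non-zero exit fails an MSBuild Exec task or a post-build step
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python ca_log_to_csv.py bin\Debug\MyApp.CodeAnalysisLog.xml report.csv` from a post-build step or an MSBuild Exec task; the non-zero exit code is what breaks the build, which "treat warnings as errors" alone does not do for Code Analysis results. The ruleset route Dan mentions above (rule actions set to Error) is the built-in alternative; this script is for the case where you also want the CSV, or a fail policy that is not baked into the ruleset.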
I need someone to explain the code for me, how I can put the right code in each button or text box.
I need someone to explain the code for me, how to write the code for each box, for example a text box or button.
please help!!!
Mr. Dan J Taylor, could you help please? I need your help.
@meme: I am not sure what you are having trouble with, please e-mail me at dantaylo [at] microsoft.com with more specifics.
How do I use FxCop from Visual Studio 2013 Pro? How do we turn it on?
Is there a way to install standalone FxCop?