Visual Studio 2013 Static Code Analysis in depth: What? When and How?


In this post I’ll illustrate in details the following points


What is static code analysis?

Static Code Analysis feature of Visual Studio performs static code analysis on code to help developers identify potential design, globalization, interoperability, performance, security, and a lot of other categories of potential problems according to Microsoft’s rules that mainly targets best practices in writing code, and there is a large set of those rules included with Visual Studio grouped into different categorized targeting specific coding issues like security, design, Interoperability, globalizations and others.

Static here means analyzing the source code without executing it and this type of analysis can be performed through automated tools (like Visual Studio 2013 Code Analysis Tool) or manually through Code Review which already supported in Visual Studio 2012 and 2013 (check Using Code Review to Improve Quality video on Channel9)

There is also Dynamic analysis which performed on executing programs using software testing techniques such as Code Coverage for example.

When to use?

Running Code analysis tool at regular intervals during your development process can enhance the quality of your software, examines your code for a set of common defects and violations is always a good programming practice.

Adding that Code analysis can also find defects in your code that are difficult to discover through testing allowing you to achieve first level quality gate for you application during development phase before you release it to the testing team.

Supported platforms

  • .NET Framework, native (C and C++)
  • Database applications.

Support Visual Studio versions

  • All version of Visual Studio starting Visual Studio 2013 (except Visual Studio Test Professional) check Feature comparisons
  • Create and modify a custom rule set required Visual Studio Premium or Ultimate.

How to use?

Code Analysis can be run manually at any time from within the Visual Studio IDE, or even setup to automatically run as part of a Team Build or check-in policy for Team Foundation Server.

Run Code Analysis Manually

  • To run code analysis manually on a project, on the Analyze menu, click Run Code Analysis on your project or simply right click on the project name on the Solution Explorer choose Run Code Analysis from the context menu

clip_image002

clip_image004

Run Code Analysis Automatically

  • To run code analysis each time that you build a project, you select Enable Code Analysis on Build on the project’s Property Page

clip_image006

Run Code Analysis while check-in source code to TFS version control (TFSVC)

  • Team Foundation Version Control (TFVC) provides a way for organizations to enforce practices that lead to better code and more efficient group development through Check-in policies which are rules that are set at the team project level and enforced on developer computers before code is allowed to be checked in. (This is available only if you’re using Team Foundation Server)
  • Require permissions on Team Foundation Server: you must have the Edit project-level information permission set to Allow typically your account must be part of Project Administrators, Project Collection Administrators, for more information about Team Foundation permissions check http://msdn.microsoft.com/en-us/library/ms252587(v=vs.120).aspx
  • In Team Explorer, right-click the team project name, point to Team Project Settings, and then click Source Control.
  • In the Source Control dialog box, select the Check-in Policy tab.
  • Click Add to create a new check-in policy.
  • Double-click the existing Code Analysis item in the Policy Type list to change the policy.

clip_image008

  • Check or Uncheck the policy option based on the configurations you need to perform as illustrated below:
    • Enforce check-in to only contain files that are part of current solution: code analysis can run only on files specified in solution and project configuration files. This policy guarantees that all code that is part of a solution is analyzed.
    • Enforce C/C++ Code Analysis (/analyze): Requires that all C or C++ projects be built with the /analyze compiler option to run code analysis before they can be checked in.
    • Enforce Code Analysis for Managed Code: Requires that all managed projects run code analysis and build before they can be checked in.

Check Code analysis rule set reference on MSDN

clip_image010

  • What is Rule Set? Rule Set is a group of code analysis rules like the example below where Microsoft.Design is the rule set name where "Do not declare static members on generic types" is the code analysis rule

clip_image011[4]

  • Once you configured the Analysis rule the policy will be enabled for all the team member in this project whenever a team member check-in any source code to the TFSVC the policy section will highlight the Code Analysis policy as below

clip_image013

Run Code Analysis as part of Team Build

  • With Team Foundation Build (TFBuild), you can create and manage build processes that automatically compile and test your applications, and perform other important functions.
  • Code Analysis can be enabled in the Build Definition file by selecting the correct value for the build process parameter "Perform Code Analysis"

clip_image015

  • Once configure, Kick-off your build definition to queue a new build, Code Analysis will run as part of build workflow and you will be able to see code analysis warning as part of build report

clip_image017

Understand the Code Analysis results & learn how to fix them

Now after you went through Code Analysis configurations and the different ways of running it, we will go through the Code Analysis result how to understand them and how to resolve them.

Code Analysis window in Visual Studio will show all the analysis results based on the rule sets you configured in the project file properties, let’s dig deep into what each result item contains:

clip_image019

1

Check ID

The unique identifier for the rule. CheckId and Category are used for in-source suppression of a warning.      

2

Title

The title of warning message      

3

Description

A description of the problem or suggested fix

4

File Name

File name and the line of code number which violate the code analysis rule set

5

Category

The code analysis category for this error

6

Warning /Error

Depend on how you configure it in the rule set the default is Warning level

7

Action

Copy: copy the warning information to the clipboard

Create Work Item: If you’re connected to Team Foundation Server you can create a work item most probably you may create a Task or Bug and assign it for a developer to fix certain code analysis warning

Suppress Message: There are times when you might decide not to fix a code analysis warning. You might decide that resolving the warning requires too much recoding in relation to the probability that the issue will arise in any real-world implementation of your code. Or you might believe that the analysis that is used in the warning is inappropriate for the particular context. You can suppress individual warnings so that they no longer appear in the Code Analysis window.

Two options available:

In Source inserts a SuppressMessage attribute in the source file above the method that generated the warning. This makes the suppression more discoverable.

In Suppression File adds a SuppressMessage attribute to the GlobalSuppressions.cs file of the project. This can make the management of suppressions easier. Note that the SuppressMessage attribute added to GlobalSuppression.cs also targets the method that generated the warning. It does not suppress the warning globally.      

Visual Studio makes it very easy to fix Code analysis warning, all you have to do is clicking on the Check Id hyperlink if you are not aware how to fix the warring and you’ll be directed to MSDN online or local copy based on the configuration you did while installing Visual Studio and you will find all the information about the warring including how to fix it.

clip_image021

Create a Custom Code Analysis Rule Set

  • The Microsoft standard rule sets provide groups of rules that are organized by function and depth. For example, the Microsoft Basic Design Guidelines Rules and the Microsoft Extended Design Guidelines Rules contain rules that focus on usability and maintainability issues, with added emphasis on naming rules in the Extended rule set, you can create and modify a custom rule set to meet specific project needs associated with code analysis. To create a custom rule set, you open one or more standard rule sets in the rule set editor.
  • Create and modify a custom rule set required Visual Studio Premium or Ultimate.
  • You can check How to: Create a Custom Rule Set on MSDN for more details http://msdn.microsoft.com/en-us/library/dd264974.aspx

Q & A

References

Comments (15)

  1. Adel says:

    Thanks Hosam for the detailed article, one question, is there an analysis part of VS Static Code Analysis that sans for dead code, in other word methods or classes that is not referenced, css/js dead clases/links, js functions that is not used?

  2. Hosam Kamel says:

    @Adel Thanks for raising this point will update the post to include some information about that and for you questions yes you can use code analysis to detect the following types of dead code, you can simply run the "All Microsoft Rules" or simply create a custom Rule set with the following check Ids

    •Private methods that are not called from any other code (CA1811)

    •Unused local variables (CA1804)

    •Unused private fields (CA1823)

    •Unused parameters (CA1801)

    •Internal classes that are not instantiated from any other code (CA1812)

    As for the JavaScript we released a feature to analyze JavaScript code but for Windows Store Apps only  (blogs.msdn.com/…/using-visual-studio-s-javascript-memory-analysis-tool-to-find-memory-leaks-on-your-windows-8-javascript-app.aspx) I believe JSLint is still the tool for that since Visual Studio Code analyzer can scan only .NET framework code and native (C and C++)  

  3. Adel says:

    Much appreciated

  4. Laurent says:

    Thanks for your article. is there a tool to display charts of analysis history ? or something like easy UI to check more frequent transgression rules, overall complexity..etc. ? something like SonarQube for instance ?

  5. This is a great article. In MSDN it is one of the few that I have seen which also adds a references section. While most are findable within MSDN itself, the notable mention is the ACM article reference.  Even though it will not add to your knowledge of static analysis within Visual Studio, it broadens the understanding of how these tools are constructed, their limitations, and what to expect from them.  It is a nice read by itself.

  6. philippecp says:

    Is there any plans to extend dead code analysis to also include public methods and fields by doing a cross project analysis within a solution? I inherited maintenance of code where the author liked to create many small cross-referenced projects with class and methods being public by default. Unfortunately, static code analysis does not help me find dead code in this situation.

  7. Matt Salmon says:

    This is a useful article, thanks Hosam. My team are looking to implement our own custom rules (not just custom rule sets, but specific rules which may not already be available in the Microsoft sets). This article is the closest I can find, but it's 4 years old now:

    blogs.msdn.com/…/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx

    I'd like to stick to using Code Analysis because of the IDE/TFS integration, but I can find no formal documentation on how to do this, can you offer any advice?

  8. sandip says:

    My question is if we are planning to perform the cleanup using Code Analysis feature. We cannot do this in one go since we are having very large number of projects(95). Out of which many of them are part of different solutions, I mean common libraries. Is there any chance that if I apply rules against one solution will broke other solutions.

    Simple question is " Does all the analysis Rules make sure those are only DLL level warnings are generated? "

  9. Hosam Kamel says:

    @Sandip if you need to indicate that a warning is non-applicable, you can use "In Source Suppression" of warnings is implemented through custom attribute

    [System.Diagnosis.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1039:ListsAreStrongTyped")]

    There are many ways to suppress the code analysis on certain component or generated code, hereunder couple of links:

    msdn.microsoft.com/…/dd742298.aspx

    msdn.microsoft.com/…/ms244717.aspx

  10. Uchitha Ranasinghe says:

    I have the same question as Sandip. We got a solution comprising of many projects and we need to do a feel of how the whole solution is doing. For example there could be public methods/properties of low level projects (Services etc…) which are not used by the front end and thus can be cleaned up. Wondering whether VS 2013 analysis can solve it in anyway.

  11. Kedar says:

    I am using VS2013. I ran code analysis with security rules on my web project. But it did not show issues in config file such as

    1. connection string is in clear text

    2. password is in clear text.

    Please guide me on this.

  12. sandip says:

    @Hosam Kamel

    Now, I have gone through both the links. Thank you for value additions on my knowledge base.

    I was having question, that I think need to be explained with example as below,

    Lets assume I have the Team Project on TFS server. This team projects consist of several .sln(s) on it.

    Lets assume Solution1 and Solution2. Out of these am able to run the CA on individual solution level by setting properties in all projects in it. This is one-by-one job, which is fine as far as looking at ROI.

    Let's say Solution1 and Solution2 has common projects(used in both), which are having both kind of references namely File References and Project References. Fixing warnings from one solution may break another solution.

    To Avoid above–

    Now instead of applying all rules in all solutions.

    I want the set of rules(List) that are having impact only in current solutions in other words, fixing warning in one should not break in other.

    I cannot simply select all rules. (Example. There are many related to spelling corrections, e.g.CA1704: Identifiers should be spelled correctly). Here I would need to build all solutions for one warning corrections to make sure every other solutions are successfully built.

    So to start with small step,

    1.  Is there any such standard recommendation list of rule set available which will give guidelines for only current project and strictly independent of any other dependencies(file & project ref.)?

    2.  My second question is, Is for file and project references are making any difference in this exercise?

    Thanks for patience.

    Sandip

  13. Sanket Gawade says:

    Thanks for article, I have one question can we do impact analysis by using this tool?

    For example I have one project in that there is one integer variable now my requirement is to change that integer variable to long

    So I have to generate report which contains how many fields or variable will affect? How many files I have to recompile again?

  14. yogesh says:

    Hello

    Thanks for the article it is too much informative, i have one question can we get the Log files regarding this that when we run this code analyzer and its details.

    Thank you

    Yogesh

  15. Steve says:

    Hi, I'm using VS Express 2013. When I run code analysis on my current project I get just 5 issues listed but if I examine the xml files generated by the code analysis tool, they contain many more issues – how do I get these to show up in the main code analysis window?