Impressed by Static Analysis

  • Article

For the last two days we had a chance as a team to pick up a pre-release version of Team System and give it a through user scenario test to see if we could sign off on it being a quality product. I actually quite enjoyed this as it gave me a change to try out some of the features that I haven’t had the time to look at before now. For me this mainly meant taking a look at static code analysis and web and load tests. In this blog entry I’ll look a little deeper at the static code analysis tool.

 

            For my example I was using a small ASP.net front-end that pushed and pulled some simple data out of a local SQLEXPRESS database. I chose this because I don’t have a great deal of experience with working with databases or ASP.net, so please excuse any sloppy code as I was trying to pull this together by the seat of my pants in an hour or two. After writing some of the basic functionality, pushing and pulling news posts from the database to the ASP.net form controls, I ran the code analysis tool on the website. For websites, the code analysis tool can be run by clicking on the menu shown below (for non-website projects you access this from the code analysis tab of the project’s property page).

 

 

            When you run the code analysis tool you will get a parcel of warnings in the error list tool window (pictured below).

 

 

To help you sort through these warnings they are all grouped into namespaces such as Microsoft.Design or Microsoft.Security. To get more information about a warning, just right-click it and select error help (example help screen shown below). These help screens are great as they explain what the warning is, detail about the violated rule, instructions on how to fix it, examples of when to exclude (ignore) the warning and a very nice code example. The code example is a favorite of mine as it shows and example of the rule being broken and of how to fix it.

 

 

            So not every static analysis warning is something that you *need* to fix. For example, for my mini-app I didn’t want to deal with all the Globalization warnings, since my one hour hack is intended only for the US market ;). So there are two different ways to exclude warnings from code analysis. The first way is to right click on one of the warnings in the error list window and choose “Suppress Message”; this will add an attribute into one of your code files to suppress that specific instance of that warning. But what if you want to suppress a message for all instances or suppress an entire class of messages? For an ASP.net website go to the Website menu and select “Code Analysis Configuration.” This will bring up the dialog shown below that will let you choose warnings and classes of warnings to exclude from static analysis. Also by clicking on the warning section you can change a message to show up as an error instead of a warning when running static analysis. Again for non-website projects you access this screen through the code analysis tab of a project’s property pages.

 

 

            In summary, I was impressed by Static Analysis’ ability to ferret out issues in code, and for big programming shops to enforce specific coding guidelines for their employees. Since I was unfamiliar with ASP.net and database programming Static Analysis was able to point out several mistakes that I had made, and through the help files I was not only able to fix the issue, but to understand “why” I was fixing the issue.