What is Static Code Analysis
Every developer wants to write predictive, maintainable and high quality software. Unfortunately that's not always the case because of our human nature - we do make mistakes. That's why we try to automate all the things related to software development lifecycle: testing, deploying, running applications.
But what about the codebase? What do we do to enforce minimally complex and maintainable code, ensure proper code styles standards, prevent common pitfalls and violations, and predict what the code would do at runtime?
By applying RULES defined by your team, the platform or the programming language. And that's what Static Code Analysis is all about.
Static Code Analysis can be simple manual inspection such as code review or automated via some of the tools we will overview in this blog post.
Keep digging
Eric Dietrich wrote very explanatory article about what exactly Static Analysis is here:
https://blog.ndepend.com/static-analysis-explanation-everyone/
If you are curious about Dynamic Analysis you can also check out these articles:
https://securityboulevard.com/2021/02/dynamic-code-analysis-a-primer/
https://github.com/analysis-tools-dev/dynamic-analysis
https://www.overops.com/blog/static-vs-dynamic-code-analysis-how-to-choose-between-them/
This post is Part 1 from the Static Analysis series. In the next post we will setup SonarCloud for a ASP.NET Core + React SPA project in CI pipeline. Check it out here.
Where to use Static Code Analysis
I found plenty of NuGet packages, IDE extensions and external services available on the market. That was hard to digest and probably I might miss some very helpful tools. Would be great if you guys share your opinion or favorite tools for the job.
In development
Using build-time code analysis in Visual Studio /Code (or other preferred tool), we enable developers to quickly understand what rules are being broken. This enables them to fix code earlier in the development lifecycle, and we can avoid builds that fail later.
Extensions for Visual Studio Code
- OmniSharp - https://github.com/OmniSharp/omnisharp-roslyn A go-to tool for C# development in VSC.
- Roslynator - https://github.com/JosefPihrt/Roslynator A collection of 500+ analyzers, refactorings and fixes for C#, powered by Roslyn.
- DevSkim - https://github.com/microsoft/devskim DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis in the dev environment as the developer writes code.
- SonarLint - https://www.sonarlint.org/vscode Even that this extension doesn't scan your .NET projects it's still super useful for your frontend html, css, js, ts files.
- Sonar Dotnet - https://github.com/yagoluiz/sonar-dotnet-vscode/ Easy connect to SonarCloud from your development environment.
Extensions for Visual Studio
- Roslynator - https://github.com/JosefPihrt/Roslynator Again the famous Roslynator analyzers for Visual Studio.
- ReSharper - https://www.jetbrains.com/resharper/ This is more than just analysis tool. If you haven't heard of ReSharper, definitely should be checked out.
- NDepend - https://www.ndepend.com/ The "Swiss Army Knife" for .NET Developers, Architects and Teams.
Other tools
- Rider - https://www.jetbrains.com/rider/ Another great IDE for .NET developers which comes with the power of ReSharper.
In build pipelines
NuGet packaged analyzers are the easiest, and they will automatically run as your project builds on the build agents. When a build encounters a code quality error, you can immediately fail the build, send alerts, or apply any other actions you and your team needs.
.NET Core SDK 3.0 or later, comes with included analyzers for Open APIs previously known as Swagger. To enable the analyzer in your project, include the IncludeOpenAPIAnalyzers property in the project file:
<PropertyGroup>
<IncludeOpenAPIAnalyzers>true</IncludeOpenAPIAnalyzers>
</PropertyGroup>
NuGet packages
- Microsoft recommended code quality rules and .NET API usage rules - https://www.nuget.org/packages/Microsoft.CodeAnalysis.NetAnalyzers/
- Microsoft's CSharp analyzers for ASP.NET Core MVC - https://www.nuget.org/packages/Microsoft.AspNetCore.Mvc.Api.Analyzers
- Roslynator analyzers as NuGet package - https://www.nuget.org/packages/Roslynator.Analyzers
- SonarCloud analyzers - https://www.nuget.org/packages/SonarAnalyzer.CSharp/
- Check for Async/await misuses - https://www.nuget.org/packages/AsyncFixer
- An implementation of StyleCop's rules using Roslyn - https://www.nuget.org/packages/StyleCop.Analyzers/
Security analyzers
- Security static code analyzer for .NET - https://www.nuget.org/packages/SecurityCodeScan.VS2019/
- DevSkim is a framework and language analyzer that provides inline security analysis - https://www.nuget.org/packages/Microsoft.CST.DevSkim/
Different CI tools may provide their own tool for security analysis:
- Only Azure DevOps - https://secdevtools.azurewebsites.net/helpcredscan.html
- Only GitLab - https://docs.gitlab.com/ee/user/application_security/sast/index.html
- GitHub - https://github.com/marketplace?category=code-quality&type=apps Last but not least. GitHub's community driven marketplace provides so many tools for code quality, security and everything else you can think of.
NuGet packages for the Test projects
- Provides diagnostic analyzers to warn about incorrect usage of NSubstitute in C# - https://www.nuget.org/packages/NSubstitute.Analyzers.CSharp
- Code Analyzers for projects using xUnit.net - https://www.nuget.org/packages/xunit.analyzers
External services
- SonarCloud - https://sonarcloud.io/ My go-to tool for .NET projects. They even have a separate scanner for .NET. Pretty nice integration with Azure DevOps. Free for public projects.
- Embold - https://embold.io/ Fairly new tool with Free plan for 1M executable-lines-of-code for public repositories.
- CodeBeat - https://codebeat.co/ Free for public repositories.
- CodeFactor - https://www.codefactor.io/ 1 private and unlimited free repositories.
- CodeClimate - https://codeclimate.com/ 50 free repositories.
- Codacy - https://www.codacy.com/ Paid service.
And many more counting. These are the one I found easy to get started without installing and configuring additional software.
Conclusion
In first issues raised by static code analysis might be considered as overhead, but static code analysis brings huge benefits in long term which can be summarized to but not only:
- You have the confidence to release more frequently.
- This results in having a quicker TTM (Time to Market).
- Reduce business risks (data loss, vulnerabilities, application failures, ..)
Rules may sometimes get on your way and slow down your development, but you and your team are in charge to establish given rules or completely ignore/disable them.
In the next post I will configure SonarCloud for ASP.NET Core + React SPA so stay tuned.
Which are your favorite static code analysis tools? Please share your thoughts in the comments or create a PR in GitHub.
Happy analyzing :)
Resources
https://docs.microsoft.com/en-us/visualstudio/code-quality/?view=vs-2019
Latest comments (3)
Hello Georgi,
Thank you for your post. It's great to see you talk about static analysis! :)
As far as static analyzers for C# go, I would like to mention PVS-Studio. You can integrate this analyzer into a pipeline or use it from within your IDE. PVS-Studio provides plugins for Visual Studio and Rider. The PVS-Studio analyzer is a paid tool, but free use is possible for certain projects and developers.
You can find more information about the tool on the official website: pvs-studio.com/en/pvs-studio/
Do you think it might be worth mentioning PVS-Studio in one of your article's sections?
Thanks!
Hi Sergey,
Thanks for reaching out. I saw PVS-Studio when I did my research on the topic, but their pricing model stopped me from investigate it further.
I will try to obtain free licence for open source projects and have a more closer look.
Once I have that I can share my observations and probably include it in the post :)
Thank you, I look forward to hearing about your experience. :)