DEV Community

Georgi Marokov
Georgi Marokov

Posted on • Updated on • Originally published at worldwildweb.dev

Static Code Analysis for your .NET projects

What is Static Code Analysis

Every developer wants to write predictive, maintainable and high quality software. Unfortunately that's not always the case because of our human nature - we do make mistakes. That's why we try to automate all the things related to software development lifecycle: testing, deploying, running applications.

But what about the codebase? What do we do to enforce minimally complex and maintainable code, ensure proper code styles standards, prevent common pitfalls and violations, and predict what the code would do at runtime?

By applying RULES defined by your team, the platform or the programming language. And that's what Static Code Analysis is all about.

Static Code Analysis can be simple manual inspection such as code review or automated via some of the tools we will overview in this blog post.

Keep digging

Eric Dietrich wrote very explanatory article about what exactly Static Analysis is here:

https://blog.ndepend.com/static-analysis-explanation-everyone/

If you are curious about Dynamic Analysis you can also check out these articles:

https://securityboulevard.com/2021/02/dynamic-code-analysis-a-primer/

https://github.com/analysis-tools-dev/dynamic-analysis

https://www.overops.com/blog/static-vs-dynamic-code-analysis-how-to-choose-between-them/

This post is Part 1 from the Static Analysis series. In the next post we will setup SonarCloud for a ASP.NET Core + React SPA project in CI pipeline. Check it out here.

Where to use Static Code Analysis

I found plenty of NuGet packages, IDE extensions and external services available on the market. That was hard to digest and probably I might miss some very helpful tools. Would be great if you guys share your opinion or favorite tools for the job.

In development

Using build-time code analysis in Visual Studio /Code (or other preferred tool), we enable developers to quickly understand what rules are being broken. This enables them to fix code earlier in the development lifecycle, and we can avoid builds that fail later.

Extensions for Visual Studio Code

Extensions for Visual Studio

Other tools

In build pipelines

NuGet packaged analyzers are the easiest, and they will automatically run as your project builds on the build agents. When a build encounters a code quality error, you can immediately fail the build, send alerts, or apply any other actions you and your team needs.

.NET Core SDK 3.0 or later, comes with included analyzers for Open APIs previously known as Swagger. To enable the analyzer in your project, include the IncludeOpenAPIAnalyzers property in the project file:

<PropertyGroup>
    <IncludeOpenAPIAnalyzers>true</IncludeOpenAPIAnalyzers>
</PropertyGroup>
Enter fullscreen mode Exit fullscreen mode

NuGet packages

Security analyzers

Different CI tools may provide their own tool for security analysis:

NuGet packages for the Test projects

External services

And many more counting. These are the one I found easy to get started without installing and configuring additional software.

Conclusion

In first issues raised by static code analysis might be considered as overhead, but static code analysis brings huge benefits in long term which can be summarized to but not only:

  • You have the confidence to release more frequently.
  • This results in having a quicker TTM (Time to Market).
  • Reduce business risks (data loss, vulnerabilities, application failures, ..)

Rules may sometimes get on your way and slow down your development, but you and your team are in charge to establish given rules or completely ignore/disable them.

In the next post I will configure SonarCloud for ASP.NET Core + React SPA so stay tuned.

Which are your favorite static code analysis tools? Please share your thoughts in the comments or create a PR in GitHub.

Happy analyzing :)

Resources

https://blog.tdwright.co.uk/2018/12/10/seven-reasons-that-roslyn-based-code-analysers-are-awesome/?preview=true

https://docs.microsoft.com/en-us/visualstudio/code-quality/?view=vs-2019

https://github.com/analysis-tools-dev/static-analysis

Top comments (3)

Collapse
 
_sergvasiliev_ profile image
Sergey Vasiliev

Hello Georgi,
Thank you for your post. It's great to see you talk about static analysis! :)

As far as static analyzers for C# go, I would like to mention PVS-Studio. You can integrate this analyzer into a pipeline or use it from within your IDE. PVS-Studio provides plugins for Visual Studio and Rider. The PVS-Studio analyzer is a paid tool, but free use is possible for certain projects and developers.

You can find more information about the tool on the official website: pvs-studio.com/en/pvs-studio/

Do you think it might be worth mentioning PVS-Studio in one of your article's sections?
Thanks!

Collapse
 
gmarokov profile image
Georgi Marokov

Hi Sergey,
Thanks for reaching out. I saw PVS-Studio when I did my research on the topic, but their pricing model stopped me from investigate it further.
I will try to obtain free licence for open source projects and have a more closer look.
Once I have that I can share my observations and probably include it in the post :)

Collapse
 
_sergvasiliev_ profile image
Sergey Vasiliev

Thank you, I look forward to hearing about your experience. :)