Coding Horror

programming and human factors

Managed Code Analysis Tools

Navigating a new codebase can feel like landing on an alien planet. That's where static code analysis tools come in handy; they're akin to software tricorders. They provide a general snapshot of unfamiliar code: Is it normal? Is it unusual? Is it dangerous?*

Classic Star Trek Tricorder

There's an element of "correctness" associated with static code analysis, but I think this should be de-emphasized. The last thing developers want is a Code Nazi peering over their shoulder. I prefer to think of these tools as software tricorders, collecting a bunch of recommendations and metrics about our code. What we choose to do with that data is up to us.

The most famous static code analysis tool for .NET is, of course, Microsoft's FxCop. If you haven't tried FxCop in a while, I recommend running the latest version across one of your compiled assemblies. You'd be surprised how helpful it is, particularly for identifying unused variables and functions. You may also be surprised how annoying some of the rules are; that's why the entire list of rules can be selectively enabled or disabled and saved as profiles. You can even write your own custom FxCop rules-- how about a custom rule that requires XML documentation for each assembly, as illustrated in this June 2004 MSDN article?

FxCop is currently a standalone .exe in an informal GotDotNet workspace, but in Visual Studio 2005, it's an integrated part of the build process. You can enable output from the console version of FxCop by ticking the checkbox on the Code Analysis tab of the project properties. Any FxCop warnings or errors then show up as you would expect in the standard Task List tab.**

There's at least one commercial tool that also does .NET static code analysis, namely FMS Total .NET Analyzer. I tried the evaluation version which is limited to identifying only one issue for each category. It's nice enough, but it also seems to overlap quite a bit with FxCop. And it's pricey.

In addition to those well-known tools, Raymond Lewallen and Robin Curry found some additional lesser-known managed code analysis tools:

I've heard good things about NDepends in particular, but I haven't had a chance to check it out yet.

* Don't bother if you're wearing a red shirt. In classic Trek fashion, you may not be around long enough to care.
** At least in VS.NET 2005 beta 2, you can.

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Overflow and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: https://infosec.exchange/@codinghorror