Code Analysis and Code Metrics are some of the strategies to verify software quality. Quality of software as a product can be described in terms of what was expected of the software and what we actually have (or how we perceive it). This "fit for purpose" criterion is an important concept in determining software quality.
Besides meeting up to the functional requirements, we can also look at the quality of software from another point of perspective. Other stakeholders of the software (development, operations, etc.) also have an interest in the quality of the software product. These are typically expressed as quality attributes that the software product must have: reliability, resource efficiency, maintainability, testability, manageability, etc.
In order to have some objective measurements to quantify software quality attributes, process and software metrics are used. Process metrics are more related to the software development process aspects and operations: for example, the number of bug fixes for a period, the number of daily build errors, the mean time between failures, etc. Software metrics are more based on measurements of the software in its static form: the software code. Some of these measurements can be performed by tools while others require more human intervention. Besides metrics there is also another tool group that analyses code, but these tools check if the code does, for example, adhere to a particular naming convention, or if the code does not introduce a potential security bug.
Although the usage of these tools can be in an audit scenario, these tools can also be used during coding, or even be integrated into the build-process. Of course, after receiving the feedback form the tools and identifying potential problems in terms of maintainability, performance, or other quality attributes, it is time to revise the code. Re-factoring is the act of modifying the code without changing its functionality, in order to improve understand-ability and hence future maintainability of the source code.
Manual inspection is good and is the most flexible, but also the most tedious. That's why tool-support is indispensable. Although, a written check-list is still valuable to have some reference or to use as a guideline during coding (pro-active versus re-active).
Here is a list of some tools and VS2005 features to facilitate you in avoiding potential bugs and non-conformance to certain rules. It is not at all intended to be complete. I included some screenshots to give you a feel of what the tools or features do.
FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses Reflection, MSIL parsing, and callgraph analysis to inspect assemblies (latest version 1.3.5: www.gotdotnet.com).
When you run this tool on an assembly, you will get a list of warnings:
Early Warning comes with the VB.NET 2005 background compiler. It catches runtime errors while writing code. For example:
- Unused local variables
- Functions, operators without return
- Reference on possible null references
In the Compile tab, you can specify what to do when certain compilation conditions occur. As a best practice , you should enable "treat all warnings as an error" (a warning is an error in the making!). Certainly, a must for release (preferable for debug as well).
VS2005 Code Analysis
The Team Edition version of VS2005 for software developers has some additional features in the realm of quality assurance. It has an integrated version of FXCop (Code Analysis) that must be explicitly enabled (run during compilation, or you can run it on demand).
Refactoring is a disciplined technique of restructuring your existing body of code by altering its internal structure without changing its external behavior. If you have written code to perform a specific function in your application, you can refactor it into a method that you can reuse throughout your application whenever you need it. It is out-of-the box available in C#, but you need an add-on in VB.NET (for example, devExpress). Some examples:
- Extract method: split up large method
- Encapsulate field: promote to property variable
- Introduce constants: avoid multiple definitions of strings
Another much quoted player in this field is Resharper from JetBrains.
SourceMonitor is a freeware program that analyzes your source (C#, VB.NET, C++, etc.) and calculates some metrics (very fast). An interesting feature is the ability to save metrics in checkpoints for comparison during software development projects so you can compare them to see where you're heading to. Several other views on the calculated metrics are available. There is also a Kiviat graph to visualize several metrics at once.
VS 2008 (Orcas)
The new Visual Studio 2008 has the Code Metrics feature available in the Visual Studio Team Developer and Team Suite. This new feature allows users to generate code metrics for projects and solutions, and displays the results in the Code Metrics Results tool window. It currently calculates five different metrics: Maintainability Index, Cyclomatic Complexity, Depth of Inheritance, Class Coupling, and Lines of Code.
One of the most cited tools in metrics and code analysis for .NET projects is NDepend. It provides many metrics, at application level, at assembly level, at type level (LCOM, RFT…), and at IL instruction level (CC, number of instructions). It helps you detect which assemblies are potentially painful to maintain. It is non-intrusive and works (mainly) on compiled IL. For some metrics, the PDB file is required. Some metrics, though, are only available for C# code. The author Patrick Smacchia also maintains a website describing each metric. For interactive analysis, you'll be using two applications in tandem: the NDepend.Project and Visual NDepend. There is also a console program that can be integrated in the build process and it produces XML-files. One of the most powerful features is that NDepend lets you write and evaluate queries written in Code Query Language (CQL). This is a SQL-like language that lets you interrogate NDepend's internal view of your code's structure. It allows a customizable system for watching for violations of corporate coding standards. Of course, Ndepend comes with a number of pre-built CQL queries. Ndepend is fee-based.
Lutz Roeder's .NET reflector, a tool to investigate your assemblies, has add-ins to calculate some metrics and to visualize the dependencies between assemblies (www.codeplex.com).
Code Style Enforcer
Code Style Enforcer is a DXCore plug-in for Visual Studio 2005 that checks the code against a configurable code standard and best practices. It is developed for C#, but some of the rules will also work for VB.NET, though not tested. It is based on the Idesign Styleguide.
I suggest you give these tools a try. Many of these tools also come with a command-line version so you can integrate them, for example, in your build-process.
Of course, code analysis and code metrics are only a subset of Quality Assurance techniques, but those are for another article.
- 10/08/2007: updated article for incorporating remarks from several messages posted.
Alexander Nowak is .NET application developer working for Capgemini Belgium. Topics of interest are .NET Application architecture ,design and programming as well as Software development practices.