Avoiding the Hotfix
Code analysis is gaining a lot more attention these days, especially from Microsoft. Most people are well-acquainted with FxCop and PREfast. But the folks in Redmond are looking at code analysis as a key feature of Visual Studio (VS) 2010. Some of the preview functionality evidenced in the early CTPs includes rule sets -- Microsoft All Rules, Microsoft Security Rules, Microsoft Minimum Recommended Rules -- a gated check-in policy and more advanced dataflow rules, some specifically targeted at preventing SQL injection.
Microsoft and its proponents have also demonstrated upcoming Visual Studio Team System 2010 features such as a historical debugger and impact analysis. Ironically, the demo I saw was so buggy that the presenter had to make jokes and entertain the audience as he continually tried to reboot the very early software.
In many scenarios, companies may need to extend the code analysis and metrics in VS with third-party analysis tools. Last week, Coverity released an upgraded version of its Prevent static analysis software which supports VS and Eclipse. The latest version beefs up the VS integration and adds support for Windows Mobile, Windows Automotive and Xbox. It also offers C# concurrency defect detection, which according to the company makes Prevent the first product to support this functionality. Prevent already offered concurrency features for Java and C++.
Upcoming tooling will take advantage of Microsoft's efforts to put annotations into its system header files. "There is no way a static analysis tool can automatically pick up these things," said Andy Chou, Coverity's chief scientist and co-founder. "You really need someone to annotate the code and that is a huge benefit to customers who are using this platform."
Earlier this week, NCover, a .NET specialist in code coverage analysis, released version 3 of its flagship product -- available in a community edition and the more advanced commercial products. Code coverage, often employed in Agile and test-driven development, makes sure the test cases touch all of the code by measuring how many times each line of code is executed. NCover version 3 improves coverage loading performance, according to the company, and adds new metrics such as cyclomatic complexity and method visit coverage.
As security exploits continue to make headlines and the economic downturn leaves little room for missteps, best practices for code analysis should be on everybody's radar. Every security bulletin issued by Microsoft is estimated to cost $100,000, said Ravs Kaur, test lead in Redmond, who stressed the importance of "driving quality upstream."
During a session at the Professional Developers Conference in October, Kaur outlined some of the best practices that Microsoft recommends:
- Bake quality into the build.
- Prevent new issues.
- Set up Code Analysis Check-in policy.
- Don't defer potential security issues.
- Enable Code Analysis Team Build.
Express your thoughts on Visual Studio code analysis and the tenets of quality code at email@example.com.
Posted by Kathleen Richards on 02/05/2009 at 12:54 PM