Static Code Analysis for your .NET projects

What is Static Code Analysis

Every developer wants to write predictive, maintainable and high quality software. Unfortunately that’s not always the case because of our human nature – we do make mistakes. That’s why we try to automate all the things related to software development lifecycle: testing, deploying, running applications.

But what about the codebase? What do we do to enforce minimally complex and maintainable code, ensure proper code styles standards, prevent common pitfalls and violations, and predict what the code would do at runtime?

By applying RULES defined by your team, the platform or the programming language. And that’s what Static Code Analysis is all about.

Static Code Analysis can be simple manual inspection such as code review or automated via some of the tools we will overview in this blog post.

Keep digging

Eric Dietrich wrote very explanatory article about what exactly Static Analysis is here:

https://blog.ndepend.com/static-analysis-explanation-everyone/

If you are curious about Dynamic Analysis you can also check out these articles:

https://securityboulevard.com/2021/02/dynamic-code-analysis-a-primer/

https://github.com/analysis-tools-dev/dynamic-analysis

https://www.overops.com/blog/static-vs-dynamic-code-analysis-how-to-choose-between-them/

This post is Part 1 from the Static Analysis series. In the next post we will setup SonarCloud for a ASP.NET Core + React SPA project in CI pipeline.

Where to use Static Code Analysis

I found plenty of NuGet packages, IDE extensions and external services available on the market. That was hard to digest and probably I might miss some very helpful tools. Would be great if you guys share your opinion or favorite tools for the job.

In development

Using build-time code analysis in Visual Studio /Code (or other preferred tool), we enable developers to quickly understand what rules are being broken. This enables them to fix code earlier in the development lifecycle, and we can avoid builds that fail later.

Extensions for Visual Studio Code

Extensions for Visual Studio

Other tools

In build pipelines

NuGet packaged analyzers are the easiest, and they will automatically run as your project builds on the build agents. When a build encounters a code quality error, you can immediately fail the build, send alerts, or apply any other actions you and your team needs.

.NET Core SDK 3.0 or later, comes with included analyzers for Open APIs previously known as Swagger. To enable the analyzer in your project, include the IncludeOpenAPIAnalyzers property in the project file:

<PropertyGroup>
    <IncludeOpenAPIAnalyzers>true</IncludeOpenAPIAnalyzers>
</PropertyGroup>

NuGet packages

Security analyzers

Different CI tools may provide their own tool for security analysis:

NuGet packages for the Test projects

External services

And many more counting. These are the one I found easy to get started without installing and configuring additional software.

Conclusion

In first issues raised by static code analysis might be considered as overhead, but static code analysis brings huge benefits in long term which can be summarized to but not only:

  • You have the confidence to release more frequently.
  • This results in having a quicker TTM (Time to Market).
  • Reduce business risks (data loss, vulnerabilities, application failures, ..)

Rules may sometimes get on your way and slow down your development, but you and your team are in charge to establish given rules or completely ignore/disable them.

In the next post I will configure SonarCloud for ASP.NET Core + React SPA so stay tuned.

Which are your favorite static code analysis tools? Please share your thoughts in the comments or create a PR in GitHub.

Happy analyzing 🙂

Resources

https://blog.tdwright.co.uk/2018/12/10/seven-reasons-that-roslyn-based-code-analysers-are-awesome/?preview=true

https://docs.microsoft.com/en-us/visualstudio/code-quality/?view=vs-2019

https://github.com/analysis-tools-dev/static-analysis

Comments: