NDepend 2017.3.2.9010 Professional Edition


Teodolinda Mattson

Jul 9, 2024, 5:16:17 PM
to quitiblyma

Combining these types of analysis should help to find nearly 95% of the faults, provided that the analysis is performed by a person who understands the source code. However, both of them have their own weaknesses. For example, code analyzers have no understanding of the code author's intent and may report false positives (a possible vulnerability that in fact does not exist) or false negatives (vice versa, when a vulnerability exists but the tool does not report it). They also cannot guarantee full test coverage of the source code and cannot check the correctness of a code operation (e.g. they cannot verify that your code works as your customer expects).

As a .NET development company, we have a great deal of experience with different tools that improve the code. In this article, we will focus on static code analyzers, and also consider NDepend, a static analysis tool for .NET managed code.



Download https://urlcod.com/2yKDOv



So, let us imagine you decide to use a static analysis tool. The choice of a suitable tool is always an individual process. Some developers use static analyzers plugged into their IDE, some prefer third-party solutions. Here are a few common things to consider when deciding which tool is right for you:

Keep in mind that using only static analyzers is not a way out. First of all, strong processes can ensure application security and code quality from the very beginning. Besides this, you also need someone who can review the results of the analysis and decide what should be done when problems are found.

Redwerk provides full-cycle development from initial concept to a live solution, and we are very attentive to the quality of the code. That is why, when we received a request from Patrick Smacchia, the lead developer of NDepend, to try out their tool, we agreed to this proposition and, as a result, also decided to provide an overview of this tool. At the time of writing the article, the version of NDepend was 1.9.

The NDepend tool supports a large number of code metrics, including dependency graphs and a dependency matrix to explore the code structure. We will review the standalone UI NDepend Professional program. Besides this, NDepend provides a number of integration variants:

As you can see, NDepend can be used in a wide variety of ways. They also provide a free trial with a batch of the professional edition functionality. In this article, we will try to provide a step-by-step guide to working with NDepend and, we hope, this will help readers to decide whether it is suitable for their current projects or not. As a piece of advice, if you think that such a tool is not needed at the moment, you can review NDepend anyway, because when you do need a static analyzer, you will reduce the time spent searching for a helpful tool.

All predefined rules have comments that provide you with a more comprehensive description. To see such an explanation, you just need to click on the rule you are interested in, and on the left side you will see its CQL query and a description.

Let us summarize everything discussed in the article. Using code analyzer tools does not mean that your code quality will, by magic, become perfect. You need to systematically check the code quality for early detection of problems, and analyzers are meant to help with this.

As for NDepend, we tried to make as comprehensive a review as possible without bias. We got the license for free, without any pressure from the NDepend team to write the article or to provide positive feedback. In defiance of this, after using it for some time, we decided that this tool can be really helpful and deserves at least a brief overview of its features. NDepend is a really powerful tool, which provides an objective, impartial review of your code. The ability to customize the analysis for each project carries huge potential. In any case, the only way to decide whether it is 100% suitable for you is to try it out yourself, especially considering that they have a trial version.

Back in September of this year, I was contacted by Patrick Smacchia, the lead developer from the NDepend team. If you're not familiar with NDepend, it's a static analysis tool for .NET. Patrick had asked me if I would be interested in reviewing the software. I don't normally write software reviews on my blog, but on this occasion, I was intrigued. I'm a long-time user of ReSharper in my day-to-day work, and ReSharper offers some amount of static analysis of your code whilst you write it. I'd also been watching certain open source projects that had appeared since the introduction of the Roslyn compiler technology, such as RefactoringEssentials, Code Cracker & SonarAnalyzer. I've been thinking a lot about static analysis of code recently, especially since I discovered Connascence and started using that as a way to reason about code.

Full Disclosure: NDepend is a commercial tool with a trial period. Patrick agreed to provide me with a complimentary professional license for the software if I wrote a review of the software on my blog. I agreed on the condition that the review would be my own, honest opinion of the software, good or bad. What follows is that personal opinion.

This is a fairly long blog post so if you want the TL;DR skip to the end and the "Conclusion" section, but I suggest that you do read this whole post to better understand my complete experience using the NDepend product.

The first step to getting up and running with NDepend was to download the software from the NDepend website. This was easy enough, simply by following the relevant links from the NDepend homepage. The version of NDepend that is current as I write this is v2017.3.2. As I already had a license, I was able to enter my license key that had been previously supplied to me via email and begin the download. NDepend comes as a .zip archive file rather than an MSI or other installer program. This was somewhat unusual as a lot of software is delivered via a setup installer package these days, but I'm an old-school, command line kind of guy and I liked that the program was supplied as a .zip file that you simply extract into a folder and go. After having done that, there's a couple of ways you can launch NDepend. There's a few executable files in the extracted folder, so it's not immediately obvious what you execute first, but NDepend does have a helpful getting started guide on their website that's easy enough to follow along with.

For usage on a development machine, you're likely to be using either the standalone Visual NDepend IDE (VisualNDepend.exe) or, perhaps more likely, the Visual Studio plugin for interacting with NDepend (installed by running the NDepend.VisualStudioExtension.Installer.exe installer). As well as being used on a developer's machine, NDepend can also run on your build machine, and this is most likely to be integrated into your build process via the NDepend command line tool (NDepend.Console.exe).

NDepend also ships with an executable called NDepend.PowerTools.exe and its source code in the NDepend.PowerTools.SourceCode folder. This is a kind of optional extra utility which is run from the command line and contains a number of predefined metrics that can be run against some .NET code. NDepend also provides an API with which we can integrate and use the NDepend functionality from our own code. Many of the metrics of the NDepend Powertools are also used within the "main" NDepend tool itself, but as the source code is supplied to the Powertools utility, we can see exactly how those metrics are calculated and exactly how the various statistics around the code that NDepend is analysing are gathered from the NDepend API. In essence, as well as providing some handy metrics of its own, the NDepend Powertools also serves as a kind of demonstration code for how to use the NDepend API.

After installing the Visual Studio plugin and launching Visual Studio, I loaded in a solution of source code that I wanted to analyse. I opted to initially launch NDepend via the installed Visual Studio plugin as I figured that is the place I'd be interacting with it most. NDepend installs itself as an extra menu option in the Visual Studio menu bar, much like other extensions such as ReSharper do. When you first view this menu on a new solution, most of the menu options are greyed out. Initially I was slightly confused by this but soon realised that as well as you having a Visual Studio solution and one or more project files for your own code, so too does NDepend have its own project files, and you need to create one of these first before you can perform any analysis of the current loaded solution. NDepend helpfully allows this with one simple click on the "Attach New NDepend project to current VS Solution" menu item. Once selected, you're asked which assemblies within your solution you wish to have analysed and then NDepend will go off and perform an initial analysis of your code.

NDepend uses both your solution's source code as well as the compiled assemblies to perform its analysis. Most of the analysis is done against the compiled code and this allows NDepend to provide statistics and metrics of the IL (or Common Intermediate Language) that your code will compile to as well as statistics and metrics of other code areas. NDepend uses the solution's source code during analysis in order to gather metrics relating to things not present inside the IL code such as code comments and also to gather statistics allowing NDepend to locate code elements such as types, methods and fields when these are shown as part of a query or search (see later for further details).

Once the analysis is complete, you'll get a pop-up window informing you of the completion of the initial analysis and asking you what to do next. You'll probably also get a new browser tab open up in your default browser containing the NDepend Analysis report. It was at this point, I was initially quite confused. Having multiple things pop up after the analysis was complete was a little startling and quite overwhelming. One thing I'd have rather seen is for the browser based report to not be loaded initially, but to have been a button to be clicked on ("View Analysis Report" or something similar) within the pop-up window. This way, only one "pop-up" is appearing, which to me is a lot less jarring.
