By Mike Gunderloy

Sometimes software consultants seem to put themselves in the position of the cobbler’s children: The cobbler is too busy to make shoes for his own children, so they’re forced to go barefoot. In the same way, many consultants write fabulous code to solve their clients’ problems, without ever thinking to turn code and tools on their own difficulties.

A case in point is code reviews. It’s fairly well established that a solid system of code reviews can catch up to 90 percent of all coding errors. But is all of the code from your company reviewed, or does some slip through the cracks? If it’s reviewed, does it all get reviewed as often as you’d like? Have you considered using one of the many tools out there to help with code reviews?

Don’t get me wrong: The gold standard for code reviews is still to have an experienced developer or group of developers walk through every line of code you write, questioning you about potential problems. What an automated tool can do is make such full-blown reviews easier by helping you identify and correct many errors before the code ever leaves your machine. And that in turn can translate to getting better code out the door quicker.

I’ll introduce you to three tools that provide varying levels of automated code review:

  • FxCop
  • SSW Code Auditor
  • Total .NET Analyzer

FxCop comes straight from the horse’s mouth—that is, from the team at Microsoft responsible for the .NET Framework. You can download a copy and the very useful .NET Framework Design Guidelines. FxCop is primarily aimed at class libraries, though it can be used with any assembly where you’re interested in following Microsoft’s design guidelines.

To run FxCop, you select one or more assemblies, one or more rules (FxCop supplies a default set), and zero or more exclusions (which remove particular rule violations from the set that FxCop considers). Then click the Analyze button and you’re off. FxCop uses reflection to look inside the specified assemblies for rule violations. Very quickly you’ll get a list back—and it may be quite extensive, as shown in Figure A.

Figure A

FxCop is particularly strong at enforcing naming conventions on your code. Other areas covered by its analysis include localization, security, and performance. There’s also an FxCop SDK (which is installed as part of the regular setup) that lets you add your own rules to those that FxCop checks.

Rule creation is not for the faint of heart; you’ll require a good familiarity with using reflection to succeed. But if you know what you’re doing, FxCop offers almost unlimited flexibility for customization to meet your corporate standards.

Finally, in addition to the GUI version, the FxCop package also includes a command line version. Couple this with the ability to save the output as XML, and you end up with an easy way to integrate automated code checking directly into your daily build process. Imagine surfing to a page on the corporate intranet containing a list of all your library’s standards violations after every build; with FxCop and a bit of XSLT programming, that can be a reality.

SSW Code Auditor
Of course, Microsoft isn’t the only game in town. Australia’s SSW has been shipping products to improve the lot of Microsoft-centric developers for a long time, and SSW Code Auditor is one of the results. Code Auditor takes a simpler approach to code reviews than does FxCop, and accordingly, an easier one to modify. Rather than use reflection to test code, Code Auditor uses regular expressions.

To define a rule, you can specify a regular expression and a file type, and tell Code Auditor whether the expression should be found or not in the file. One big plus here is that there’s a regular expression builder included with the product, which will help anyone who’s shaky on this sometimes complex pattern-matching syntax.

After you’ve defined your rules (there’s a small set included in the product, mainly aimed at Web applications), running Code Auditor is simple: A wizard guides you through selecting what to audit and which rules to apply, and the results are presented in an XML report, as shown in Figure B. They’re also saved to a database for future reference.

Figure B

One interesting (and potentially dangerous) feature sets SSW Code Auditor apart from the rest of the tools I’ve used. In addition to defining a search pattern, you can define a replacement string. So if, for example, you insist that all hyperlinks in your Web site include target=”_blank,” you can actually enforce this during the auditing process. You’ll want to use this facility with care, of course.

You can learn more about SSW Code Auditor or download a trial version from the Superior Software for Windows Web site. The full, registered version sells for $99.

Total .NET Analyzer
If you’re a developer who prefers to work within the Visual Studio .NET interface, take a look at Total .NET Analyzer from FMS. The FMS folks have been developing analysis tools for a good long while, and this is a mature and dependable product. It’s also completely integrated with Visual Studio .NET. Total .NET Analyzer provides its own dockable ToolWindow in which all analysis is performed, as shown in Figure C.

Figure C

One thing you’ll notice if you run Analyzer is that it’s fast. That’s because, as a VS.NET add-in, it keeps an eye on your code as you type it. Analyzer constantly runs your code through its own parsing engine so that when you want results back it can deliver quickly.

The other benefit to this parsing is that Analyzer can perform some quite sophisticated analyses. For example, it can warn you about code that’s never executed because a logical condition can never be true. Other rules cover everything from variable naming that doesn’t conform to the design guidelines through warnings about the cost of boxing and unboxing.

Of the products I’ve looked at here, Total .NET Analyzer takes the most detailed look at code from all angles of best practices.

There are other benefits to Visual Studio .NET integration as well. You don’t have to search to find the line of code that’s causing a warning; just click in the ToolWindow, and you’ll be taken directly there. Also, you can get more details about errors at any time by clicking a button in the Analyzer interface; these details open as help pages within the IDE.

Of course, no product is perfect. Although there is some customizability here (you can adjust the severity or category of a rule or add your own notes), you can’t extend the list with your own rules. So if your corporate standards don’t agree with those suggested by FMS, this product could be a poor fit. Fortunately, the entire rules list is online (along with other information and a trial download) at the FMS Web site. The full product costs $499.

Standards and best practices
Of course, no tool is the magic bullet that’s going to make your code perfect. There’s no substitute for having a process in place to ensure that bad code doesn’t get out the door. What some consultants miss is that there’s no hard and fast standard for what is good or bad code. Instead, it’s incumbent on your organization to set its own standards. Whether you decide to use camel-case or Pascal-case for variables is far less important than the simple fact that you make a decision that all developers involved in the project will follow.

But making your own decisions doesn’t prevent you learning from others. One valuable thing that a product such as FxCop or SSW Code Auditor or Total .NET Analyzer can do is run through your code and give you a sense of what might trouble other experts. Armed with this knowledge, you’ll know what areas you need to pay attention to when setting standards. Then it’s time to close the loop: Set the standards, ensure compliance with the standards (ideally by using an automated tool such as those I’ve looked at), and then concentrate on the higher-level review of logic and meeting requirements. I’ve found this to be a winning way to ship higher quality code faster, which is ultimately one of the most profitable things that a consultant can do.