17. Used effectively, static analysis is cheaper than other techniques for catching the same bugs - Bill Pugh
18. If you are not using them [static analysis tools], then basically you are negligent, and you should prepare to be sued by the army of lawyers that have already hit the beach - Gary McGraw
19. Combining inspections, static analysis, and testing is cheaper than testing by itself and leads to much better defect removal efficiency levels. - Capers Jones
20. At my company, sometimes I feel less like Chief Architect, and more like Chief Debugger or Chief Code Reader. Sometimes I get too caught up in trying to read code in order to understand the big picture. This is my own failing, as I often try to use a microscope when I need a telescope. - Scott Hanselman
21. Once I realized the depth and breadth of the information I was looking at, I was like a kid in a candy shop - Scott Hanselman
22. An average of 17% cost savings would have been possible if the static analysis tool was used - Dejan Baca, Bengt Carlsson, Lars Lundberg, “Evaluating the Cost Reduction of Static Code Analysis for Software Security” (2008)
62. Links & References

# List of static code analysis tools
http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

# General:
Defective Java: Mistakes that matter - Bill Pugh – Øredev 2010
http://vimeo.com/17157772
How and to whom should you report static analysis results
http://codeintegrity.blogspot.com/2010/12/static-analysis-reporting-for-success.html
Software Engineering Radio - Static Code Analysis (Episode 59, 2006)
http://www.se-radio.net/2007/06/episode-59-static-code-analysis/
63. Links & References

# NDepend:
Link http://www.ndepend.com/
Tips http://www.ndepend.com/Tips.aspx
Metrics http://www.ndepend.com/Metrics.aspx
Hanselman podcast on static code analysis and NDepend http://www.hanselman.com/blog/HanselminutesPodcast51StaticCodeAnalysisWithNDepend.aspx
Success story on large project http://codebetter.com/patricksmacchia/2009/01/04/using-ndepend-on-large-project-a-success-story/
Hanselman/Caudwell NDepend metrics poster http://www.hanselman.com/blog/content/binary/NDepend%20metrics%20placemats%201.1.pdf
Discussions with NHibernate contributor on value of these tools (read comments)
http://codebetter.com/blogs/patricksmacchia/archive/2009/07/21/nhibernate-2-1-changes-overview.aspx
http://ayende.com/blog/4072/answering-to-nhibernate-codebase-quality-criticism
http://ayende.com/blog/4079/nhibernate-and-ndepend-skimming-the-surface
64. Links & References

Links to various NDepend analyses
NUnit http://codebetter.com/blogs/patricksmacchia/archive/2009/01/11/lessons-learned-from-the-nunit-code-base.aspx
.NET Fx 4.0 Beta 1 http://codebetter.com/blogs/patricksmacchia/archive/2009/05/21/a-quick-analyze-of-the-net-fx-v4-0-beta1.aspx
SharpDevelop http://codebetter.com/blogs/patricksmacchia/archive/2009/04/26/the-big-picture-of-the-sharpdevelop-code-base.aspx
CruiseControl.NET http://codebetter.com/blogs/patricksmacchia/archive/2009/04/23/ndepend-and-the-quality-of-the-cruise-control-net-code-base.aspx
Mono vs .NET Framework http://codebetter.com/blogs/patricksmacchia/archive/2009/01/19/mono-vs-net-framework-public-api-compatibility.aspx
Silverlight vs .NET Framework http://codebetter.com/blogs/patricksmacchia/archive/2008/10/01/comparing-silverlight-and-the-net-framework.aspx
NHibernate 2.0 http://codebetter.com/blogs/patricksmacchia/archive/2008/08/26/nhibernate-2-0-changes-overview.aspx
.NET 3.5 SP1 http://codebetter.com/blogs/patricksmacchia/archive/2008/08/13/net-3-5-sp1-changes-overview.aspx
spring.net http://unhandled-exceptions.com/blog/index.php/2010/07/21/analyzing-spring-net-with-ndepend3/

CQL examples
http://codebetter.com/patricksmacchia/2008/05/11/write-active-conventions-on-your-code-base/
http://mookid.dk/oncode/archives/1052
http://blogs.lessthandot.com/index.php/Architect/DesigningSoftware/cql-from-visual-studio-with-ndepend-3
65. Links & References

# Visual Studio Code Analysis:
Visual Studio Code Analysis and Code Metrics forum http://social.msdn.microsoft.com/forums/en-US/vstscode/threads/
Rules http://msdn.microsoft.com/en-us/library/ee1hzekz.aspx
How to write custom static code analysis rules and integrate them into VS2010 http://blogs.msdn.com/b/codeanalysis/archive/2010/03/26/how-to-write-custom-static-code-analysis-rules-and-integrate-them-into-visual-studio-2010.aspx
Data flow analysis in VS2010 (what is not in FxCop) http://blogs.msdn.com/b/codeanalysis/archive/2010/04/14/data-flow-analysis-rules-in-visual-studio-2010.aspx
Integrate VS2010 Code Analysis in CI or MSBuild
Part 1 Introduction - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio.html
Part 2 The steps - http://kentb.blogspot.com/2011/01/code-analysis-without-visual-studio_6701.html
Visual Studio and ReSharper C# coding guidelines (VS rule set, R# code style) http://csharpguidelines.codeplex.com/
66. Links & References

# FxCop:
Download http://www.microsoft.com/downloads/en/details.aspx?FamilyID=917023F6-D5B7-41BB-BBC0-411A7D66CF3C
Intro and integrate with CI http://www.developertutorials.com/tutorials/miscellaneous/continuous-code-analysis-fx-cop-805/
Share rules http://stackoverflow.com/questions/3770696/how-to-share-fxcop-rules-amongst-all-developers
How to manage a big FxCop backlog (2007) http://msmvps.com/blogs/calinoiu/archive/2007/06/02/fxcop-backlog-tools-fxcop.aspx
How to get the suppress-messages in code to work with the FxCop GUI http://blogs.msdn.com/b/codeanalysis/archive/2006/03/23/559149.aspx

# StyleCop:
Link http://stylecop.codeplex.com/
StyleCop on legacy projects http://blogs.msdn.com/b/sourceanalysis/archive/2008/11/11/introducing-stylecop-on-legacy-projects.aspx
StyleCop in CI build http://blogs.msdn.com/b/sourceanalysis/archive/2008/05/24/source-analysis-msbuild-integration.aspx
67. Links & References

# ReSharper
Link www.jetbrains.com/resharper/
Code Quality Analysis http://www.jetbrains.com/resharper/features/code_analysis.html
Structural Search and Replace http://blogs.jetbrains.com/dotnet/2010/04/introducing-resharper-50-structural-search-and-replace/
ReSharper Settings Manager http://rsm.codeplex.com/

# List of rules from other tools:
Fortify (HP) https://www.fortify.com/vulncat/en/vulncat/index.html