Thursday, 19 July 2007

Code analysis and metrics in .NET applications

Code Analysis and Code metrics are some of the strategies to verify software quality. Quality of software as a product can be described in terms of what was expected of the software and what we actually have (or how we perceive it). This “fit for purpose” criterion is an important concept in determining software quality.

Besides meeting up to the functional requirements we can also look at quality of software from another point of perspective. Other stakeholders of the software (development, operations, etc) also have an interest in the quality of the software product. These are typically expressed as quality attributes that the software product must have; Reliability, resource efficiency, maintainability, testability, manageability, etc.

In order to have some objective measurements to quantify the software quality attributes, process and software metrics are used. Process metrics are more related to the software development process aspects and operations: for example number of bug fixes for a period, number of daily build errors, mean time between failures, etc. Software metrics are more based on measurements of the software in its static form; the software code. Some these measurements can be performed by tools while others require more human intervention.
Besides metrics there is also another tool group that analyse code but these tools check if the code does for example adhere to a particular naming convention, or if the code does not introduce a potential security bug.

Although the usage of these tools can be used in an audit scenario, these tools can also be used during coding or even be integrated into the build-process. Of course after receiving the feedback form the tools and identifying potential problems in terms of maintainability, performance or other quality attribute, it is time to revise the code. Re-factoring is the act of modifying the code without changing its functionality in order to improve understand-ability and hence future maintainability of the source code.

Manual inspection is good and is the most flexible but also the most tedious. That's why tool-support is indispensable. Although a written check-list is stil valuable to have some reference or to use a guideline during coding (pro-active versus re-active).

Here is a list of some tools and VS2005 features to facilitate you in avoiding potential bugs and non-conformance to certain rules. It is not at all intended to be complete. I included some screenshots to give you a feel what the tools or features do.

FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines. It uses reflection, MSIL parsing, and callgraph analysis to inspect assemblies (latest version 1.3.5 :

Early Warning with the VB.NET 2005 background compiler. It catches runtime errors while writing code. For example ;
- Unused local variable
- Function, operator without return
- Reference on possible null reference

In the compile tab , you can specify what to do when certain compilation condition occurs . As a best practice , you should enable “treat all warnings as an error” (a warning is an error in the making!). Certainly a must for release (Preferable for debug as well).

The Team Edition version of VS2005 for software developers has some additional features in the realm of quality assurance. It has an integrated version of FXCop (Code Analysis) that must be must be explicitly enabled (Run during compilation or it you can run it on demand)

Refactoring is a disciplined technique of restructuring your existing body of code by altering its internal structure without changing its external behavior. If you have written code to perform a specific function in your application, you can refactor it into a method that you can reuse throughout your application whenever you need it. It is out-of-the box available in C#, but you need an add-on in VB.NET (for example devExpress). Some examples
- Extract Method : split up large method
- Encapsulate field : promote to property variable
- Introduce constants : avoid multiple definitions of strings

SourceMonitor ( is a freeware program that analyzes your source (C# , , C++ , etc.) and calculates some metrics (very fast) . An interesting feature is the ability to save metrics in checkpoints for comparison during software development projects so you can compare them to see if we’re you’re heading. Several other views on the calculated metrics are available. There is also a Kiviat graph to visualize several metrics at once.

The new Visual Studio 2008 has Code Metrics feature available in Visual Studio Team Developer and Team Suite. This new feature allows users to generate code metrics for projects and solutions and displays the results in the Code Metrics Results tool window. It currently calculates five different metrics; Maintainability Index, Cyclomatic Complexity, Depth of Inheritance, Class Coupling, and Lines of Code.

One of the most cited tools in metrics and code analysis for .NET projects is NDepend. It provides many metrics, at application level, at assembly level, at type level (LCOM, RFT…) and at IL instruction level (CC, number of instruction). It helps you detect which assemblies are potentially painful to maintain. It is non-intrusive .Works (mainly) on compiled IL . For some metrics the PDB file is required. Some metrics though are only available for C# code. The author Patrick Smacchia also maintains a website ( describing each metric. For interactive analysis, you'll be using two applications in tandem. The NDepend.Project and Visual NDepend. There is also a console program that can be integrated in the build process and produces xml-files. One of the most powerful features is that NDepend lets you write and evaluate queries written in Code Query Language (CQL). This is a SQL-like language that lets you interrogate NDepend's internal view of your code's structure. It allows a customizable system for watching for violations of corporate coding standards. Of course Ndepend comes a number of pre-built CQL queries.

Lutz Roeder’s .NET reflector , a tool to investigate your assemblies, has also add-ins to calculate some metrics and to visualize the dependencies between assemblies (

Code Style Enforcer is a DXCore plug-in for Visual Studio 2005 that checks the code against a configurable code standard and best practices. It is developed for C#, but some of the rules will also work for VB .NET, though not tested ( It based on Idesgn Styleguide (

Of course code analysis and code metrics are only a subset of Quality Assurance techniques but those are for another post.



sergeb said...

Hi Alexander,

This is great Code Analysis review.

I was trying to get in touch with you to see if you share you expert opinion on our new Static Analysis tool CodeIt.Right

Please let me know if you are interested and I will provide you with details.

anowak said...



I haven't used your tool yet but based on the information on your website it looks very promising.

I will certainly try it out (soon).

Best regards,


sergeb said...

Thank you, Alexander!

Please be sure and take a look that the Flash presentation(s).

If you have any questions, feel free to contact me at or in the submain community forums.

Aeldra Robinson said...

I was trying to get in touch with you to see if you share you expert opinion on our new Static Analysis tool CodeIt
Please let me know if you are interested and I will provide you with details.
run code analysis