What tools are there available for static analysis against C# code? I know about FxCop and StyleCop. Are there others? I've run across NStatic before but it's been in development for what seems like forever - it's looking pretty slick from what little I've seen of it, so it would be nice if it would ever see the light of day.
Along these same lines (this is primarily my interest for static analysis), tools for testing code for multithreading issues (deadlocks, race conditions, etc.) also seem a bit scarce. Typemock Racer just popped up so I'll be looking at that. Anything beyond this?
Real-life opinions about tools you've used are appreciated.
~ Asked on 2008-09-01 23:54:02
Code violation detection Tools:
FxCop, excellent tool by Microsoft. Checks compliance with .NET Framework guidelines.
Edit October 2010: No longer available as a standalone download. It is now included in the Windows SDK and after installation can be found in Program Files\Microsoft SDKs\Windows\ [v7.1] \Bin\FXCop\FxCopSetup.exe
Edit February 2018: This functionality has now been integrated into Visual Studio 2012 and later as Code Analysis
Clocksharp, based on code source analysis (to C# 2.0)
Coverity Prevent™ for C#, commercial product
PRQA QA·C#, commercial product
PVS-Studio, commercial product
CAT.NET, Visual Studio add-in that helps identification of security flaws. Edit November 2019: Link is dead.
SonarQube, FOSS & Commercial options to support writing cleaner and safer code.
Quality Metric Tools:
Checking Style Tools:
General Refactoring tools
~ Answered on 2008-09-19 07:55:39
The tool NDepend is quoted as Quality Metric Tools but it is pretty much also a Code violation detection tool. Disclaimer: I am one of the developers of the tool.
With NDepend, one can write code rules over LINQ queries (what we call CQLinq). More than 200 CQLinq code rules are proposed by default. The strength of CQLinq is that it is straightforward to write a code rule and get results immediately. Facilities are proposed to browse matched code elements. For example:
Besides that, NDepend comes with many other static-analysis-like features. These include:
~ Answered on 2008-12-18 16:32:46
Have you seen CAT.NET?
From the blurb -
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
I used an early beta and it did seem to turn up a few things worth looking at.
~ Answered on 2009-05-26 09:10:23
~ Answered on 2008-09-02 17:11:07
Aside from the excellent list by madgnome, I would add a duplicate code detector that is based off the command line (but is free):
~ Answered on 2009-04-19 02:07:51
Axivion Bauhaus Suite is a static analysis tool that works with C# (as well as C, C++ and Java).
It provides the following capabilities:
These features can be run on a one-off basis or as part of a Continuous Integration process. Issues can be highlighted on a per project basis or per developer basis when the system is integrated with a source code control system.
~ Answered on 2009-11-17 18:50:09
Optimyth Software has just launched a static analysis service in the cloud: www.checkinginthecloud.com. Just securely upload your code, run the analysis, and get the results. No hassles.
It supports several languages including C#. More info can be found at wwww.optimyth.com
~ Answered on 2011-10-07 13:22:41
Klocwork has a static analysis tool for C#: http://www.klocwork.com
~ Answered on 2010-05-01 02:13:52