简体繁体 English

静态代码分析 - 首先打开哪些？

[英]Static Code Analysis - Which ones to turn on first?

原文 2009-10-26 16:51:15 2 5 c#/ visual-studio-2008/ code-analysis/ static-analysis

We're using VS2008 with the built in static code analysis rule set. 我们正在使用带有内置静态代码分析规则集的VS2008。
We've got a relatively large C# solution (150+ projects) and while some of the projects (< 20) are using static code analysis religiously, most are not. 我们有一个相对较大的C＃解决方案（150多个项目），而一些项目（<20）正在虔诚地使用静态代码分析，大多数不是。 We want to start enforcing static code analysis on all projects, but enabling all rules would create a massive distraction to our current projects. 我们希望开始对所有项目实施静态代码分析，但启用所有规则会对我们当前的项目造成巨大的干扰。 Which of the many static code analysis rules that are available should we turn on first? 我们应该首先启用哪些静态代码分析规则？ Which rules have the biggest bang for the buck? 降压哪个规则最大？ If you could give me your prioritized top 20, I'd greatly appreciate it. 如果你能给我优先考虑的前20名，我会非常感激。
Thanks in advance, 提前致谢，
--Ed.S. --Ed.S。

5 个解决方案

Given that the Studio ones are similar to FxCop's rules, I can tell you which ones I'd turn on last . 鉴于Studio的规则类似于FxCop的规则，我可以告诉你我最后会打开哪些规则。

If internationalization is not on the horizon, turn off Globalization Rules. 如果国际化尚未实现，请关闭全球化规则。

Turn off Performance Rules initially. 最初关闭性能规则。 Optimize when you need to. 在需要时进行优化。

Fit the others to your team and your projects. 让其他人适合您的团队和项目。 Turn off individual rules that aren't applicable. 关闭不适用的个别规则。 In particular, Naming Rules may need to be adjusted. 特别是，可能需要调整命名规则。

EDIT: The most important thing is to reduce noise. 编辑：最重要的是减少噪音。 If every project has 200 warnings and stays that way for months, everyone will ignore them. 如果每个项目都有200个警告并且持续数月，那么每个人都会忽略它们。 Turn on the rules that matter to your team, clean up the code to get 100% passing (or suppress the exceptions - and there will be exceptions; these are guidelines), then enforce keeping the code clean. 打开对您的团队至关重要的规则，清理代码以获得100％的传递（或抑制异常 - 并且会有异常;这些是指导原则），然后强制保持代码清洁。

The very first rules you should activate for a project are those for which you don't yet have any violations in that project. 您应该为项目激活的第一个规则是那些您在该项目中没有任何违规的规则。 This will allow you to avoid introducing new problems without costing you any additional clean-up effort. 这样您就可以避免引入新问题，而无需花费任何额外的清理工作。

As for the rest, given that you're already using code analysis on other projects, your best input for which rules are most likely to be broken with serious consequences is probably the developers who work on those projects. 至于其他项目，鉴于您已经在其他项目上使用代码分析，那么最有可能打破规则的最佳输入可能是那些项目工作的开发人员。 If you don't have enough overlap between projects to get meaningful feedback from developers, you might want to consider starting with the rules that are included in the Microsoft Minimum Recommended Rules rule set in Visual Studio 2010. 如果项目之间没有足够的重叠以从开发人员那里获得有意义的反馈，则可能需要考虑从Visual Studio 2010中的Microsoft最低建议规则规则集中包含的规则开始。

If you are planning on actually cleaning up existing violations in any given project, you may want to consider using FxCop instead of VS Code Analysis until the clean-up is complete. 如果您计划实际清除任何给定项目中的现有违规，则可能需要考虑使用FxCop而不是VS代码分析，直到清理完成为止。 This would allow you to activate rules immediately while keeping "for clean-up" exclusions of existing violations outside your source code. 这将允许您立即激活规则，同时保持“清理”排除源代码之外的现有违规。

If you going to localize your project/ it is going to be used in different countries, then definitely enable localization rules. 如果您要本地化您的项目/它将在不同的国家/地区使用，那么肯定启用本地化规则。 It will find all call to all sort of Format/Parse functions that do not specify CultureInfo. 它会发现所有调用所有未指定CultureInfo的Format / Parse函数。 Bugs involving not specified CultureInfo are hard to find in testing, but they will really bite you in the ass, when your French client will ask: why your program does not work/crash on numbers with "," as decimal separator. 涉及未指定CultureInfo的错误在测试中很难找到，但是当你的法语客户端会问：为什么你的程序不能正常工作/为什么你的程序在“，”作为小数分隔符时崩溃。

In my experience code analysis warnings of all types show 'hidden' bugs or flaws in your code. 根据我的经验，所有类型的代码分析警告都会在代码中显示“隐藏”的错误或缺陷。 Fixing these can solve some real problems. 修复这些可以解决一些实际问题。 I have not found a list of warnings that I would like to disable. 我还没有找到我想要禁用的警告列表。

Instead, I would turn them on one project at a time and fix all the warnings in that project before moving to the next. 相反，我会一次打开一个项目，并在移动到下一个项目之前修复该项目中的所有警告。

If you want to turn things off I would consider not checking the Naming rules (unless you are shipping a library, APIs or other externally exposed methods) and Globalization rules. 如果你想要关闭，我会考虑不检查命名规则（除非你是运送库，API或其他外部公开的方法）和全球化规则。 (unless your applications make active use of Globalization). （除非您的应用程序积极使用全球化）。 It depends a bit on your situation which make sense. 这有点取决于您的具体情况。

I somewhat agree with Jeroen Huinink's answer . 我有点同意Jeroen Huinink的回答。

I would turn on all the rules that you think a project should follow and fix them as soon as possible. 我会打开您认为项目应该遵循的所有规则并尽快修复它们。 You don't have to fix them all now, but as you go through and fix a defect or refactor a method in a module, you can always clean up the issues found by static analysis in that method or module. 您现在不必全部修复它们，但是当您通过修复缺陷或重构模块中的方法时，您始终可以清除该方法或模块中静态分析所发现的问题。 New code should adhere to your rules and existing code should be transformed into adherence as quickly as possible, but you don't need to drop everything to make that happen. 新代码应遵循您的规则，现有代码应尽快转换为遵守，但您不需要放弃所有代码来实现。

Your development team can also look at the issues for a project and prioritize them, perhaps filing defects in your issue tracking system for the most critical problems so that they are addressed quickly and by the appropriate developer. 您的开发团队还可以查看项目的问题并确定其优先级，或者在问题跟踪系统中为最关键的问题提交缺陷，以便他们能够由相应的开发人员快速解决。