
Analyse your code

Create a plan

You MUST conduct code analysis and address the issues you find. Doing this in both your IDE and build & integration pipelines will improve your code, making it easier to maintain, faster, and more secure.

Code analysis can be complex, but this section outlines the steps you SHOULD follow. Create a tailored plan for your team that you regularly review and improve.

Practical tips

Use Redgate SQL Prompt to evaluate T-SQL. See the T-SQL coding standard for help.

Calculate code metrics to spot problems

Calculate code metrics for each project in your solution and address any that exceed acceptable limits. The table below shows RECOMMENDED levels for each metric.

Maintainability Index | Cyclomatic Complexity | Depth of Inheritance | Class Coupling | Lines of Executable code
20 - 100 | < 7 | < 5 | < 9 | < 40

Calculate code coverage

Calculate test coverage and use the results to identify areas for improvement.

Generate and publish a code coverage report in your pipelines.

Practical tips

Aim to cover a large portion of your code with tests, but prioritise integration tests for areas prone to regressions. This may prove more effective than having unit tests for every method.

Note: Visual Studio's code coverage feature is available only in the Enterprise edition.

Check code for style and quality

Ensure your code follows the style (naming, layout, language) and quality conventions described or referenced in this document.

Code Style Options and Analyser Rules

Visual Studio offers a code style options box and Roslyn analyser code style rules. With newer versions of Visual Studio and the .NET SDK, you can run these rules at build time.

Use the dotnet format tool in your build and integration pipelines to check for code style. See later in this section for details.

Use Roslyn analysers to ensure .NET code quality

Use Roslyn compiler analysers to check .NET code for style, quality, maintainability and other issues. They are available from Microsoft and third-party providers.

How Roslyn Analysers work:

  • Design-Time Analysis: Analysers run on open files in the IDE, providing immediate feedback.

  • Build-Time Analysis: Analysers can be configured to run during builds to enforce consistent standards.

Use NuGet packages to integrate analysers directly in your code. Avoid relying solely on IDE-specific tools like Visual Studio extensions, ReSharper and SonarQube.

Default Analysers in .NET SDKs

The latest .NET SDKs include many Roslyn analysers pre-installed. The image below shows the analysers available when creating an ASP.NET project targeting .NET 8.0 in Visual Studio.

If using older SDKs, add analysers such as the Microsoft.CodeAnalysis.NetAnalyzers NuGet package.

Figure 1 Use Roslyn analysers to check your code


Third-party Analysers

Include a security analyser, such as SonarAnalyzer.CSharp or SecurityCodeScan.VS2019. For assistance, ask the Software Development Manager or Cyber Security team.

Enabling Rules

Roslyn analysers allow you to configure specific rules. In a .NET 6.0+ project, created with Visual Studio, only a few rules are enabled by default. Enable all relevant rules, disabling only those that produce false positives or are not relevant.

Practical tips

Introducing Code Analysis: Enabling code analysis with all rules on a large codebase can be overwhelming. Start with a few rules and gradually add more until all are enabled.

Important: Code analysis may slow down your development environment. Balance error detection with productivity. Consider running resource-intensive analysis in build or integration pipelines.

Configure code analysis rules

Follow these steps when configuring code analysis:

CONFIGURATION STEP | Details
ADD AN .editorconfig FILE | Place in the root of your solution and commit to source control to ensure consistent settings across the team.
SET-UP INITIAL RULES | Generate settings using Visual Studio's code style options or a template (see further reading). Adjust rules to align with team or organisational conventions.
DEFINE RULE SEVERITY | Set critical rules to error to ensure violations fail the build. Configure the Directory.Build.props or .csproj files (SDK-style projects) to enable style and quality checks during builds.
ENFORCE CODE STYLE | Enforce code style checks during builds where your .NET version supports it.
APPLY GOOD PRACTICE | Treat warnings as errors to promote higher code quality.

Practical tips

Be mindful of the challenges with .editorconfig, including known Visual Studio UI limitations. Read this blog before you start: C# code style by EditorConfig in .NET 5 SDK and beyond | Mews Developers

You MAY develop team-specific styles if the provided conventions don't meet your needs.

Run code analysis in your pipelines as well as the IDE

Run code analysis during builds to catch issues early, using tools like MSBuild and dotnet format.
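
The configuration steps and the pipeline check described above, as an added example that is not part of the original standard: a shell script that writes a Directory.Build.props and an .editorconfig at the solution root and defines a build gate. The function names, the rule IDs singled out and their severities are illustrative assumptions, not the organisation's rule set.

```shell
#!/bin/sh
# Added example: bootstrap analysis settings at the solution root and gate a build.
# Rule IDs and severities below are illustrative choices (assumptions).

write_build_props() {  # $1 = solution root
  cat > "$1/Directory.Build.props" <<'EOF'
<Project>
  <PropertyGroup>
    <!-- Run the SDK's Roslyn analysers on every project under this folder -->
    <EnableNETAnalyzers>true</EnableNETAnalyzers>
    <AnalysisLevel>latest</AnalysisLevel>
    <!-- Enable all rules; switch off false positives in .editorconfig -->
    <AnalysisMode>All</AnalysisMode>
    <!-- Run IDE code style rules (IDExxxx) at build time, not only in the IDE -->
    <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
    <!-- Apply good practice: any remaining warning fails the build -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
</Project>
EOF
}

write_editorconfig() {  # $1 = solution root
  cat > "$1/.editorconfig" <<'EOF'
root = true

[*.cs]
# Critical rules: every Security-category analyser rule is an error,
# even if TreatWarningsAsErrors is later relaxed for a project
dotnet_analyzer_diagnostic.category-Security.severity = error
# CA2000 (dispose objects before losing scope): a per-rule setting
# takes precedence over a category setting
dotnet_diagnostic.CA2000.severity = error
# Rule judged not relevant for this team (constructed example)
dotnet_diagnostic.CA1707.severity = none
EOF
}

# Pipeline gate: style check first (cheap), then the fully analysed build.
analysis_gate() {  # $1 = path to the .sln file
  dotnet format "$1" --verify-no-changes || return 1
  dotnet build "$1" --no-incremental -warnaserror || return 1
}
```

Source the script, call `write_build_props .` and `write_editorconfig .` once and commit both files; the pipeline then calls `analysis_gate` with the solution path, which needs the .NET SDK on the build agent.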

Check third-party packages

Check for vulnerabilities and licence issues in third-party dependencies by integrating tools like GitHub Advanced Security for Azure DevOps.

Publish and review metrics

Track code health by publishing metrics from analysis tasks to server dashboards.

Regularly review these metrics and address problem areas to maintain quality.

Recap

Recap: Analyse your code

  1. Create a plan.

  2. Calculate code metrics.

  3. Calculate code coverage.

  4. Check for code style and quality.

  5. Use Roslyn analysers.

  6. Configure code analysis rules.

  7. Run code analysis in your build pipelines.

  8. Check third-party packages.

  9. Publish metrics.