What static analysis tools are available for C#?

Question

What tools are there available for static analysis against C# code? I know about FxCop and StyleCop. Are there others? I've run across NStatic before but it's been in development for what seems like forever - it's looking pretty slick from what little I've seen of it, so it would be nice if it would ever see the light of day.

Along these same lines (this is primarily my interest for static analysis), tools for testing code for multithreading issues (deadlocks, race conditions, etc.) also seem a bit scarce. Typemock Racer just popped up so I'll be looking at that. Anything beyond this?

Real-life opinions about tools you've used are appreciated.

Answer 1

The wikipedia page, List of tools for static analysis may be useful here.

Answer 2

NDepend looks pretty promising for doing static analysis. I haven't used it, but I've been meaning to download the free edition (not for long-term use on commercial projects)

I also like a DSM plugin that works with reflector, available here

Answer 3

Simian can be used to find duplicate lines of code, that can help you refactor quite a bit. It's written in Java but you can evaluate C# files.

Answer 4

I would strongly recommend NDepend, but be aware that this tool has A LOT of information so if you're going to use it, be prepared to spend some time watching the tutorial videos so you can get a good handle on what is going to be useful to you and what isn't.

Answer 5

• Gendarme is an open source rules based static analyzer (similar to FXCop, but finds a lot of different problems).
• Clone Detective is a nice plug-in for Visual Studio that finds duplicate code.
• Also speaking of Mono, I find the act of compiling with the Mono compiler (if your code is platform independent enough to do that, a goal you might want to strive for anyway) finds tons of unreferenced variables and other Warnings that Visual Studio completely misses (even with the warning level set to 4).

Answer 6

Uhm, I hate to start posting by pitching our own tool, but this is the kind of question I can answer well :)

CodeIt.Right is the static analysis tool we developed and it will correct the found violations too (along with lots of other features).

I hope you don't mind the post - I may be too excited about the tool bu I truly believe it is very useful.

Answer 7

Code violation detection Tools:

• Fxcop, excellent tool by Microsoft. Check compliance with .net framework guidelines.(No longer available as a standalone download. It is now included in the Windows SDK and after installation can be found in Program Files\Microsoft SDKs\Windows\ [v7.1] \Bin\FXCop\FxCopSetup.exe)
• Clocksharp, based on code source analysis (to C# 2.0)
• Mono.Gendarme, similar to Fxcop but with an opensource licence (based on Mono.Cecil)
• Smokey, similar to Fxcop and Gendarme, based on Mono.Cecil. No longer on development, the main developer works with Gendarme team now.
• Coverity Prevent™ for C#, commercial product
• CAT.NET , visual studio addin that helps identification of security flaws

Quality Metric Tools:

• NDepend, great visual tool. Useful for coupling and dependency studies.
• RSM Squared, based on code source analysis
• SourceMonitor, old tool EDIT a new version is out
• Code Metrics, a Reflector add-in
• Vil, old tool that doesn't support .NET 2.0

Checking Style Tools:

• StyleCop, Microsoft tool ( run from inside of Visual Studio or integrated into an MSBuild project)
• Agent Smith, code style validation plugin for ReSharper

Duplication Detection:

• Simian, based on source code. Works with plenty languages.
• Clone Detective a Visual Studio plugin. (It uses ConQAT internally)

Answer 8

Also see:

• Spec#

• Pex

Answer 9

I find the Code Metrics and Dependency Structure Matrix add-ins for Reflector very useful.

Answer 10

FYI - A new Typemock Racer build was recently released.

Typemock Racer helps find possible deadlocks in your code.

Answer 11

ReSharper - Majorly cool C# code analysis and refactoring features... bit of a learning curve but well worth it.

Answer 12

I would advise NDepend too.

See the list of features here http://www.NDepend.com/Features.aspx :
- Code Query Language (CQL)
- Compare Builds
- 82 code metrics
- Manage Complexity and Dependencies
- Detect Dependency Cycles
- Harness Test Coverage Data
- Enforce Immutability and Purity
- Warnings about the health of your Build Process
- Generate custom report from your Build Process
- Diagrams
- Facilities to cope with real-world environment

Answer 13

Coverity has releases a C# product.

http://www.coverity.com/html/coverity-prevent-for-c%23.html

Answer 14

Aside from the excellent list by madgnome, I would add a duplicate code detector that is based off the command line (but is free):

http://sourceforge.net/projects/duplo/

Answer 15

Have you seen CAT.NET - www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en?

From the blurb -

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

I used an early beta and it did seem to turn up a few things worth looking at.

Answer 16

Axivion Bauhaus Suite is a static analysis tool that works with C# (as well as C, C++ and Java).

It provides the following capabilities:

• Software Architecture Visualization (inlcuding dependencies)
• Enforcement of architectural rules e.g. layering, subsystems, calling rules
• Clone Detection - highlighting copy and pasted (and modified code)
• Dead Code Detection
• Cycle Detection
• Software Metrics
• Code Style Checks

These features can be run on a one-off basis or as part of a Continuous Integration process. Issues can be highlighted on a per project basis or per developer basis when the system is integrated with a source code control system.

Answer 17

Klocwork has a static analysis tool for C#: http://www.klocwork.com

Answer 18

Semantic Designs provides the following C# static analysis tools:

• C# Metrics: Computes standard metrics (Cyclomatic, Halstead, conditional nesting, ...) for C#
• CloneDR: Finds exact and near-miss duplicates in large C# software systems
• SmartDifferencer: Compares two C# files to determine minimal "diff" in terms of language structures (variables, expressions, statements, blocks) and meaningful editing operations (insert, delete, move, copy, rename)

See our C# Tools for details. The site describes other C# tools for dynamic analysis, also.