How can I run NDepend from SonarQube, or import NDepend results into SonarQube?
The SonarQube C# Ecosystem Plugin supports several other C# tools, but NDepend is not one of them. Commercial and free solutions are both welcome.
If no solution is available yet, can the NDepend API be used to write a custom plugin SonarQube with reasonable effort?
Update 2014-12-11: There was an announcement by the NDepend team today that a SonarQube integration is being developed. It is expected for Q2 2015. They also mention that there is a new third-party SonarQube plugin for importing NDepend results now.
I am representing the NDepend team. Having a NDepend plugin for SonarQube is certainly a good idea and something we'd like to offer out-of-the-box in future features for NDepend vNext. It is also an idea ranked on the NDepend User Voice.
Please come back to us by email at support at ndepend dot com. We'd like to hear the details of your needs concerning import NDepend results into SonarQube.
For now writing your own plugin using NDepend.API is the way to go if you cannot wait. 100% of data collected by NDepend (structure, metrics, diff, trend...) are reachable through the API. The NDepend PowerTools source code is the right place to get started with NDepend API and see how main API usage scenarios can be implemented.
While I was writing the SonarQube .Net ReSharper plugin, I looked at the potential for an NDepend plugin. The biggest obstacle is that SonarQube requires plugins to provide the full list of possible violations (rules) at server start, which must then be manually enabled by administrators via the web UI (ie: not through an API). There is no API for adding or enabling rules via the SonarQube API during plugin execution.
Once the rules are in there, it's just an excersize in associating the NDepend results with the source code lines/files. The .Net ecosystem plugins, as well as my ReSharper plugin, are all open source and can be used for inspiration on this point.
Since a lot of NDepend's power comes from the ability to easily create your own rules, a plugin author would have to create some mechanism for getting those custom rules into SonarQube without having to frequently restart the SonarQube servers. So far, no one has taken the time to do this, although it sounds like the NDepend team is considering it based on Patrick's answer to this same question.
Related
We are using a combination of Jira, Subversion and CruiseControl.net in our workflow. With each commit, the corresponding Issue-ID is stored in a bugtraq-property of svn. Jira accesses the repository via plugin (not FishEye at the moment), and a custom svn hook updates the Jira-Issue with the branch name. So each issue is linked to all branches it relates to. Also, release notes for each issue are stored in custom fields, as we need the release notes in multiple languages.
CruiseControl runs builds on schedule, with increasingly complex build scripts to integrate the release notes into our application. As some of the branches are custom userware, only a subset of the release notes are actually used (requirements of one customer should not neccessarily be visible to other customers, whereas the customer information is generated from the branch names). I've spent quite some time on the web looking for plugins to interface Jira and CruiseControl with eachother to better automate this process. Is there anyone out there with similar problems?
Would a migration to Jira/Bamboo/FishEye solve my problem? I've downloaded the test versions and dabbled around with the tool integration, but I'm really looking for constructive advice and experience reports. The ability to start builds from within Jira certainly looks appealing, and FishEye should provide branch information to Bamboo.
I hope, I'm making sense here...
Thanks in advance.
Jira and Bamboo are obviously better integrated. SVN hooks to Jira are better than Fisheye smart commits. The only other CI product with this level of integration with Jira is Jenkins via marvelution plugin: https://marketplace.atlassian.com/plugins/com.marvelution.jira.plugins.jenkins
Our shop is a lot of Java developers, a few MS devs. Java developers mainly use a SVN/Jira/Fisheye/Jenkins combo with release notes generated automatically via Jira and Jenkins. The MS developers use TFS for their projects.
You could always bite the Microsoft bullet and use TFS 2012.
So besides the ITIL-breaking release management snieps in the question comemnts, the answer is Jira/(Jenkins|Bamboo) will solve your problem. Fisheye is just a nice to have.
I have been trying to get Sonar code analysis work on a c# project. Since it's a web project I'd also like to run analysis on JavaScript.
However, as mentioned in the following link, you cannot run multi-module projects on a .NET solution (http://sonar.15.x6.nabble.com/Multi-language-javascript-amp-c-td5011530.html).
The suggested workaround is to trigger two analysis profiles separately and then combine them with the views plugin (http://www.sonarsource.com/products/plugins/governance/portfolio-management/)
But this plugin costs about 1800$. Because Sonar has the possibility to analyse multiple projects in .NET through the solution file, it therefore disables multiple modules for .NET solutions (to prevent a specific error).
I find it really annoying that by doing this, it forces me to use a paid module (and not a cheap one) to create a sub-optimal workaround.
Are there any other better solutions for this?
No, there's currently no better solution for this case. This issue has been identified and we'll take a look at it during the next spring - but I'm not sure that it can be solved easily though.
You can and watch and vote here: http://jira.codehaus.org/browse/SONARDOTNT-291
I know that there are a number of tools for analysing .NET code and calculating the coverage, plus identifying classes/methods/properties etc that are never going to be hit.
However, I am trying to clean-up a legacy application that I am certain contains an amount of unused code - however a lot of code is accessed via some arbitrary and complex reflection tecniques that will disguise the intent to the compiler - thererfore any coverage tool that only analyses the compiled code is unlikely to generate any reliable reports on code useage within this application.
Are there any tools that work rather like profilers, whereby they listen to a running application and log what classes/methods/properties are actually hit and generate the coverage based on this data.
I hope Ive made everything clear - thanks in anticipation
we are using ncover, and it works really nicely: http://www.ncover.com/.
But it's commerical, or you use the trial version, if you just need it once.
You can use the VS2010 Code Coverage tools - they do use Instrumentation (which means reflection won't trick it). Syed Aslam Basha has a post on it in his MSDN blog on how to enable it for manual testing (which it sounds like you will need to do).
Just remember you will need to click every feature etc. while its running; or just think twice before deleting code - but it should give you a good starting point.
Two open source versions currently exist that support .NET2 and .NET4 runtimes
PartCover - is the oldest but only supports 32 bit (supported by teamcity)
and
OpenCover - is the latest, it again supports .NET2 and .NET4 but also supports 64 bit, it also has recently added branch coverage (though reporting is up to the user)
Both OpenCover and PartCover can be used with TypeMock and Moles should you need to.
Commercial versions include (but no limited to)
NCover - the most well known
dotcover - integrates well with team city when unit testing
Clover.NET can do this. But it is commercial and I didn't manage to find a link to the .NET version (I've used it several year ago).
Can't think of a tool other than a profiler, but how about using logging?
Use static analysis to discover static calls, and put logging into the reflective invocations to show what is being called. After a few runs you'll know what is being run.
After all the reflective invocation will know what's doing.
target state: Porting VB6 Code into C#, undertake the whole project with all conceivable processes that are involved.
What would be your approach if you do not have knowledge about the domain?
There is nearly any documentation, just legacy code (up to 100.000 - 300.000 lines of code and comments vb6 files that contain up to 14.000 lines of code) written in VB6.
Disclaimer: I work for Great Migrations
We rewrite large VB6/ASP/COM applications to .NET (primarily C#) for a living and we have developed a software analysis and reengineering tool to help us do it. This tool is essentially like a VB6/ASP/COM compiler and a decompiler that authors .NET codes. Of course since the VB6 platform is very different from .NET, a direct compile/decompile is not desirable or viable, so our tool has an "analyzer" that implements various code reengineering algorithms to deal with VB6-C# incompatibilities. There is also a programmable "author" that allows the migration team to prescribe rules for setting up .NET code files, restructuring the code, and doing things like replacing COM APIs and ActiveX controls with .NET classes -- depending on what the team needs or wants.
As a by product of compiling and analyzing the code our tool produces a model of the entire VB6/ASP/COM system being upgraded. This model can be used to produce extremely detailed reports about the internal structure of the system. These models can be used to help reverse-engineer the code -- if you know the right questions to ask and you would need to understand the problem domain to do a good job.
Of course once you have build-complete .NET, you can use the various analytics and code review tools that work off assemblies. Some versions of Visual Studio have these tools and there are open source tools such as FxCop, NDepends). There are also some fantastic dynamic analysis tools (EQUATEC Tracer) that I have used.
In the end though migration teams are going to very hard pressed to verify any unknown system. Even if you are staying on the same platform, you would unable to prove an application it is "correct" if you do not know how to run it and how to setup/enter expected inputs and find/verify expected outputs. We normally leave this to the customer!
If we are doing verification for the customer, we rely heavily on side-by-side testing to validate the new version of your system -- assuming we know how to run the legacy application we assume that given the same sets of inputs and usecases it should exhibit the same behaviors and produce the same results. I have heard this Approval Tests in unit testing circles.
I admit we also rely heavily on the knowledge that the VB6/COM code is a complete, detailed, formal and production tested description of the data structures and logic of the system and that we are putting this information through a tested and retested systematic transformation. We have been developing compilers since 1977 and we have worked very hard on this VB6/ASP compiler to make sure the .NET codes that we generate preserves the semantics of the original VB6. It is not 100% every time - but it is getting closer all the time. Then again doing things by hand does not guarantee 100% correct code on the first try either...
mark's answer about Great Migrations is excellent. Do be aware there are competitor automatic tools, which also have a very good reputation.
Artinsoft's VB Upgrade Companion
Francesco Balena's VB Migration Partner
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
What static analysis tools are available for C#?
Guys, I'm looking for an open source or free source code analysis tool for C#. The tool should be able to generate metrics from the source code such as cyclomatic complexity, number of lines, number of commented lines, SEI maintainability etc.
Does anyone know of any such tool?
NDepend will give you a vast number of stats for your code:
http://codebetter.com/blogs/patricksmacchia/archive/2008/11/25/composing-code-metrics-values.aspx
There is a free 'Trial' version which contains fewer features than the Professional product, but which is free to use for Open Source and Academic development. The Trial version on the download page gets updated with a new version before the previous one runs out:
http://www.ndepend.com/NDependDownload.aspx
NDepend isn't free for non-academic or open-source software use, but it is awesome, and will give you those metrics (and many others, using its built-in Code Query Language).
This question is more or less a dupe of this one: Calculate code metrics, and you'll find an entire series of good suggestions there.
Gendarme is totally open source and free. It's a subproject under mono. You can run the tools in three ways: wizard, console, NAnt. It will generate a html report which summarize all the violated rules. Worthy have a look.
SourceMonitor is a free C# metrics tool, it's fairly old but it could still be useful.
There are many plugins for reflector (which is also free):
Reflector Add-Ins
I believe the CodeMetrics plugin does what you need
Axivion Bauhaus Suite is free for academic use but not for commercial use.
It includes:
Software Architecture visualization
Software Architecture rule checking
Interface analysis
Cycle detection
Clone (copy) detection
Dead code detection
Detection of code style violations
A full set of predefined software metrics
The ability to add your own metrics and analyses...
Supports C / C++, C#, Java on various platforms
Visual Studio's Code Metrics
Most of these capabilities are included with Visual Studio 2008 Team System.
Under the Tools | Analyze menu there are options for Code Metrics. Most of your desired features are all there: Cyclomatic Complexity, LOC, and Microsoft's (a variant of the SEI maintainability index that instead goes from 0-100, where 100 is most maintainable) - as well as Depth of Inheritance, and Class Coupling as bonus features. It does not include number of commented lines.
I wrote a (completely) free code analysis app for .Net - Nitriq