Original URL: http://stackoverflow.com/questions/38635/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
What static analysis tools are available for C#?
Asked by Paul Mrozowski
What tools are there available for static analysis against C# code? I know about FxCop and StyleCop. Are there others? I've run across NStatic before but it's been in development for what seems like forever - it's looking pretty slick from what little I've seen of it, so it would be nice if it would ever see the light of day.
Along these same lines (this is primarily my interest for static analysis), tools for testing code for multithreading issues (deadlocks, race conditions, etc.) also seem a bit scarce. Typemock Racer just popped up so I'll be looking at that. Anything beyond this?
Real-life opinions about tools you've used are appreciated.
Accepted answer by Julien Hoarau
Code violation detection Tools:
- Fxcop, excellent tool by Microsoft. Check compliance with .net framework guidelines.
  Edit October 2010: No longer available as a standalone download. It is now included in the Windows SDK and after installation can be found in Program Files\Microsoft SDKs\Windows\ [v7.1] \Bin\FXCop\FxCopSetup.exe
  Edit February 2018: This functionality has now been integrated into Visual Studio 2012 and later as Code Analysis
- Clocksharp, based on code source analysis (to C# 2.0)
- Mono.Gendarme, similar to Fxcop but with an opensource licence (based on Mono.Cecil)
- Smokey, similar to Fxcop and Gendarme, based on Mono.Cecil. No longer on development, the main developer works with Gendarme team now.
- Coverity Prevent for C#, commercial product
- PRQA QA·C#, commercial product
- PVS-Studio, commercial product
- CAT.NET, Visual Studio add-in that helps identification of security flaws. Edit November 2019: Link is dead.
- CodeIt.Right
- Spec#
- Pex
Quality Metric Tools:
- NDepend, great visual tool. Useful for code metrics, rules, diff, coupling and dependency studies.
- Nitriq, free, can easily write your own metrics/constraints, nice visualizations. Edit February 2018: download links now dead. Edit June 17, 2019: Links not dead.
- RSM Squared, based on code source analysis
- C# Metrics, using a full parse of C#
- SourceMonitor, an old tool that occasionally gets updates
- Code Metrics, a Reflector add-in
- Vil, old tool that doesn't support .NET 2.0. Edit January 2018: Link now dead
Checking Style Tools:
- StyleCop, Microsoft tool (run from inside of Visual Studio or integrated into an MSBuild project). Also available as an extension for Visual Studio 2015 and C# 6.0
- Agent Smith, code style validation plugin for ReSharper
Duplication Detection:
- Simian, based on source code. Works with plenty of languages.
- CloneDR, detects parameterized clones only on language boundaries (also handles many languages other than C#)
- Clone Detective, a Visual Studio plugin. (It uses ConQAT internally)
- Atomiq, based on source code, plenty of languages, cool "wheel" visualization
General Refactoring tools
- ReSharper - Majorly cool C# code analysis and refactoring features
Answer by Kris Erickson
- Gendarme is an open source rules based static analyzer (similar to FXCop, but finds a lot of different problems).
- Clone Detective is a nice plug-in for Visual Studio that finds duplicate code.
- Also speaking of Mono, I find the act of compiling with the Mono compiler (if your code is platform independent enough to do that, a goal you might want to strive for anyway) finds tons of unreferenced variables and other Warnings that Visual Studio completely misses (even with the warning level set to 4).
Answer by Hamish Smith
I find the Code Metrics and Dependency Structure Matrix add-ins for Reflector very useful.
Answer by Patrick from NDepend team
The tool NDepend is quoted as Quality Metric Tools but it is pretty much also a Code violation detection tool. Disclaimer: I am one of the developers of the tool
With NDepend, one can write Code Rule over LINQ Queries (what we call CQLinq). More than 200 CQLinq code rules are proposed by default. The strength of CQLinq is that it is straightforward to write a code rule, and get results immediately. Facilities are proposed to browse matched code elements. For example:
Beside that, NDepend comes with many other static-analysis-like features. These include:
- Smart Technical Debt Estimation
- Dependency Graph
- Dependency Matrix
- Code Diff capabilities
- NDepend.API that lets you write your own static analysis tool. With NDepend.API we even developed a tool to detect code duplicate (details in this blog post: An Original Algorithm to Find .NET Code Duplicate).
Answer by torial
Aside from the excellent list by madgnome, I would add a duplicate code detector that is based off the command line (but is free):
Answer by markdevilliers
Have you seen CAT.NET?
From the blurb -
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
I used an early beta and it did seem to turn up a few things worth looking at.
Answer by Mark Dalgarno
Axivion Bauhaus Suite is a static analysis tool that works with C# (as well as C, C++ and Java).
It provides the following capabilities:
- Software Architecture Visualization (including dependencies)
- Enforcement of architectural rules e.g. layering, subsystems, calling rules
- Clone Detection - highlighting copy and pasted (and modified code)
- Dead Code Detection
- Cycle Detection
- Software Metrics
- Code Style Checks
These features can be run on a one-off basis or as part of a Continuous Integration process. Issues can be highlighted on a per project basis or per developer basis when the system is integrated with a source code control system.
Answer by Alen
Klocwork has a static analysis tool for C#: http://www.klocwork.com
Answer by Javier Salado
Optimyth Software has just launched a static analysis service in the cloud: www.checkinginthecloud.com. Just securely upload your code, run the analysis and get the results. No hassles.
It supports several languages including C#. More info can be found at www.optimyth.com