As far as I am concerned, I appreciate it because it forces us to care even more about code quality and maintainability (which includes security, performance, design, ...). Maintainability is particularly important because, once in production, the dev team hands its code over to the maintenance team.
Because such an audit looks at numerous aspects, it brings me back to an old post of mine listing the rules that FxCop and StyleCop monitor. The various rules are grouped into the following categories:
FxCop (or its variant integrated within Visual Studio, called Code Analysis or CA, which compiles your code and then analyses it):
- Design
- Globalization
- Interoperability
- Maintainability
- Mobility
- Naming
- Performance
- Portability
- Reliability
- Security
- Usage
StyleCop:
- Documentation
- Layout
- Maintainability
- Naming
- Ordering
- Readability
- Spacing
- Developers find it painful to comply with constraining rules, as opposed to having "no rules" at all or their "own home-made rules",
- Since developers DON'T have to learn all 400 rules beforehand, but ONLY progressively, it is not too bad. Moreover, with the help of ReSharper, the tedious, painful and repetitive reformatting work is done automatically (ReSharper can connect to FxCop and StyleCop so that it changes your code accordingly),
- Because the Software Factory prevents checking in any code that is NOT compliant with the given rules (NOTE: you have to determine with your team which rules are compulsory and which are not), the developers HAVE to follow the rules,
- Finally, after a few months of coding, a survey done in the teams I have been working with shows that developers got used to it,
- And last, it becomes irritating for them to read code that IS NOT compliant (just like reading a book full of grammar and spelling mistakes).
This is where NDepend comes into play! It's a tool that I have been using for nearly 10 years, written by Patrick Smacchia (author of books and a blog dedicated to .NET, C# and code quality).
As far as we are concerned, the auditor came in and meticulously inspected all technical aspects of our projects (the audit evaluating our Agility/Scrum process was done by another company):
- all our source code,
- our DLLs and PDBs,
- our web services,
- and our architectural diagrams.
One screenshot will not be sufficient, because it's only when you can visually play with your code through drill-down (right down to the exact line of code) that you understand its power.
Where to start?
You have to "feed" NDepend with as much information as you can (*.sln, *.csproj, DLLs, PDBs, ...) by drag and drop; it can then "answer" many of your technical questions about your projects.
Indeed, it treats your "project" (source code, PDBs, DLLs, previous version of your source code, new code, ...) as a LARGE database with MANY different views (too many to fit in a single screenshot),
where you can:
- Query your code as if it were a SQL database, using CQLinq (Code Query LINQ, a language based on LINQ):
from m in Application.Methods
where m.NbLinesOfCode > 30 && m.IsPublic
select m
A more sophisticated sample:
// UI layer shouldn't use directly DB types
warnif count > 0

// UI layer is made of types in namespaces using a UI framework
let uiTypes = Application.Namespaces.UsingAny(
Assemblies.WithNameIn("PresentationFramework", "System.Windows",
"System.Windows.Forms", "System.Web")
).ChildTypes()

// You can easily customize this line to define what are DB types.
let dbTypes = ThirdParty.Assemblies.WithNameIn("System.Data",
"EntityFramework", "NHibernate").ChildTypes()
.Except(ThirdParty.Types.WithNameIn(
"DataSet", "DataTable", "DataRow"))

from uiType in uiTypes.UsingAny(dbTypes)
let dbTypesUsed = dbTypes.Intersect(uiType.TypesUsed)
select new { uiType, dbTypesUsed }
The list of the thousands of built-in rules is available here.
- Among the various features, I noticed one for monitoring shifts in your code coverage and another to prevent code quality regression, but I have not had the chance to use them yet: http://codebetter.com/patricksmacchia/2013/02/07/ruling-code-quality-regression
With a professional auditor in front of us, it took him only 1 day to decompose our work and start giving us feedback. Within that same day, he managed to understand parts of our code better than our own developers! To do so, he used many tools ... including one called ... NDepend!
After eliminating many "false positives" (since he did not know the context of our project), we passed our audit with success and excellent grades!
As of today, I am using version 4.1.0.6871 (which includes a stand-alone version as well as VS 2010 and VS 2012 add-ins to work directly with your source code).
Have a great audit!
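As an added example (not from the original post nor from NDepend's built-in rule set), here is a CQLinq rule in the spirit of the two queries above that combines the layering idea with the regression feature just mentioned: it flags only methods added or changed since the baseline that use raw ADO.NET command types outside the data-access layer, which is where hand-built SQL strings (and thus injection risk) tend to creep in. The namespace pattern `\.Data`, the list of command types and the use of `WithNameLike`, `WithFullNameIn`, `WasAdded()` and `CodeWasChanged()` are assumptions about the audited project and the CQLinq API of this version.

```csharp
// <Name>New or changed code outside the data layer must not use raw ADO.NET commands</Name>
warnif count > 0

// Assumed: the project's data-access code lives in namespaces whose name contains ".Data"
let dalNamespaces = Application.Namespaces.WithNameLike(@"\.Data")

// Raw command types where hand-built SQL strings (and injection) usually appear;
// adjust this list to the data-access stack actually used in the project
let rawSqlTypes = ThirdParty.Types.WithFullNameIn(
    "System.Data.SqlClient.SqlCommand",
    "System.Data.Common.DbCommand",
    "System.Data.IDbCommand")

from m in Application.Methods.UsingAny(rawSqlTypes)
// Only flag code added or changed since the baseline, so legacy code does not
// block check-ins while the debt is paid down progressively
where (m.WasAdded() || m.CodeWasChanged())
   && !dalNamespaces.Contains(m.ParentNamespace)
let offendingTypes = rawSqlTypes.Intersect(m.TypesUsed)
select new { m, offendingTypes, m.NbLinesOfCode }
```

Because the rule starts with `warnif count > 0`, any match becomes a warning that the Software Factory can use to reject the check-in, exactly like the compulsory FxCop/StyleCop rules.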