.NET Static Analysis, Code Review, Unit Testing

Rule Management

Parasoft provides centralized management of organization-level and team-level policies for ensuring application security, reliability, performance, and maintainability as well as complying with FDA, DO-178, PCI, and other regulations. Policies are easily deployed and customized for specific projects without compromising the integrity of the corporate objectives. Policy management is centralized for simple access and policy application is automated for rapid scanning and reporting.

Organization/Team Policy Manager
Parasoft's policy manager provides a fast and easy way to ensure that policy enforcement is standardized both globally and locally. This can include a fixed set of organizational policies, as well as subsets of policies customized to suit the needs of specific projects and teams. Policy configurations for thousands of desktops can be implemented or updated once, then distributed to thousands of machines with a single click.

Rule Library
Each language-specific rule library (Java, C/C++, .NET, XML, etc.) provides configurable sets of hundreds of rules including specific (contextual) security rules. Parasoft's rule library is the most comprehensive in the industry, and is constantly being extended. To help developers understand and achieve the benefit that the rules deliver, we provide detailed documentation for each rule, including an explanation of the rule requirements and customizable enforcement parameters, the rationale behind the rule, a sample violation, and an explanation of how to bring code into compliance.

Rule Configuration/Parameterization
Since goals and technologies vary from project to project, Parasoft allows teams to customize the logic of library rules to suit the unique demands of specific projects and priorities. Rules are customized using GUI controls no coding or scripting is required. Moreover, rule names, descriptions, and severities can be matched to your organization's policies, establishing a fully-customized policy management and reporting interface.

Graphical Rule Wizard
In the event that certain internal policies cannot be matched to library rules, Parasoft's RuleWizard provides fast and easy ways to extend the rule set. Custom IL-level and C# rules can be built graphically or generated automatically by providing code that demonstrates a sample rule violation. This flexible framework supports definition of even the most complex policy requirements.

[ back to top ]

Workflow Management

Parasoft defines, automates, and monitors a workflow that improves development productivity and forms the foundation for a sustainable quality process. As quality tasks are defined and automated, process control guidelines are established to measure process progress as well as software quality. With monitorable quality gates and thresholds throughout the SDLC, your organization and team can track progress and ultimately improve the software development process.

Quality Process Definition
Quality processes and tasks are defined in the system and the workflow associated with the process is automated. The organization's expectations around quality tasks are visible and monitored. This significantly reduces the resources required to establish and maintain the quality process, resulting in increased team productivity.

Quality Process Metrics
Process control guidelines are established to measure both process progress and software quality. By establishing quality gates at specific points in the SDLC and establishing quality thresholds, organizations and teams gain the ability to track progress and ultimately improve the software development process.

Workflow Optimization

Tasks to support quality policies must be optimized so they can become an integral part of the team's existing workflow. The lack of automation, repeatability, or consistency will degrade any quality initiative that the organization intends to deploy. Parasoft optimizes the workflow to ensure that the quality process is both sustainable and scalable. For example:

• Routing each reported issue directly to the responsible developer and customizable issue prioritization both ensure that your most critical issues are addressed in a timely manner.
• Centralized configuration management to ensure that test configurations are applied consistently and can be updated effortlessly as priorities and processes evolve.
• Monitoring manual processes that require human intelligence, then converting them into automated processes relieves the team from having to repeat many manual efforts.

[ back to top ]

Issue Prioritization
Results are reported as a prioritized task list to help the team focus their attention and resources on the issues expected to have the greatest impact on quality. To ensure that the most critical policy violations are identified immediately and promptly resolved, Parasoft allows organizations to customize issue severities to match their unique project needs and priorities.

Context Suppression
Context-sensitive suppressions allow teams to prevent rules from firing under specific circumstances where they do not apply. This reduces the level of noise, ensuring that every violation reported is a real problem that should be fixed. Suppressions can be defined in the code to ensure they are always visible when code is reviewed and modified.

Regulatory Compliance

To help teams achieve and demonstrate regulatory compliance, we establish an in-line continuous quality process that ensures mandated practices are not only deployed across every stage of the SDLC, but also ingrained into the team's workflow.
Parasoft supports:

• FDA
• PCI DSS
• OWASP
• CWE/SANS
• SAMATE

After each test, a list of tasks required for compliance is generated and prioritized. The responsible developers are notified immediately, and their assigned tasks are distributed directly to their IDEs. Archived reports and trend graphs document validation efforts and quality improvements.

[ back to top ]

Parasoft's static analysis monitors whether code meets uniform expectations around security, reliability, performance, and maintainability—delivering real-time training based on corporate policy. By exposing structural errors and preventing entire classes of errors, this provides a foundation for producing solid code. Our static analysis includes static code analysis, data flow static analysis, and code metrics analysis. All are centrally managed and highly automated. Moreover, an automated framework is provided to ensure consistency across development languages, development teams, and third-party partners.

Parasoft's static code analysis monitors whether code follows industry-standard or customized rules for ensuring that code meets uniform expectations around security, reliability, performance, and maintainability. Over 15 years of research and development have gone into optimizing Parasoft's patented static code analysis engine and knowledge base. Our static code analysis solutions feature:

• A centralized, integrated system for automated monitoring of code compliance across heterogeneous environments (Java, C/C++, C#, VB.NET, JavaScript, etc.), core industry standards (WS-*, Section 508, FDA, PCI, MISRA, etc.), and organization-specific policies (security, branding, etc.).
• Rule sets that are the most comprehensive in the industry and are constantly being extended.
• Fast, easy ways to define and check custom rules that prevent application-specific errors from reoccurring and monitor adherence to organization-specific policies.
• Automated task assignment and customizable issue prioritization to ensure that the most critical issues are addressed in a timely manner.
• Extensive support for policy management, workflow management, and workflow optimization to facilitate code improvement without impeding project progress or team productivity.

The .NET quality solution includes 200+ rules that check compliance with Microsoft's ".NET Framework Design Guidelines." Additional sets of rules cover CLS Compliance, Object Oriented Metrics, and Security. In addition to rules that examine the IL code, We also provides rules that examine the C# source code; this enables us to check for many code issues that cannot be identified by IL-level analysis (for example, formatting issues, empty blocks, misuse of operators, etc.).

[ back to top ] Policy Enforcement
Parasoft's static code analysis can easily be configured to automatically monitor adherence to organization, team, and project policies for security, compliance, etc. The rule library includes hundreds of rules that deliver "out-of-the-box" monitoring of many common policy requirements. These static analysis rules can be customized as needed to match specific policy requirements, and the rule set can be rapidly extended to address even the most complex and unique requirements. Moreover, rule names, descriptions, and severities can be mapped to the organization's policies, establishing a fully-customized policy management and reporting interface.

Security
In addition to enforcing organizations' unique security policies, Parasoft automatically identifies common security vulnerabilities with the most comprehensive rule set in the industry. Our solutions are configured to deliver an instant assessment of compliance with PCI DSS section 6 security guidelines. This enables teams to rapidly assess the level of compliance—without spending time reading the PCI DSS specification and determining how the requirements translate to code. We also provide an automated assessment of your risks regarding the most critical application security vulnerabilities (as listed in the OWASP Top 10).

Expert Best Practices
Industry leaders have built an extensive knowledge base of guidelines for preventing the most serious and common software defects. Parasoft's static code analysis provides expert code feedback in seconds by automatically applying the wisdom of Microsoft experts and others. Identifying and fixing the reported violations improves code security, reliability, performance, and maintainability.

Technology Guidelines and Standards
To help developers understand and negotiate the unique pitfalls involved in working with certain technologies, Parasoft's static code analysis automatically monitors code compliance to technology-specific guidelines and standards. Parasoft's static code analysis provides out-of-the-box support for preventing mistakes related to common technologies/frameworks such as Microsoft's ".NET Framework Design Guidelines," CLS Compliance, and more. Moreover, our flexible static code analysis framework can easily be extended to support more specialized needs.

[ back to top ]

Regulatory Compliance Standards

To help teams achieve and demonstrate regulatory compliance, we establish an in-line continuous quality process that ensures mandated practices are not only deployed across every stage of the SDLC, but also ingrained into the team's workflow.

Our static code analysis enables teams to rapidly assess the level of compliance to various regulatory standards—without spending time reading the related specifications and determining how the requirements translate to code.

Parasoft supports:

• FDA
• PCI DSS
• OWASP
• CWE/SANS
• SAMATE

Moreover, our flexible static code analysis framework can easily be extended to support more specialized needs.

Each issue detected is prioritized, automatically correlated to the developer who introduced it, then distributed to his or her IDE with direct links to the problematic code. Eventually, developers start writing compliant code as a matter of habit. Moreover, through integration with the development infrastructure, results are correlated with requirements, bugs, and source code changes converting data into actionable information.

Archived reports and trend graphs document validation efforts and quality improvements.

Application-Specific Errors

Parasoft provides fast and easy ways to define custom static code analysis rules that prevent the recurrence of application-specific defects after a single instance has been found. By ensuring that the team does not make the same mistake twice, this significantly improves team productivity and product quality.

FxCop Support

dotTEST can run selected MS FxCop rules and report violations in the normal manner. The workflow with FxCop rules and violations is the same as the workflow with dotTEST static analysis rules.

StyleCop Support

dotTEST can run selected StyleCop C# rules and report violations in the normal manner. The workflow with StyleCop rules and violations is the same as the workflow with dotTEST static analysis rules.

Unused and Duplicate Code

Parasoft's static code analysis automatically detects and refactors both unused code and duplicate code. This results in a code base that is more maintainable and less error prone— enabling more rapid responses to changing requirements.

[ back to top ]

Parasoft's data flow analysis provides automated detection of runtime errors without requiring the software to actually be executed. This enables early and effortless detection of critical runtime errors that might otherwise take weeks to find. We statically simulate application execution paths which may cross multiple units, components, and files to identify paths that could trigger runtime errors such as resource leaks, SQL injections, and other security vulnerabilities. To simply defect analysis, a complete analyzed path trace for each potential defect is reported in the IDE, and automatic cross-links to code help users quickly jump to any point in the highlighted analysis path.

This ability to expose these errors without executing code is especially valuable for teams with legacy code bases lacking robust test suites or embedded code, where runtime analysis and detection of such errors is not effective or possible.

Static Detection of Complex Runtime Errors

Parasoft data flow analysis enables you to find potentially crash-causing defects such as NullReferenceExceptions and resource leaks without having to create, execute, or maintain test cases. This provides a fast and easy way to identify reliability and performance problems without having to actually execute the application.

Static Detection of Security Vulnerabilities

For security vulnerability detection, Parasoft's data flow analysis detects whether actual application execution paths could lead to injection vulnerabilities, XSS, exposure of sensitive data, and other vulnerabilities.

Legacy Code Audit

Parasoft's data flow analysis can be applied to a large code base for fast, effortless detection of complex runtime problems. This provides a practical way to identify critical problems in a large code base when testing resources are limited. Moreover, data flow helps you audit the effectiveness of your quality policies. If proper quality policies are in place, no problems should be reported by data flow analysis. An issue detected by data flow analysis indicates that the quality policy was not comprehensive enough or was not applied properly.

[ back to top ]

Parasoft's code metrics analysis calculates a customizable set of industry-standard metrics, as well as identifies specific pieces of code that exceed industry-standard or customized metrics thresholds. This helps organizations identify brittle or overly-complex code that could impede agility or reuse.

Calculation

Parasoft's metrics calculation capability provides organizations visibility into code complexity and the potential impacts of an anticipated code change. This enables them to make more informed decisions as to how to modify, refactor, and test it. Metrics calculations provided include Cyclomatic Complexity, Inheritance Depth, Nested Block Depth, and more.

Limit-Based Analysis

Parasoft enables organizations to customize the boundaries and thresholds for available metrics so that team members are alerted when metrics are outside of the prescribed range. Leveraging this automation, the team is freed to focus on analyzing and improving the problematic code-tasks that truly require human intelligence.

[ back to top ]

Automated Code Review

Parasoft's automated code analysis checks code as it is written to prevent entire classes of errors and ensure that code meets uniform expectations around security, reliability, performance, and maintainability. This typically relieves developers from having to perform line-by-line inspections during peer code reviews, freeing them to focus on higher-level analyses that require human intelligence. With automated checking for compliance to the team's and organization's development policies, the team can begin code reviews by discussing interesting findings from the automated code analysis results, then move on to examining design, algorithmic, and implementation issues. This aspect of the peer code review is supported by Parasoft's code review capability, which automatically identifies updated code, matches the code with designated reviewers, and tracks the progress of each review item until closure. By automating critical workflow components, the team gains more time to focus on inspecting and improving the code.

Peer Code Review

Parasoft automates and manages the peer code review workflow. Our code review capability-which automates preparation, notification, and tracking of peer code reviews-addresses the known shortcomings of this very powerful inspection method. It automatically identifies updated code by scanning the source control system or the local file system, matches the code with designated reviewers, and tracks the progress of each review item until closure. This allows teams to establish a bulletproof review process where all new code gets reviewed and all identified issues are resolved.

Teams who prefer to review only the the most dangerous segments of their code (for example, the most security-sensitive or deadlock-prone areas of the code base) can easily set up such focused reviews using the flexible configuration options.

[ back to top ]

Workflow
For a code review process to be sustainable and successful, it’s essential that the workflow be as natural and unobtrusive as possible. That’s why Parasoft engineered an automated peer code review workflow where developers simply check in code as normal, then review packages are prepared automatically and distributed to the appropriate reviewer’s IDE. The only added work is the actual peer review—a creative process that cannot, and should not, be automated.

Parasoft provides built-in support for the following typical code review flows:

• Post-commit code review: This mode is based on automatic identification of code changes in a source repository via custom source control interfaces. Code review tasks are created based on a preconfigured mapping of changed code to reviewers.
• Pre-commit code review: Users can initiate a code review from the desktop by selecting a set of files to distribute for the review, or automatically identify all locally changed source code.

Contextual Analysis
Although automated code analysis can identify many issues related to security, reliability, performance, and maintainability, it cannot detect functional defects: instances where the code is not doing what it’s supposed to do. This high-level error detection can only be achieved when the human brain analyzes code in the context of its requirements and available test cases. Parasoft aggregates these artifacts, reducing the barrier to entry for this irreplaceable analysis.

Monitoring
For a code review process to stay on track, it needs to be measured and actively monitored. That’s why Parasoft automates the process and connects it to Parasoft's reporting system — providing objective answers to questions such as:

• Are reviews being performed?
• Are identified issues actually being resolved?
• How is the code review impacting team productivity and application quality?

[ back to top ]

Parasoft delivers a complete framework to create, manage, and extract greater value from unit tests. We help you exercise and test an incomplete system enabling you to identify problems when they are least difficult, costly, and time-consuming to fix. This reduces the length and cost of downstream processes such as debugging. Moreover, since all tests are written at the unit level, the test suite can be run independent of the complete system. This allows you to isolate code behavior changes, reduces setup complexities, and makes it practical.

Test Creation

To facilitate standardized testing and quality processes, our patented technologies automatically generate extensible, reusable test cases. These test cases not only expose potential reliability problems, but also capture the code's current behavior to establish a baseline for regression testing. You can incrementally improve the test suite's intelligence and value by extending the generated test cases. Collectively, these test cases establish a safety net that alerts you when modifications impact application behavior.

Test Creation Options
There are two main ways to create unit tests with dotTEST:

• Unit Test Genie: Allows you to generate specific object factory methods and test scenarios by interacting with dotTEST wizards. You can control precisely what objects and test scenarios are generated.
• Non-Interactive Test Case Generation: Allows you to create a large number of tests with minimal time and effort. This is especially useful for achieving high code coverage and establishing a regression baseline.

Regression Baseline
If your team has a large code base with minimal tests or no tests, the fastest route to regression testing is to automatically generate a regression test suite that captures the code's current behavior and then run it daily to determine if code modifications break existing functionality. To help you achieve this, we scan the project code base, then automatically generate a baseline set of unit test cases that capture the code's current behavior. Then, we establish a continuous regression testing process which ensures that the impacts of code modifications are identified and addressed daily, and the test suite stays in synch with the evolving application. This provides a safety net that helps developers rapidly change code with confidence, which is especially critical for teams working on complex and constantly-evolving applications.

Exception Detection
By using corner case conditions, automatically-generated test cases check responses to unexpected inputs, exposing potential reliability problems.

The generated unit tests directly correlate tests to source code, which improves error identification and diagnosis, and allows developers to run these test cases without having to depend on access to the production environment or set up a complex staging environment. This facilitates collaboration between QA and Development: QA can provide developers traced test sessions with code-level test results, and these tests help developers identify, understand, and resolve the problematic code.

[ back to top ]

Test Optimization

Parasoft provides a variety of technologies to help you extend your manually-defined and automatically-generated test cases, enabling you to increase their value with minimal effort.

Easy Extension
Parasoft automatically generates complete tests, including test drivers and test cases for individual methods/functions, in industry-standard xUnit formats. Developers can rapidly add additional tests (for verifying specific functionality and/or increasing coverage) by extending the automatically-generated tests. This allows developers to extend the test suite while writing a minimal amount of code.

Stub Creation and Management
Parasoft can automatically stub out calls to external resources or problematic methods/functions within the source code base. This relieves developers from having to write extensive stubs or mock objects from scratch. Using automatically-generated stub templates, you can define your own stubs for automatically-generated or user-defined test cases.

Test Case Parameterization
Test Case Parameterization automates the process of reusing a test with different sets of data. This allows teams to increase the amount of testing and coverage with very little effort.

Data-Driven Test Cases
Parasoft can use values from any of the following types of data sources for test case inputs as well as data validation:

• CSV files
• Databases
• Excel spreadsheets
• Tables created in (or copied into) the internal table editor.
• File

[ back to top ]

Extended Execution Environment

Extended Execution Environment
Parasoft's extended execution environment centralizes execution and enhances reporting for all of your automatically-generated and manually-written xUnit-format unit test cases.

Error Assignment and Distribution
To promote fast remediation, each test failure or exception detected is prioritized, assigned to the developer who introduced the problem, and distributed to his or her IDE with direct links to the problematic code.

Debugger Integration
Developers can step through test cases with a debugger to better examine the code's internal state during a given test. For example, they might want to debug test cases to learn more about why an unexpected outcome was reported, or to determine why a test case failed.

Coverage Analysis
Parasoft's centralized reporting of coverage metrics helps teams gauge test suite efficacy and completeness, as well as demonstrate compliance with test and validation requirements. Coverage is reported in percentages as well as graphically displayed via source code that is annotated with line-by-line coverage details. Parasoft can automatically track the code coverage achieved for any level and type of testing—including application-level tests driven by manual tests or scripts, as well as unit and component tests.

Execution in the Context of the Application
One of the greatest challenges in writing unit tests is that many of the objects require the complete context of the application to get created and behave correctly. For example, tests may require the values of some static variables, environment variables, or some resources to be put in a certain state. You may also need to call methods on some of the objects/types provided by the application to establish the proper context for your test. Stubs and mock objects can be used to test such objects, but tests that use them can be difficult to understand and maintain—and they might not be testing realistic class behavior.

In response to these challenges, dotTEST allows you to run unit tests in the context of your application. This provides the following benefits:

• You can write very realistic and maintainable unit tests. You can create and access objects that are not available easily while using other unit testing frameworks.
• There is no need to create special frameworks such as "plugin" tests for your application.
• You can use this to test add-ins and plug-ins to tools such as Microsoft Office.
• You can easily run any subset of the tests and take advantage of dotTEST's reporting capabilities.
• While you are focusing on a single class or a small set of classes for testing, you are still testing it the way it gets used in practice.

.NET Compact Framework Testing

Developers of .NET Compact Framework applications are often forced to run their unit tests against the .NET Framework (non-compact version) on their PC machines. As a result, their tests are not realistic and test maintenance is difficult. This is because many parts of the API are different than their counterparts in the standard framework. Moreover, the .NET Compact Framework has different functionality for various devices—complicating the developing of portable applications and requiring much manual testing.

Addressing these challenges, dotTEST allows you to run unit tests directly on a device. This provides the following benefits:

• You can write very realistic unit tests because code runs against the .NET CF, which accurately represents realistic application behavior.
• You can automatically check your code against any device or emulator that supports Windows Mobile Device Center (Active Sync) communication.
• You can access an API, such as native API, which is available for a particular device only.

Test Driven Development (TDD)

Parasoft supports Test Driven Development with many different capabilities: both automated and assistive. In general, an organization can specify any sequence of development tasks—including writing a test for each requirement—within Parasoft Concerto. The preferred sequences of tasks are defined as "policy" and Parasoft Concerto enforces the desired behavior via a process (or exception-based task notification system). In other words, if developers perform the expected actions (as defined by the policy), then the system remains passive and does not bother them. Notifications are generated only when actions don't align with policy expectations.

For details, see the white paper Test Driven Development with Parasoft Concerto.

[ back to top ]

Parasoft's robust reporting capabilities not only promote rapid defect resolution, but also support an auditable quality process by providing complete visibility into the team's efforts.

Reports

After each test/analysis run, Parasoft can automatically generate and e-mail role-based reports to managers, team leads, and developers. Reports are available in HTML, PDF, and custom format, and can be easily configured via GUI controls or an options file. Reports can include the high level of detail required for a truly auditable process; for example:

• Pass/fail summary of code analysis and test results
• Expanded test output with pass/fail status of individual tests
• A list of analyzed files
• A list of policies checked
• A code coverage summary
• Full code listings with color-coding of all code coverage results
• Trend graphs for key metrics

Task Distribution

If any developer action is required (fix static analysis violations, address test failures, respond to code review suggestions, etc.), a task is generated, prioritized, and assigned to the developer who wrote the related code. The task is then distributed to the assigned developer's IDE with full data, cross-links to the related code, and a description explaining how to approach the assigned task. An e-mail notification alerts the developer to the assigned tasks.

Dashboards

Interactive Web-based dashboards with drill-down capability allow teams to track project status and trends based on results from Parasoft technologies as well as key process metrics (e.g., from source control, bug tracking, build, and requirements management systems). It correlates data from these sources to provide comprehensive and objective insight into application quality, team productivity, and project risk factors.

[ back to top ]

OS

• Windows 7, Windows Vista, Windows XP or Windows 2003 Server

IDEs

• Visual Studio 2010, 2008, 2005

Frameworks

• .NET Framework 2.0, 3.0, 3.5, 4
• .NET Compact Framework 2.0, 3.5
• Windows Mobile 5 and 6, Windows CE

Source Control

• AccuRev SCM
• Borland StarTeam
• CVS
• IBM/Rational ClearCase
• Microsoft Team Foundation Server (2005, 2008)
• Microsoft Visual SourceSafe
• Perforce SCM
• Serena Dimensions
• Subversion (SVN)
• Telelogic Synergy
• Git

[ back to top ]