.NET Day 2023: Clean as you Code: use Roslyn analyzers to focus on the code you modify

Transcript

1. ©2023, SonarSource S.A, Switzerland. Clean as You Code use Roslyn

   analyzers to focus on the code you modify Andrei EPURE 29.08.2023

2. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 2

3. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Me - Andrei Epure Developer

   Engineering Manager at ❤ clean code & team work 3

4. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Me - Mr. Evil Hacker

   .NET Day Switzerland 2022 4

5. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Agenda Why is Clean Code

   important Static Analysis Clean as You Code My experience at Sonar 5

6. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Tim Junior developer Tired of

   long feedback loops 6 © Håkan Dahlström

7. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Helen Senior developer Quality gatekeeper

   Busy 7 © Nataliya Vaitkevich

8. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 8 Helen, why do we

   need Clean Code? Because we want our software to be reliable, secure and maintainable.

9. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Why is Clean Code important

   for you? 9

10. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro For me: development and production

    10

11. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 11 https://stripe.com/files/reports/the-developer-coefficient.pdf 😢

12. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 12 “90% of reported security

    incidents result from exploits against defects in the design or code of software.” (U.S. Dept. of Homeland Security) https://www.cisa.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf

13. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 13 Helen, why is there

    so much technical debt? Our codebases are the best we could do on the day of the commit.

14. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro It worked on my machine

    Novice Standard Clean Code Professional Standard 14 Over time, you will learn to improve your standards.

15. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Helen 10 years ago Standard

    Clean Code Helen Today Standard 15 © Cory Denton from Saskatoon

16. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Do a code review of

    your code 10 years ago 16

17. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 17 Helen, how can I

    tell if my code is clean? Watch the reaction of your reviewers https://freesvg.org/troll-face

18. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Measure Clean Code? 18 https://www.osnews.com/story/19266/wtfsm/

19. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Tools Example project Measure Clean

    Code? 19

20. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Tools 20 FREE Com m

    unity FREE public projects FREE

21. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Developers write clean code Teams

    have a common standard 21 Tools

22. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Tools Who is using Roslyn

    analyzers? 22

23. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Sort(x => x.Downloads) xUnit.Analyzers -

    314M StyleCop.Analyzers - 108M Microsoft.Azure.Functions.Analyzers - 31M Microsoft.VisualStudio.Threading.Analyzers - 30M SonarAnalyzer.CSharp - 29M Microsoft.CodeAnalysis.NetAnalyzers - 21M 23

24. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro xUnit.Analyzers StyleCop.Analyzers - coding style

    Microsoft.Azure.Functions.Analyzers Microsoft.VisualStudio.Threading.Analyzers ❤ SonarAnalyzer.CSharp ❤ Microsoft.CodeAnalysis.NetAnalyzers - built in 24 Sort(x => x.Downloads)

25. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro ❤ SonarAnalyzer.CSharp ❤ 25

26. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 26 Helen, how do tools

    find problems in our code? They use static code analysis.

27. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Static Analysis Compiler framework APIs

    for analyzing code without executing it 27

28. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Static Analysis if (foo >

    5) Bar(); else Quix(); 28 https://edotor.net/

29. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro var foo = 4; if

    (foo > 5) Bar(); else Quix(); Static Analysis 29

30. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro var foo = 4; if

    (foo > 5) Bar(); else Quix(); Symbolic Execution 30 X

31. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 31 SQLMoney.cs (dotnet/runtime) https://github.com/dotnet/runtime/blob/45acd38/src/libra ries/System.Data.Common/src/System/Data/SQLTypes/SQ

    LMoney.cs#L150-L161 (MIT License) Symbolic Execution Example

32. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 32

33. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 33 sharplab

34. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 34 X

35. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 35 dotnet/runtime/issues/90741 sharplab

36. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 36 Taint analysis (SonarCloud /

    SonarQube DE+ only)

37. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 37 These tools are awesome!

    Yes, but knowing is not enough…

38. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro How can we clean our

    codebase? Knowing is not enough 38

39. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Challenges Deliver new functionality Risk

    of functional regression It can be boring 39

40. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Option 1: The Rewrite Things

    You Should Never Do 40 Knowing is not enough

41. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Option 2: The big refactor

    Things You Should Never Do 41 Knowing is not enough

42. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 42 Knowing is not enough

    Option 3: Clean as You Code

43. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Focus on New Code :

    added or modified Don’t (re)introduce new issues 43 Clean as You Code

44. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro The code is fresh The

    cost is ~0 44 Clean as You Code

45. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Clean as You Code after

    1 year after 2 years after 5 years 20% clean code 35% clean code 50% clean code today Your existing codebase gets progressively clean 45

46. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro New Code Definition • Pull

    Request / Commit • Versions • Number of days 46 Implementing Clean as You Code

47. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Implementing Clean as You Code

    47 Set up a Quality Gate on new code based on your standard (Quality Profile) Don’t merge unless it is green Don’t release unless it is green

48. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Clean as You Code DEMO

    Overall Code vs. New Code Pull Request integration SonarLint 48

49. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro 49 I learn as I

    code I can focus on more important things during code reviews

50. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro On average, 50% of code*

    gets changed within 3.33 years. *of large open-source projects on GitHub https://github.com/erikbern/git-of-theseus 50 Why does it work?

51. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Here’s SonarQube Years: 2010 to

    2023 Lines of Code (0 to 1 million) 51

52. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Here’s SonarQube added or modified

    in 2014 2014 52

53. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Here’s SonarQube Big delete (bye-bye

    ruby code) 53

54. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro At the beginning of 2018

    there were 1 million LOC Here’s SonarQube 2018 54

55. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Out of only 1 million

    LOC in 2018 less than 500K remain today Here’s SonarQube 55

56. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Clean as You Code after

    1 year after 2 years after 5 years 20% clean code 35% clean code 50% clean code today Your existing codebase gets progressively clean 56

57. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro My experience at Sonar We

    don’t merge PRs with red QG Red QG = broken build (slack notification) 57

58. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro My experience at Sonar Quality

    Profile Quality Gate - New Code: 95% ccov and no major issues - Overall code: no major bugs/vulnerabilities 58

59. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro My experience at Sonar In

    three years, for sonar-dotnet, we increased branch (conditional) coverage from 82% to 93% by using a Quality Gate at 95%. 59

60. 450+ C# Rules 30+ languages, frameworks, infra technologies rules.sonarsource.com is

    more 60 T-SQL COBOL and more…

61. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Clean as You Code =

    improve the code you touch: ◦ Set your common standard of clean code ◦ Ensure every commit achieves that standard ◦ Use static analysis to help consistently achieve it 61 Key takeaways Remember this!

62. ©2023, SonarSource S.A, Switzerland. Feedback form & slides: AndreiEpure.ro 62

63. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Extra slides 63

64. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro New issues always appear on

    the “overall code” (new rules, improved techniques). 64 My experience at Sonar

65. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Human code review cannot be

    replaced. 65 My experience at Sonar

66. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Part of Development 66

67. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Clean as You Code Happy

    that Roslyn analyzers exist because GenAI will produce a lot of code. 67

68. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Erik Bernhardsson - “The half-life

    of code & the ship of Theseus” (2016) 68

69. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Here’s SonarQube In 5 years,

    more than 50% of the code has been changed. 69

70. ©2023, SonarSource S.A, Switzerland. AndreiEpure.ro Software is the fruit of

    code software code 70