Static code analysis with NDepend

Whether you’re working on a small or big project, it can be hard to measure the quality of your code. Sometimes you’ll just add a temporary fix, and suddenly “temporary” has become “permanent”. Maybe you have multiple people working on the same project, someone mistakenly assumes that the temporary fix is the correct way of doing things, and the Broken Windows Theory starts kicking in. Suddenly you’ve accumulated technical debt, but you’re not really sure where to begin fixing your code.

Enter static code analyzers. One of those is NDepend, which specializes in .NET code. With NDepend you can scan your source code and get information about the level of technical debt your code has through different metrics. It can provide you with an ETA of how long it will take to pay off your debt to reach an acceptable level and will also pinpoint where the pressing matters are. It will flag critical issues, “code smells” and quality gates, which are self-determined levels that you want NDepend to warn you about.

Disclaimer: I have been gifted an NDepend license to test out in order to share my thoughts and experiences around working with the tool.

Example

I ran the NDepend analysis on one of the most long-running solutions we have in our project (15+ years). It’s an old WinForms application with little to no separation of business logic from the UI layer. Here’s the resulting dashboard from this:

Analysis results from an NDepend scan.

As you can see, it gives me a percentage score of how much technical debt I have and gives me a rating. I can also click on the percentage score to see specifically where that debt resides.

Debt and Issues per Rule.

You also have “Quality gates”, which are thresholds that you define yourself for when NDepend should warn you about rising issues. This could be a percentage of code coverage that you’ve set for your project.

You can also check what kind of issues and warnings you have under each category, like “Code smells”, Security, Dead Code and Naming Conventions.

Categories under the Queries and Rules Explorer.

Lastly, you can also get a dependency graph of your solution from Extensions -> NDepend -> Dependency Graph in Visual Studio.

Dependency graph of our project.

The report also shows “Issues” for the project. NDepend spits out thousands of issues on your legacy project; this is normal but inconvenient. When you start changing your code and re-analyze, NDepend will use your first analysis result as a baseline and will show new and fixed issues (since the baseline), which makes it practical to prioritize and fix issues.

Legacy project vs. new project

Using a static code analyzer is great for legacy projects for many reasons, one of them being the one I stated above. Also, say that you’ve inherited a legacy application with little to no documentation which struggles with performance. This tool would be a great way to try to map where you would begin refactoring.

For new projects, this is a great way to make sure that you get off on the right foot and uphold a certain code quality. I forgot to mention that you can also track these metrics over time through trend charts.

CI Integration

NDepend also offers integration with CI/CD platforms such as Azure DevOps Server, Azure DevOps Services, TeamCity and more. For Azure DevOps, all you need to do is add the NDepend Build task to your pipeline, which will analyse the code and provide the same metrics as shown above directly from Azure DevOps.

You can also access the NDepend dashboard from Azure DevOps at any time, which will show the current state of technical debt, code size, etc.

Integration with Azure DevOps (TFS).

Final thoughts

Currently in my project we are talking about paying off some technical debt in our legacy code. I am definitely going to pitch this tool to aid us in that process. There are a lot more options in NDepend that I recommend that you check out. They have a free 14-day trial that you can take for a spin here.
