
.NET Day 2023: Clean as you Code: use Roslyn analyzers to focus on the code you modify

dotnetday
September 02, 2023


Clean code is crucial for ensuring the maintainability and scalability of software projects. However, it can be challenging for developers to improve the code quality of legacy codebases. In this session, Andrei will introduce the Clean as You Code approach, which empowers developers to take ownership of their code and meet high-quality standards. Using Roslyn analyzers and the open-source tool SonarQube, developers can focus on the code they modify and ensure that it adheres to Clean Code standards. By adopting this low-effort approach, developers can quickly identify and fix code issues, resulting in a cleaner codebase and improved software quality. Over time, by cleaning the code you modify, you improve the quality of the overall code and achieve a more maintainable, scalable, and high-quality codebase.


Transcript

  1. ©2023, SonarSource S.A, Switzerland.
    Clean as You Code
    use Roslyn analyzers to focus on the code you modify
    Andrei EPURE
    29.08.2023

  2. AndreiEpure.ro

  3. Me - Andrei Epure
    Developer
    Engineering Manager at
    ❤ clean code & team work

  4. Me - Mr. Evil Hacker
    .NET Day Switzerland 2022

  5. Agenda
    Why is Clean Code important
    Static Analysis
    Clean as You Code
    My experience at Sonar

  6. Tim
    Junior developer
    Tired of long feedback loops
    © Håkan Dahlström

  7. Helen
    Senior developer
    Quality gatekeeper
    Busy
    © Nataliya Vaitkevich

  8. Helen, why do we need Clean Code?
    Because we want our software to be reliable, secure and maintainable.

  9. Why is Clean Code important for you?

  10. For me: development and production

  11. https://stripe.com/files/reports/the-developer-coefficient.pdf
    😢

  12. “90% of reported security incidents result from exploits against defects in the design or code of software.” (U.S. Dept. of Homeland Security)
    https://www.cisa.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf

  13. Helen, why is there so much technical debt?
    Our codebases are the best we could do on the day of the commit.

  14. Novice standard: "It worked on my machine"
    Professional standard: Clean Code
    Over time, you will learn to improve your standards.

  15. Helen 10 years ago: Standard
    Helen today: Standard (Clean Code)
    © Cory Denton from Saskatoon

  16. Do a code review of your code 10 years ago

  17. Helen, how can I tell if my code is clean?
    Watch the reaction of your reviewers
    https://freesvg.org/troll-face

  18. Measure Clean Code?
    https://www.osnews.com/story/19266/wtfsm/

  19. Measure Clean Code?
    Tools
    Example project

  20. Tools
    FREE
    Community: FREE
    Public projects: FREE

  21. Tools
    Developers write clean code
    Teams have a common standard

  22. Tools
    Who is using Roslyn analyzers?

  23. Sort(x => x.Downloads)
    xUnit.Analyzers - 314M
    StyleCop.Analyzers - 108M
    Microsoft.Azure.Functions.Analyzers - 31M
    Microsoft.VisualStudio.Threading.Analyzers - 30M
    SonarAnalyzer.CSharp - 29M
    Microsoft.CodeAnalysis.NetAnalyzers - 21M

  24. Sort(x => x.Downloads)
    xUnit.Analyzers
    StyleCop.Analyzers - coding style
    Microsoft.Azure.Functions.Analyzers
    Microsoft.VisualStudio.Threading.Analyzers
    ❤ SonarAnalyzer.CSharp ❤
    Microsoft.CodeAnalysis.NetAnalyzers - built in

  25. ❤ SonarAnalyzer.CSharp ❤

  26. Helen, how do tools find problems in our code?
    They use static code analysis.

  27. Static Analysis
    Compiler framework
    APIs for analyzing code without executing it

  28. Static Analysis
    if (foo > 5)
        Bar();
    else
        Quix();
    https://edotor.net/

  29. Static Analysis
    var foo = 4;
    if (foo > 5)
        Bar();
    else
        Quix();

  30. Symbolic Execution
    var foo = 4;
    if (foo > 5)
        Bar();      // X: unreachable, foo is always 4
    else
        Quix();
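    Slides 27 to 30 describe the Roslyn APIs that let an analyzer reason about code without running it, and show the `var foo = 4; if (foo > 5)` case where one branch can never execute. The following is an added example, not code from the slides or from SonarAnalyzer.CSharp: a minimal Roslyn analyzer that reports an `if` whose outcome is already decided, first by asking the compiler for a constant value, and then by the small symbolic step the slide illustrates (a local initialised with a constant and never written again). It assumes a project referencing Microsoft.CodeAnalysis.CSharp; the rule id "DEMO0001" and the class name are placeholders, not Sonar rule ids.

```csharp
// Added example (not from the slides or SonarAnalyzer.CSharp). Assumes a reference to
// Microsoft.CodeAnalysis.CSharp; "DEMO0001" is a placeholder rule id.
using System.Collections.Immutable;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;
using Microsoft.CodeAnalysis.Diagnostics;

[DiagnosticAnalyzer(LanguageNames.CSharp)]
public sealed class KnownConditionAnalyzer : DiagnosticAnalyzer
{
    private static readonly DiagnosticDescriptor Rule = new DiagnosticDescriptor(
        id: "DEMO0001",
        title: "Condition is always the same",
        messageFormat: "This condition is always '{0}', so one branch can never run",
        category: "Demo",
        defaultSeverity: DiagnosticSeverity.Warning,
        isEnabledByDefault: true);

    public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
        ImmutableArray.Create(Rule);

    public override void Initialize(AnalysisContext context)
    {
        context.EnableConcurrentExecution();
        context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.None);
        // The compiler calls back for every `if` statement; nothing is executed.
        context.RegisterSyntaxNodeAction(AnalyzeIf, SyntaxKind.IfStatement);
    }

    private static void AnalyzeIf(SyntaxNodeAnalysisContext context)
    {
        var condition = ((IfStatementSyntax)context.Node).Condition;
        if (Evaluate(condition, context.SemanticModel) is bool known)
        {
            context.ReportDiagnostic(Diagnostic.Create(Rule, condition.GetLocation(), known));
        }
    }

    // Decides the condition from the code alone; null when it cannot.
    private static bool? Evaluate(ExpressionSyntax condition, SemanticModel model)
    {
        // Case 1: the compiler already folds it (`if (true)`, `if (5 > 4)`, const fields).
        var folded = model.GetConstantValue(condition);
        if (folded.HasValue && folded.Value is bool b)
        {
            return b;
        }
        // Case 2: `local <op> constant` where the local holds a single known int value
        // (the slide's `var foo = 4; if (foo > 5)`).
        if (condition is BinaryExpressionSyntax cmp
            && cmp.Left is IdentifierNameSyntax name
            && model.GetConstantValue(cmp.Right) is { HasValue: true, Value: int right }
            && model.GetSymbolInfo(name).Symbol is ILocalSymbol local
            && StableValueOf(local, model) is int left)
        {
            return cmp.Kind() switch
            {
                SyntaxKind.GreaterThanExpression => left > right,
                SyntaxKind.GreaterThanOrEqualExpression => left >= right,
                SyntaxKind.LessThanExpression => left < right,
                SyntaxKind.LessThanOrEqualExpression => left <= right,
                SyntaxKind.EqualsExpression => left == right,
                SyntaxKind.NotEqualsExpression => left != right,
                _ => (bool?)null,
            };
        }
        return null;
    }

    // The local's initial value when it is an int constant and nothing in the enclosing
    // member assigns, increments/decrements, or passes the local by ref/out.
    private static int? StableValueOf(ILocalSymbol local, SemanticModel model)
    {
        if (local.DeclaringSyntaxReferences.FirstOrDefault()?.GetSyntax()
                is not VariableDeclaratorSyntax declarator
            || declarator.Initializer is null)
        {
            return null;
        }
        var initial = model.GetConstantValue(declarator.Initializer.Value);
        if (!initial.HasValue || initial.Value is not int value)
        {
            return null;
        }
        var scope = declarator.FirstAncestorOrSelf<MemberDeclarationSyntax>();
        if (scope is null)
        {
            return null;
        }
        bool Writes(SyntaxNode target) =>
            SymbolEqualityComparer.Default.Equals(model.GetSymbolInfo(target).Symbol, local);

        bool written = scope.DescendantNodes().Any(n => n switch
        {
            AssignmentExpressionSyntax a => Writes(a.Left),
            PrefixUnaryExpressionSyntax p when p.IsKind(SyntaxKind.PreIncrementExpression)
                || p.IsKind(SyntaxKind.PreDecrementExpression) => Writes(p.Operand),
            PostfixUnaryExpressionSyntax p => Writes(p.Operand),
            ArgumentSyntax arg when arg.RefKindKeyword.IsKind(SyntaxKind.RefKeyword)
                || arg.RefKindKeyword.IsKind(SyntaxKind.OutKeyword) => Writes(arg.Expression),
            _ => false,
        });
        return written ? null : value;
    }
}
```

    Packaged as an analyzer, this runs in the IDE and on every build like any other Roslyn analyzer, so on the slide's snippet it flags `foo > 5` as always false; with warnings treated as errors the same finding breaks the local build, which is the client-side counterpart of the "red Quality Gate = broken build" rule described later in the deck. A production symbolic-execution engine tracks values through every assignment and branch instead of giving up at the first write, which is why the single-assignment shortcut here is only the first step.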

  31. Symbolic Execution Example
    SQLMoney.cs (dotnet/runtime)
    https://github.com/dotnet/runtime/blob/45acd38/src/libraries/System.Data.Common/src/System/Data/SQLTypes/SQLMoney.cs#L150-L161 (MIT License)

  32. (image only)

  33. sharplab

  34. X

  35. dotnet/runtime/issues/90741
    sharplab

  36. Taint analysis (SonarCloud / SonarQube DE+ only)

  37. These tools are awesome!
    Yes, but knowing is not enough…

  38. Knowing is not enough
    How can we clean our codebase?

  39. Challenges
    Deliver new functionality
    Risk of functional regression
    It can be boring

  40. Knowing is not enough
    Option 1: The Rewrite
    Things You Should Never Do

  41. Knowing is not enough
    Option 2: The big refactor
    Things You Should Never Do

  42. Knowing is not enough
    Option 3: Clean as You Code

  43. Clean as You Code
    Focus on New Code: added or modified
    Don’t (re)introduce new issues

  44. Clean as You Code
    The code is fresh
    The cost is ~0

  45. Clean as You Code
    Your existing codebase gets progressively clean
    today | after 1 year: 20% clean code | after 2 years: 35% clean code | after 5 years: 50% clean code

  46. Implementing Clean as You Code
    New Code Definition
    ● Pull Request / Commit
    ● Versions
    ● Number of days

  47. Implementing Clean as You Code
    Set up a Quality Gate on new code based on your standard (Quality Profile)
    Don’t merge unless it is green
    Don’t release unless it is green

  48. Clean as You Code
    DEMO
    Overall Code vs. New Code
    Pull Request integration
    SonarLint

  49. I learn as I code
    I can focus on more important things during code reviews

  50. Why does it work?
    On average, 50% of code* gets changed within 3.33 years.
    *of large open-source projects on GitHub
    https://github.com/erikbern/git-of-theseus

  51. Here’s SonarQube
    Years: 2010 to 2023
    Lines of Code (0 to 1 million)

  52. Here’s SonarQube
    added or modified in 2014

  53. Here’s SonarQube
    Big delete (bye-bye ruby code)

  54. Here’s SonarQube
    At the beginning of 2018 there were 1 million LOC

  55. Here’s SonarQube
    Of the 1 million LOC in 2018, less than 500K remain today

  56. Clean as You Code
    Your existing codebase gets progressively clean
    today | after 1 year: 20% clean code | after 2 years: 35% clean code | after 5 years: 50% clean code

  57. My experience at Sonar
    We don’t merge PRs with red QG
    Red QG = broken build (slack notification)

  58. My experience at Sonar
    Quality Profile
    Quality Gate
    - New Code: 95% ccov and no major issues
    - Overall code: no major bugs/vulnerabilities
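    Slides 46 and 47 define "new code" (here, the lines a pull request adds or modifies) and gate it, and slide 58 gives the concrete conditions used at Sonar. The following is an added example, not code from the slides, SonarQube or SonarCloud: it derives the new lines from a unified diff, keeps only the analyzer issues that land on those lines, and applies the slide 58 conditions, with the overall-code condition kept separate so a legacy bug fails the gate without being counted as "new". The diff, the issues, the coverage data and all types are constructed for the illustration; line coverage stands in for the slide's conditional coverage to keep the example short; it targets .NET 6 or later.

```csharp
// Added example (not from the slides, SonarQube or SonarCloud). The diff, issues,
// coverage data and types are constructed for the illustration. Targets .NET 6+.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public enum Severity { Minor, Major, Critical }
public enum IssueType { CodeSmell, Bug, Vulnerability }
public record Issue(string File, int Line, Severity Severity, IssueType Type, string Rule);
public record GateResult(bool Passed, IReadOnlyList<string> Failures);

public static class NewCodeGate
{
    // New code definition "pull request": the lines the diff adds or modifies,
    // located from unified-diff hunk headers (@@ -old,len +new,len @@).
    public static Dictionary<string, HashSet<int>> NewLines(string unifiedDiff)
    {
        var result = new Dictionary<string, HashSet<int>>();
        string file = "";
        int next = 0;        // number, in the new file, of the next '+' or context line
        bool inHunk = false;
        foreach (var raw in unifiedDiff.Split('\n'))
        {
            if (raw.StartsWith("diff ")) { inHunk = false; continue; }
            if (raw.StartsWith("+++ b/")) { file = raw.Substring(6).Trim(); result[file] = new HashSet<int>(); continue; }
            var hunk = Regex.Match(raw, @"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@");
            if (hunk.Success) { next = int.Parse(hunk.Groups[1].Value); inHunk = true; continue; }
            if (!inHunk || file.Length == 0) continue;
            if (raw.StartsWith("+")) { result[file].Add(next); next++; }   // added or modified line
            else if (raw.StartsWith(" ")) next++;                          // unchanged context line
            // '-' lines no longer exist in the new file and do not advance the counter.
        }
        return result;
    }

    // Slide 58's conditions: new code needs 95% coverage and no major issues;
    // the overall code must have no major bugs or vulnerabilities.
    public static GateResult Evaluate(IReadOnlyList<Issue> issues,
        Dictionary<string, HashSet<int>> newLines, Dictionary<string, HashSet<int>> coveredLines)
    {
        var failures = new List<string>();
        bool OnNewCode(Issue i) => newLines.TryGetValue(i.File, out var ls) && ls.Contains(i.Line);

        var majorOnNew = issues.Where(i => OnNewCode(i) && i.Severity >= Severity.Major).ToList();
        if (majorOnNew.Count > 0)
            failures.Add("major issues on new code: " +
                string.Join(", ", majorOnNew.Select(i => $"{i.File}:{i.Line} {i.Rule}")));

        int total = newLines.Values.Sum(s => s.Count);
        int covered = newLines.Sum(kv => kv.Value.Count(l =>
            coveredLines.TryGetValue(kv.Key, out var c) && c.Contains(l)));
        double pct = total == 0 ? 100.0 : 100.0 * covered / total;
        if (pct < 95.0) failures.Add($"coverage on new code is {pct:F1}%, below 95%");

        var overall = issues.Where(i => i.Type != IssueType.CodeSmell && i.Severity >= Severity.Major).ToList();
        if (overall.Count > 0)
            failures.Add("major bugs/vulnerabilities in overall code: " +
                string.Join(", ", overall.Select(i => $"{i.File}:{i.Line} {i.Rule}")));

        return new GateResult(failures.Count == 0, failures);
    }

    public static void Main()
    {
        // Constructed pull-request diff: three lines added to src/Orders.cs (new lines 12..14).
        const string diff = @"diff --git a/src/Orders.cs b/src/Orders.cs
--- a/src/Orders.cs
+++ b/src/Orders.cs
@@ -10,4 +10,6 @@
 public decimal Total(Order o)
 {
-    return o.Lines.Sum(l => l.Price);
+    var discount = 0;
+    if (discount > 5) ApplyDiscount(o);
+    return o.Lines.Sum(l => l.Price * l.Quantity);
 }";
        // Constructed analyzer output: one legacy bug on old code, two issues on the fresh lines.
        var issues = new List<Issue>
        {
            new("src/Orders.cs", 3, Severity.Major, IssueType.Bug, "legacy null dereference (constructed)"),
            new("src/Orders.cs", 13, Severity.Major, IssueType.CodeSmell, "condition always false (constructed)"),
            new("src/Orders.cs", 14, Severity.Minor, IssueType.CodeSmell, "naming (constructed)"),
        };
        // Constructed coverage report: line 13 (the dead branch) is never reached by tests.
        var covered = new Dictionary<string, HashSet<int>> { ["src/Orders.cs"] = new() { 10, 11, 12, 14, 15 } };

        var result = Evaluate(issues, NewLines(diff), covered);
        Console.WriteLine(result.Passed ? "Quality Gate: green" : "Quality Gate: red");
        foreach (var f in result.Failures) Console.WriteLine("  - " + f);
    }
}
```

    On the constructed input the gate is red for three reasons: the major issue on new line 13, 66.7% coverage on the three new lines, and the legacy bug on line 3 under the overall-code condition. The minor issue on line 14 and the fact that line 3 is old code do not by themselves block the merge, which is the point of gating new code separately: the author is held to the standard for what they touched, while only the most serious legacy findings stop a release.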

  59. My experience at Sonar
    In three years, for sonar-dotnet, we increased branch (conditional) coverage from 82% to 93% by using a Quality Gate at 95%.

  60. 450+ C# Rules
    30+ languages, frameworks, infra technologies
    rules.sonarsource.com
    is more
    T-SQL
    COBOL
    and more…

  61. Key takeaways: Remember this!
    Clean as You Code = improve the code you touch:
    ○ Set your common standard of clean code
    ○ Ensure every commit achieves that standard
    ○ Use static analysis to help consistently achieve it

  62. Feedback form & slides: AndreiEpure.ro

  63. Extra slides

  64. My experience at Sonar
    New issues always appear on the “overall code” (new rules, improved techniques).

  65. My experience at Sonar
    Human code review cannot be replaced.

  66. Part of Development

  67. Clean as You Code
    Happy that Roslyn analyzers exist because GenAI will produce a lot of code.

  68. Erik Bernhardsson - “The half-life of code & the ship of Theseus” (2016)

  69. Here’s SonarQube
    In 5 years, more than 50% of the code has been changed.

  70. Software is the fruit of code