Slide 1

©2023, SonarSource S.A, Switzerland. Clean as You Code: use Roslyn analyzers to focus on the code you modify. Andrei EPURE, 29.08.2023

Slide 2

AndreiEpure.ro

Slide 3

Me - Andrei Epure
Developer, Engineering Manager at Sonar
❤ clean code & team work

Slide 4

Me - Mr. Evil Hacker (.NET Day Switzerland 2022)

Slide 5

Agenda
- Why is Clean Code important
- Static Analysis
- Clean as You Code
- My experience at Sonar

Slide 6

Tim, junior developer: tired of long feedback loops. (Photo © Håkan Dahlström)

Slide 7

Helen, senior developer: quality gatekeeper, busy. (Photo © Nataliya Vaitkevich)

Slide 8

Helen, why do we need Clean Code?
Because we want our software to be reliable, secure and maintainable.

Slide 9

Why is Clean Code important for you?

Slide 10

For me: development and production

Slide 11

https://stripe.com/files/reports/the-developer-coefficient.pdf 😢

Slide 12

“90% of reported security incidents result from exploits against defects in the design or code of software.” (U.S. Dept. of Homeland Security)
https://www.cisa.gov/sites/default/files/publications/infosheet_SoftwareAssurance.pdf

Slide 13

Helen, why is there so much technical debt?
Our codebases are the best we could do on the day of the commit.

Slide 14

Novice Standard: "It worked on my machine"
Professional Standard: Clean Code
Over time, you will learn to improve your standards.

Slide 15

Helen 10 years ago: Standard. Helen today: Standard. Clean Code. (Photo © Cory Denton from Saskatoon)

Slide 16

Do a code review of your code from 10 years ago

Slide 17

Helen, how can I tell if my code is clean?
Watch the reaction of your reviewers. (https://freesvg.org/troll-face)

Slide 18

Measure Clean Code? https://www.osnews.com/story/19266/wtfsm/

Slide 19

Measure Clean Code? Tools; example project

Slide 20

Tools: FREE (Community), FREE for public projects, FREE

Slide 21

Tools: developers write clean code; teams have a common standard

Slide 22

Tools: Who is using Roslyn analyzers?

Slide 23

Sort(x => x.Downloads)
- xUnit.Analyzers - 314M
- StyleCop.Analyzers - 108M
- Microsoft.Azure.Functions.Analyzers - 31M
- Microsoft.VisualStudio.Threading.Analyzers - 30M
- SonarAnalyzer.CSharp - 29M
- Microsoft.CodeAnalysis.NetAnalyzers - 21M

Slide 24

Sort(x => x.Downloads)
- xUnit.Analyzers
- StyleCop.Analyzers - coding style
- Microsoft.Azure.Functions.Analyzers
- Microsoft.VisualStudio.Threading.Analyzers
- ❤ SonarAnalyzer.CSharp ❤
- Microsoft.CodeAnalysis.NetAnalyzers - built in

Slide 25

❤ SonarAnalyzer.CSharp ❤

Slide 26

Helen, how do tools find problems in our code?
They use static code analysis.

Slide 27

Static Analysis: compiler framework APIs for analyzing code without executing it

Slide 28

Static Analysis

    if (foo > 5) Bar(); else Quix();

(graph drawn with https://edotor.net/)

Slide 29

Static Analysis

    var foo = 4;
    if (foo > 5) Bar(); else Quix();

Slide 30

Symbolic Execution

    var foo = 4;
    if (foo > 5) Bar(); else Quix();

X (the `Bar()` branch is never reached)
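The progression on slides 27 to 30 (syntax tree, then semantic binding, then tracking the value of `foo` to decide the branch) can be reproduced with the same compiler APIs Roslyn analyzers use. The program below is an added example, not code from the talk or from SonarAnalyzer.CSharp: it parses the slide's snippet, binds it with a `SemanticModel`, records locals that are initialised from an integer literal and never written again, and reports every `if` whose condition is fixed under that state. It assumes the `Microsoft.CodeAnalysis.CSharp` NuGet package is referenced; the class and method wrapper around the snippet is constructed so that it compiles.

```csharp
// Added example (not from the slides): a tiny symbolic-execution pass built on
// the Roslyn compiler APIs. Assumes a reference to Microsoft.CodeAnalysis.CSharp.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

static class ConstantConditionFinder
{
    // Constructed input: the snippet from slides 29-30, wrapped in a class so it compiles.
    const string Source = @"
class C
{
    void Bar() { }
    void Quix() { }
    void M()
    {
        var foo = 4;
        if (foo > 5) Bar(); else Quix();
    }
}";

    static void Main()
    {
        var tree = CSharpSyntaxTree.ParseText(Source);
        var compilation = CSharpCompilation.Create("demo",
            new[] { tree },
            new[] { MetadataReference.CreateFromFile(typeof(object).Assembly.Location) });
        foreach (var finding in Analyze(tree, compilation.GetSemanticModel(tree)))
            Console.WriteLine(finding);
    }

    // Returns one message per `if` whose outcome follows from constant locals.
    public static List<string> Analyze(SyntaxTree tree, SemanticModel model)
    {
        var root = tree.GetRoot();

        // Step 1: the symbolic state. A local initialised with an int literal and
        // never written afterwards is known exactly (foo = 4 on the slide).
        var known = new Dictionary<ISymbol, int>(SymbolEqualityComparer.Default);
        foreach (var decl in root.DescendantNodes().OfType<VariableDeclaratorSyntax>())
        {
            if (decl.Initializer?.Value is LiteralExpressionSyntax lit
                && lit.Token.Value is int value
                && model.GetDeclaredSymbol(decl) is ILocalSymbol local
                && !IsWritten(root, model, local))
            {
                known[local] = value;
            }
        }

        // Step 2: evaluate each `if` condition under that state; a decided
        // condition means one branch can never execute.
        var findings = new List<string>();
        foreach (var ifStmt in root.DescendantNodes().OfType<IfStatementSyntax>())
        {
            if (TryEvaluate(ifStmt.Condition, model, known) is bool outcome)
            {
                var line = ifStmt.GetLocation().GetLineSpan().StartLinePosition.Line + 1;
                var dead = outcome ? "else" : "then";
                findings.Add($"line {line}: condition '{ifStmt.Condition}' is always " +
                             $"{(outcome ? "true" : "false")}; the '{dead}' branch is dead code");
            }
        }
        return findings;
    }

    // Conservative write detection: any assignment or unary operator applied to the
    // local disqualifies it (ref/out arguments are not handled in this toy).
    static bool IsWritten(SyntaxNode root, SemanticModel model, ILocalSymbol local)
    {
        bool Targets(ExpressionSyntax e) =>
            SymbolEqualityComparer.Default.Equals(model.GetSymbolInfo(e).Symbol, local);
        return root.DescendantNodes().Any(n =>
            n is AssignmentExpressionSyntax a && Targets(a.Left)
            || n is PrefixUnaryExpressionSyntax pre && Targets(pre.Operand)
            || n is PostfixUnaryExpressionSyntax post && Targets(post.Operand));
    }

    // Minimal evaluator: int literals, known locals and the relational operators.
    static bool? TryEvaluate(ExpressionSyntax expr, SemanticModel model, Dictionary<ISymbol, int> known)
    {
        if (expr is not BinaryExpressionSyntax bin) return null;
        if (TryInt(bin.Left, model, known) is not int l || TryInt(bin.Right, model, known) is not int r) return null;
        return bin.Kind() switch
        {
            SyntaxKind.GreaterThanExpression => l > r,
            SyntaxKind.GreaterThanOrEqualExpression => l >= r,
            SyntaxKind.LessThanExpression => l < r,
            SyntaxKind.LessThanOrEqualExpression => l <= r,
            SyntaxKind.EqualsExpression => l == r,
            SyntaxKind.NotEqualsExpression => l != r,
            _ => (bool?)null,
        };
    }

    static int? TryInt(ExpressionSyntax expr, SemanticModel model, Dictionary<ISymbol, int> known)
    {
        if (expr is LiteralExpressionSyntax lit && lit.Token.Value is int v) return v;
        if (expr is IdentifierNameSyntax id
            && model.GetSymbolInfo(id).Symbol is ILocalSymbol local
            && known.TryGetValue(local, out var k)) return k;
        return null;
    }
}
```

Run as a console project with the package referenced; for the slide's snippet it reports that `foo > 5` is always false and that the `then` branch calling `Bar()` is dead. The point of the two steps is the one the slides make: the syntax tree alone cannot decide the branch, the semantic model lets you find out what `foo` refers to, and only tracking its value (the symbolic state) lets the analyzer say which branch is unreachable. A real engine generalises the state to ranges and constraints and follows every path, which is where dead branches, null dereferences and similar bugs are found.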

Slide 31

Symbolic Execution Example: SQLMoney.cs (dotnet/runtime)
https://github.com/dotnet/runtime/blob/45acd38/src/libraries/System.Data.Common/src/System/Data/SQLTypes/SQLMoney.cs#L150-L161 (MIT License)

Slide 32

Slide 33

sharplab

Slide 34

X

Slide 35

dotnet/runtime/issues/90741
sharplab

Slide 36

Taint analysis (SonarCloud / SonarQube DE+ only)

Slide 37

These tools are awesome!
Yes, but knowing is not enough…

Slide 38

Knowing is not enough: how can we clean our codebase?

Slide 39

Challenges
- Deliver new functionality
- Risk of functional regression
- It can be boring

Slide 40

Knowing is not enough. Option 1: The Rewrite ("Things You Should Never Do")

Slide 41

Knowing is not enough. Option 2: The big refactor ("Things You Should Never Do")

Slide 42

Knowing is not enough. Option 3: Clean as You Code

Slide 43

Clean as You Code
- Focus on New Code: added or modified
- Don’t (re)introduce new issues

Slide 44

Clean as You Code
- The code is fresh
- The cost is ~0

Slide 45

Clean as You Code: your existing codebase gets progressively clean
- today
- after 1 year: 20% clean code
- after 2 years: 35% clean code
- after 5 years: 50% clean code

Slide 46

Implementing Clean as You Code: New Code Definition
● Pull Request / Commit
● Versions
● Number of days

Slide 47

Implementing Clean as You Code
- Set up a Quality Gate on new code based on your standard (Quality Profile)
- Don’t merge unless it is green
- Don’t release unless it is green
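Slides 43 to 47 describe the mechanism: define what "new code" is (here, the lines a pull request adds or modifies), run the analyzers, and let only issues on those lines turn the gate red. The program below is an added example, not the talk's code and not how SonarQube or SonarCloud implement their gate: it intersects a unified diff with warnings in MSBuild's diagnostic line format (what `dotnet build` prints for analyzer findings) and fails when any warning lands on new code. The diff, the build log lines and the rule ids (`XX0001` and so on) are constructed placeholders; in CI you would feed it the output of `git diff <base>...HEAD -U0` and the real build log.

```csharp
// Added example (not from the slides): a minimal "new code" quality gate that
// keeps only analyzer warnings on lines the change added or modified.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

static class NewCodeGate
{
    // Constructed diff (git diff -U0 style: no context lines) touching two files.
    const string Diff = @"
diff --git a/src/Orders.cs b/src/Orders.cs
--- a/src/Orders.cs
+++ b/src/Orders.cs
@@ -40,0 +41,3 @@
+        var total = 0;
+        if (total > 5) Ship(); else Hold();
+        var unused = 1;
diff --git a/src/Legacy.cs b/src/Legacy.cs
--- a/src/Legacy.cs
+++ b/src/Legacy.cs
@@ -10 +10 @@
-    public static int X;
+    public static int X = 0;
";

    // Constructed analyzer output in MSBuild's `file(line,col): warning ID: message` format.
    // Rule ids are hypothetical placeholders, not real Sonar or Roslyn rule ids.
    static readonly string[] BuildLog =
    {
        "src/Orders.cs(42,13): warning XX0001: Condition is always false [src/App.csproj]",
        "src/Orders.cs(43,13): warning XX0002: Remove the unused local 'unused' [src/App.csproj]",
        "src/Legacy.cs(200,5): warning XX0003: Old issue on untouched code [src/App.csproj]",
        "src/Legacy.cs(10,5): warning XX0001: Public fields should be properties [src/App.csproj]",
    };

    public record Issue(string File, int Line, string Rule, string Message);

    static readonly Regex DiagnosticPattern = new Regex(
        @"^(?<file>[^(]+)\((?<line>\d+),\d+\): warning (?<rule>\w+): (?<msg>.*?)(?: \[.*\])?$");

    // New Code Definition used here: every line that appears as '+' in the diff.
    // Hunk headers `@@ -a,b +c,d @@` give the starting line on the new side.
    public static Dictionary<string, HashSet<int>> NewLines(string diff)
    {
        var result = new Dictionary<string, HashSet<int>>();
        var file = "";
        var next = 0;
        foreach (var raw in diff.Split('\n'))
        {
            var line = raw.TrimEnd('\r');
            if (line.StartsWith("diff --git")) file = "";
            else if (line.StartsWith("+++ b/")) { file = line.Substring(6); result[file] = new HashSet<int>(); }
            else if (line.StartsWith("@@")) next = int.Parse(Regex.Match(line, @"\+(\d+)").Groups[1].Value);
            else if (file.Length == 0 || line.Length == 0) continue;
            else if (line.StartsWith("+")) { result[file].Add(next); next++; } // added or modified line
            else if (!line.StartsWith("-")) next++;                             // unchanged context line
        }
        return result;
    }

    public static List<Issue> ParseIssues(IEnumerable<string> log) =>
        log.Select(l => DiagnosticPattern.Match(l))
           .Where(m => m.Success)
           .Select(m => new Issue(m.Groups["file"].Value, int.Parse(m.Groups["line"].Value),
                                  m.Groups["rule"].Value, m.Groups["msg"].Value))
           .ToList();

    // The gate: an issue blocks only when it sits on a line this change added or modified.
    // Issues elsewhere still exist in the overall code but do not stop the merge.
    public static List<Issue> IssuesOnNewCode(string diff, IEnumerable<string> log)
    {
        var fresh = NewLines(diff);
        return ParseIssues(log)
            .Where(i => fresh.TryGetValue(i.File, out var lines) && lines.Contains(i.Line))
            .ToList();
    }

    static int Main()
    {
        var blocking = IssuesOnNewCode(Diff, BuildLog);
        foreach (var i in blocking)
            Console.WriteLine($"NEW CODE {i.File}:{i.Line} {i.Rule} {i.Message}");
        Console.WriteLine(blocking.Count == 0
            ? "Quality gate: green"
            : $"Quality gate: red ({blocking.Count} issue(s) on new code)");
        return blocking.Count == 0 ? 0 : 1; // non-zero exit code fails the pipeline step
    }
}
```

With the constructed input the gate is red: the two warnings on the lines added to `Orders.cs` count, and so does the warning on line 10 of `Legacy.cs` because that line was modified (a touched line is new code, which is how "don't (re)introduce" issues is enforced). The old warning on line 200 of `Legacy.cs` is ignored, which is the whole point of slides 43 and 44: the developer pays only for code that is fresh in their head. A coverage threshold on new code, as on slide 58, fits the same shape, comparing covered lines against the same `NewLines` set.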

Slide 48

Clean as You Code DEMO
- Overall Code vs. New Code
- Pull Request integration
- SonarLint

Slide 49

I learn as I code. I can focus on more important things during code reviews.

Slide 50

Why does it work? On average, 50% of code* gets changed within 3.33 years.
*of large open-source projects on GitHub, https://github.com/erikbern/git-of-theseus

Slide 51

Here’s SonarQube (chart: years 2010 to 2023, lines of code 0 to 1 million)

Slide 52

Here’s SonarQube: added or modified in 2014

Slide 53

Here’s SonarQube: big delete (bye-bye Ruby code)

Slide 54

Here’s SonarQube: at the beginning of 2018 there were 1 million LOC

Slide 55

Here’s SonarQube: out of only 1 million LOC in 2018, less than 500K remain today

Slide 56

Clean as You Code: your existing codebase gets progressively clean (repeat of slide 45: today; after 1 year: 20% clean code; after 2 years: 35%; after 5 years: 50%)

Slide 57

My experience at Sonar
- We don’t merge PRs with a red QG
- Red QG = broken build (Slack notification)

Slide 58

My experience at Sonar: Quality Profile, Quality Gate
- New Code: 95% ccov and no major issues
- Overall code: no major bugs/vulnerabilities

Slide 59

My experience at Sonar: in three years, for sonar-dotnet, we increased branch (conditional) coverage from 82% to 93% by using a Quality Gate at 95%.

Slide 60

450+ C# rules; 30+ languages, frameworks, infra technologies (T-SQL, COBOL and more…); there is more at rules.sonarsource.com

Slide 61

Key takeaways: remember this!
Clean as You Code = improve the code you touch:
○ Set your common standard of clean code
○ Ensure every commit achieves that standard
○ Use static analysis to help consistently achieve it

Slide 62

Feedback form & slides: AndreiEpure.ro

Slide 63

Extra slides

Slide 64

My experience at Sonar: new issues always appear on the “overall code” (new rules, improved techniques).

Slide 65

My experience at Sonar: human code review cannot be replaced.

Slide 66

Part of Development

Slide 67

Clean as You Code: happy that Roslyn analyzers exist, because GenAI will produce a lot of code.

Slide 68

Erik Bernhardsson - “The half-life of code & the ship of Theseus” (2016)

Slide 69

Here’s SonarQube: in 5 years, more than 50% of the code has been changed.

Slide 70

Software is the fruit of code (software / code)