Code Quality
By Simon Bisson
Simon Bisson looks at the latest generation of tools that can help you deliver quality applications – fully tested and secure.
HardCopy Issue: 46 | Found In: Development | Published: 01/11/2009 | Last Revision: 06/07/2010
Getting your code right isn’t just a matter of making sure there are no bugs. It also means ensuring that tests have been passed, that code standards are being adhered to, and of making sure that it can be documented. Modern business applications are complex constructions, where code from many different authors is brought together to create a hopefully seamless whole. If one programmer doesn’t keep to standards then whole edifice could come crashing down in an expensive (and possibly career limiting) heap.
Developing large-scale applications is engineering, not art, and it’s important to deliver software that meets all the required quality standards. That means implementing some form of software quality management procedure, whether manual or automated. The result will be code that has both internal and external quality, with internal code quality ensuring its maintainability, and external showing its acceptability to its users.
It’s hard to get a single definition for software quality, but there’s consensus around several key areas. If you’re producing quality code, it needs to be all of the following: understandable, complete, concise, portable, consistent, maintainable, testable, usable, reliable, efficient and secure.
When you look at that list of requirements, it’s clear that they all depend on the other, and that delivering on all or many of them can significantly reduce project risk. Well written code will be easy to maintain and easy to understand, simplifying handover from development teams to operations. It’ll be bug free and tested at all stages of the development process, from unit to acceptance, with as few security issues as possible.
If you need to port it from one OS to another, it’ll be easy to understand just where and what changes need to be made. Clear, concise and uncomplicated code is also easier to optimise, making applications easier to tune for performance. Static analysis tools can help ensure that code meets standards, and that dangerous buffer overruns and other possible security flaws are avoided.
Delivering quality code is a problem that gets harder as project teams grow. With small teams it’s possible to use peer review techniques to manage code quality, but as teams get larger it’s not possible for architects and QA team members to verify every module and every function on every branch of the source tree.
One approach is to ensure code quality by managing developers’ output to make sure that their code meets the standards set by a project’s architects. These may be project specific, or based on corporate or client standards, or on any of the emerging open coding standards. Tools can help manage the resulting review process, but they are only a part of the solution. It’s important to also make sure that everything that’s been written has been tested.
That’s where code coverage tools can help. These tools can be used to ensure that tests are run, and that untested code can’t be delivered to the source tree. Code coverage tools show you what tests have been run, and what parts of the code have been tested. If there’s code that’s not been tested then it will be highlighted, helping you develop new unit tests to make sure that all your application code has been properly exercised.
There are two main approaches to using code coverage tools. First, you can invest in standalone applications that become part of your development workflow. Alternatively you can use IDE plug-ins to add code coverage features to existing development environments such as Eclipse or Visual Studio.
Microsoft Visual Studio
Microsoft’s Visual Studio can be used to host a wide selection of third party code coverage and code management tools. However standalone Visual Studio is only part of Microsoft’s software quality story, and larger teams will get a lot more out of Visual Studio Team System (VSTS) with its built-in code coverage and test management tools.
Visual Studio Team System includes tools for unit testing and measuring code coverage.
VSTS has been designed with agile development methodologies in mind, and it supports test-first development procedures where developers and testers work together to build unit tests before they start to write code. As new code is added to an application, it’s tested, and the built-in code coverage tools flag up untested code. You can use the default unit testing tools, or work with any of the many third-party solutions. One of the more popular is the open source NUnit which works well with any .NET managed code applications, providing an effective framework in which to test C# and Visual Basic code.
Code also needs to be audited, to improve security and performance. VSTS includes static analysis tools based on Microsoft’s FxCop tool (which can also be downloaded for use with other Editions of Visual Studio). The rules that are bundled with the tool are based on Microsoft’s own internal coding standards, and can be used to reduce the risk of security and application flaws. Rules are written in XML, and you can create your own to ensure compliance with both corporate standards and business-appropriate regulations - preventing leakage of financial data, for example.
Creating tests in VSTS is straightforward. Choose the methods you want to test, and Visual Studio will generate stub code for the appropriate test. You’ll need to edit this to build your tests, using either C# or Visual Basic. Tests are stored in a separate project from your application code, and can be accessed from the Solution Explorer. Once completed you run your tests, using Visual Studio’s reporting tools to explore the results. This shows you what has been tested and how, and what lines of code have been missed. In practice you’ll need to use several unit tests to fully test each method, especially if you’re working on complex pieces of business logic. You don’t need a separate test module for each unit test as several test methods can be bundled together and run as a single test.
The upcoming Visual Studio Team System 2010 adds support for 64-bit code coverage, as well as a new set of UI tests which include screen captures of the test process. There are also tools for understanding the impact of changes you’ve made to the code, and which tests need to be run to ensure the new code is fully tested. Simplifying the number of tests keeps test time to a minimum, reducing the impact of tests on the build process for a large project while still ensuring that all your code is tested thoroughly.
VSTS 2010 will also add the ability to pick and choose the code analysis rules you’re using, using rule groups. These simplify the process of choosing which of the bundled rules you want to use, letting you select security rules separately from coding best practices.
NCover
If you decide not to invest in the full VSTS platform then you can use Visual Studio plug-ins to add code coverage features to Microsoft’s standalone development platform. One option is NCover which works in conjunction with test solutions such as NUnit and MStest to manage and report on .NET code coverage.
You can use the NCover Explorer to manage test projects, linking it to your test tool and to your files and assemblies. Once a project has been run from inside NCover you are presented with a view of the code coverage metrics that are supported. These include symbol coverage and code complexity, as well as tools to show the sections of code that aren’t being tested.
While it’s a good idea to aim for 100 per cent code coverage in your tests, it’s often an impractical target. NCover lets you choose the coverage level you want to set as a pass, whether it’s 60, 80, or 90 per cent coverage. Once you’ve run your tests you can drill down in to the source code to see which lines have been tested. Lines that haven’t been tested are colour coded so you can quickly see what’s been missed and what new tests you need to develop. NCover Complete also includes profiling tools to help optimise your code, as well as tools for filtering report content and examining historical trends.
Embarcadero J Optimizer
Embarcadero’s Java tools get code quality management features in the shape of J Optimizer. Designed to improve the quality and performance of Java applications, J Optimizer mixes application profiling with tools to help improve delivered code, and there’s support for most common Java servers including Oracle Application Server, IBM WebSphere and Sun GlassFish.
Embarcadero’s Code Coverage tool helps to identify lines of code that are not being exercised.
One of its more useful features is real-time code coverage which allows you to see just how often each line of code is executed. The same tools also show when methods and classes are called, and there’s support for everything from EJBs to JSPs – as long as it’s written in Java it can be analysed! While J Optimizer uses this as a tool for showing whether code is ‘dead’, and if it can safely be removed from an application, the same feature can be used to support unit testing tools like JUnit, showing what needs to be tested and which lines of code have been missed during a test run.
J Optimizer also includes tools for handling code audits, and can provide static analysis of your code. The resulting report highlights possible race conditions, buffer overruns and other errors that can seriously affect your code and may open up applications to security breaches and exploits. A progress tracker tool mixes the results from the code coverage tools, the profiler and the request analyser to report on application development progress. The resulting graphical reports can be shared with managers and architects.
Embarcadero offers developers similar tools for working with databases. Its DB Optimizer will analyse SQL code and test the loading and response time of the database server so that it can suggest alternative approaches that may improve query performance.
Parasoft
Parasoft specialises in software quality management tools for static analysis, code review and unit testing, with versions for Java, C, C++ and the .NET languages. At a higher level it also offers tools for testing business systems, so supporting developers and QA teams working with service oriented architectures and N-tier web applications.
Jtest, Parasoft’s Java testing tool for Eclipse-based development environments, will analyse code for security flaws as well as supporting checks for regulatory compliance with PCI DSS (Payment Card Industry Data Security Standard). The same feature will also identify and refactor unused code, making your applications easier to manage and test. You can use Jtest to automatically create and run unit tests – even if you’re using it with existing applications that may have been around some time which have what might charitably be described as ‘organic’ codebases.
Parasoft Jtest supports both static analysis and test coverage.
C++test, which is available for both Eclipse and Visual Studio, has similar features, and its dynamic flow analysis explores the feasible execution paths, highlighting possible buffer overruns as well as memory and resource leaks. You can also define your own rules, locking down coding standards and ensuring that your code is as clean as possible. C++test contains over 1,400 rules which are organised into groups targeting industry standards such as Misra and Joint Strike Fighter (JSF) or by severity of error.
Parasoft carries its approach over into managed code, with its .NET testing tools which it calls .TEST. These allow you to automate the management of code reviews. When code is checked in to a repository, changes are highlighted and sent to reviewers who can then approve or deny the code submission. The result should be a cleaner codebase, with code that doesn’t meet standards kept out of source repositories and out of the build process.
With more and more businesses processes relying on software, code quality management is already a crucial component of any large-scale development process. It’s clear that software quality is critically important, and will only become more important, as applications and services themselves become more complex. The costs associated with a failure can be significant, and managing software quality should be one of the foundations of your risk management strategy.
Investments in code quality management won’t be wasted – and will save your business money in the medium and long term, with fewer outages and less maintenance. Automated and assisted software development governance will help even the largest teams deliver a quality product, and that’s an investment well worth making!