
What tools are there available for static analysis against C# code? I know about FxCop and StyleCop. Are there others? I've run across NStatic before but it's been in development for what seems like forever - it's looking pretty slick from what little I've seen of it, so it would be nice if it would ever see the light of day.

Along these same lines (this is primarily my interest for static analysis), tools for testing code for multithreading issues (deadlocks, race conditions, etc.) also seem a bit scarce. Typemock Racer just popped up so I'll be looking at that. Anything beyond this?

Real-life opinions about tools you've used are appreciated.

Kris Erickson
Paul Mrozowski
  • @IraBaxter I've begun a [discussion about this question on Meta](http://meta.stackexchange.com/questions/229248/should-an-old-popular-c-static-analysis-tools-question-be-deleted-for-locked), and I invite you to voice your arguments for why this question should not be deleted, if you want to. – Apr 12 '14 at 07:59

9 Answers


Code violation detection Tools:

  • FxCop, excellent tool by Microsoft. Check compliance with .NET framework guidelines.

    Edit October 2010: No longer available as a standalone download. It is now included in the Windows SDK and after installation can be found in Program Files\Microsoft SDKs\Windows\ [v7.1] \Bin\FXCop\FxCopSetup.exe

    Edit February 2018: This functionality has now been integrated into Visual Studio 2012 and later as Code Analysis

  • Clocksharp, based on code source analysis (to C# 2.0)

  • Mono.Gendarme, similar to FxCop but with an open source licence (based on Mono.Cecil)

  • Smokey, similar to FxCop and Gendarme, based on Mono.Cecil. No longer in development; the main developer now works with the Gendarme team.

  • Coverity Prevent™ for C#, commercial product

  • PRQA QA·C#, commercial product

  • PVS-Studio, commercial product

  • CAT.NET, Visual Studio add-in that helps identify security flaws. Edit November 2019: Link is dead.

  • CodeIt.Right

  • Spec#

  • Pex

  • SonarQube, FOSS & Commercial options to support writing cleaner and safer code.

Quality Metric Tools:

  • NDepend, great visual tool. Useful for code metrics, rules, diff, coupling and dependency studies.
  • Nitriq, free, can easily write your own metrics/constraints, nice visualizations. Edit February 2018: download links now dead. Edit June 17, 2019: Links not dead.
  • RSM Squared, based on code source analysis
  • C# Metrics, using a full parse of C#
  • SourceMonitor, an old tool that occasionally gets updates
  • Code Metrics, a Reflector add-in
  • Vil, old tool that doesn't support .NET 2.0. Edit January 2018: Link now dead

Checking Style Tools:

  • StyleCop, Microsoft tool (run from inside Visual Studio or integrated into an MSBuild project). Also available as an extension for Visual Studio 2015 and C# 6.0
  • Agent Smith, code style validation plugin for ReSharper

Duplication Detection:

  • Simian, based on source code. Works with plenty of languages.
  • CloneDR, detects parameterized clones only on language boundaries (also handles many languages other than C#)
  • Clone Detective a Visual Studio plugin (which uses ConQAT internally)
  • Atomiq, based on source code, plenty of languages, cool "wheel" visualization

General Refactoring Tools:

  • ReSharper - Majorly cool C# code analysis and refactoring features
SharpC
Julien Hoarau
    See the MSDN page about FxCop: http://msdn.microsoft.com/en-us/library/bb429476%28VS.80%29.aspx "FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements." – Sarah Vessels Jul 01 '09 at 18:24
  • The FxCop link has been removed from the Microsoft site. Here is the FxCop 10.0 "download": http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=917023f6-d5b7-41bb-bbc0-411a7d66cf3c – ulrichb Jun 23 '10 at 10:37
  • Is this Simian: http://www.harukizaemon.com/simian/index.html ? (you got broken link). Also it seems to be only .NET 1.1. – Theraot May 15 '12 at 13:24
  • @Theraot Thanks, I changed the url. Concerning the .NET version, Simian can run on .NET 1.1 on Java 5 but that doesn't mean it detects duplication in other versions of .NET – Julien Hoarau May 15 '12 at 15:03
  • Nitriq doesn't seem to be available anymore. The download link (now redirects to NimblePros, part of Telerik) says "We're sorry, we no longer offer Nitriq" – Narayana Jul 18 '12 at 16:49
  • Link to Agent Smith is broken : http://code.google.com/p/agentsmithplugin/ – Stéphane Bonniez Nov 28 '13 at 13:04
  • Link to 'Coverity Prevent™ for C#' is broken. It is renamed to 'Coverity Code Advisor' I guess: http://www.coverity.com/products/code-advisor/ – M. Mimpen Feb 24 '14 at 12:42
  • Atomiq does not work with the x64 versions of Windows 8. – GaTechThomas May 05 '16 at 16:18
  • What about SonarQube for code quality checks? https://www.sonarqube.org/ – Vaibhav Gawali Mar 28 '19 at 01:21
  • When you're using the OmniSharp extension for C# development in Visual Studio Code, you can (without installing additional tools) enable the built-in Roslyn compiler static code analyzer. It's as simple as adding `"omnisharp.enableRoslynAnalyzers": true` to your user or project settings json file, restarting OmniSharp and choosing "Analyze all projects" from your command palette. Problems then get updated as you type and it also can auto-fix problems. I found it to work very well, although code analysis is limited (e.g. some problems show in SonarQube, some via Roslyn, and vice-versa). – Bim Oct 05 '20 at 10:20

The tool NDepend is quoted as Quality Metric Tools but it is pretty much also a Code violation detection tool. Disclaimer: I am one of the developers of the tool.

With NDepend, one can write Code Rules over LINQ Queries (what we call CQLinq). More than 200 CQLinq code rules are proposed by default. The strength of CQLinq is that it is straightforward to write a code rule and get results immediately. Facilities are proposed to browse matched code elements. For example:

NDepend static analyzer code rule

Besides that, NDepend comes with many other static-analysis-like features. These include:

Community
Patrick from NDepend team
  • I had the opportunity to trial NDepend over the last few weeks -- big fan, going to get a dev license when I can. :) Thanks for your work! – Michael Armes Jun 28 '18 at 13:54

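A worked CQLinq rule of the kind the answer above describes, added here as an example (it is neither one of NDepend's default rules nor code from the answer). It assumes the documented CQLinq members `Application.Methods`, `IsUsing(string)`, `MethodsCalled`, `ParentType`, `SimpleName` and `NbLinesOfCode`, and flags methods that use `SqlCommand` while also assembling strings with `String.Concat`/`String.Format`: a review heuristic for string-built SQL, not proof of an injection.

```csharp
// <Name>Review: methods that both build strings and use SqlCommand</Name>
// Added example of a CQLinq rule (assumption: the CQLinq members used
// below behave as documented by NDepend). Heuristic only: it lists methods
// worth a manual review for string-assembled SQL; it does not prove a flaw.
warnif count > 0
from m in Application.Methods
where m.IsUsing("System.Data.SqlClient.SqlCommand")
   && m.MethodsCalled.Any(c =>
        c.ParentType.FullName == "System.String"
        && (c.SimpleName == "Concat" || c.SimpleName == "Format"))
// Largest methods first: they are usually the hardest to review by hand.
orderby m.NbLinesOfCode descending
select new { m, m.NbLinesOfCode }
```

Paste it into a new rule in NDepend's query editor; matches appear in the result pane and the rule fails the build when the count is above zero.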
  • Gendarme is an open source rules based static analyzer (similar to FXCop, but finds a lot of different problems).
  • Clone Detective is a nice plug-in for Visual Studio that finds duplicate code.
  • Also speaking of Mono, I find the act of compiling with the Mono compiler (if your code is platform independent enough to do that, a goal you might want to strive for anyway) finds tons of unreferenced variables and other Warnings that Visual Studio completely misses (even with the warning level set to 4).
Kris Erickson

Have you seen CAT.NET?

From the blurb -

CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.

I used an early beta and it did seem to turn up a few things worth looking at.

LPL
markdevilliers

I find the Code Metrics and Dependency Structure Matrix add-ins for Reflector very useful.

Tom Carter
Hamish Smith

Klocwork has a static analysis tool for C#: http://www.klocwork.com

Alen

Aside from the excellent list by madgnome, I would add a duplicate code detector that is based off the command line (but is free):

http://sourceforge.net/projects/duplo/

torial

Axivion Bauhaus Suite is a static analysis tool that works with C# (as well as C, C++ and Java).

It provides the following capabilities:

  • Software Architecture Visualization (including dependencies)
  • Enforcement of architectural rules e.g. layering, subsystems, calling rules
  • Clone Detection - highlighting copy-and-pasted (and modified) code
  • Dead Code Detection
  • Cycle Detection
  • Software Metrics
  • Code Style Checks

These features can be run on a one-off basis or as part of a Continuous Integration process. Issues can be highlighted on a per project basis or per developer basis when the system is integrated with a source code control system.

Morten Jensen

Optimyth Software has just launched a static analysis service in the cloud, www.checkinginthecloud.com. Just securely upload your code, run the analysis and get the results. No hassles.

It supports several languages including C#; more info can be found at wwww.optimyth.com