When you’re coding by yourself, for yourself, your code style doesn’t matter that much. Developers the world over have GitHub profiles full of horrible, ugly code they wrote to tinker with some new library or language. Their goal wasn’t to write pretty code, it was to learn something new. That changes when you’re working in a software team, though. Now you need to make sure not only that your code is functional, but that it adheres to team standards.
There are many ways to make sure that code written for a professional team meets requirements around styling and complexity. Every team should be doing peer code review before code is promoted to production. This review ensures not only that your code does what it’s supposed to, but also that other people can understand it, and that it meets the team’s style requirements.
Like manual code review, automated code review is a critical part of writing high-quality code.
Why Use Static Code Analysis Tools?
Static code analysis is a key part of nurturing a high-quality software team. It reduces the cognitive burden on manual code reviews, because reviewers don’t need to check for things like spacing or function naming issues. In more extreme teams, automated code review is built right into the automated code deployment process. If your code has style issues, it won’t pass the validation check necessary for deployment. Many static code analysis tools also detect software vulnerabilities. They can tell you when your code exposes insecure behavior to users.
While there are some code analysis tools which target multiple languages, my experience is that tools which focus on one or two languages tend to have the best results. In this post, we’ll take a look at the best static analysis tools for five popular programming languages.
C# and VB.NET: CodeIt.Right
Technically, this is two languages. However, C# and VB.NET share a wide variety of tooling and an IDE: Visual Studio. For my money, there’s no better code analysis tool that plugs into Visual Studio than CodeIt.Right. CodeIt.Right has some serious advantages over other tools on this list. Because it integrates directly into Visual Studio, it’s able to analyze code while you write it.
CodeIt.Right has an extensible RuleSet SDK which allows your team to develop new rules that are specific to your team. This puts it head and shoulders above other tools in a similar space. If your team works in an uncommon software vertical, being able to generate your own rules and integrate them directly into the IDE is a game-changer. The software also supports multiple scanning profiles, meaning that you can apply different rules to different parts of your code base. I know that I’ve worked in code bases where legacy code was held to a different set of standards from new code. It was a constant headache to figure out which warnings applied to which part of the code base. With CodeIt.Right, that’s not a problem.
Python: Pep8 + PyLint
These two tools are meant to work together, and they do so very well. Pep8 and PyLint are a common combination for static analysis in the Python community. Pep8 especially provides an enormous library of rules. These rules apply to scopes as narrow as a single variable name all the way up to an entire file’s structure. Setting up Pep8 and PyLint can be a bit of a headache, and many IDEs don’t contain integrations for Pep8. Instead of checking your code while you write it, the expectation is that you’ll run a command line tool to check the code before committing it. This can make the tool a bit clunky, but Pep8 + PyLint cover just about every code issue that could ever crop up in your Python code.
An additional benefit of Pep8 is that it’s not just a set of rules. It’s a standard for the Python language. That means that if your team follows Pep8, any Python developer anywhere will be immediately familiar with your coding style. Plugging a new developer into your team doesn’t come with weeks of pain as they need to be constantly reminded of your team’s coding style. They’ve been writing code using your style rules for years.
In truth, it’d be pretty easy to fill an entire article like this just about Java static code analysis tools. The top of the heap in 2019 seems to be PMD. PMD isn’t quite as slick as other tools on this list like CodeIt.Right, but it holds its own. It’s a pretty versatile tool; it can be run on the command line or integrated into popular Java IDEs. Plugins are maintained for Eclipse, NetBeans and IntelliJ IDEA.
One of PMD’s most popular features is their CPD module—the Copy and Paste Detector. This module will analyze code across your entire code base, and find code that looks like it’s been copied and pasted. PMD then provides recommendations on how you can refactor this code so that similar logic is shared, instead of existing in two places. Modern Enterprise Java code is quite verbose, so this is the type of thing that a human reviewer might miss. These recommendations will save your team hours in any code refactoring process.
By its nature, Ruby is a flexible programming language. This is complicated by the Ruby community’s habit to create Domain Specific Languages (DSL) to handle common problems. DSLs simplify a lot of coding patterns, but really complicate static code analysis. Rubocop is a Ruby-specific static code analysis tool that is aware of almost all of the popular Ruby DSLs. It won’t be confused by code written to work with ActiveRecord’s integration in Ruby on Rails, unlike more general-purpose static code checkers. For a team working with some of these DSLs, Rubocop is one of very few options for static code analysis.
Rubocop also brings another great feature to the table: automated problem fixing. Rubocop is a command line tool, but if you run it with the right flag, Rubocop will automatically fix up common errors like indentation or naming issues. This feature is a real boon for developers who tend to be a bit sloppy with their code. They don’t ever have to worry about checking in code with the wrong tab spacing ever again.
Which Tool is Right for Your Team?
If you write one of the languages in this post, you can’t go wrong picking one of the tools in this list. They’re all fully-featured and well-supported within their communities. Even if you don’t, you should consider static code analysis for your team. Using a static analysis tool simplifies your team’s code review process, and speeds up adding new developers to the team. They’ll help find over-complicated or messy code within your application.
Like we noted at the start, it’s certainly possible to write code without using code analysis. But if you’re trying to be a better coder—even if you’re just writing code to learn something new—static code analysis will make you a better coder. It’ll help you to think critically about the code you write in ways that you might not otherwise. And in 2019, adding a high-quality static code review tool is easier than ever. The only thing you have to lose is bad code!