How to use NDepend for Code Analysis – My Experience

I got a chance to try and play around with NDepend, a popular Code Analysis tool for .NET. Here's how I integrated it, and my thoughts on it.

Introduction

Software Development doesn’t just mean writing a solution for a problem statement. As Software Developers we’re responsible for writing quality code that follows the standard coding conventions and best practices.

Oftentimes, we're in such a rush to deliver solutions that we forget how we are writing them – I myself have felt bad about how terrible my code was at the end of a delivery: how much better the naming conventions could be, how much better the parameters could be designed, and so on.

In such cases, apart from just building code and shipping it, organizations employ another step in the process, which validates our code for such quality or standards. This is what we generally call Code Analysis.

What is Static Code Analysis?

Static Code Analysis is a type of code analysis, where we examine the code base without actually executing it. Hence the name Static.

Here, we go through each and every line that is added or changed as part of the release (or the commits since the previous analysis) and check for coding standards and quality issues.

Now, on what basis are these checks made? Generally every organization has its own set of coding standards and expectations in place; we call them coding rules. The analyzers pick up these coding rules and validate our code changes to see how they fare against them.

Something’s not in line with the rules in place? We get a Code Analysis Scan Result that puts up a consolidated list of all such violations – and generally the build is marked as a failure.

Why should we have such a thing in place?

Because as I mentioned before, it’s not just about writing code, it’s about writing quality code that is free of vulnerabilities – which can cause problems later in the live environment.

Benefits of Static Code Analysis

  • Helps improve code quality
  • Enhances security by catching vulnerabilities early
  • Reduces debugging time
  • Enforces coding standards and best practices

There are several popular tools available in the .NET space which can help with Static Code Analysis – such as Roslyn Analyzers (which are built into Visual Studio), ReSharper, SonarQube, StyleCop and NDepend.

I’ve had some sort of experience working with StyleCop and SonarQube as part of my work commitments. I’ve recently got an opportunity to try and get my hands dirty with NDepend. In this article, I want to share my experience working with it, and a few interesting findings.

What is NDepend?

NDepend is a leading static analysis tool tailored for .NET developers, offering unparalleled insights into code quality and architectural integrity. With its advanced dependency analysis and comprehensive code metrics, NDepend enables teams to maintain and improve software reliability effortlessly. Integrated directly into Visual Studio and supporting CI/CD workflows, it facilitates continuous monitoring and enhancement of codebases. Trusted by developers worldwide, NDepend empowers teams to make informed decisions, optimize performance, and manage technical debt effectively.

Some Interesting Features of NDepend

Unlike other Code Analysis tools, NDepend has some interesting features up its sleeve, such as Quality Gates, Technical Debt, Baseline Analysis, LINQ querying and so on… which I think make it stand apart.

Let me give you a little detail about what these terms mean – based on the official documentation.

A quality gate is a code quality goal. A quality goal must be enforced before releasing and, eventually, before committing to source control. NDepend proposes many default Quality Gates related to measures like technical debt amount, code coverage or the number of issues with a particular severity.

Technical debt is the estimated man-time that it would take to fix the issue.

The concept of a baseline is that the current analysis result is compared against an older analysis result, which is called the baseline. All the change metrics and code differences are calculated based on this baseline.

What’s interesting is that a quality gate is a textual C# LINQ Query that can be easily created, edited and customized. So if you want to create or modify an existing goal, you can simply modify the LINQ query that runs for it and yep, you’re good to go!
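To make this concrete, here are two gates written in NDepend's CQLinq syntax, modeled on its default quality gates. This is an added example, not taken from the original article; the thresholds are illustrative assumptions, and each gate is entered as its own query in the NDepend query editor.

```csharp
// Gate 1: fail as soon as a single issue of Blocker severity exists.
// The XML-style comment header is what marks the query as a quality gate
// and gives it a name and a unit.
// <QualityGate Name="Blocker Issues" Unit="issues" />
failif count > 0 issues
from i in Issues
where i.Severity == Severity.Blocker
select new { i, i.Severity, i.Debt, i.AnnualInterest }


// Gate 2 (a separate query): a scalar gate on code coverage.
// It warns below 80% and fails below 70%; it only produces a value when
// coverage data has been imported into the NDepend project.
// <QualityGate Name="Percentage Coverage" Unit="%" />
failif value < 70%
warnif value < 80%
codeBase.PercentageCoverage
```

Tightening or relaxing a gate is a matter of editing the `failif` / `warnif` line or the `where` clause, which is what makes the gates easy to adapt to a team's own release criteria.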

Now that we have learnt enough about various conceptual features of NDepend, I want to walk you through my experience running through these features.

My experience using NDepend

I downloaded the latest version of NDepend (2024.1) from their website, which is a ZIP file. The ZIP file contains the contents as shown. I just need to run the VisualStudioExtension.Installer file, which will install the Extension on my installed Visual Studio, which is VS 2022 Community.

You also have the NDepend.Console file, which you will use when you need to integrate NDepend Code Analysis with CI/CD such as Jenkins – which I’ll also cover.

Once Installed, you can open the Visual Studio IDE, in my case it is Visual Studio 2022 Community Edition and open the Solution on which you want the Analysis to run. In my case, I’m using my ContainerNinja.CleanArchitecture solution, which I have built before.

On the bottom right, you can see a White Dot appearing. Click on it and you will see a few options. Click on “Attach NDepend Code Analysis to this Solution” – NDepend will add a new ndproj file to the Solution and will now be able to run Code Analysis on it.

NDepend then shows all the available assemblies that are there in the Solution – just to confirm if there is any project which you may want to exclude from the Analysis. I just let all of them be added, so I clicked on “Analyze 5 .NET Assemblies”.

Static Code Analysis and Viewing the Metrics

Once the Analysis is done, it shows various ways to view the scan result. I picked the Dashboard option.

If you select the Dependency Graph, you can view the entire solution with each individual project and how they are dependent on one another in a nice visualization.

Since I selected the Dashboard option, a new Tab opens up showing all sorts of metrics to me. The Dashboard is full of Cards, each representing a preset Metric and how the Solution fares on it.

One feature of NDepend is its customizable LINQ querying. Clicking on any Metric Count runs a LINQ query that shows up on the right pane. It also shows details on what the Issue is about and how to fix it.

Fixing my Code Errors and Running Analysis again

In my case it was a Rule Violation that my Custom Filter Attribute name didn’t end with Attribute. I tried to fix it by renaming the Class. Then it added another Violation, that I can’t rename an existing public class just like that; I need to first set it to Obsolete and then do it. After a lot of back and forth changes, I was able to fix it.

I added two classes – the new attribute class with a name that ends with Attribute, and the old class that has the Obsolete decorator. That’s the thing with Code Analysis – you try to solve an existing code issue, and the analyzer goes back and forth with new issues based on the changes, until all the code is good. This also helps in learning what the right practice is, and how to achieve it.

There’s also the Debt calculator within the Dashboard Cards – that shows how much time it will take to fix all the issues NDepend has put forth – mine shows about 2hr time needed – how convenient!

When I click on Run Analysis and Build Report, once the Analysis is complete NDepend generates an HTML Report that I can view in my browser – it actually opens it up once the analysis is complete. It has all the metrics, data and visualization available – it’s kind of overwhelming with the amount of insights provided.

Another great part is that you can also configure how this Analysis is performed – like when to trigger, how to trigger and so on. There are also options on how to configure with GitHub Actions, Default Editor for the Scan and so on.

There’s an option that says you can trigger this analysis after every successful build – I kind of couldn’t get it working but yep – it’s there.

Integrating with Jenkins for Code Analysis

Coming to the CI/CD integration, it seems that NDepend doesn’t yet have a plugin to integrate directly with Jenkins. Instead we have a nice guide on how to do it.

Basically the screenshot here shows you what to do – it’s a Windows batch command that needs to be added as a new step – NDepend.Console needs to be there on the host machine where Jenkins runs. Once you’ve added it – you can also add Reporting and Viewing experience within Jenkins builds.

This is how you’d integrate the HTML Report with Jenkins. NDepend generates an HTML report after every build scan, which has all these visualizations of the Analysis.

Conclusion

This article is my experience discovering NDepend and playing around with it. Although Code Analysis is a boring step for many developers (including me), it’s one of the most important required steps for delivering quality software. As they say – it’s better to sweat during training than to bleed in war.

There are several Static Code Analysis tools available in the market and each organization picks its own tool based on its expectations and choice. NDepend is one such Code Analysis tool which does things a bit differently – it’s smart, customizable, and puts out tons of metrics and analysis data. It also has integrations with CI/CD (WIP, should I say) which help in automating this entire step.

I’ve dropped the links to the official documentation and the product download page here – NDepend provides a free 14-day trial for the Pro version, so you can evaluate and decide for yourself.

Links

https://www.ndepend.com/docs/getting-started-with-ndepend

https://www.ndepend.com/download


Ram

I'm a full-stack developer and a software enthusiast who likes to play around with cloud and tech stack out of curiosity. You can connect with me on Medium, Twitter or LinkedIn.