Right now we are maintaining some old project written in VB6 we are planning to implement continuous integration server for it. We would like to implement some code analysis as well to track that maintanability at least not getting worse. Basically there is only one requirement - the tool should be command line so we can call it from continuous integration server and it should work with VB6 projects. I will really appreciate any recommendations regards tools to try.
Thank you, Maksym
You could look at SourceMonitor as this says that it can produce metrics for VB6, and can be made to work from the command line.
I've only used it for C++ myself.
Have you looked at the recommendations in this question about tools for analysing VB6 source code?
I don't know whether any of these tools can be run from the command-line.
The Code Advisor for Visual Basic 6 is an add-in used to review your code to ensure that it meets predetermined coding standards.
The coding standards are based on best practices developed by Microsoft to produce robust and easy-to-maintain code.
http://www.microsoft.com/en-us/download/details.aspx?id=1222
You can use VBDepend for VB6 and VBA code, static analysis tool based on CQL, here is some of its functionality:
Compare Builds, 60 code metrics, manage Complexity and Dependencies
However VBDepend does not have a rule to check for duplicate/repeated code in the project. This was the most important rule that I was looking for.
Our SD Source Code Search Engine is a tool for lightning-fast search across large code bases.
It words by breaking the text into language atoms, indexing all those atoms, and then executing queries using the indexes to guide the search. The SCSE has a VB6-specific front end (as well as front ends for a wide variety of other languages).
As a side effect of the indexing process, it produces metrics: SLOC, number of comments, Cyclomatic Complexity, Halstead measures, deepest-nested conditionals, etc. These metrics are emitted to an XML file that can be formatted/interrogated any way you like.
The indexing process is a command-line step, so you can integrate it into your scripts.
We also have a clone detector for VB6 that finds exact and near-miss duplicate blocks of code across large systems of source code.
Related
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
Improve this question
Is there a fundamental difference between these tools? After all, klocwork is relatively expensive and the other ones are free? Both do static code analysis after some rules.
Are there differences in the quality of rules? Does it only depend on the rules? What is your experience?
You get what you pay for, both in the depth of the checkers, and in defect tracking and false-positive suppression. cppcheck and the Clang static analyzer are worth running, and find a reasonable number of shallow but serious bugs, even in a good codebase. (We run the Clang analyzer first, with the settings file turned to the max with help from https://github.com/jonreid/XcodeWarnings. cppcheck occasionally finds some bugs missed by it, but similar in character.)
Klocwork, and its rival Coverity, both find much deeper bugs in C/C++, sometimes breathtaking in their depth of analysis. Coverity, though, has been taken over, and made little progress in its C/C++ checkers in the last decade; but they are still worth running. (Their JVM checkers are not.) I haven’t used Klocwork recently, but they also are no longer independent. (See my Dr Dobbs article for more detail, http://www.drdobbs.com/testing/deploying-static-analysis/240003801)
(pablo285, both Klocwork and Coverity have well-documented APIs to let you write your own checkers.)
LLVM has a tool for static analysis called Clang static analyzer.
Clang static analyzer and cppcheck are open-source (allowing you to write your own checks/modify existing ones) vs klockwork being proprietary (has an API to write your own checks).
As for the quality of the checks - you'll have to try for yourself, I'm trying to base this answer on facts, not opinions. Nothing prevents you from using more than one static analysis tool though.
Clang-tidy is a little different, it calls itself a "linter" tool and while it can be used for static analysis it also provides automated fixes for some of the defects it can find. Internally clang-tidy uses an abstract syntax tree to represent your code. In order to build this AST the code has to be compile-able by clang which can be a (possibly major) drawback in some codebases.
For list of clang-tidy checks that provide automated fixes see this answer.
I believe clang-tidy or cppcheck engine does line by line analysis. Klocwork engine in other hand, does inter procedural analysis. Klocwork can detect file dependent issues as well what most of other tool cant detect. Klocwork is very powerful in finding critical detects like memory leaks, Buffer Overflow, NULL exceptions, Dead Lock, concurrency issues, etc..,
we have evaluated multiple Static code analysers and ended with Klocwork.
I will tell you why we have chosen Klocwork than any other SCA tools,
Number of Checkers to detect possible vulnerabilities. Klocwork has
more than 1000+ checkers to detect coding defects/issues.
Klocwork can work at developer desktop. So it makes the code bug
free at the time of development. (It has post check-in capability as
well)
klocwork has direct plugin available for Visual Studio, Eclipse,
Intellij IDEA, Wind River, CCS and Eclipse based IDEs. Klocwork has
its own IDE as well. (If you are using any other IDEs than what
Klocwork plugin supports, you can use Klocwork IDE. Klocwork IDE can
work with any Editor or IDE you have)
Klocwork supports checking almost all industry standards like Misra,
Autosar, CERT, CWE, DISA-STIG, OWASP, etc..,
You can write your own checkers in Klocwork to maintain/check your
internal coding guidelines.
Effectiveness in finding the Vulnerabilities issues .
Reporting and Metrics (100+ reporting formats and 400+ metrics)
Filtering the issues – remove 3rd party code in report, create
module report, team report, etc..,
Fast – Though they create AST based on your native build settings
still Klocwork engine is fast and effective.
Automation – Automation – Automation. Klocwork build can be
automated as it has rich command line tools. Plus, Klocwork has
direct plugin available for Jenkins and Teamcity.
Simple Deployment – Client server architecture
Documentation – Documentation and Demo videos of Klocwork is
available online (Open). You just open google and say, “Klocwork C
and C++ checker list” you will get the list of Klocwork checkers
with proper explanation.
Support – Klocwork support team is very user friendly.
Licensing – Simple licensing. No hidden charges.
I would say, take up a free evaluation of Klocwork and test it on your project. I am sure you will love it.
yes, there is a fundamental difference between the clang-tidy or cppcheck compare to klocwork.
Klocwork wrapper will watch your build and creates build specification file based on your compiler name build settings including customized system calls. using this build spec file Klocwork does interprocedural analysis and creates abstract syntax three in back end. then it will try to cover 100% code and 100% path. So Klocwork analysis will be more accurate and it can detect the real defects in the code.
Klocwork can detect data flow issues as well.
Does anyone know of any tools out there that will let me run and debug a VXML application visually? There are a ton of VXML development tools, but they all require you to build your application within them.
I have an existing application that uses JSPs to generate VXML, and I'm looking for a way to navigate through and debug the rendered VXML in much the same way that Firebug allows one to do this with HTML. I have some proxy-like tools that let me inspect the rendered code as it is sent to the VXML browser, but there's a ton of JS, which makes traversing the code by hand rather difficult.
Has anyone worked with a product that allows for this?
Thanks!
IVR Avenger
There is JigSaw Test suite - has free trial license and reasonably priced.
There is IBM's debugger - part of WebSphere Voice Toolkit.
Many other products have debuggers - a very good summary is here
Disclaimer: I am the development manager for Voiyager (www.voiyager.com), a VoiceXML testing tool. It doesn't meet your criteria nor do I believe it is the type of tool you want, but I thought it was worth mentioning it.
As far as I know, there isn't such a test tool for VoiceXML. In fact there are very few VoiceXML tools on the market and hardly any of them test or analysis. The vendors that created development tools, have all been acquired by other companies. Some of them offered did offer various forms of debugging that were specific to their tool set or stayed at the Dialog (caller input) level. From your question, I'm assuming you need much lower level debugging capabilities.
I think the alternative paths are minimal and somewhat difficult. I believe your primary goal is to debug or rewrite an existing application, but you haven't provided any specific challenges beyond the JavaScript. Some thoughts or approaches that may help:
Isolate the JavaScript and place the code into a unit test harness. That will go a long way to understanding the logic of the application. Any encapsulation of the JavaScript you perform will probably go a long way towards better code maintainability.
Attempt to run the VoiceXML through a translation layer to HTML so you could use FireBug. The largest challenge would involve caller input (ie processing the SRGS grammars). You could probably cheat this by just having the form accept a JSON string the populates the field values. There are tools on the market to test grammars. Depending on the nature of your problems, you could take a simple and light approach and attempt this over just the trouble areas.
Plumb the application with a lot of logging. This can be done through the VoiceXML LOG element, or push the variable space back to the server. By adding intermediate forms, you may be able to provide a dump from each via the VoiceXML Data element.
See if your application will run in one of the open source VoiceXML browsers (not sure of the state of the open source browsers as we've built and bought for our various product lines). If you can get it mostly working, you can use the development debugger to provide some ability to step through the logic. However, it is probably one of the more difficult paths as you'll really need to understand the browser to know when and where to stick your breakpoints and to figure out how to expose the data you want.
Good luck on the challenge. If you find another approach, I would be interested in seeing it posted.
An alternative debug env is to use something like Asterisk with a voicexml browser plugin like the one from http://www.voiceglue.org/ or for a limited licence, i6net.
You can keep all the pieces separate(dynamic html and vxml application in php/jsp/j2ee/, tts processing, and optional asr processing as separate virtual machines with something like virtualbox. If the logic can be kept the same, then it is just a matter of changing the UI based on the channel.
A softphone is all you need to call a minimal asterisk machine, which has the voicexml browser with the url of the vxml in the call plan.
I just used Zend Framework as php is used in this environment, and changed view suffixes(phtml vs vxml) based on the user-agent string.
Flite for tts is fine for debugging, and when your app is ready you can either record phrases, and there was a page on the ubuntu forums with directions for how to increase flite quality with some additional sound files.
Do you have tried Eclipse VTP or InVision Studio?
Eclipse VTP
This is Eclipse plugin. But I feel that it is user-unfriendly a little (of Japanese viewpoint).
InVision Studio *Required create user account*
This is Convergys's IVR tool. It has to edit standard VXML mode. (Unfortunately, It's not exact matching.)
For just debugging vxml, I use Nuance Cafe's VoiceXML checker. It doesn't give you a visual tree or anything, but it's pretty good at spotting syntax errors and is free. I think they might also have more advanced debugging tools if you look into it, but I haven't had the need. (Note: I have no association with them)
http://cafe.bevocal.com/tools/vxmlchecker/vxmlchecker.jsp
I'm looking for the same problem that most of the links are down. I found a document where they propose an open source solution, which works as a plugin for Asterisk (https://www.researchgate.net/publication/228873959_Open_Source_VoiceXML_Interpreter_over_Asterisk_for_Use_in_IVR_Applications) and is available at https://sourceforge.net/projects/voxy/
I would like to know if there are current options to create a VXML structure graphically, like the next image.
Do you use source code analyzers? If so, which ones and for which language development?
Do you find them helpful in solving potential bugs in your code? Or are most of their warnings trivial?
After prolonged use, do you find your code quality to be higher than before?
I use a few static analysis tools in Java. FindBugs is the first line of defense, catching a lot of common errors and giving pretty useful feedback. It often spots the silly mistakes of tired programmers and doesn't place a high burden on the user.
PMD is good for a lot of other more niggly bugs, but requires a lot more configuration. You'll find that PMDs defaults are often over the top. There are too many rules that are probably beneficial on a tiny scale but ultimately don't help other programmers maintain your code. Some of the PMD rules often smack of premature optimisation.
Probably more useful is the CPD support in PMD. It attempts to find code that has been duplicated elsewhere, in order to make refactoring much easier. Run over an entire project, this really helps determine where the biggest priorities are for cleaning up code and stopping any DRY violations.
Checkstyle is also handy, making sure your coders conform to some coding style standard. it has a bit of overlap with PMD but is generally much more usable.
Finally, Cobertura is a great test coverage suite. Very handy for finding out where the unit tests are lacking, and where you should be prioritising the creation of new tests.
Oh, and I've also been testing out Jester. It seems to be pretty good for finding holes in tests, even where the code has some coverage. Not recommended yet, simply because I've not used it enough, but one to test out.
I run these tools both from within Eclipse and as part of an automated build suite.
For C, I use MEMWATCH. It's really easy to use and free.
I've used it to find many memory bugs in the past.
I used resharper and MS TS (basically FXCop) and both of them quite usefull especially in the following areas :
Identifying dead code
Wide Scope
Performance improvements (related with globalization etc.)
Recommendations are not always great but generally improved the quality of the code.
I'm a long term user of PC-Lint for C and C++ and find it very helpful. These tools are most useful when taking over a code base you are unfamilier with. Over time you hit a law of diminishing returns, where the number of new bugs you find tends to trail off.
I always still to a full project lint on a big release.
Edit: There is a nice list of relevent tools on Wikipedia here
I'm pretty happy with ReSharper. Not only does it give useful bits of information while coding (e.g. needless casts, apply readonly and so forth) but its refactoring features are excellent for rearranging the code very quickly.
It doesn't cover everything, so FxCop (or similar) is a decent addition to the toolbox. However, as Resharper gives immediate feedback, the turnaround time is really good. (I'm aware that FxCop can be run from VS, but its just not the same imo).
I find analyzers somewhat useful, i use the buildin to visual studio (ex. /analyze for c/c++ and the custom rules for .net), occasionally i use stylecop and codeitright for c# mostly for guidelines how things should be.
I don't think there is a perfect tool for everything, that finds every bug, but i think the tools help to find some bugs, not untraceable, but believe me you would spend a ton of time finding them.
Yes your code quality is SOMEWHAT better than before, but i also believe manual debugging is still needed alot. Source analyzers are not the ultimate cure they are a good medicine though. If there was a tool that you just execute it and find any kind of bugs and fixes it for you would cost millions.
Some programmers that i know swear that IBM Rational PurifyPlus is superb, but that is their opinion i just had 2-3 sessions with the tool.
But always remember one of the basic principles of programming logical errors are the hardest for find and fix, so long debugging hours are inevitable. A good code analyzer combined with unit testing may work miracles thought.
PS. i tend to produce far less errors in C# than in C++, someone may say i am wrong but although i use c++ more years than c# i find the "code it and i will take care of it" gc approach of C# far easier than c++ especially for projects you rush thing to finish at the time limit/deadline, which EVERY project is like this days...
I use StyleCop for C#. It's a great tool to keep consistent code style that leads to better code quality. Also ReSharper does some code analysis but it's pretty basic.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
What successful conversion/rewrite have you done of software you were involved with? What where the languages and framework involved in the process? How large was the software in question? Finally what is the top one or two thing you learned from being involved with the process.
This is related to this question
I'm going for "most abstruse" here:
Ported an 8080 simulator written in
FORTRAN 77 from a DECSystem-10 running TOPS-10 to an
IBM 4381 mainframe running VM/CMS.
I rewrote 20,000 lines of Perl to use "use strict" in every file. I had to add "my" everywhere it was needed and I had to fix the bugs that were uncovered during the process.
The biggest thing I learned from doing this is, "It always takes longer than you think."
I had to get it done all at once overnight so that the other coders would not be writing new, unfixed code at the same time. I thought it would go quickly, but it didn't, and I was still hacking on it at 6 AM the next morning.
I did get it complete and checked in before everyone else started work though!
I rewrote a large java web application to an ASP.Net application for a realty company for various reasons.
The biggest thing I learned is that, no matter how trivial the feature the original system had, if it's not in the second system, the client thinks the rewrite is a failure. Expectation management is everything when writing the new system.
This is the biggest reason rewrites are so hard: it seems so easy to the client ("Just re-do what I already have and add a few things.").
The coolest one for me, I think, was the port of MAME to the iPod. It was a great learning experience with embedded hardware, and I got to work with a lot of great people. Official site.
I am doing a rewrite of an Inhouse Project managment system to a more standard MVC model. Its in the LAMP stack (PHP) and i am close to the 1st milestone.
The things i have learned from that currently is how simple the program feels at the beginning and i tried to not add complexity until i have to.
Example is that i programmed all the functionality first (like i was an admin user) and then when that is sorted out, add the complexity of having restrictions (user levels etc)
I ported/redesigned/rewrote a 30,000-line MS-DOS C++ program into a similar-length but much more fully-featured and usable Java Swing program.
I learned never to take another job involving C++ or Java.
I ported a client server Powerbuilder app, a couple of hundred screens worth, into an ASP.NET app (C#).
Due to performance and maintainability issues, I had over the previous year moved a ton of embedded SQL out of Powerbuilder scripts and into stored procedures.
Although this would make a lot of you wince, having a lot of business logic in the database, it mean the Powerbuilder app was relatively "light" and when we built the .Net front end, it could take advantage of the SQL codebase and have a lot of functionality already built and tested.
Not saying I'd recommend building apps that way, but it certainly worked to our advantage in this instance.
We had a code generation tool in our application framework that was used to read in text-based data files, About 20 other applications made use of it.
We wanted to make use of XML data files instead of structured text-based files. The original code was quite outdated and difficult to maintain. We replaced this tool by a combination of XSLT scripts and a utility library. For the utility library we could make use of some code in the old tool.
The result was that all 20 applications could now make use of either the obsolete text based file format or the new XML based format. We also delivered a conversion-generation tool that converted old data files to new XML data files.
After bringing out one or two release we have now decided that we will no longer support the old text based format and everybody is able to convert their data to XML.
We did hardly have to do manual conversions,
Converted the main company app from pre-standard C++ to standard C++. We had a multimillion dollar sale contingent on making it work on AIX, and after looking at it we decided that converting to standard C++ was going to be just as easy as converting to IBM's traditional C++.
I don't know the line count, but the source code ran to hundreds of megabytes.
We used standard Unix tools to do this, including vi and the assorted compilers.
It took a few months. Most of the fixes were simple ones, caught by the compiler and almost mechanically fixed. Some of them were much more complicated.
I think my main takeaway was: Don't get too awfully clever with code in a language that hasn't been standardized yet, or is likely to have things change in unexpected ways. We had to do a lot of digging in some of the ingenious adaptations/abuses of C++ streams.
Ten years ago I managed a team that converted a CAD system from DOS into Windows. The DOS version used home-brew libraries for graphics drawing, the Windows version used MFC. The software was about 70.000 lines of C code at the time of the conversion. The most important thing we learned in the process is the power of abstraction. All device-specific non-portable routines were isolated in a few files. It was therefore relatively easy to substitute the calls to the DOS-based library that would draw by directly accessing the frame buffer with Windows API calls. Similarly, for input we just substituted the event loop that checked for keyboard and mouse events, with the corresponding Windows event loop. We continued our policy of isolating the non-portable (this time Windows) code from the rest of the system, but we have not yet found this particularly useful. Perhaps one day we will port the system to Mac OS X and be thankful again.
Several. But I mention one.
It was a performance modeling tool. Part delphi 1, part turbo pascal. It needed a rewrite else it was not going to survive. So we started as a team of 2, but only me survived to the end. And I was ready before the deadline ;-).
Several things we did:
Make it multimodel. The original had lots of globals. I removed them all and multi model was easy to adapt.
Extended error messages. Click on a message and get the help.
Lots of graphs and diagrams. All clickable to drill down.
Simulation. Change parameters over time and see how long the current configuration was enough.
We really made this one clean and it paid back heavily in the end. Such a big learning experience.
Re-wrote a system for a company that processes legal invoices - the original system was a VB monstrosity that had no idea of good OO principles - everything was mixed together. The HTML did SQL, and the SQL wrote HTML. A large part of it was a custom rules engine that used something like XML for the rules.
Two teams did the re-write, which took about 9 months. One team did the web front end and the backend workflow, while the other team (that I was on) re-wrote the rules engine. The new system was written in C#, and was done test-first. Adding new rules to the system when we were done was dirt simple, and it was all testable. Along the way we did things like convert the company from VSS to SVN, implement continuous integration, automate the deployment, and teach the other developers how to do TDD and other Scrum/XP practices.
Managing expectations was crucial through the project. Having a customer that was savvy about software was very helpful.
Having a mix of large scale (end-to-end) tests along with comprehensive unit and integration tests helped tons.
Converted vBulletin which is written in PHP into C#/Asp.NET. I'm pretty familiar with both languages, but PHP is the hands down the winner for building that software. The biggest pain in the rear was needing to do a C# equivalent of PHP's eval() for calling the templates.
It was my first challenge in trying to do a conversion. I learned that I need more experience with C# and that writing it from scratch is just the easier route sometimes.
I converted a dynamical build-process completely written in Perl to a C#/.Net solution using a workflow-engine a co-worker had developed (which was still in beta - so I had to do some refinements). That gave me the oppertunity to add fail-safe and fail-over functionality to the build process.
Before you ask - no - the microsoft workflow-foundation could not be used since you cannot dynamically change a process during its runtime.
What I learned:
to hate the Perl-developer
process-optimization using a wf-engine
fail-safe and fail-over strategies
some C# tweaks ;)
In the end it covered about 5k - 6k (including the wf-engine) LoC origin from 3 200 LoC Perl-files. But it was fun - and far better in the end ;)
Converting theoretically portable C code into theoretically portable C code across architectures to support a hardware change that saves the company X dollars per unit.
The size varies - this is a common need, and I've done small and large projects.
I learned to write more portable C code. Elegance is great, but when it comes right down to it the compiler takes care of performance, and the code should be as simple and portable as possible.
Ported a simulation written in Fortran 77 (despite being written in the 90s) to C/Java because the original only worked on small data sets. I learned to love big O notation after several times of explaining why just moving the entire data table into memory at the start of the program was not going to scale.
Migrating the B-2 Stealth Bomber mission software from JOVIAL to C. 100% fully automated conversion. Seriously!
Main lesson: using configurable automated conversion tools is a huge win.
See DMS Software Reengineering Toolkit.
We are about to get a canned package in that has been modified to our needs. I'm part of the team setup to prepare tests for it. It has an Oracle back end and I believe it's written in C++ .NET.
My question is what free or open source testing tools would you recommend.
Thanks
Ken
For regression testing of our applications I use a free tool called AutoHotKey http://www.autohotkey.com/. It is simple, batch configurable, and can work for virtually any application you have. Not exactly designed for black box testing, but a good free tool to add to your toolbox.
While there are a few good commercial applications for black box testing of applications (HoloDeck http://www.sisecure.com/holodeck/index.shtml, Cenzic Hailstorm http://www.cenzic.com/), the only open source applications that I know about only test network security (Spike http://www.immunitysec.com/resources-freesoftware.shtml, OWASP WebScarab http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project, and Nikto http://www.cirt.net/nikto2)
Value checking. See if only valid dates are exempted, number fields except the full range, ect.
What do you expect from such a tool? I don't know of any tool that can arbitrarily test any piece of software.
For what is sounds like you already know what it is that you want to check. Being a custom application your best bet would be to devise a test plan and manually test the values that you would like to validate.
Agree with the others - since the application has been modified to your needs, you should make sure that it actually is modified to your needs.
If the assembly isn't obfuscated, you can use FxCop to analyze the binaries and see if there are any critical bugs (note - if you're not familiar with fxcop and static analysis, find someone who is before reporting a ton of bugs that won't be fixed).
Beyond that, you're looking at more techniques vs. tools to get the job done.
Testing, either functional or non-functional, without reference to the
internal structure of the component or system.