Continuous Integration is a software development practice where members of a team integrate their work frequently. Each integration is verified by an automated build to detect integration errors as quickly as possible.
Software teams can benefit from Continuous Integration for both coordination and automation. We'll discuss the people who can and should participate in CI, the processes we can implement and then automate, and the technology that makes all of this possible. I've attached the presentation I gave at the CapArea .NET User Group on Nov 16, 2009.
Downloads
As part of my continuous improvement campaign, I have been adding additional processes to our continuous integration server so our team can ensure high code quality.
One issue I have seen is that developers do not take enough time to read each other's code. This leads to duplicate code that then needs to be maintained in multiple places, and a bug fixed in one copy stays open in the others. Sometimes this is a one-off, sometimes it is a trend; you need to decide which it is for your project. Practices like code reviews and pair programming can minimize it, and there are many tools that can do the mechanical review as well.
The most popular commercial tool is Simian. However, for my project I am using Duplicate Finder, which is open-source software. These tools will scan your source code, not object code, so access to the source code is required. The reports that are generated can help you identify cut & paste programming, or common constructs that can be refactored.
Anthony Steele (the developer of Duplicate Finder) recently integrated changes into the tool to provide XML output that is a perfect fit for CruiseControl.NET. I've created two XSL files that integrate the XML reports into the dashboard in both summary form and detail form (with file name and line number).
To integrate them into your CruiseControl.NET dashboard:
- Unzip them both to <cruisecontrol install directory>\webdashboard\xsl
- Modify the dashboard.config file in <cruisecontrol install directory>\webdashboard\ as follows:
  - Add the line <xslFile>xsl\DuplicateReportSummary.xsl</xslFile> to dashboard/plugins/buildPlugins/buildReportBuildPlugin/xslFileNames
  - Add the line <xslReportBuildPlugin description="Duplicate Code Report" actionName="DuplicateBuildReport" xslFileName="xsl\DuplicateReport.xsl" /> to dashboard/plugins/buildPlugins/
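Here is what the relevant part of dashboard.config looks like with both additions in place. This is an added illustration, not a file shipped with the XSL download: only the buildPlugins element is shown, the remoteServices section and the other plugin groups of a real dashboard.config are omitted, and the stock xslFile entries are the ones a default install carries (your list may differ).

```xml
<dashboard>
  <plugins>
    <buildPlugins>
      <buildReportBuildPlugin>
        <xslFileNames>
          <!-- existing entries from a default install; keep whatever you already have -->
          <xslFile>xsl\header.xsl</xslFile>
          <xslFile>xsl\modifications.xsl</xslFile>
          <xslFile>xsl\compile.xsl</xslFile>
          <xslFile>xsl\unittests.xsl</xslFile>
          <!-- added: duplicate-code summary table on the main build report page -->
          <xslFile>xsl\DuplicateReportSummary.xsl</xslFile>
        </xslFileNames>
      </buildReportBuildPlugin>
      <buildLogBuildPlugin />
      <!-- added: separate "Duplicate Code Report" link in the build's menu,
           rendering the detail report with file names and line numbers -->
      <xslReportBuildPlugin description="Duplicate Code Report"
                            actionName="DuplicateBuildReport"
                            xslFileName="xsl\DuplicateReport.xsl" />
    </buildPlugins>
  </plugins>
</dashboard>
```

Two things to check before expecting the report to appear. First, the dashboard XSL files transform the merged build log, so the Duplicate Finder XML output has to be merged into it with a <merge> publisher in the project's ccnet.config, listed before <xmllogger /> so the merged data is written to the log; the output file name depends on how you invoke Duplicate Finder and is not given here. Second, compare the SHA-1 of the archive you downloaded against the value published below before unzipping it into the dashboard; the XSL is executed server-side on every report view, so you want to be sure you are installing the file that was published.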
DuplicateReportXsl.zip
sha1: 29d5ae55db98db86ebf01d3e8bfd88f15c53b3a4
Static code analysis can improve software security by looking for common security errors such as (SQL/XML/LDAP) injection, Cross Site Scripting (XSS), and more. Most tools do this by pattern matching: they look for query or output statements built from string concatenation where malicious input could be injected. The CAT.NET tool from Microsoft goes one better and performs data-flow (taint) analysis, tracking data from untrusted inputs (sources) to the sensitive operations that consume it (sinks). This is a great QA check as well as a teaching tool for developers to understand where their applications may be vulnerable to attack.
The tool is available as a Visual Studio plugin or as a command-line tool. It scans your object code (compiled assemblies), not your source, and produces a report for you to review. Microsoft offers a library to handle XSS findings, the Anti-XSS library; for the remainder of the errors, you are on your own to mitigate them.
I was writing some code to search Active Directory with an LDAP query. CAT.NET found this and marked it as a vulnerability for LDAP injection. I made sure to sanitize the input (and decorate the method with a System.Diagnostics.CodeAnalysis.SuppressMessage attribute), and it disappeared from the report. This is a great tool to use in a daily build to ensure common security bugs can be eliminated.
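The following is an added example, not the code from the original post, showing the shape of the Active Directory lookup CAT.NET flags as LDAP injection beside a hardened version that escapes LDAP filter metacharacters (RFC 4515 section 3) before the input is concatenated into the filter. The class names LdapFilter and DirectoryLookup, the LDAP path and the sample account names are assumptions constructed for the example, and the category and check ID in the SuppressMessage attribute are placeholders: take the exact values from your own CAT.NET report.

```csharp
// Added example (not from the original post). Names, paths and the rule
// identifiers in SuppressMessage are assumptions; see the lead-in above.
using System;
using System.Diagnostics.CodeAnalysis;
using System.DirectoryServices;
using System.Text;

public static class LdapFilter
{
    // Escape the characters that carry meaning inside an LDAP search filter
    // (RFC 4515 section 3) so the caller's text can only match as a literal.
    // '\' must be handled like any other character: it is replaced, not doubled,
    // so an already-escaped sequence from an attacker is neutralised too.
    public static string Escape(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }
}

public class DirectoryLookup
{
    // Constructed sample path, e.g. "LDAP://OU=Staff,DC=example,DC=local".
    private readonly string ldapPath;

    public DirectoryLookup(string ldapPath) { this.ldapPath = ldapPath; }

    // BEFORE: untrusted input concatenated straight into the filter.
    // A userName of "*)(objectClass=*" closes the sAMAccountName clause early
    // and turns a lookup of one account into a search matching every object
    // under the base. CAT.NET reports this because tainted data flows from
    // a parameter into the DirectorySearcher.Filter sink unmodified.
    public SearchResult FindUserUnsafe(string userName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + userName + "))";
            return searcher.FindOne();
        }
    }

    // AFTER: the same query with the input escaped first. The attribute records
    // that the finding was reviewed and why; category and checkId here are
    // placeholders to be replaced with the values shown in the CAT.NET report.
    [SuppressMessage("Microsoft.Security", "LdapInjection",
        Justification = "userName is escaped with LdapFilter.Escape before use")]
    public SearchResult FindUser(string userName)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=user)(sAMAccountName="
                            + LdapFilter.Escape(userName) + "))";
            return searcher.FindOne();
        }
    }
}

public static class Program
{
    // Shows what the escape does to a hostile value without touching a directory.
    public static void Main()
    {
        const string hostile = "*)(objectClass=*";   // constructed attacker input
        Console.WriteLine("raw:     " + hostile);
        Console.WriteLine("escaped: " + LdapFilter.Escape(hostile));
    }
}
```

One caveat when relying on the suppression: SuppressMessageAttribute is marked [Conditional("CODE_ANALYSIS")], so it is only compiled into the assembly when the CODE_ANALYSIS symbol is defined for the build configuration. Since CAT.NET reads the compiled assembly rather than the source, a daily build that omits that symbol will keep reporting the finding even after you have fixed and annotated the method.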