During a recent technical interview I asked the candidate which tools they used to review code quality for their SharePoint custom solutions.
This blog post describes the process and tools we use to check SharePoint code quality for a SharePoint Online 100K user deployment I have been working on.

Our project team uses Team Foundation Service (TFS) Cloud for source code management and continuous integration.  We perform code quality checks as part of TFS Team Build and Release Management processes.

SPCAF and MSOCAF code quality checkpoints

Figure 1: SPCAF and MSOCAF code quality checkpoints

The release management process for our project implements separate SharePoint Online tenants for Development (Integration), Staging (UAT), and Production environments. SPCAF provides code quality checks in the Development environment.  MSOCAF is used to provide consistency in packaging of releases to the Staging and Production environments.

Our SharePoint custom code must pass 400+ SPCAF code checking rules and MSOCAF test cases defined by the SharePoint Online engineering team before it can be approved for deployment to the Staging and Production environments.

Both tools provide extensive code checks to validate custom code against SharePoint development best practices and guidance.  SPDisposeCheck, FxCop, CATNET, and FxCop Metrics analysis tools are integrated into SPCAF and MSOCAF code review.

SharePoint Code Analysis Framework

SPCAF provides build activities that can be integrated into Team Build workflow.  For projects that do not use TFS or environments where Visual Studio is not available, the SPCAF client application can be used to perform analysis of WSP files or apps.

SPCAF client application

Figure 2: SPCAF client application

SPCAF provides rule check for WSP package and SharePoint 2013 apps to identify possible problems or coding errors in assemblies, XML files, ASPX files, CSS files etc. The rules check the artefacts and in case of violations they return the result as CriticalError, Error, CriticalWarning or Warning.  The Ruleset Editor can be used to disable rules or rule categories or to change the severity of a rule.  SPCAF includes a SDK to create custom rules, metrics or dependency checks.

SPCAF ruleset editor

Figure 3: SPCAF ruleset editor

SPCAF generates rule violations, metrics, dependencies, and inventory reports included as part of each release for our SharePoint Online application.

SPCAF code analysis results

Figure 4: SPCAF code analysis results

The SharePoint Rule Violations Report includes all rule checks that have failed.  A nice feature enhancement would be to provide the ability to override the rule check and provide a comment (similar to MSOCAF tool).
Some of our rule violations may be false positives depending on the deployment scenario . We include the HTML report together with a document providing reasons for any rule violations as part of our release management process.

SPCAF rule violations reporting

Figure 5: SPCAF rule violations reporting

The SharePoint Metrics Report provides a breakdown of the artifacts in our SharePoint custom application.  We use the metrics report to monitor the how our SharePoint code base is evolving across different project releases.

SPCAF code metrics reporting

Figure 6: SPCAF code metrics reporting

The SharePoint Dependency Report provides detailed information about dependencies in our SharePoint custom application.  I particularly like the DGML diagram for visualizing application dependencies but have not found a DGML viewer other than Visual Studio.

SPCAF code dependencies reporting

Figure 7: SPCAF code dependencies reporting

The SharePoint Application Inventory Report provides detailed documentation about the contents of our SharePoint custom application.  Both Dependency and Inventory reports save hours of effort documenting our SharePoint custom application for each release.

SPCAF code inventory reporting

Figure 8: SPCAF code inventory reporting

Microsoft SharePoint Online Code Analysis Framework

The MSOCAF tool ensures each release of our SharePoint custom application is packaged using a standard folder structure.

MSOCAF folder structure

Figure 9: MSOCAF folder structure

MSOCAF test cases are created by the Microsoft SharePoint Online engineering team and used to review code quality for each release of our SharePoint custom application before it is deployed to the Staging (UAT) environment.  The MSOCAF tool is built using an extensible framework so that the SharePoint Online engineering team can add new rules and/or plug-ins in the future. Code analysis within MSOCAF focuses on areas like memory management, security vulnerabilities, exception management, object model usage, quality gates for unsupported features and reporting.

MSOCAF test cases

Figure 10: MSOCAF test cases for custom code

Using SPCAF and MSOCAF as part of our build and release management process has been extremely helpful in improving the overall code quality and release procedures for our SharePoint projects at Kloud Solutions.

Application Development and Integration