SharePoint Dragons

Nikander & Margriet on SharePoint

SPCAF

SharePoint Code Analysis Framework (SPCAF) is currently a free beta tool (http://visualstudiogallery.msdn.microsoft.com/d3b2aaf7-0d6a-4995-a4e5-4153c57e3889) and remains free until 2013/09/30, but will eventually become a commercial product. SPCAF currently applies roughly 300 SharePoint-specific rules to compiled code, XML files, user controls (*.ascx files), pages (*.aspx files), and master pages (*.master files). It integrates into Visual Studio and is also available as a separate client application that can be run from the command line. The following figure shows a screenshot of the client application.

[Figure 1: screenshot of the SPCAF client application]

The following figure shows a dependency graph that understands SharePoint solution files.

[Figure 2: dependency graph of a SharePoint solution]

SPCAF rules are divided into the following categories:

· Correctness. Correctness rules check the SharePoint XML code for syntax errors. This includes checks for all required XML attributes and for correct attribute values and data types. For example, such rules check for required Id attributes in the <Solution> element, for valid GUIDs, and that Feature folder and file names contain no spaces.

· Security. Checks whether solutions pose security issues. For example, such rules check for calls to SPWeb.AllowUnsafeUpdates, WindowsIdentity.Impersonate() calls, code running with elevated privileges, specific CAS policy settings, and the presence of a form digest control in *.aspx pages.

· SharePoint Supportability. Checks whether solutions endanger the supportability of SharePoint. For example, such rules check for attempts to change system files, accessing the SharePoint API via reflection, reading the content database connection string, and querying SharePoint databases directly.

· Design. Warnings that support proper library design. For example, such rules check for the presence of an assembly file version number, hard-coded URLs, and programmatically created content types.

· Best Practices. Rules that warn when best practices are not followed. For example, such rules check for direct calls to the Items collection of SPList, check whether locking is used when storing objects in the SharePoint cache, and flag the instantiation of new lists, list items, sites, and/or webs in event receivers.

· Deployment. The deployment of SharePoint customizations is often a critical step. Deploying the wrong way or the wrong files can harm the SharePoint farm or make it inaccessible. Deployment rules check the code for these risks and potential problems. For example, such rules check for global deployments, web server resets triggered from code during deployment, assemblies deployed in Debug mode, and deployment of web services to the SharePoint LAYOUTS folder.

· Localization. Localization is the process of customizing an application, web page, or website for a given culture or locale. The localization rules check whether all XML attributes that support localization are localized properly. For example, such rules check that localizable attributes (such as display names) use resources, among other things.

· Naming. Checks files and artifacts for violations of naming conventions. For example, such rules check for valid namespaces and for names of web templates that start with 'WEBTEMP'.

· Customization. Rules that check for violations of SharePoint customization guidelines. For example, such rules check for the presence of HTTP handlers and/or modules, the presence of timer jobs, the presence of event receivers, and inline code in .aspx pages.

· Sandboxed compatibility. Checks whether files and artefacts are compatible with the requirements for sandboxed solutions. For example, such rules check for the presence of the APTCA attribute, references to .NET assemblies that are unavailable within the sandbox, and HideCustomAction elements.

· SharePoint 2007 compatibility. Checks whether files and artefacts are compatible with SharePoint 2007. For example, such rules check for references to the correct assemblies.

· SharePoint 2010 compatibility. Checks whether files and artefacts are compatible with SharePoint 2010. For example, such rules check for references to the correct assemblies and for deprecated API calls.

· SharePoint 2013 compatibility. Checks whether files and artefacts are compatible with SharePoint 2013. For example, such rules check for references to the correct assemblies, the .NET 4.5 target framework, and deprecated API calls.
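To make concrete what a rule-based checker of this kind does for the Correctness and Security categories above, here is a small Python checker written for this post. It is not SPCAF's code and does not reproduce its rules; the rule identifiers (SPC001, SEC001 and so on), the sample package contents and the regular expressions are all constructed for the example. It implements a few of the checks the categories describe: well-formed XML, a GUID-valued id on the <Solution> element, Feature folder names without spaces, AllowUnsafeUpdates / Impersonate / elevated-privilege patterns in code files, and server-side forms in *.aspx pages that lack a FormDigest control.

```python
"""Toy rule-based checker over SharePoint solution artifacts (example only)."""
import re
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SP_NS = "http://schemas.microsoft.com/sharepoint/"

@dataclass(frozen=True)
class Finding:
    rule: str      # made-up rule id for this example, not an SPCAF rule id
    category: str  # "Correctness" or "Security", mirroring the post's categories
    path: str
    message: str

# Constructed sample package contents, keyed by path inside the solution.
# Not a real solution; it exists only to exercise the rules below.
SAMPLE_FILES = {
    "Package/Solution.xml":
        f'<Solution xmlns="{SP_NS}" SolutionId="not-a-guid" />',
    "Features/My Feature/Feature.xml":
        f'<Feature xmlns="{SP_NS}" Id="3f2c7c7e-9a1b-4d5e-8f00-1234567890ab" Scope="Web" />',
    "Layouts/Admin.aspx":
        '<%@ Page Language="C#" %>\n'
        '<form runat="server"><asp:Button runat="server" Text="Save" /></form>',
    "Layouts/Safe.aspx":
        '<%@ Page Language="C#" %>\n'
        '<form runat="server"><SharePoint:FormDigest runat="server" /></form>',
    "Code/Receiver.cs":
        "SPSecurity.RunWithElevatedPrivileges(delegate () {\n"
        "    web.AllowUnsafeUpdates = true;\n"
        "    WindowsIdentity.Impersonate(token);\n"
        "});\n",
}

# Security rules for code files: one regex per pattern the post lists.
SECURITY_PATTERNS = [
    ("SEC001", r"\bAllowUnsafeUpdates\s*=\s*true\b", "sets SPWeb.AllowUnsafeUpdates = true"),
    ("SEC002", r"\bWindowsIdentity\.Impersonate\s*\(", "calls WindowsIdentity.Impersonate()"),
    ("SEC003", r"\bRunWithElevatedPrivileges\s*\(", "runs code with elevated privileges"),
]

def _is_guid(value):
    try:
        uuid.UUID(str(value))  # str() turns a missing attribute (None) into a failure
        return True
    except ValueError:
        return False

def check_correctness(path, text):
    """Correctness: well-formed XML, GUID-valued Solution id, no spaces in Feature folders."""
    if not path.endswith(".xml"):
        return []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [Finding("SPC001", "Correctness", path, f"XML syntax error: {exc}")]
    findings = []
    tag = root.tag.split("}")[-1]  # strip the SharePoint namespace
    if tag == "Solution" and not _is_guid(root.get("SolutionId")):
        findings.append(Finding("SPC003", "Correctness", path,
                                f"SolutionId missing or not a GUID: {root.get('SolutionId')!r}"))
    if tag == "Feature":
        folder = path.split("/")[-2] if "/" in path else ""
        if " " in folder:
            findings.append(Finding("SPC004", "Correctness", path,
                                    f"Feature folder name contains a space: {folder!r}"))
    return findings

def check_security(path, text):
    """Security: risky API calls in code files, server forms lacking a FormDigest control."""
    findings = []
    if path.endswith(".cs"):
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern, what in SECURITY_PATTERNS:
                if re.search(pattern, line):
                    findings.append(Finding(rule, "Security", f"{path}:{lineno}", what))
    elif path.endswith(".aspx"):
        has_form = re.search(r'<form[^>]*runat\s*=\s*"server"', text, re.I)
        has_digest = re.search(r"<SharePoint:FormDigest\b", text, re.I)
        if has_form and not has_digest:
            findings.append(Finding("SEC004", "Security", path,
                                    "server-side form without a FormDigest control"))
    return findings

def analyze(files):
    """Run every rule over every file; returns the combined list of findings."""
    findings = []
    for path, text in sorted(files.items()):
        findings.extend(check_correctness(path, text))
        findings.extend(check_security(path, text))
    return findings

def summarize(findings):
    """Count findings per category, e.g. {'Correctness': 2, 'Security': 4}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

if __name__ == "__main__":
    for f in analyze(SAMPLE_FILES):
        print(f"[{f.category}] {f.rule} {f.path}: {f.message}")
```

Run against the constructed sample, the checker reports two Correctness findings (the non-GUID SolutionId and the space in "My Feature") and four Security findings (the three flagged calls in Receiver.cs and the Admin.aspx form without a FormDigest), while Safe.aspx passes. A real analyzer works on the compiled assemblies and the full XML schema rather than on regular expressions over source text, so treat this as an illustration of the rule categories, not as a substitute for the tool.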

SPCAF promises to become the most powerful tool available for analyzing custom SharePoint solutions, and we'll be keeping an eye on it!
