Review: NDepend: a code quality and technical debt estimator

A couple weeks ago, an individual from NDepend reached out and asked me to do a review of their platform, which is a code-quality tool that continually runs analysis on your code base to determine technical debt.  With it also integrating into VSTS so managers and higher-ups can view reports while also providing a desktop installable and Visual Studio extension to tweak analysis rules, view reports, and customize just about every aspect of NDepend, this is definitely a very powerful tool.  Let’s dig in.

Initial thoughts

The installation of NDepend is very easy.  The VSTS extension installs without a lot of work: once the extension is added, an NDepend dashboard is automatically generated and runs the default rules on your codebase.  There is also a task it installs which you have to add to any build definitions you want NDepend to analyze.  Once done, you are set and ready to go.

NDepend’s VSTS dashboard

NDepend is going to take a build to run comparisons against.  I installed this into a pretty mature codebase so I just let it compare against the baseline of the first build generated with the NDepend task added.  I figured over the next week or two I should start seeing baseline comparisons leveling out as the other devs and I start checking in code.

NDepend is thorough (it gave my code an overall rating of D).  Like a lot of other code quality applications out there, the baseline rules are strict and rigid.  There are major categories (quality gates, code smells, dead code, immutability, etc.) that are broken down into simple, single-purpose rules.  Maximum lines of code in a file, for example, is set at 200 lines.  You can only have 20 methods in a file (which is actually a decent amount of methods).

NDepend rule categories and rules

If you’ve used any kind of code quality software before, it’s pretty much like that.  You can choose what projects it reviews, you tweak the rules or fix the issues, and you try to improve your overall score to something you are happy with.

Customization

The big part of NDepend is the customization.  NDepend is highly customizable in that you can select which projects in a solution to analyze, add your own rules and tweak existing rules.  With the desktop application, you can change anything about NDepend and save it so it refreshes the dashboard analysis with the updates.

For instance, the number of lines per file flagged one file in my codebase, which is great.  However, it was an Automapper translation file, so it’s not something I care too much about as it just lists and defines translations.  It didn’t bother me that this file was a bit unwieldy.  I updated the rule to ignore translation files and that issue went away.

I also had a project I didn’t want analysis done on.  Even though I had NDepend target my entire solution, I was able to tell it to ignore certain projects, which also improved my overall score.

Integration

NDepend isn’t necessarily better than other code quality tools like SonarQube or Resharper.  Resharper’s integration into VS is one of the best I’ve ever seen for code; however, Resharper is much, much more than a code quality engine.  NDepend integrates into VS as well, giving you real-time updates on the quality of the code you’re writing.  This is a very nice feature as you can fix issues before you check in and commit.

NDepend really pulls ahead due to the VSTS dashboard it creates.  My executive director is a big fan of code metrics and having this dashboard is giving a kid the keys to the candy store.  Any metric he wants is there and anything that might not be there down the road can easily be created (NDepend allows you to create “Quality Gates”, which are boolean tests as to whether or not a specific rule passes).

My use

First, I want to make a general disclaimer that, overall, I find that code quality tools are great, but I don’t really use them.  To really get what you need from a CQ tool you should be tweaking the rules to match your patterns, which is a lot of upfront investment.  Being that I’m on a very small dev team, I find that code reviews go a long way to preventing 90% of the issues I want to stop.

I found myself making tweaks to the rules and what the rules were run on to improve my score rather than following the rules to improve my code half the time.  While that isn’t the intent of the software, the software’s OOTB rules were either too rigid or were catching things I didn’t want them to catch.  There were a lot of “well, that’s a BS mocked object anyway, so ignore that” or “well, it doesn’t really need to run against that test project as it’s an integration test library and doesn’t really need code smell analysis.”

All in all, the default rules engine grade of “D”, once I really looked through the things it caught, was really a B or even an A once I fixed the rules.  The “too many methods in a class” didn’t take into consideration overloads, which I would’ve liked it to since overloads are typically one real method and then sister methods that end up feeding data into the “real” method.  I would really consider them to be one method.  But, again, that’s my use.

Don’t get me wrong, though.  There is definitely a bunch in here that is useful: finding all methods or properties that are poorly documented, dead/unused code, fixing visibility issues, inconsistent naming conventions, missing attributes, too general of exception types being used, etc.  These are huge things that are not easy to find on your own in a large code base and definitely make NDepend a viable purchase.

Conclusion

Overall, NDepend is a viable, strong CQ engine.  Its integration into VSTS and VS is a big plus that few, if any, of its competitors have.  However, if you aren’t using VSTS, that advantage diminishes.  Its UI is okay, nothing special, and has a learning curve to get used to, as any highly-configurable software UI does.  But, once you get past that, it’s very easy to use.

It is pricey, though, starting at 399 Euros for up to 2 seats.  SonarQube, by comparison, is free.  NDepend is definitely more in-depth and has more features than SonarQube, but it depends on your needs if the price justifies the purchase.  Resharper by JetBrains also has a VSTS task to run a CQ analysis during a check-in, so that might be a worthwhile solution if you already have a JetBrains license (such as I do).

You can download and view NDepend here.
