Looking for open source tool for f#
Have seen a few that support c#:
https://pumascan.com/
https://security-code-scan.github.io/
But cant find any for f#.
Just wonder do f# people do ci/cd and have a pipeline stage for static analysis and if so what do they use
Related
Having just switched to VS2019 I’m exploring whether to use code analysis. In the project properties, “code analysis” tab, there are numerous built-in Microsoft rule sets, and I can see the editor squiggles when my code violates one of these rules. I can customise these rule sets and “save as” to create my own.
I have also seen code analyser NuGet packages such as “Roslynator” and “StyleCop.Analyzers”. What’s the difference between these and the built-in MS rules? Is it really just down to more comprehensive sets of rules/more choice?
If I wanted to stick with the built-in MS rules, are there any limitations? E.g. will they still get run and be reported on during a TFS/Azure DevOps build?
What's the difference between legacy FxCop and FxCop analyzers?
Legacy FxCop runs post-build analysis on a compiled assembly. It runs as a separate executable called FxCopCmd.exe. FxCopCmd.exe loads the compiled assembly, runs code analysis, and then reports the results (or diagnostics).
FxCop analyzers are based on the .NET Compiler Platform ("Roslyn"). You install them as a NuGet package that's referenced by the project or solution. FxCop analyzers run source-code based analysis during compiler execution. FxCop analyzers are hosted within the compiler process, either csc.exe or vbc.exe, and run analysis when the project is built. Analyzer results are reported along with compiler results.
Note
You can also install FxCop analyzers as a Visual Studio extension. In this case, the analyzers execute as you type in the code editor, but they don't execute at build time. If you want to run FxCop analyzers as part of continuous integration (CI), install them as a NuGet package instead.
https://learn.microsoft.com/en-us/visualstudio/code-quality/fxcop-analyzers-faq?view=vs-2019
So, the built-in legacy FxCop and NuGet analyzers only run at build time while the extension analyzers can run at the same time the JIT compiler does as you type. Also, you have to specifically say to run legacy code analysis on build, whereas the NuGet analyzers will run on build just because they are installed. And analyzers installed as NuGet or extensions won't run when you go to the menu option "Run Code Analysis".
At least, that's what I get out of that page.
There's a link near the bottom of that page that takes you to what code analysis rules have moved over to the new analyzers, including rules that are now deprecated.
https://learn.microsoft.com/en-us/visualstudio/code-quality/fxcop-rule-port-status?view=vs-2019
The different analyzers attempt to cover different coding styles and things Microsoft didn't cover when they built FxCop. With the little research I just did on this, there's a whole rabbit hole to follow, Alice, that would take more time than I have right now to devote to it. And it seems to be filled with lots of arcane knowledge and OCD style code nitpicks that make Wonderland seem normal. But that's just my opinion.
There's lots of personal and professional opinion about various rules in these and basic Microsoft rules, so there's plenty of room to use what you want and disable what you don't. For a beginner, I'd suggest turning on only a few rules at a time. That way you aren't inundated with more warnings and errors than lines of code you might have. Ok, so that might be a bit of an exaggeration, but there's so many rules that really are nitpicks, especially on legacy code, that they aren't really worth it to have enabled, since you likely won't have time to fix it all. You will also want to do basic research and use "common sense" when you decide what to enable. ("Do I really need to worry about variable capitalization coding style consistency on an app that's been ported into 4 different languages over 15+ years and has 10k files?") This is both personal and professional opinion here, so follow it or not.
And don't forget the rules that contradict each other. Those are fun to deal with.......
I'd like to derive exactly that subset of the sources of a dart comiler (dart2js or dartdevc or other) or of a dart analyser that can 1. transform a string of dart code (or better a list of strings each representing a compilation unit) into a typed syntax tree, 2. be translated into js, 3. be run in the browser. Is there a marked subset that fulfills these requirements, which is it, and how can I find it, in general.
Accomplishing #1 is fairly simple using package:analyzer, which is the same static analyzer used to provide IDE hinting and autocomplete, etc. The Dart Team is currently working on unifying their compiler frontends behind on main API, but for now, analyzer should definitely take care of most of what you need.
Here's an example of getting a syntax tree and running analysis on it: https://github.com/thosakwe/analyzer_examples/blob/master/analyze_a_file/analyze_a_file.dart
As for #2, you'll likely have to fork the dart-lang/sdk repo and make your own adjustments to dart2js. It's not published as a standalone package. Otherwise, you can write your own compiler, which is probably not going be fun.
I suppose you'd have to figure out how to get #2 up and running, but hypothetically, if you could compile a JavaScript source, you could just eval it after compilation.
To answer your final question, no, AFAIK, there is no subset of dart2js available that lets you create your own Dart-to-JavaScript compiler.
I know there are a number of projects which can compile F# to JavaScript.
Does any of these projects support this use case:
developing an application in TypeScript
but writing part of the application in F#, as a library
consuming this F# library from the main TypeScript application, optimally in a type-safe way?
WebSharper produces d.ts files for the compiled JS files. You can read about this in the relevant section of the documentation. However this feature is still experimental and uses an older version of TypeScript.
There is FunScript (https://github.com/ZachBray/FunScript) but it does not seem to be widespread, so it may take you more time than the benefits are.
Sonar is an application for integrating output from several static and test analysis tools into a comprehensive overview of the software's quality.
Unfortunately, most of those analysis tools (PDM, FindBugs, etc.) do not support Groovy and, by extension, Grails.
We've found tools called CodeNarc and GMetrics which perform some of the analysis, but not test coverage, and we're working on a Sonar plugin to import the CodeNarc output. As I said, though, this is incomplete.
Does anyone know of a better set of complexity/rules-based static analysis tools that can handle Groovy, as well as a Grails test coverage metric? Of course, one with a Sonar plugin for reading in the output would be best.
Just use Sonar Groovy Plugin!
It leverages GMetrics, Codenarc and Cobertura in Sonar!
Here are the tools I'm aware of (and just aware):
There is CodeNarc that you mentioned.
There is also GMetrics.
And Grails has a Test Code Coverage Plugin.
But nothing ready to be used with Sonar AFAIK. I'm watching SONARPLUGINS-194 about this but there isn't much activity although some work has been reported very recently, maybe be you :)
After a recent juggling with our ant scripts I've started to wonder if something better is possible.
I need a builder that will know to recompile all required .java files for me.
For ex. for this structure
public class A { ]
public class B extends A {}
public class C {
B b;
}
For: Compile('C') Will know to compile A, B, C.
For: B changed, Compile('C') will know to recompile just B.
I know of several alternatives, Ivy which seems like an extension of ant which is our current java builder. Scons which we are currently using for building C++ code, scons is excellent in doing the above described behavior for C code. Then there are reports of Maven being almost but not quite there.
What would you suggest? What tools are you using Free Software / Commercial for you build system?
Thank you,
Maxim.
Ant, with 'depend' task and with 'closure' option turned on
'make', from IDEA ide
None of ivy, scons or maven will help you with your problem as stated.
What do you mean by "for Compile('C')"? I don't think this is what you have in your ant file.
For this case, Ant should be working as desired: you have described its default behaviour. In the same javac element, Ant will only recompile changed classes. See the Ant manual entry for the javac task, especially the 'includeDestClasses' attribute.
You should probably post an example ant file that you are finding inadequate.
maven, both for my personal and my commercial products
In your question you describe inter-class dependencies. Most build systems, in particular Maven, are aimed more at inter-project dependencies. I believe most systems just recompile all the classes in a project and most of the benefits of these build systems is in building as few projects as possible.
Both Maven and Ivy will allow you to easily specify both external and internal dependencies of your project, including which version of the project you depend on. They will both also automatically download external libraries (such as apache commons) to your local machine as part of the build process if they are not already locally cached, saving a lot of work manually downloading and organizing third party jar files.
Ivy is an extension of ant, like you mention. I recommend Maven. It is a convention oriented build system that I've used successfully and feel is quite mature. Maven requires far less up front effort to start using and is quite extensible.