SharePoint Custom Code Analysis using MSOCAF

Code review, as we all know, plays a critical role in software development. It helps in developing high-quality custom code using industry best practices.

Code analysis can be performed in two ways: manually or by using tools. The main benefits of using tools over a manual process are that they are faster and the results have a higher accuracy rate.

Several tools are available in the market to help perform code analysis, such as FxCop, NDepend, Eclipse, SourceMeter, JSLint, and so forth. In the context of SharePoint, the code analysis tool provided by Microsoft is MSOCAF (Microsoft SharePoint Online Code Analysis Framework). It is a free tool provided by Microsoft for analyzing SharePoint custom code.

It is really important to ensure that the custom code we write is healthy, so that malicious code we deployed to the server does not bring down the entire SharePoint server. In fact, this is one of the reasons why Microsoft introduced the new Add-in concept for developing custom code. Neither the Provider-hosted Add-in nor the SharePoint-hosted Add-in executes the custom code on the SharePoint server. The sections below explain how we can use MSOCAF to analyze our custom code.

Install MSOCAF on the development server.

The first step is to install the tool on the development server. We can download the tool from this url. After successful installation we can launch the application by selecting the shortcut from the desktop as shown below:

This will launch the tool:

This tool is not only used for analysis. It can also be used to deploy to the test environment, roll back a custom solution that is already deployed, and submit the code to Microsoft. In this document let us focus on the analysis part.

Preparations for performing analysis:

Before we start analyzing our custom solution (.wsp file) we need to create a folder structure and keep the required files in it. The screenshot below shows the folder structure that is required to perform the analysis.

The folders and the content of each folder are listed below:

Caf Reports – Empty folder. (This folder is used to store the output of the code analysis. The output contains the cab file and the analysis comments in XML format.)

Release Documents – Should contain the release document in MS Word format.

Solution Artifacts – Contains the wsp and the DeploymentManifest.xml file. (The DeploymentManifest file contains the details for deployment, as shown in the code snippet below.)

Source Code – Should contain the complete solution in Zip format.

Test Documents – Any file format that contains the test results.

Installation Scripts – PowerShell scripts that contain the pre- and post-deployment activities to be performed.

Code Snippet:

<!-- Replace each <...> placeholder with the value for your solution -->
<DeploymentManifest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Solution Name="<Name of the Solution>" Version="<deployment version>" Action="Deploy">
    <SolutionDescription><One line description about the solution></SolutionDescription>
    <SolutionFileName><Solution Name></SolutionFileName>
    <WebApplication Type="<Type of the site>" Uri="<url of site>"></WebApplication>
  </Solution>
</DeploymentManifest>

Once all the required folders and the respective files are created we can start the analysis.
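
The folder preparation described above can be checked before opening the tool. The script below is an added example, not part of MSOCAF or of the original article: it verifies the six folders, their expected contents, and the manifest attributes shown in the snippet. The function name Test-MsocafPackage and the sample path are hypothetical.

```powershell
# Pre-flight check of the analysis folder (added example, not MSOCAF's own code).
# Folder names and expected contents come from the list above.
function Test-MsocafPackage {
    param([Parameter(Mandatory)][string]$Root)
    $problems = New-Object System.Collections.Generic.List[string]

    # Folder name -> pattern that must match at least one file ($null = folder must be empty).
    $expected = [ordered]@{
        'Caf Reports'          = $null
        'Release Documents'    = '*.doc*'
        'Solution Artifacts'   = '*.wsp'
        'Source Code'          = '*.zip'
        'Test Documents'       = '*'
        'Installation Scripts' = '*.ps1'
    }
    foreach ($name in $expected.Keys) {
        $dir = Join-Path $Root $name
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems.Add("Missing folder: $name"); continue
        }
        $pattern = $expected[$name]
        if ($null -eq $pattern) {
            if (Get-ChildItem -LiteralPath $dir -Force) { $problems.Add("$name must be empty before analysis") }
        } elseif (-not (Get-ChildItem -LiteralPath $dir -Filter $pattern -File)) {
            $problems.Add("$name has no file matching $pattern")
        }
    }

    # The manifest sits beside the .wsp and must be well-formed XML with its placeholders filled in.
    $manifest = Join-Path $Root 'Solution Artifacts\DeploymentManifest.xml'
    if (-not (Test-Path -LiteralPath $manifest -PathType Leaf)) {
        $problems.Add('Missing Solution Artifacts\DeploymentManifest.xml'); return $problems
    }
    try {
        $xml = [xml](Get-Content -LiteralPath $manifest -Raw)
        $sol = $xml.SelectSingleNode("//*[local-name()='Solution']")
        foreach ($attr in 'Name', 'Version', 'Action') {
            if (-not $sol -or -not $sol.GetAttribute($attr)) { $problems.Add("Manifest: Solution/@$attr is missing or empty") }
        }
        $web = $xml.SelectSingleNode("//*[local-name()='WebApplication']")
        if (-not $web -or -not $web.GetAttribute('Uri')) { $problems.Add('Manifest: WebApplication/@Uri is missing or empty') }
    } catch { $problems.Add("Manifest is not well-formed XML: $($_.Exception.Message)") }
    return $problems
}

Test-MsocafPackage -Root 'C:\MSOCAF\MySolution'   # hypothetical path; no output means nothing is missing
```

A manifest that still contains the angle-bracket placeholders from the snippet is reported as not well-formed, which is the intended result.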

In the tool window click on the Analyze icon as shown below:

On selecting 'Analyze' it will take us to the next screen, which shows the required folder structure:

Click on the 'Next' button, which opens a short description page that tells us about the review rules:

Click the 'Next' button, where we have the option to select the folder where the source code and other artifacts are stored:

Select the folder that we created at the beginning, during the preparations for performing the analysis, and click the Analyze button. This will start analyzing our code. Once the analysis is completed we will get the screen shown below:

Here the analysis is completed successfully and this code is safe to be deployed to the server. If you notice, there are two warnings, which are ignorable. We can click on the expand icon to drill down further and find out the details.

Let us see what those warnings are:

It says we need to add ULS logging in each catch block, and

the hardcoded control template path needs to be removed.

We can ignore these two warnings and proceed with deployment, or we can fix them and re-analyze.

Now, let us take a situation where the code fails the review. Below is the screenshot of the analysis failure:

Here we notice that the code analysis failed due to ten errors. Let us analyze those errors:

It says there is an issue with marshalling. Let us click on the Resolution link provided under the Resolution column to find out what the recommended resolution is.

It says we need to add Marshal Attribute to the code when we are using unmanaged components.

Now let us look at the code, fix these failures and re-run the analysis.

After fixing those issues we can re-run the analysis; it will now complete successfully, and the code is safe to be deployed. We can go on to deploy this code by clicking the Next button. The code will be deployed into the environment mentioned in the manifest file.

Since the focus was on getting the code reviewed, I am not taking you to the next action – deployment – of the solution from the tool.

