SharePoint Custom Code Analysis using MSOCAF

Code review, as we all know, plays a critical role in software development. It helps in developing high-quality custom code using industry best practices.

Code analysis can be performed in two ways: manually or by using tools. The main benefits of using tools over a manual process are that it is faster and the results have a higher accuracy rate.

There are several tools available in the market that help to perform code analysis, such as FxCop, NDepend, Eclipse, SourceMeter, JSLint, and so forth. In the context of SharePoint, the code analysis tool provided by Microsoft is MSOCAF (Microsoft SharePoint Online Code Analysis Framework). It is a free tool provided by Microsoft for analyzing SharePoint custom code.

It is really important to ensure that the custom code we write is healthy, so that malicious code deployed to the server does not bring down the entire SharePoint server. In fact, this is one of the reasons why Microsoft introduced the new Add-in concept for developing custom code. Neither the provider-hosted Add-in nor the SharePoint-hosted Add-in executes custom code on the SharePoint server. The sections below explain how we can use MSOCAF for analyzing our custom code.

Install MSOCAF in the development server.

The first step is to install the tool on the development server. We can download the tool from this URL. After successful installation, we can launch the application by selecting the shortcut from the desktop as shown below:

[Screenshot: MSOCAF in the development server]

This will launch the tool:

[Screenshot: Office 365 Custom Solution]

This tool is not only used for analysis; it can also be used to deploy to the test environment, roll back a custom solution that is already deployed, and submit the code to Microsoft. In this document let us focus on the analysis part.

Preparations for performing analysis:

Before we start analyzing our custom solution (.wsp file), we need to create a folder structure and keep the required files in it. The screenshot below shows the folder structure that is required to perform the analysis.

[Screenshot: Custom Solution]

The folders and the content of each of these folders are listed below:

Caf Reports – empty folder.  (This folder is used to store the output of code analysis. The output contains the cab file and the analysis comments in xml format)

Release Documents – should contain the release document in MS Word format.

Solution Artifacts – contains the wsp and the DeploymentManifest.xml file (DeploymentManifest file contains the details for deployment as shown in code snippet below)

Source Code – This folder should contain the complete solution in Zip format.

Test Documents – Any file format that contains the test results

Installation Scripts – PowerShell scripts that contain the pre- and post-deployment activities to be performed.

 Code Snippet:

<DeploymentManifest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <!-- Values in [square brackets] are placeholders to replace -->
  <Solution Name="[Name of the solution]" Version="[Deployment version]" Action="Deploy">
    <SolutionDescription>[One-line description of the solution]</SolutionDescription>
    <SolutionFileName>[Solution name]</SolutionFileName>
    <WebApplication Type="[Type of the site]" Uri="[URL of the site]"></WebApplication>
  </Solution>
</DeploymentManifest>





Once all the required folders and the respective files are created we can start the analysis.
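A pre-flight check for the folder structure described above, as an added example that is not part of the original article or of MSOCAF itself. The function name Test-CafPackage and the sample path are hypothetical, the file patterns are inferred from the folder descriptions, and it assumes SolutionFileName holds the name of the .wsp file stored in Solution Artifacts.

```powershell
# Added example, not from the original article. Test-CafPackage is a
# hypothetical name; folder names and file types follow the list above.
function Test-CafPackage {
    param([Parameter(Mandatory = $true)][string]$Root)

    # Folder name -> file patterns; at least one file must match.
    $required = [ordered]@{
        'Release Documents'    = @('*.doc', '*.docx')
        'Solution Artifacts'   = @('*.wsp')
        'Source Code'          = @('*.zip')
        'Test Documents'       = @('*')
        'Installation Scripts' = @('*.ps1')
    }
    foreach ($name in $required.Keys) {
        $dir = Join-Path $Root $name
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            "Missing folder: $name"
        } elseif (-not (Get-ChildItem -Path (Join-Path $dir '*') -Include $required[$name] -File)) {
            "No $($required[$name] -join ' or ') file in: $name"
        }
    }

    # Caf Reports receives the analysis output, so it must exist and start empty.
    $reports = Join-Path $Root 'Caf Reports'
    if (-not (Test-Path -LiteralPath $reports -PathType Container)) {
        'Missing folder: Caf Reports'
    } elseif (Get-ChildItem -LiteralPath $reports -Force) {
        'Caf Reports is not empty'
    }

    # The manifest must parse as XML. Assumption: SolutionFileName holds the
    # name of a .wsp file stored next to the manifest.
    $artifacts = Join-Path $Root 'Solution Artifacts'
    $manifest  = Join-Path $artifacts 'DeploymentManifest.xml'
    if (-not (Test-Path -LiteralPath $manifest -PathType Leaf)) {
        'Missing Solution Artifacts\DeploymentManifest.xml'
        return
    }
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.LoadXml((Get-Content -LiteralPath $manifest -Raw)) }
    catch { "DeploymentManifest.xml is not well-formed XML: $($_.Exception.Message)"; return }
    foreach ($node in $xml.SelectNodes("//*[local-name()='SolutionFileName']")) {
        $wsp = $node.InnerText.Trim()
        if (-not $wsp -or -not (Test-Path -LiteralPath (Join-Path $artifacts $wsp) -PathType Leaf)) {
            "Manifest references a solution file that is not present: '$wsp'"
        }
    }
}
# Usage (constructed sample path): $issues = Test-CafPackage -Root 'C:\Deploy\MyCustomSolution'
# if ($issues) { $issues | Write-Warning } else { 'Folder layout is ready for analysis.' }
```

The function emits one string per problem found and nothing when the layout matches the list, so an empty result means the folder can be selected in the Analyze wizard.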

In the tool window click on the Analyze icon as shown below:

[Screenshot: Code Analysis]

Selecting 'Analyze' takes us to the next screen, which shows the required folder structure:

[Screenshot: Code Snippet]

Click on the 'Next' button, which opens a short description page that tells us about the review rules:

[Screenshot: SharePoint Custom]

Click the 'Next' button, where we have the option to select the folder where the source code and other artifacts are stored:

[Screenshot: Source Code Analysis]

Select the folder that we created at the beginning, during the preparations for performing the analysis, and click the Analyze button. This will start analyzing our code. Once the analysis is completed, we will get the screen shown below:

[Screenshot: Performance Analysis]

Here the analysis completed successfully and this code is safe to be deployed to the server. If you notice, there are two warnings, which can be ignored. We can click on the expand icon to drill down further and find out the details.

Let us see what those warnings are:

[Screenshot: Development Server]

It says we need to apply ULS logging in each catch block, and the hardcoded control template path needs to be removed.

We can ignore these two warnings and proceed with deployment, or fix them and re-run the analysis.

Now, let us take a situation where the code fails the review. Below is the screenshot of the analysis failure:

[Screenshot: Microsoft SharePoint]

Here, notice that the code analysis failed due to ten errors. Let us analyze those errors:

[Screenshot: SharePoint Custom Code]

It says there is an issue with marshalling. Let us click on the Resolution link provided under the Resolution column to find out the recommended resolution.


It says we need to add Marshal Attribute to the code when we are using unmanaged components.

Now let us look at the code, fix these failures and re-run the analysis.

[Screenshot: Deployment Solution]

After fixing those issues we can now re-run the analysis and the same will be completed successfully and the code is safe to be deployed. We can further get this code deployed by clicking the Next button. The code will be deployed into the environment as mentioned in the manifest file.

Since the focus was on getting the code reviewed, I am not taking you to the next action – deployment – of the solution from the tool.



  • Manu D S

    Manu D S works as Technical Lead with Trigent Software. He comes with over 13 years of experience in the IT industry especially in Microsoft Technologies. He is currently focusing on the SharePoint technology stack with an experience of 6+ years in SharePoint Online, SharePoint 2013 and SharePoint 2010. Manu is also experienced in all stages of the SDLC process. He has strong experience in application development using .NET framework and JavaScript. Manu D S is a Microsoft® Certified Technology Specialist in SharePoint 2010 application development.