
Static Code Analysis on Unity project

Discussion in 'Scripting' started by Taggler, Nov 26, 2021.

  1. Taggler (Joined: Apr 13, 2018; Posts: 6)

    Hi guys,

    We are exploring how to effectively do static code analysis on Unity projects (made for a mobile app).

    As per our research, there are a few options:
    However, the problem is that these options only scan at the C# level. For our project, we will need to compile into Xcode and Android projects.
    So my questions are:
    • Is it considered secure if we only scan at the C# level?
    • Does Unity3D have any warranty on the compiled projects, so that we do not need to scan at that level?
    • Or can we exclude the Unity3D source code (in the mobile app's projects)?
    The reason for this question is that at the lower level the number of lines of code could be 10M or even more, while at the C# level it is usually <1M.
    And services like SonarQube or SonarCloud charge by number of lines of code.
    • Lastly, do you know if, for the Microsoft analyzer, they have a commercial product for it? Just in case, we could consider that as another commercial option.
     
    Last edited: Nov 26, 2021
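The question above turns on how much of the project tree a line-of-code-priced scanner would see. The script below is an added example (not from the poster or from Unity) that walks a project root and counts non-blank source lines per bucket: first-party C# under Assets/, package code under Packages/ and Library/PackageCache/, and the Unity-generated native code in the exported Xcode and Gradle projects. The directory prefixes, the Build/ export location and the sample files are assumptions constructed for the example; adjust them to the real layout.

```python
import tempfile
from pathlib import Path

# Assumed layout (constructed for this example; real projects vary): the Unity
# project at the root, the Xcode export under Build/iOS and the Gradle export
# under Build/Android. The prefix lists are assumptions, not defined by Unity.
BUCKETS = {
    "first_party": ("Assets/",),
    "packages": ("Packages/", "Library/PackageCache/"),
    "generated_native": ("Build/iOS/Classes/", "Build/iOS/Libraries/",
                         "Build/Android/unityLibrary/"),
}
SUFFIXES = {".cs", ".m", ".mm", ".h", ".cpp", ".java", ".kt"}

def classify(rel_path):
    """Map a project-relative POSIX path to the scan bucket it belongs to."""
    for bucket, prefixes in BUCKETS.items():
        if rel_path.startswith(prefixes):
            return bucket
    return "other"

def count_loc(root):
    """Count non-blank source lines per bucket under root (what a LOC-priced scanner would bill)."""
    root = Path(root)
    totals = {bucket: 0 for bucket in list(BUCKETS) + ["other"]}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        with path.open(encoding="utf-8", errors="replace") as f:
            totals[classify(rel)] += sum(1 for line in f if line.strip())
    return totals

def build_sample_project():
    """Write a constructed mini project tree into a temp dir and return its root."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed sample content, not real Unity output
        "Assets/Scripts/Player.cs": "using UnityEngine;\n\npublic class Player : MonoBehaviour {\n    void Update() { }\n}\n",
        "Packages/com.example.pkg/Runtime/Helper.cs": "namespace Example { public static class Helper { } }\n",
        "Build/iOS/Classes/main.mm": "#import <UIKit/UIKit.h>\n\nint main(int argc, char* argv[]) {\n    return 0;\n}\n",
        "Build/Android/unityLibrary/src/Generated.java": "package com.example;\npublic class Generated { }\n",
        "Assets/Readme.txt": "notes, not source\n",
    }
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(count_loc(build_sample_project()))
```

Run it against the real project root once the native projects have been exported; the per-bucket totals show how much of the bill is Unity-generated code versus the team's own scripts.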
  2. Kurt-Dekker (Joined: Mar 16, 2013; Posts: 38,745)

    Secure from?!!

    I've never seen anyone bother with static analysis in Unity, for the simple reason that that is almost NEVER where the bugs are. Bugs in typical Unity day-to-day use are typically things like:

    - When running on the iPhone X and you have more than 27 saved gems, the "Use Gem" button is partially hidden under the stupid notch on the screen display area.

    Static code analysis (and code review in the general sense) tells you almost NOTHING about how your code might run. Even one boolean set wrong in a prefab makes 100% of your game fail instantly. No code review or static analysis can reason about that.

    Remember your code is NOT the application. Unity IS the application. By convention Unity might run some of your code when you properly configure it. Otherwise, Unity is 100% of the app, not your code.