How Salesforce Code Quality Grade is calculated?
Bluefactory proposes a pragmatic and unique approach to measure the quality of apex code.
The code quality is determined by :
The number of defects found
The severity of these defects
The effort needed to solve these defects
The costs of repairing defects increase exponentially if they are found later on in the software development process.
So if it is possible to have a way to measure the software quality of a system before release (ideally on each change of the code), it will potentially save a lot of time and money.
Code quality metrics
Lots of metrics are applied to apex code nowadays (using PMD or other static code analysis tools), but unfortunately there is insufficient proof (yet) whether these metrics contribute to better code.
Examples of such metrics are cyclomatic complexity, code duplication, and code coverage. These metrics are approximations of some of the quality attributes of the ISO 25010 standard.
To obtain a systematic way of measuring and qualifying these measurements, Bluefactory selects 6 most commonly used software code quality metrics that can be measured in an automated way. These are:
- Code coverage:
Before developers hand over their code to the next stage in the software development cycle, they usually perform unit tests. The actual results of these automated tests are compared to the expected results.
The code coverage metric indicates how many lines of code or executable branches in the code have been touched during the unit test runs.
2. Abstract interpretation
It is also known as deep flow analysis. This analysis is capable of automatically detecting all kinds of programming errors related to the control flow of a program.
An example is the usage of SOQL/DML statements inside a loop.
The advantage of this analysis is that it generates results without actually running the programs. Errors found by abstract interpretation are severe programming errors that may result in crashes or performance issues.
3. Cyclomatic complexity
Cyclomatic complexity counts the number of independent paths or decisions through a program. For instance, each "if" statement adds one extra code path. The higher the cyclomatic complexity the harder it is to understand a program.
The average cyclomatic complexity per function is an indicator that enables comparisons of complexity between programs.
4. Coding standards
A coding standard is a set of rules that developers should follow. These coding rules are about known language pitfalls, code statements to avoid, but also about naming conventions and the number of lines per class. Since coding standards usually contain many different rules they can help to improve "Maintainability", “Reliability” and “Performance Efficiency”
5. Code duplication
Sometimes, it is very tempting for a developer to copy some piece of code and make some small modifications to it instead of generalizing functionality.
The problem of code duplication is that if one part of the code must be changed for whatever reason, it is very likely that the other parts have to be changed as well, one by one.
Code duplication has a negative effect on "Maintainability".
6. Security
The security of software is about how vulnerable code is to get unauthorized access to data.
Examples of such leaks are SOQL injection, XSS (Cross-site scripting).
Code quality Score
Bluefactory calculates a score for each of these 6 code quality metrics.
* The code coverage is calculated as a separated quality metric because of the nature of Apex/Visualforce language. They are proprietary language and compiled in Salesforce Server (not considered as a static code analysis)
The final score of the system (Salesforce org) is calculated as follows:
Bluefactory Score = Abstract_interpretation_score x 36% + Cyclomatic_complexity_score x 22% + Coding_standards_score x 12% + Code_duplication_score x 17% + Security_score x 13%
Bluefactory final Grade is defined as follows:
Code coverage score
The code coverage is measured by running all test classes in the Salesforce org.
Code codverage score = MIN(0.75 * test_coverage + 32.5, 100)
The definition of the code coverage score is based on the fact that a code coverage above 90% is perfect (score = 100). Improving the code coverage if it is above 90% is not worthwhile. On the other hand, if the code coverage is above 10%, i.e. if at least some tests are performed, the score should be in category E (score = 40). Between 40 and 100, the score is evenly distributed.
Salesforce platform requires a minimum Overall code coverage of 75% to deploy a new release in the production environment.
While Salesforce requires only 75% of Apex code must be covered by tests, your focus shouldn't be on the percentage of code that is covered. Instead, you should make sure that every use case of your application is covered.
Scope of the code quality analysis
Not all code is subject to the code quality analysis. The following kinds of code are excluded:
Generated code
Third-party code (Installed Appexchange)