Code Review Checklist

handsgridServers

Dec 4, 2013 (3 years and 8 months ago)


Referenced from Microsoft TechNet (http://technet.microsoft.com/en-us/library/cc707802.aspx)

Security

This section of the code acceptance checklist contains
suggested items to help ensure that solutions that
are submitted for deployment in a SharePoint environment have been developed by using best security
practices.



The application uses an inclusion list (known, valid, and safe input) rather than an exclusion list
(rejecting known malicious or dangerous input).



All user input is encoded with IOSec when displayed to clients.



Character encoding is set by the server (ISO-8859-1 is recommended).



Plain text passwords are not present in Web.config, Machine.config, or any files that contain
configuration settings. Utilities such as Aspnet_setreg.exe and Trustee or the identity setting in
AppPool in IIS 6.0 or IIS 7.0 are used to encrypt credentials.



If cookies contain sensitive data, they are marked secure.



Input surfaces in Web parts and other customizations include boundary checks, input data
integrity checks, and appropriate exception handling to protect from cross-site scripting and
SQL injection.



The design addresses potential canonicalization issues.



You avoid using AllowUnsafeUpdates. You use ValidateFormDigest() and, if necessary, use
elevated privileges to interact with SharePoint objects. In cases where AllowUnsafeUpdates
must be used, you ensure that AllowUnsafeUpdates is set to False in your try-catch-finally block,
or you use a Dispose() method (as required by the IDisposable interface) to avoid security
issues.
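
The pattern described in the last item, as an added example (not part of the original checklist or of Microsoft's code): a postback handler that validates the form digest instead of setting AllowUnsafeUpdates, and a fallback that resets the flag in a finally block. The class name, method names, list name "Requests" and field name "Status" are hypothetical.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper for illustration; list and field names are assumed.
public static class RequestUpdater
{
    // Preferred path: validate the form digest of the POST, then update
    // with elevated privileges, without touching AllowUnsafeUpdates.
    public static void ApproveOnPostback(Guid siteId, Guid webId, int itemId)
    {
        // Stop when the digest is missing or invalid; never fall through.
        if (!SPUtility.ValidateFormDigest())
            throw new SPException("The request could not be validated.");

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New objects are created inside the delegate; objects taken
            // from SPContext keep the identity of the current user.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPListItem item = web.Lists["Requests"].GetItemById(itemId);
                item["Status"] = "Approved";
                item.Update();
            }
        });
    }

    // Fallback for code paths where AllowUnsafeUpdates cannot be avoided:
    // the flag is reset in finally, so an exception cannot leave it enabled.
    public static void ApproveWithUnsafeUpdates(SPWeb web, int itemId)
    {
        try
        {
            web.AllowUnsafeUpdates = true;
            SPListItem item = web.Lists["Requests"].GetItemById(itemId);
            item["Status"] = "Approved";
            item.Update();
        }
        finally
        {
            web.AllowUnsafeUpdates = false;
        }
    }
}
```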


Session Management

This section of the code acceptance
checklist contains suggested items to help ensure that solutions that
are submitted for deployment in your SharePoint environment have been developed by using best
practices for managing sessions.



Session state is strong, unpredictable, and protected from unauthorized access or replay
attacks.



Session lifetime is limited to 30 minutes maximum of inactivity.



Session identifiers are not passed in the URL, and the ASP.NET feature, cookieless session, is
not used.



The session state service is disabled if not used.


Validation

This section of the code acceptance checklist contains suggested items to help ensure that solutions that
are submitted for deployment in your SharePoint environment
have been developed by using best
practices for validating input.



Input validation is applied at all identified entry points (including form fields, query strings,
cookies, HTTP headers, and Web service parameters).



The ASP.NET validateRequest option is enabled, if possible.



Data is validated for type, length, format, and range.



Security does not rely on client-side validation. Instead, validation is performed on the server
side.



The application consistently uses standardized input validation such as regex throughout.


Sensitive Data

This section of the code acceptance checklist contains suggested items to help ensure that solutions that
are submitted for deployment in your SharePoint environment have been developed by using best
practices for protecting sensitive data.



The application does not log sensitive data in clear text.



Sensitive data is not stored in cookies.



Sensitive data is not stored in unencrypted, hidden form fields or query strings. It is maintained
by using server-side state management.



SSL, IPSec with encryption, or application layer encryption prior to transmittal is used to
protect sensitive data during transmission.



Sensitive data is not cached. Output caching is off by default.



Sensitive data that is transferred via e-mail uses S/MIME encryption or Information Rights
Management (IRM), depending upon the intended recipient.




Exception Handling

This section of the code acceptance checklist contains suggested items to help ensure that solutions that
are submitted for
deployment in your SharePoint environment have been developed by using best
practices for handling exceptions.



The application uses a standardized approach to structured error and exception handling
throughout.



Error-handling code inherits from the SPException class to maintain a consistent SharePoint
look and feel for errors.



The application fails securely in the event of error and exceptions.



Exception conditions do not allow a user to bypass security checks to run privileged code.



The application returns generic custom error messages to the client.



The code uses exception handling. The code catches only the exceptions that you know about.
For example, do not use try{} catch(Exception ex){} unless you throw the error again.



If the code uses exception filters, it is not sensitive to filter execution sequence (filter runs
before finally block).



Application errors do not contain sensitive information or information that could be used to
exploit the fault.
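
The exception-handling items above, as an added example (not part of the original checklist): a Web part that catches only the exceptions it expects, keeps the detail on the server, and writes a generic, HTML-encoded message to the client. The class name, the list name "Orders" and the use of System.Diagnostics.Trace as a logging stand-in are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;

// Hypothetical Web part for illustration; the list name "Orders" is assumed.
public class OrderCountWebPart : WebPart
{
    protected override void RenderContents(HtmlTextWriter writer)
    {
        try
        {
            SPList orders = SPContext.Current.Web.Lists["Orders"];
            writer.WriteEncodedText("Open orders: " + orders.ItemCount);
        }
        catch (ArgumentException ex)
        {
            // Known failure: the list does not exist on this site.
            Report(writer, ex, "The order list is not available on this site.");
        }
        catch (UnauthorizedAccessException ex)
        {
            // Known failure: fail securely and render no data.
            Report(writer, ex, "You do not have access to this information.");
        }
        // No catch (Exception): unexpected errors propagate to the
        // application's standard error handling instead of being swallowed.
    }

    private static void Report(HtmlTextWriter writer, Exception ex, string message)
    {
        // Full detail stays on the server (Trace is a stand-in for the
        // logging facility the solution actually uses).
        System.Diagnostics.Trace.TraceError("OrderCountWebPart: {0}", ex);
        // The client receives only a generic, HTML-encoded message.
        writer.WriteEncodedText(message);
    }
}
```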


Web Parts

This section of the code acceptance checklist contains suggested items to help ensure that solutions that
are submitted for deployment in your SharePoint environment have been developed by using best
practices for developing Web parts.



Custom Web parts (including resource files) are contained within a SharePoint Feature and are
packaged as a SharePoint solution in order to be deployed.



The configuration of Web parts that are being deployed gives the administrator the flexibility
of deploying to the Web application level or lower.



You use the SharePoint Web part infrastructure's standardized set of connection interfaces for
Web parts to exchange information with each other at run time.



Source code for third party Web parts solutions, whenever possible, is provided with adequate
documentation to ensure good technical support.



All custom Web parts utilize the SharePoint architecture to ensure consistent behavior across
the application for functionality such as single sign-on, feature deployment, and so on.


Documentation

You should require adequate documentation to ensure that customizations that you are being asked to
deploy are installable, supportable, and well tested. Furthermore, documentation indicates that all
errors that are generated by the customizations are properly described and diagnosed. This section of
the code acceptance checklist contains suggested items to help ensure that solutions that are submitted
for deployment in your SharePoint environment have been developed using best practices for
documentation.



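Customizations are accompanied by installation instructions that detail how to install and
uninstall the package. Architecture diagrams that are related to the installation of the solution
are included. If it is not possible to roll back a solution, this must be explained in the
installation instructions so that you can discuss the risks and prepare a plan for a system
recovery.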



Customizations are accompanied by test documents and results.



Customizations are accompanied by a list of all dependencies. This could include
account/passwords, Web services, databases, other solutions or Features, patches, tool sets or
libraries, and other dependencies.



A list of all event entries that are generated by the customizations and the actions to take are
supplied. This can take the form of a table of error codes, where the severity and root cause of
each code is supplied.



Optionally, source code is provided to expedite validation and testing by the IT organization.



Customizations that are an upgrade of previously deployed customizations are accompanied
by documentation that describes the changes, considerations in upgrading the customizations,
and rollback instructions.


General Software Development Best Practices

This section of the code acceptance checklist contains suggested items to help ensure that solutions that
are submitted for deployment in your
SharePoint environment have been developed by using best
practices for software development.



Assemblies have a strong name. (Dynamically generated ASP.NET Web page assemblies cannot
currently have a strong name.)



You use delay signing as a way to protect and restrict the private key that is used in the strong
name and signing process.



Assemblies include declarative security attributes (with SecurityAction.RequestMinimum) to
specify minimum permission requirements.



Highly privileged assemblies are separated from lower privileged assemblies.



If an assembly is to be used in a partial-trust environment (for example, it is called from a
partial-trust Web application), then privileged code is in a separate assembly.



You rely on a native configuration file to support the application instead of changing the
configuration to the Web.config.



You use .NET Framework 2.0, 3.0, or 3.5.



You use a single .NET Framework version. You do not mix multiple versions.



Your code is 64 bit compatible.



Your application does not try to directly access any SharePoint databases. Data stores in
SharePoint databases are only updated by using the SharePoint object model.



You avoid hard coding strings and labels. You use resources or language files instead.



When referencing the SPWeb or SPSite objects, you employ a using statement or, alternatively,
you use an explicit call of the .Dispose method to ensure proper use and disposing of the
memory objects.



You use caching as appropriate to reduce unnecessary round trips. For Web parts, you expose
the cache expiration (duration) as a Web part property.



When packaging your solution, you include a Code Access Security policy for the solution and,
if necessary, include your assembly in the Safe Controls list through the solution.



When logging code, you use the Portal Log class to log the SharePoint Unified Logging Service
(ULS) logs.



If you need to update multiple list items by using remote code, you use the Web service to
update list items. You only use SPListItem.Update() if you have to update more than one item
at a time by using local OM-based code.



When using the Count property of a SPListItemCollection, you only call it once and then store it
in a variable that you can refer to when looping. You do not call it inside a loop.



The solution uses the AppSettings object to implement XML mapping. (This can be provided by
using the settings persistence framework in .NET 2.0, 3.0, or 3.5.) The solution avoids creating
custom XML files and a strongly typed object for XML mapping.



Installation and deployment logging are provided in the event logs to enable appropriate
operational troubleshooting during installation and uninstallation.