PVS-Studio is now in Chocolatey: checking Chocolatey under Azure DevOps

We continue to make the use of PVS-Studio more convenient. Our analyzer is now available in Chocolatey, the Windows package manager. We believe this will make it easier to deploy PVS-Studio, especially in cloud services. To stay on topic, let's check the source code of Chocolatey itself. Azure DevOps will act as the CI system.

Here is a list of our other articles on the topic of integration with cloud systems:

I suggest you pay attention to the first article about integration with Azure DevOps, since some points have been left out here so as not to duplicate them.

So, the heroes of this article:

PVS-Studio is a static analysis tool designed to detect errors and potential vulnerabilities in programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS, and can check code written for 32-bit, 64-bit and embedded ARM platforms. If this is the first time you are trying static analysis to check your projects, we recommend reading the article about how to quickly review the most interesting PVS-Studio warnings and evaluate the capabilities of this tool.

Azure DevOps is a set of cloud services that together cover the entire development process. This platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which let you speed up the software development process and improve its quality.

Chocolatey is an open-source package manager for Windows. The goal of the project is to automate the entire software lifecycle, from installation to updating and removal, on Windows operating systems.

About using Chocolatey

You can see how to install the package manager itself at this link. Complete documentation for installing the analyzer is available at the link Installation using the Chocolatey package manager. I'll briefly repeat a few points.

The command to install the latest version of the analyzer:

choco install pvs-studio

The command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default, only the core of the analyzer, the Core component, is installed. All other flags (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be passed using --package-parameters.

An example of a command that installs the analyzer together with the plugin for Visual Studio 2019:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Now let's look at an example of convenient use of the analyzer under Azure DevOps.

Configuration

Let me remind you that topics such as registering an account, creating a Build Pipeline and synchronizing your account with the project in the GitHub repository have a separate section in the previous article. Our setup will begin straight away with writing the configuration file.

First, let's set up the trigger, indicating that we only react to changes committed to the master branch:

trigger:
- master

Next we need to choose a virtual machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Even though you can't install arbitrary software on the virtual machine, I didn't add a Docker container. Instead, we can add Chocolatey as an extension for Azure DevOps. To do this, go to the link and click Get it free. Next, if you're already authorized, just select your account; if not, do the same after authorization.


Here you need to select the organization to which the extension will be added and click the Install button.


After successful installation, click Proceed to organization:


You can see the template for the Chocolatey task in the tasks window when editing the azure-pipelines.yml configuration file:


Click on Chocolatey and look at the list of fields:


Here we need to select install in the field with commands. In Nuspec File Name, specify the name of the required package: pvs-studio. If you don't specify the version, the latest one will be installed, which suits us completely. Click the add button and we'll see the generated task in the configuration file.

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's move on to the main part of our file:

- task: CmdLine@2
  inputs:
    script: |

Now we need to create a file with the analyzer license. Here PVSNAME and PVSKEY are the names of variables whose values we set in the pipeline settings. They will store the PVS-Studio login and license key. To set their values, open the menu Variables->New variable. Create the variable PVSNAME for the login and PVSKEY for the analyzer key. Don't forget to check the box Keep this value secret for PVSKEY. The command:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the batch file located in the repository:

call build.bat

Let's create a folder where the files with the analyzer results will be stored:

call mkdir PVSTestResults

Let's start the analysis of the project:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

We convert our report to html format using the PlogConverter utility:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o PVSTestResults .\PVSTestResults\Choco.plog

Now you need to create a task so that the report can be uploaded:

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

The complete configuration file looks like this:

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

Click Save->Save->Run to run the task. Download the report by going to the artifacts tab.


The Chocolatey project contains only 37615 lines of C# code. Let's look at some of the errors found.

Analysis results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer found an assignment of a variable to itself, which makes no sense. Most likely, one of these variables was meant to be a different one. Or this is just a typo, and the extra assignment can simply be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
      if (file_system.directory_exists("/Applications")
          & file_system.directory_exists("/System")
          & file_system.directory_exists("/Users")
          & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
      else
        return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The difference between the & operator and the && operator is that if the left side of the expression is false, the right side is still evaluated, which in this case means unnecessary calls to the file_system.directory_exists method.

In the fragment under consideration, this is a minor flaw. Yes, this condition can be optimized by replacing the & operator with the && operator, but from a practical point of view it doesn't change anything. However, in other cases, confusion between & and && can cause serious problems when the right side of the expression is evaluated with incorrect or invalid values. For example, in our error collection, among the cases found with the V3093 diagnostic, there is this one:

if ((k < nct) & (s[k] != 0.0))

Even if the index k is out of range, it will still be used to access an array element. As a result, an IndexOutOfRangeException will be thrown.
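As an added example that is not part of the original article or of the Chocolatey code base, the following C# program shows both effects discussed in this section: the get_platform condition run against a constructed stub that counts how many directory checks execute with '&' versus '&&', and the 'k < nct' condition from the error collection, where '&' still reads s[k] with an out-of-range index. The stub, its paths and the sample array are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the Chocolatey project. It shows the two consequences of
// '&' versus '&&' discussed above: every operand is evaluated (counted with a constructed
// stub standing in for file_system.directory_exists), and an out-of-range index is still used.
static class ShortCircuitDemo
{
    // Records every directory the stub is asked about.
    static readonly List<string> Probed = new List<string>();

    // Stub for file_system.directory_exists: only "/Applications" "exists" in this sample.
    static bool DirectoryExists(string path)
    {
        Probed.Add(path);
        return path == "/Applications";
    }

    // The get_platform condition as written (non-short-circuit '&').
    static bool LooksLikeMacEager() =>
        DirectoryExists("/Applications") & DirectoryExists("/System")
        & DirectoryExists("/Users") & DirectoryExists("/Volumes");

    // The same condition with short-circuit '&&'.
    static bool LooksLikeMacShortCircuit() =>
        DirectoryExists("/Applications") && DirectoryExists("/System")
        && DirectoryExists("/Users") && DirectoryExists("/Volumes");

    // The V3093 case from the error collection, written both ways.
    static bool EagerCheck(double[] s, int k, int nct) => (k < nct) & (s[k] != 0.0);
    static bool ShortCircuitCheck(double[] s, int k, int nct) => (k < nct) && (s[k] != 0.0);

    static void Main()
    {
        Probed.Clear();
        LooksLikeMacEager();
        Console.WriteLine($"'&'  probed {Probed.Count} directories"); // every operand is evaluated

        Probed.Clear();
        LooksLikeMacShortCircuit();
        Console.WriteLine($"'&&' probed {Probed.Count} directories"); // stops at the first false operand

        double[] s = { 1.0, 2.0, 3.0 }; // constructed sample array
        int k = s.Length, nct = s.Length; // k is one past the last valid index

        Console.WriteLine(ShortCircuitCheck(s, k, nct)); // s[k] is never read: k < nct is false
        try { EagerCheck(s, k, nct); }
        catch (IndexOutOfRangeException) { Console.WriteLine("'&' read s[k] anyway: IndexOutOfRangeException"); }
    }
}
```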

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string 
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice) //1
    ?
    shortPrompt //2
    ?
    "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
    choice.Substring(1,choice.Length - 1))
    :
    "[{0}]".format_with(choice.ToUpperInvariant()) //0
    : 
    shortPrompt //4
    ? 
    "[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
    choice.Substring(1,choice.Length - 1)) 
    :
    choice; //0
    ....
  }
  ....
}

In this case, there is some strange logic behind the ternary operators. Let's look carefully: if the condition I marked with number 1 is met, we proceed to condition 2, which is always true, which means line 3 will be executed. If condition 1 turns out to be false, we go to the line marked with number 4, whose condition is also always true, which means line 5 will be executed. So the branches marked with comment 0 will never be reached, which is probably not the behaviour the programmer expected.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than the priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName (...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[]{"{0:", "{"};
  }
  else
  {
    nameStart = new string[]{"{" + index + ":"};
  }
  for (int i = 0; i < nameStart.Length; ++i) 
  {
    int start, j = 0;
    do 
    {
      start = description.IndexOf (nameStart [i], j);
    } 
    while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The analyzer triggered on the line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

Since the variable j was initialized to zero a few lines above, the ternary operator will return false. Because of this condition, the loop body will be executed only once. It seems to me that this fragment doesn't work at all as the programmer intended.

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

There is a strange condition here: installedPackageVersions.Count != 1, which will always be true. Often such a warning indicates a logical error in the code, and in other cases it simply points to a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string
 commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
  || commandArguments.contains("-package-parameters-sensitive")
  || commandArguments.contains("apikey ")
  || commandArguments.contains("config ")
  || commandArguments.contains("push ")
  || commandArguments.contains("-p ")
  || commandArguments.contains("-p=")
  || commandArguments.contains("-password")
  || commandArguments.contains("-cp ")
  || commandArguments.contains("-cp=")
  || commandArguments.contains("-certpassword")
  || commandArguments.contains("-k ")
  || commandArguments.contains("-k=")
  || commandArguments.contains("-key ")
  || commandArguments.contains("-key=")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key");
}

The programmer who wrote this section of code copied and pasted the last two lines and forgot to correct them. Because of this, Chocolatey users were unable to use the apikey parameter in two other ways. By analogy with the parameters above, I can offer the following options:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");

Copy-paste errors have a high chance of appearing sooner or later in any project with a large amount of source code, and one of the best tools for fighting them is static analysis.

P.S. And as always, this error tends to appear at the end of a multi-line condition :). Take a look at the publication "The last line effect".

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic error: the installedPackage object is used first and only then checked for null. This diagnostic tells us about one of two problems in the program: either installedPackage is never equal to null, which is doubtful, and then the check is redundant, or we may get a serious error in the code: an attempt to dereference a null reference.

Conclusion

So we took another small step: now using PVS-Studio has become even simpler and more convenient. I also want to say that Chocolatey is a good package manager with a small number of errors in its code, which could become even smaller with the use of PVS-Studio.

We invite you to download and try PVS-Studio. Regular use of the analyzer will improve the quality and reliability of the code your team develops and help prevent many zero-day vulnerabilities.

P.S.

Before publication, we sent the article to the Chocolatey developers, and they received it well. We didn't find anything critical, but they liked, for example, the bug we found related to the "api-key" key.


If you'd like to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio Now in Chocolatey: Checking Chocolatey under Azure DevOps.

source: www.habr.com
