PVS-Studio is now in Chocolatey: checking Chocolatey from under Azure DevOps

We keep making PVS-Studio more convenient to use. Our analyzer is now available in Chocolatey, a package manager for Windows. We expect this to simplify deploying PVS-Studio, in particular in cloud services. Not to go far for a test subject, let's check the source code of Chocolatey itself. Azure DevOps will serve as the CI system.

Here is the list of our articles on integration with cloud systems.

I recommend reading the first article on integration with Azure DevOps beforehand, because some details are omitted here to avoid repeating them.

So, the heroes of this article:

PVS-Studio is a static code analysis tool designed to detect errors and potential vulnerabilities in programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS, and can analyze code targeting 32-bit, 64-bit and embedded ARM platforms. If this is your first time trying static code analysis on your projects, we recommend reading the article on how to quickly look through the most interesting PVS-Studio warnings and evaluate what this tool can do.

Azure DevOps is a set of cloud services that together cover the whole development process. The platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which let you speed up software creation and improve its quality.

Chocolatey is an open-source package manager for Windows. The project's goal is to automate the entire software lifecycle on Windows operating systems, from installation through updating to removal.

About using Chocolatey

You can see how to install the package manager itself at this link. Full documentation on installing the analyzer is available at the link, in the section on installation using the Chocolatey package manager. I'll briefly repeat a few points from there.

Command to install the latest version of the analyzer:

choco install pvs-studio

Command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default, only the analyzer core, the Core component, is installed. All other flags (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be set using --package-parameters.

An example of a command that installs the analyzer together with the plugin for Visual Studio 2019:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Now let's look at an example of using the analyzer under Azure DevOps.

Setup

I'll remind you that such matters as registering an account, creating a Build Pipeline and synchronizing your account with a project hosted in a GitHub repository are covered in a separate article. Our setup starts right away with writing the configuration file.

First, let's set up a launch trigger, stating that we only start for changes in the master branch:

trigger:
- master

Then we need to choose a virtual machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Although you can't install arbitrary software in the virtual machine, I didn't add a Docker container. Instead, we can add Chocolatey as an extension for Azure DevOps. To do this, follow the link. Click Get it free. Then, if you are already signed in, simply select your account; if not, do the same after signing in.


Here you need to choose where to add the extension and click the Install button.


After the installation succeeds, click Proceed to organization:


You can see the template for the Chocolatey task in the Tasks window while editing the azure-pipelines.yml configuration file:


Click Chocolatey and you'll see a list of fields:


Here we need to select install in the command field. In Nuspec File Name, enter the name of the required package: pvs-studio. If you don't specify a version, the latest one is installed, which suits us perfectly. Click the Add button and we'll see the generated task in the configuration file.

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's move on to the main part of our file:

- task: CmdLine@2
  inputs:
    script: |

Now we need to create a file with the analyzer license. Here PVSNAME and PVSKEY are the names of variables that we'll define in the pipeline settings. They'll hold the PVS-Studio login and the license key. To set their values, open the Variables -> New variable menu. Let's create the PVSNAME variable for the login and PVSKEY for the key. Don't forget to tick the Keep this value secret box for PVSKEY. The command:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the bat file located in the repository:

call build.bat

Let's create a directory where the files with the analyzer results will be stored:

call mkdir PVSTestResults

Let's start the project analysis:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

Let's convert our report to html format using the PlogConverter utility:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o PVSTestResults .\PVSTestResults\Choco.plog

Now you need to create a task that lets you upload the report as a build artifact.

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
    condition: always()

This is what the full configuration file looks like:

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
    condition: always()

Click Save -> Save -> Run to launch the pipeline. Download the report from the job's artifacts tab.


The Chocolatey project contains 37615 lines of C# code. Let's look at some of the errors found.

Check results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer detected an assignment of a variable to itself, which makes no sense. Most likely, one of these variables was meant to be something else. Or it's simply a typo, and the redundant assignment can just be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
    if(file_system.directory_exists("/Applications")
      & file_system.directory_exists("/System")
      & file_system.directory_exists("/Users")
      & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
        else
          return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The difference between the & operator and the && operator is that if the left side of the expression is false, the right side is still evaluated, which in this case means unnecessary calls to file_system.directory_exists.

In the fragment under consideration this is a minor flaw. Yes, the condition can be optimized by replacing the & operator with the && operator, but from a practical point of view it hardly affects anything. However, in other cases confusing & with && can cause serious problems, when the right side of the expression is evaluated with incorrect or invalid values. For example, our collection of errors detected by the V3093 diagnostic contains this case:

if ((k < nct) & (s[k] != 0.0))

Even if the index k is out of range, it is still used to access an array element. As a result, an IndexOutOfRangeException is thrown.
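Both effects described above, the extra predicate calls from Platform.cs and the out-of-range read from the error collection, side by side in one added example (my code, not Chocolatey's and not from the PVS-Studio article). The probe counter, the array s and the bound nct are constructed for the demonstration:

```csharp
using System;

static class ShortCircuitDemo
{
    // Counts how often a predicate runs; stands in for file_system.directory_exists.
    static int probeCalls;
    static bool Probe(bool result) { probeCalls++; return result; }

    // Constructed sample data: nct is the number of valid entries in s.
    static readonly double[] s = { 1.0, 0.5, 0.0 };
    const int nct = 3;

    // Non-short-circuit form: both operands run, so s[k] is read even when k >= nct.
    static bool EagerCheck(int k) => (k < nct) & (s[k] != 0.0);

    // Short-circuit form: s[k] is read only once k < nct has held.
    static bool LazyCheck(int k) => (k < nct) && (s[k] != 0.0);

    static void Main()
    {
        // Platform.cs case: with '&' every probe runs; with '&&' the first false stops the chain.
        probeCalls = 0;
        bool eager = Probe(false) & Probe(true) & Probe(true);
        Console.WriteLine($"'&'  result={eager}, probes run={probeCalls}");
        probeCalls = 0;
        bool lazy = Probe(false) && Probe(true) && Probe(true);
        Console.WriteLine($"'&&' result={lazy}, probes run={probeCalls}");

        // Error-collection case: an out-of-range k is only harmless with '&&'.
        foreach (int k in new[] { 0, 2, 3 })
        {
            Console.WriteLine($"k={k}: '&&' -> {LazyCheck(k)}");
            try
            {
                Console.WriteLine($"k={k}: '&'  -> {EagerCheck(k)}");
            }
            catch (IndexOutOfRangeException)
            {
                // Only the '&' form ever reaches s[3].
                Console.WriteLine($"k={k}: '&'  -> IndexOutOfRangeException");
            }
        }
    }
}
```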

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string 
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice) //1
    ?
    shortPrompt //2
    ?
    "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
    choice.Substring(1,choice.Length - 1))
    :
    "[{0}]".format_with(choice.ToUpperInvariant()) //0
    : 
    shortPrompt //4
    ? 
    "[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
    choice.Substring(1,choice.Length - 1)) 
    :
    choice; //0
    ....
  }
  ....
}

Here the ternary operator repeats a check that the enclosing if has already made. Let's look closely: if the condition I marked with number 1 holds, we proceed to condition 2, which is always true, so line 3 is executed. If condition 1 turns out to be false, we go to the line marked with number 4, which is also always true, so line 5 is executed. Thus the branches marked with comment 0 are never executed, which may not match the logic the programmer intended.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than the priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName (...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[]{"{0:", "{"};
  }
  else
  {
    nameStart = new string[]{"{" + index + ":"};
  }
  for (int i = 0; i < nameStart.Length; ++i) 
  {
    int start, j = 0;
    do 
    {
      start = description.IndexOf (nameStart [i], j);
    } 
    while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The diagnostic was triggered for the line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

Since the variable j is initialized to zero a few lines above, the ternary operator returns false. Because of this condition, the loop body is executed only once. It seems to me that this piece of code doesn't work the way the programmer intended.
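The loop traced on a constructed input, as an added example (my code, not from Chocolatey or the PVS-Studio article). The first function keeps the condition exactly as written in Options.cs; the second implements what I assume the loop was meant to do, skipping a match that is preceded by an escaping '{', and that intent is an assumption, not something the project states:

```csharp
using System;

static class BraceSearchDemo
{
    // The loop from Options.cs as written. '?:' binds weaker than '&&', so the
    // condition reads (start >= 0 && j != 0) ? description[j++ - 1] == '{' : false.
    // j starts at 0 and is only incremented inside the branch that j == 0 skips,
    // so the condition is always false and the loop body runs exactly once.
    static int FindAsWritten(string description, string nameStart, out int iterations)
    {
        int start, j = 0;
        iterations = 0;
        do
        {
            iterations++;
            start = description.IndexOf(nameStart, j);
        }
        while (start >= 0 && j != 0 ? description[j++ - 1] == '{' : false);
        return start;
    }

    // Assumed intent (not from Chocolatey): skip an occurrence that is preceded by
    // another '{', i.e. an escaped "{{", and keep searching after it.
    static int FindSkippingEscaped(string description, string nameStart, out int iterations)
    {
        int start, j = 0;
        iterations = 0;
        do
        {
            iterations++;
            start = description.IndexOf(nameStart, j);
            if (start >= 0) j = start + 1;   // resume the search after this hit
        }
        while (start > 0 && description[start - 1] == '{');
        return start;
    }

    static void Main()
    {
        // Constructed description: the first "{0:" is escaped, the second is real.
        const string description = "{{0:literal} then {0:value}";
        int asWritten = FindAsWritten(description, "{0:", out int n1);
        int skipping = FindSkippingEscaped(description, "{0:", out int n2);
        Console.WriteLine($"as written : index {asWritten} after {n1} iteration(s)");
        Console.WriteLine($"skipping {{{{: index {skipping} after {n2} iteration(s)");
    }
}
```

The as-written loop stops after its single iteration at the escaped occurrence, while the variant that advances j moves on to the unescaped one.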

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

There's a strange nested check here: installedPackageVersions.Count != 1 is always true inside a block that has already required Count > 1. Often such a warning points to a logic error in the code; in other cases it merely indicates a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string
 commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
  || commandArguments.contains("-package-parameters-sensitive")
  || commandArguments.contains("apikey ")
  || commandArguments.contains("config ")
  || commandArguments.contains("push ")
  || commandArguments.contains("-p ")
  || commandArguments.contains("-p=")
  || commandArguments.contains("-password")
  || commandArguments.contains("-cp ")
  || commandArguments.contains("-cp=")
  || commandArguments.contains("-certpassword")
  || commandArguments.contains("-k ")
  || commandArguments.contains("-k=")
  || commandArguments.contains("-key ")
  || commandArguments.contains("-key=")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key");
}

The programmer who wrote this fragment copied and pasted the last two lines and forgot to edit them. Because of this, Chocolatey users couldn't pass the apikey parameter in two other ways. By analogy with the parameters above, I can suggest the following variants:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");

Copy-paste errors sooner or later appear in any project with a large amount of source code, and one of the best tools for fighting them is static analysis.

P.S. And as always, this error sits at the end of a multi-line condition :). See the publication on the "last line effect".
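Because this function decides whether a command line is safe to log, a missed marker means a secret ends up in plain text. An added example (my code, not Chocolatey's) that keeps the markers in a table, adds a duplicate-marker guard that would have caught the copy-paste, and applies the corrected list to constructed command lines; it assumes that Chocolatey's contains() behaves like a case-insensitive substring test:

```csharp
using System;
using System.Linq;

static class SensitiveArgumentsDemo
{
    // The markers from ArgumentsUtility.cs in the order the article lists them; the
    // last two entries are the copy-pasted duplicates and are kept here on purpose.
    static readonly string[] MarkersAsShipped =
    {
        "-install-arguments-sensitive", "-package-parameters-sensitive", "apikey ",
        "config ", "push ", "-p ", "-p=", "-password", "-cp ", "-cp=", "-certpassword",
        "-k ", "-k=", "-key ", "-key=", "-apikey", "-api-key", "-apikey", "-api-key",
    };

    // The same list with the duplicates replaced by the variants the article proposes.
    static readonly string[] MarkersFixed = MarkersAsShipped
        .Take(MarkersAsShipped.Length - 2)
        .Concat(new[] { "-apikey=", "-api-key=" })
        .ToArray();

    // Assumption: Chocolatey's contains() is a case-insensitive substring test.
    static bool ArgumentsContainSensitiveInformation(string commandArguments, string[] markers) =>
        markers.Any(m => commandArguments.IndexOf(m, StringComparison.OrdinalIgnoreCase) >= 0);

    // A guard that would have caught the copy-paste: every marker listed more than once.
    static string[] DuplicateMarkers(string[] markers) =>
        markers.GroupBy(m => m).Where(g => g.Count() > 1).Select(g => g.Key).ToArray();

    static void Main()
    {
        Console.WriteLine("duplicates as shipped: " + string.Join(", ", DuplicateMarkers(MarkersAsShipped)));
        Console.WriteLine("duplicates after fix : " + string.Join(", ", DuplicateMarkers(MarkersFixed)));

        // Constructed command lines; the secret values are placeholders, not real keys.
        string[] samples =
        {
            "push pkg.nupkg --api-key=PLACEHOLDER_KEY",
            "apikey -k PLACEHOLDER_KEY -s https://example.invalid/feed",
            "install git --version=2.0",
        };
        foreach (string args in samples)
        {
            bool flagged = ArgumentsContainSensitiveInformation(args, MarkersFixed);
            Console.WriteLine($"{(flagged ? "REDACT" : "log   ")}  {args}");
        }
    }
}
```

Running the duplicate guard as a unit test over the marker table turns this class of copy-paste slip into a failing build rather than a leaked key.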

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic mistake: the installedPackage object is used first and only then checked against null. This diagnostic tells us about one of two problems in the program: either installedPackage is never null, which is doubtful, and then the check is redundant, or the code has a serious error, an attempt to dereference a null reference.

Conclusion

So we've taken another small step: using PVS-Studio has become even simpler and more convenient. I'd also like to say that Chocolatey is a good package manager with a small number of errors in its code, which can become even smaller with PVS-Studio in use.

We invite you to download and try PVS-Studio. Regular use of a static analyzer improves the quality and reliability of the code your team develops and helps prevent many zero-day vulnerabilities.

P.S.

Before publication we sent the article to the Chocolatey developers, and they received it well. We didn't find anything critical, but they liked, for example, the bug we found around the "api-key" option.


If you want to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio is now in Chocolatey: Checking Chocolatey under Azure DevOps.

Source: www.habr.com
