PVS-Studio is now in Chocolatey: checking Chocolatey from Azure DevOps

We continue to make PVS-Studio easier to use. Our analyzer is now available in Chocolatey, the package manager for Windows. We believe this will simplify deploying PVS-Studio, especially in cloud services. Without going too far afield, let's check the source code of Chocolatey itself. Azure DevOps will serve as the CI system.

Here is a list of our other articles on integration with cloud services:

I recommend paying attention to the first article about integration with Azure DevOps, since some details are omitted here to avoid duplication.

So, the heroes of this article:

PVS-Studio is a static code analysis tool designed to detect errors and potential vulnerabilities in programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS systems and can analyze code built for 32-bit, 64-bit and embedded ARM platforms. If this is your first attempt at trying static analysis on your projects, we recommend reading the article on how to quickly look at the most interesting PVS-Studio warnings and assess the capabilities of the tool.

Azure DevOps is a set of cloud services that together cover the whole development process. The platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which let you speed up software development and improve its quality.

Chocolatey is an open-source package manager for Windows. The project's goal is to automate the whole software lifecycle on Windows, from installation through updates to uninstallation.

Briefly about using Chocolatey

You can see how to install the package manager itself at this link. Full documentation on installing the analyzer is available at the link (see the section Installation using the Chocolatey package manager). I will briefly repeat a few points from there.

The command to install the latest version of the analyzer:

choco install pvs-studio

The command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default only the analyzer's kernel, the Core component, is installed. All other flags (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be passed with --package-parameters.

An example of a command that installs the analyzer together with the plugin for Visual Studio 2019:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Now let's look at an example of convenient use of the analyzer under Azure DevOps.

Configuration

Let me remind you that questions such as signing up for an account, creating a Build Pipeline and synchronizing your account with a project in a GitHub repository are covered in a separate section of the first article. Our setup will start right away with writing the configuration file.

First, let's set up the launch trigger, indicating that we deploy only for changes in the master branch:

trigger:
- master

Next we need to choose a virtual machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Although you cannot pre-install arbitrary software on the hosted virtual machine image, I didn't add a Docker container; instead, Chocolatey can be added to Azure DevOps as an extension. To do this, follow the link and click Get it free. Next, if you are already authorized, simply select your account; if not, do the same after authorization.


Here you need to choose where we will add the extension and click the Install button.


After the installation is complete, click Proceed to organization:


Now you can see the template for the Chocolatey task in the Tasks window when editing the azure-pipelines.yml configuration file:


Click on Chocolatey and look at the list of fields:


Here we need to select install in the Commands field. In the Nuspec File Name field, specify the name of the required package: pvs-studio. If you do not specify a version, the latest one will be installed, which suits us perfectly. Press the Add button and we will see the created task in the configuration file.

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's get to the main part of our file:

- task: CmdLine@2
  inputs:
    script: 

Now we need to create the file with the analyzer license. Here PVSNAME and PVSKEY are the names of variables whose values we specify in the pipeline settings. They will store the PVS-Studio login ID and the license key. To set their values, open the Variables -> New variable menu and create the variable PVSNAME for the login ID and PVSKEY for the analyzer key. Don't forget to tick the Keep this value secret box for PVSKEY: Azure DevOps then masks the value in the build log. Note that the key still reaches the agent as a command-line argument and is written to the analyzer's credentials file; on a Microsoft-hosted agent this is acceptable because the virtual machine is discarded after the job. The command:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the bat file in the repository:

call build.bat

Let's create a folder where the files with the analyzer results will be stored:

call mkdir PVSTestResults

Let's start the analysis of the project:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

We convert our report to html format using the PlogConverter utility:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

Now you need to add a task so that the report can be downloaded as a build artifact. The condition: always() belongs at the task level (not under inputs), so the report is published even when the build step fails:

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

The complete configuration file looks like this (each command in the script block must be on one line, since cmd treats every line as a separate command):

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

Press Save -> Save -> Run. Let's download the report by going to the job tab.


The Chocolatey project contains only 37615 lines of C# code. Let's look at some of the errors found.

Analysis results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer detected an assignment of a variable to itself, which makes no sense. Most likely, one of these variables was supposed to be a different one. Or it is just a typo, and the extra assignment can simply be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
    if(file_system.directory_exists("/Applications")
      & file_system.directory_exists("/System")
      & file_system.directory_exists("/Users")
      & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
        else
          return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The difference between the & operator and the && operator is that if the left side of the expression is false, the right side is still evaluated, which in this case means unnecessary calls to the file_system.directory_exists method.

In the fragment under consideration, this is a minor flaw. Yes, the condition can be optimized by replacing the & operator with &&, but in practice it changes nothing. In other situations, however, confusing & with && can cause serious problems when the right side of the expression is evaluated with an incorrect or invalid value. For example, our collection of errors detected by the V3093 diagnostic contains this one:

if ((k < nct) & (s[k] != 0.0))

Even if the index k is out of range, it will still be used to access an array element. As a result, an IndexOutOfRangeException will be thrown.
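The following is an added example, not code from Chocolatey or from the PVS-Studio error collection. It reproduces the shape of the fragment just quoted, `(k < nct) & (s[k] != 0.0)`, side by side with the short-circuit version, so the difference can be observed on a constructed array: the `&` form throws for an out-of-range index even though the guard is false, while the `&&` form simply returns false. The method names and sample data are this example's own.

```csharp
using System;

// Added example: non-short-circuit '&' versus short-circuit '&&' in front of
// an array access. Not Chocolatey code; the shape mirrors the article's
// fragment (k < nct) & (s[k] != 0.0).
public static class ShortCircuitDemo
{
    // Buggy variant: '&' always evaluates both operands, so s[k] is read
    // even when the guard k < nct has already failed.
    public static bool HasNonZeroAt_Bitwise(double[] s, int k, int nct)
    {
        return (k < nct) & (s[k] != 0.0);
    }

    // Fixed variant: '&&' stops after a false guard, so s[k] is never
    // touched for an out-of-range k.
    public static bool HasNonZeroAt_ShortCircuit(double[] s, int k, int nct)
    {
        return (k < nct) && (s[k] != 0.0);
    }

    public static void Main()
    {
        double[] s = { 1.0, 0.0, 2.5 };   // constructed sample data
        int nct = s.Length;

        // In range: both variants agree.
        Console.WriteLine("in range, '&'  : " + HasNonZeroAt_Bitwise(s, 2, nct));
        Console.WriteLine("in range, '&&' : " + HasNonZeroAt_ShortCircuit(s, 2, nct));

        // Out of range: the '&&' variant returns false without touching s[5].
        Console.WriteLine("out of range, '&&' : " + HasNonZeroAt_ShortCircuit(s, 5, nct));

        // Out of range: the '&' variant evaluates s[5] and throws.
        try
        {
            HasNonZeroAt_Bitwise(s, 5, nct);
            Console.WriteLine("out of range, '&' : no exception (unexpected)");
        }
        catch (IndexOutOfRangeException e)
        {
            Console.WriteLine("out of range, '&' : threw " + e.GetType().Name);
        }
    }
}
```

The same reasoning applies to null checks written as `obj != null & obj.Field == x`: the right operand runs regardless, so the guard protects nothing.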

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string 
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice) //1
    ?
    shortPrompt //2
    ?
    "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
    choice.Substring(1,choice.Length - 1))
    :
    "[{0}]".format_with(choice.ToUpperInvariant()) //0
    : 
    shortPrompt //4
    ? 
    "[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
    choice.Substring(1,choice.Length - 1)) 
    :
    choice; //0
    ....
  }
  ....
}

In this case, the nested ternary operators hide a strange piece of logic. Let's take a closer look: if the condition I marked with the number 1 is met, we move on to condition 2, which is always true, so line 3 will be executed. If condition 1 turns out to be false, we go to the line marked with the number 4, whose condition is also always true, so line 5 will be executed. Thus, the branches marked with the comment 0 will never be executed, which is probably not quite the behavior the programmer expected.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than the priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName (...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[]{"{0:", "{"};
  }
  else
  {
    nameStart = new string[]{"{" + index + ":"};
  }
  for (int i = 0; i < nameStart.Length; ++i) 
  {
    int start, j = 0;
    do 
    {
      start = description.IndexOf (nameStart [i], j);
    } 
    while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The diagnostic was triggered by the line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

Since the variable j is initialized to zero a few lines above, the ternary operator will return false. Because of this condition, the loop body will be executed only once. It seems to me that this code does not work quite the way the programmer intended.

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

There is a strange condition here: installedPackageVersions.Count != 1, which is always true because the enclosing if already requires Count > 1. Often such a warning indicates a logic error in the code; in other cases it simply points to a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string
 commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
  || commandArguments.contains("-package-parameters-sensitive")
  || commandArguments.contains("apikey ")
  || commandArguments.contains("config ")
  || commandArguments.contains("push ")
  || commandArguments.contains("-p ")
  || commandArguments.contains("-p=")
  || commandArguments.contains("-password")
  || commandArguments.contains("-cp ")
  || commandArguments.contains("-cp=")
  || commandArguments.contains("-certpassword")
  || commandArguments.contains("-k ")
  || commandArguments.contains("-k=")
  || commandArguments.contains("-key ")
  || commandArguments.contains("-key=")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key");
}

The programmer who wrote this piece of code copied and pasted the last two lines and forgot to edit them, so they add nothing to the check. By analogy with the parameters above, the intended variants were probably these:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");

Note that contains here is a substring test, so the "-apikey" marker already matches "-apikey=VALUE"; the duplicated lines are dead code rather than a missed case. The real problem is that the intent of the list is unclear, and whoever extends it next may repeat the mistake. Copy-paste errors are bound to appear sooner or later in any project with a lot of source code, and static analysis is one of the best tools for fighting them.

P.S. And as usual, the error appears at the end of a long sequence of similar lines :). See the publication "The last line effect".
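The function above only answers "does this command line contain something sensitive?", which is the input to a decision about logging. As an added example (not Chocolatey's code), the block below keeps the same substring markers, with the duplicates removed, and adds the step a logging path actually needs: a token-based Redact() that blanks the value of each secret option, whether it was passed as `--key=VALUE`, `--key:VALUE` or `--key VALUE`. The option-name set, helper names and sample command lines are this example's own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Chocolatey code. Detects sensitive markers the way the
// article's arguments_contain_sensitive_information does (plain substrings,
// duplicates removed) and additionally redacts secret values so a command
// line can be logged safely.
public static class SensitiveArgs
{
    // Substring markers in the spirit of the original list. Short options
    // carry a trailing space or '=' so that "-k" does not collide with
    // other words by accident.
    private static readonly string[] SubstringMarkers =
    {
        "-install-arguments-sensitive", "-package-parameters-sensitive",
        "apikey ", "config ", "push ",
        "-p ", "-p=", "-password",
        "-cp ", "-cp=", "-certpassword",
        "-k ", "-k=", "-key ", "-key=",
        "-apikey", "-api-key",
    };

    // Option names (without leading dashes) whose value is a secret.
    // This set is an assumption of the example, not Chocolatey's own list.
    private static readonly HashSet<string> SecretOptions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "apikey", "api-key", "k", "key",
        "password", "p", "certpassword", "cp",
        "install-arguments-sensitive", "package-parameters-sensitive",
    };

    // Coarse check: true if any marker occurs anywhere in the command line.
    // Because this is a substring test, "-apikey" already covers
    // "-apikey=VALUE" and "--apikey"; separate "=" entries are redundant.
    public static bool ContainsSensitiveInformation(string commandLine)
    {
        return SubstringMarkers.Any(m =>
            commandLine.IndexOf(m, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    private static bool IsSecretOption(string token)
    {
        return token.StartsWith("-") && SecretOptions.Contains(token.TrimStart('-'));
    }

    // Rebuilds the command line with every secret value replaced by "***".
    public static string Redact(IEnumerable<string> args)
    {
        var output = new List<string>();
        bool valueIsSecret = false;

        foreach (string arg in args)
        {
            if (valueIsSecret)
            {
                output.Add("***");          // value passed as a separate token
                valueIsSecret = false;
                continue;
            }

            int sep = arg.IndexOfAny(new[] { '=', ':' });
            if (sep > 0 && IsSecretOption(arg.Substring(0, sep)))
            {
                output.Add(arg.Substring(0, sep + 1) + "***");   // --key=VALUE
            }
            else if (IsSecretOption(arg))
            {
                output.Add(arg);
                valueIsSecret = true;       // the secret is the next token
            }
            else
            {
                output.Add(arg);
            }
        }
        return string.Join(" ", output);
    }

    public static void Main()
    {
        // Constructed sample command lines; the keys are placeholders.
        string[][] samples =
        {
            new[] { "push", "pkg.1.0.nupkg", "--api-key=ABCDEF0123", "--source", "https://push.example" },
            new[] { "push", "pkg.1.0.nupkg", "-k", "ABCDEF0123" },
            new[] { "install", "pvs-studio", "--package-parameters", "'/MSVS2019'" },
        };

        foreach (string[] sample in samples)
        {
            string raw = string.Join(" ", sample);
            Console.WriteLine("sensitive=" + ContainsSensitiveInformation(raw) + "  " + Redact(sample));
        }
    }
}
```

The token-based pass is what should feed a log line; the substring check is only useful as a cheap "should I bother redacting at all?" gate, and, as the Chocolatey fragment shows, a marker list maintained by hand is easy to get subtly wrong.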

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic error: the installedPackage object is used first and only then checked for null. This diagnostic points to one of two problems in the program: either installedPackage is never null, which is doubtful, and then the check is redundant, or there is a serious error in the code, an attempt to access an object that is not there.

Conclusion

So we have taken another small step: using PVS-Studio has become even simpler and more convenient. I also want to say that Chocolatey is a good package manager with a small number of errors in its code, and that number can become even smaller by using PVS-Studio.

We invite you to download and try PVS-Studio. Regular use of the static analyzer will improve the quality and reliability of the code your team develops and help prevent many zero-day vulnerabilities.

P.S.

Before publication, we sent the article to the Chocolatey developers, and they received it well. We found nothing critical, but they, for example, liked the line we found related to the "api-key" key.


If you want to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio Now in Chocolatey: Checking Chocolatey under Azure DevOps.

Source: www.hab.com
