Anyị na-aga n'ihu na-eme ka iji PVS-Studio dabara adaba. Ihe nyocha anyị dị ugbu a na Chocolatey, onye njikwa ngwugwu maka Windows. Anyị kwenyere na nke a ga-eme ka ntinye nke PVS-Studio dị mfe, karịsịa, na ọrụ igwe ojii. Ka anyị ghara ịga ebe dị anya, ka anyị lelee koodu isi mmalite nke otu Chocolatey. Azure DevOps ga-arụ ọrụ dị ka usoro CI.
Nke a bụ ndepụta nke akụkọ anyị ndị ọzọ gbasara isiokwu nke njikọta na sistemụ igwe ojii:
M na-adụ ọdụ ka ị ṅaa ntị na isiokwu mbụ gbasara njikọta na Azure DevOps, ebe ọ bụ na nke a na-ahapụ ụfọdụ isi ihe ka e wee ghara ịmegharị ya.
Yabụ, ndị dike nke edemede a:
bụ ngwa nyocha koodu static emebere iji chọpụta njehie na adịghị ike na mmemme edere na C, C++, C # na Java. Na-agba ọsọ na sistemụ Windows, Linux na MacOS 64-bit ma nwee ike nyochaa koodu emere maka nyiwe 32-bit, 64-bit na agbakwunyere ARM. Ọ bụrụ na nke a bụ oge mbụ ị na-anwale nyocha koodu static iji lelee ọrụ gị, anyị na-akwado ka ị mara onwe gị nke ọma banyere otu esi ele ngwa ngwa ịdọ aka ná ntị PVS-Studio na-adọrọ mmasị ma nyochaa ike nke ngwá ọrụ a.
- otu ọrụ igwe ojii na-ejikọta ọnụ na usoro mmepe niile. Ikpokoro a na-agụnye ngwaọrụ ndị dị ka Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos, Azure Test Plans, nke na-enye gị ohere ịme ngwa ngwa nke ịmepụta ngwanrọ ma melite ogo ya.
bụ onye njikwa ngwugwu mepere emepe maka Windows. Ebumnobi nke oru ngo a bụ imeghari usoro ndụ sọftụwia niile site na nrụnye ruo na mmelite na iwepụ na sistemụ arụmọrụ Windows.
Banyere iji Chocolatey
Ị nwere ike ịhụ otu esi etinye onye njikwa ngwugwu n'onwe ya na nke a . Akwụkwọ zuru ezu maka ịwụnye ihe nyocha dị na Hụ nwụnye na iji ngalaba njikwa ngwugwu Chocolatey. Aga m ekwughachi isi ihe ụfọdụ n'ụzọ dị nkenke.
Iwu ka ịwụnye ụdị nyocha kachasị ọhụrụ:
choco install pvs-studioIwu ka ịwụnye otu ụdị ngwugwu PVS-Studio:
choco install pvs-studio --version=7.05.35617.2075Site na ndabara, naanị isi ihe nyocha, akụrụngwa Core, ka etinyere. Ọkọlọtọ ndị ọzọ niile (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) nwere ike gafere site na iji --ngwugwu-nkọwa.
Ihe atụ nke iwu nke ga-etinye ihe nyocha nwere ngwa mgbakwunye maka Visual Studio 2019:
choco install pvs-studio --package-parameters="'/MSVS2019'"Ugbu a, ka anyị leba anya n'ihe atụ nke iji nyocha dị mma n'okpuru Azure DevOps.
ukpụhọde
Ka m chetara gị na enwere ngalaba dị iche gbasara okwu ndị dị ka ịdenye aha akaụntụ, ịmepụta Pipeline wuo ma mekọrịta akaụntụ gị na ọrụ dị na ebe nchekwa GitHub. . Nhazi anyị ga-amalite ozugbo site n'ide faịlụ nhazi.
Nke mbụ, ka anyị guzobe ihe mmalite mmalite, na-egosi na anyị malitere naanị maka mgbanwe nwe- alaka:
trigger:
- masterỌzọ anyị kwesịrị ịhọrọ igwe mebere. Maka ugbu a ọ ga-abụ onye nnọchi anya Microsoft nwere Windows Server 2019 na Visual Studio 2019:
pool:
vmImage: 'windows-latest'Ka anyị gaa n'ihu na ahụ nke faịlụ nhazi (block nzọụkwụ). N'agbanyeghị eziokwu na ịnweghị ike ịwụnye sọftụwia aka ike n'ime igwe mebere, etinyeghị m akpa Docker. Anyị nwere ike ịgbakwunye Chocolatey dị ka ndọtị maka Azure DevOps. Iji mee nke a, ka anyị gaa . Pịa Nweta ya n’efu. Na-esote, ọ bụrụ na enyerela gị ikike, họrọ naanị akaụntụ gị, ma ọ bụrụ na ọ bụghị, mee otu ihe ahụ mgbe ị nwetachara ikike.
N'ebe a, ịkwesịrị ịhọrọ ebe anyị ga-agbakwunye ndọtị wee pịa bọtịnụ wụnye.
Mgbe emechara nke ọma, pịa Gaba na nhazi:
Ị nwere ike ịhụ template maka ọrụ Chocolatey na windo ihe aga-eme mgbe ị na-edezi faịlụ nhazi azure-pipelines.yml:
Pịa Chocolatey wee hụ ndepụta nke ubi:
Ebe a ka anyị kwesịrị ịhọrọ tinye n'ọhịa na otu. N'ime Aha faịlụ Nuspec gosi aha ngwugwu achọrọ - pvs-studio. Ọ bụrụ na ị kọwapụtaghị ụdị ahụ, a ga-etinye nke kachasị ọhụrụ, nke dabara anyị kpamkpam. Ka anyị pịa bọtịnụ tinye na anyị ga-ahụ ọrụ emepụtara na faịlụ nhazi.
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'Ọzọ, ka anyị gaa n'ihu na akụkụ bụ isi nke faịlụ anyị:
- task: CmdLine@2
inputs:
script: Ugbu a, anyị kwesịrị ịmepụta faịlụ nwere ikike nyocha. Ebe a PVSNAME и PVSKEY – aha nke variables nke ụkpụrụ anyị ezipụta na ntọala. Ha ga-echekwa igodo nbanye na PVS-Studio. Ka ịtọọ ụkpụrụ ha, mepee menu Variables-> Ọhụrụ mgbanwe. Ka anyị mepụta mgbanwe PVSNAME maka nbanye na PVSKEY maka igodo nyocha. Echefula ịlele igbe ahụ Debe uru a nzuzo n'ihi na PVSKEY. Koodu iwu:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe" credentials
–u $(PVSNAME) –n $(PVSKEY)Ka anyị jiri faịlụ bat dị na ebe nchekwa ihe wuo ọrụ a:
сall build.batKa anyị mepụta folda ebe a ga-echekwa faịlụ nwere nsonaazụ nyocha:
сall mkdir PVSTestResultsKa anyị malite nyocha ọrụ a:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog Anyị na-eji ngwa PlogConverter tụgharịa akụkọ anyị ka ọ bụrụ ụdị HTML:
сall "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o PVSTestResults .PVSTestResultsChoco.plogUgbu a ịkwesịrị ịmepụta ọrụ ka ị nwee ike bulite akụkọ ahụ.
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Faịlụ nhazi zuru oke dị ka nke a:
trigger:
- master
pool:
vmImage: 'windows-latest'
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'
- task: CmdLine@2
inputs:
script: |
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
credentials –u $(PVSNAME) –n $(PVSKEY)
call build.bat
call mkdir PVSTestResults
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog
call "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o .PVSTestResults .PVSTestResultsChoco.plog
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Ka anyị pịa Chekwa-> Chekwa-> Gbaa ọsọ iji rụọ ọrụ ahụ. Ka anyị budata akụkọ site na ịga na taabụ ọrụ.
Ọrụ Chocolatey nwere naanị ahịrị 37615 nke koodu C #. Ka anyị leba anya n'ụfọdụ mperi ndị achọtara.
Nsonaazụ ule
Ịdọ aka ná ntị N1
Ịdọ aka ná ntị nyocha: A na-ekenye mgbanwe 'Onye na-enye' n'onwe ya. CrytpoHashProviderSpecs.cs 38
public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
....
protected CryptoHashProvider Provider;
....
public override void Context()
{
Provider = Provider = new CryptoHashProvider(FileSystem.Object);
}
}Onye nyocha ahụ chọpụtara ọrụ nke mgbanwe n'onwe ya, nke enweghị isi. O yikarịrị, n'ọnọdụ otu n'ime mgbanwe ndị a a ga-enwerịrị nke ọzọ. Ọfọn, ma ọ bụ nke a bụ typo, na mgbakwunye ọrụ nwere ike iwepụ ya.
Ịdọ aka ná ntị N2
Ịdọ aka ná ntị nyocha: [CWE-480] Onye ọrụ '&' na-enyocha operands abụọ ahụ. Ikekwe a ga-eji onye ọrụ '&&' obere okirikiri mee ihe kama. Platform.cs 64
public static PlatformType get_platform()
{
switch (Environment.OSVersion.Platform)
{
case PlatformID.MacOSX:
{
....
}
case PlatformID.Unix:
if(file_system.directory_exists("/Applications")
& file_system.directory_exists("/System")
& file_system.directory_exists("/Users")
& file_system.directory_exists("/Volumes"))
{
return PlatformType.Mac;
}
else
return PlatformType.Linux;
default:
return PlatformType.Windows;
}
}Ọdịiche nke onye ọrụ & site na onye ọrụ && bụ na ọ bụrụ na akụkụ aka ekpe nke okwu ahụ bụ ụgha, mgbe ahụ, a ka ga-agbakọọ akụkụ aka nri, nke na nke a na-egosi oku usoro na-enweghị isi usoro.directory_adị.
N'iberibe a tụlere, nke a bụ obere ntụpọ. Ee, enwere ike imezi ọnọdụ a site na dochie & onye na-arụ ọrụ na & & onye na-arụ ọrụ, mana site na echiche bara uru, nke a anaghị emetụta ihe ọ bụla. Otú ọ dị, n'ọnọdụ ndị ọzọ, mgbagwoju anya n'etiti & & & nwere ike ịkpata nsogbu siri ike mgbe a na-emeso akụkụ aka nri nke okwu ahụ na ụkpụrụ na-ezighị ezi / na-ezighị ezi. Dịka ọmụmaatụ, na nchịkọta njehie anyị, , enwere ikpe a:
if ((k < nct) & (s[k] != 0.0))Ọbụna ma ọ bụrụ na index k ezighi ezi, a ga-eji ya nweta ihe n'usoro. N'ihi ya, a ga-atụfu ihe dị iche IndexOutOfRangeException.
Ịdọ aka ná ntị N3, N4
Ịdọ aka ná ntị nyocha: [CWE-571] Okwu 'shortPrompt' bụ eziokwu mgbe niile. InteractivePrompt.cs 101
Ịdọ aka ná ntị nyocha: [CWE-571] Okwu 'shortPrompt' bụ eziokwu mgbe niile. InteractivePrompt.cs 105
public static string
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
....
if (shortPrompt)
{
var choicePrompt = choice.is_equal_to(defaultChoice) //1
?
shortPrompt //2
?
"[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
choice.Substring(1,choice.Length - 1))
:
"[{0}]".format_with(choice.ToUpperInvariant()) //0
:
shortPrompt //4
?
"[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
choice.Substring(1,choice.Length - 1))
:
choice; //0
....
}
....
}N'okwu a, enwere mgbagha dị iche iche n'azụ ọrụ nke onye ọrụ ternary. Ka anyị lebakwuo anya: ọ bụrụ na ọnọdụ m akara na nọmba 1 zutere, mgbe ahụ, anyị ga-aga n'ihu na ọnọdụ 2, nke bụ mgbe niile. ezi, nke pụtara na ahịrị 3 ga-egbu. ezi, nke pụtara na ahịrị 5 ga-egbu. Ya mere, ọnọdụ ndị akara na nkọwa 0 agaghị emezu, nke nwere ike ọ gaghị abụ kpọmkwem ezi uche nke ọrụ nke onye mmemme tụrụ anya.
Ịdọ aka ná ntị N5
Ịdọ aka ná ntị nyocha: [CWE-783] Ikekwe '?:' onye ọrụ na-arụ ọrụ n'ụzọ dị iche karịa ka ọ tụrụ anya ya. Ihe kacha mkpa ya dị ala karịa ndị ọrụ ndị ọzọ na-ahụ maka ya na ọnọdụ ya. Nhọrọ.cs 1019
private static string GetArgumentName (...., string description)
{
string[] nameStart;
if (maxIndex == 1)
{
nameStart = new string[]{"{0:", "{"};
}
else
{
nameStart = new string[]{"{" + index + ":"};
}
for (int i = 0; i < nameStart.Length; ++i)
{
int start, j = 0;
do
{
start = description.IndexOf (nameStart [i], j);
}
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
....
return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
}
}Nchọpụta ahụ rụrụ ọrụ maka ahịrị:
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)Ebe ọ bụ na agbanwe agbanwe j ahịrị ole na ole dị n'elu ka ebidoro ka ọ bụrụ efu, onye ọrụ ternary ga-eweghachi uru ahụ ụgha. N'ihi ọnọdụ a, a ga-egbu ahụ nke loop naanị otu ugboro. Ọ dị m ka mpempe koodu a anaghị arụ ọrụ ma ọlị dị ka onye mmemme chọrọ.
Ịdọ aka ná ntị N6
Ịdọ aka ná ntị nyocha: [CWE-571] Okwu 'installedPackageVersions.Count != 1' bụ eziokwu mgbe niile. NugetService.cs 1405
private void remove_nuget_cache_for_package(....)
{
if (!config.AllVersions && installedPackageVersions.Count > 1)
{
const string allVersionsChoice = "All versions";
if (installedPackageVersions.Count != 1)
{
choices.Add(allVersionsChoice);
}
....
}
....
}Enwere ọnọdụ akwụghị ụgwọ ebe a: arụnyerePackageVersions.Count!= 1nke ga-adị mgbe niile ezi. Ọtụtụ mgbe ịdọ aka ná ntị dị otú ahụ na-egosi njehie ezi uche dị na koodu ahụ, na n'ọnọdụ ndị ọzọ, ọ na-egosi nanị ịlele ugboro ugboro.
Ịdọ aka ná ntị N7
Ịdọ aka ná ntị nyocha: Enwere otu okwu sub-expression 'commandArguments.contains("-apikey")' n'aka ekpe na aka nri nke '||' onye ọrụ. ArgumentsUtility.cs 42
public static bool arguments_contain_sensitive_information(string
commandArguments)
{
return commandArguments.contains("-install-arguments-sensitive")
|| commandArguments.contains("-package-parameters-sensitive")
|| commandArguments.contains("apikey ")
|| commandArguments.contains("config ")
|| commandArguments.contains("push ")
|| commandArguments.contains("-p ")
|| commandArguments.contains("-p=")
|| commandArguments.contains("-password")
|| commandArguments.contains("-cp ")
|| commandArguments.contains("-cp=")
|| commandArguments.contains("-certpassword")
|| commandArguments.contains("-k ")
|| commandArguments.contains("-k=")
|| commandArguments.contains("-key ")
|| commandArguments.contains("-key=")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key");
}Onye mmemme nke dere ngalaba koodu a depụtaghachiri na mado ahịrị abụọ ikpeazụ wee chefuo idezi ha. N'ihi nke a, ndị ọrụ Chocolatey enweghị ike itinye paramita ahụ apikey ụzọ di na nwunye ọzọ. Yiri paramita dị n'elu, enwere m ike ịnye nhọrọ ndị a:
commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");Njehie detuo-paste nwere ohere dị elu nke ịpụta n'oge na-adịghị anya na ọrụ ọ bụla nwere nnukwu koodu isi mmalite, na otu n'ime ngwá ọrụ kachasị mma iji lụso ha ọgụ bụ nyocha static.
PS Ma dị ka mgbe niile, njehie a na-apụta na njedebe nke ọnọdụ ọtụtụ ahịrị :). Hụ akwụkwọ"".
Ịdọ aka ná ntị N8
Ịdọ aka ná ntị nyocha: [CWE-476] Ejiri ihe 'installedPackage' mee ihe tupu enyocha ya megide efu. Lelee ahịrị: 910, 917. NugetService.cs 910
public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
....
var pinnedPackageResult = outdatedPackages.GetOrAdd(
packageName,
new PackageResult(installedPackage,
_fileSystem.combine_paths(
ApplicationParameters.PackagesLocation,
installedPackage.Id)));
....
if ( installedPackage != null
&& !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion)
&& !config.UpgradeCommand.ExcludePrerelease)
{
....
}
....
}Omuma ndudue: ihe mbụ ngwugwu arụnyere a na-eji wee chọpụta ya adịghị ịre. Nchọpụta nchọpụta a na-agwa anyị maka otu n'ime nsogbu abụọ dị na mmemme: ma ngwugwu arụnyere ọ dịghị mgbe hà nhata adịghị ịre, nke a na-enyo enyo, mgbe ahụ, nlele ahụ adịkwaghị, ma ọ bụ na anyị nwere ike ịnweta nnukwu njehie na koodu - mgbalị iji nweta akwụkwọ ntụaka efu.
nkwubi
Ya mere, anyị ewerela obere nzọụkwụ ọzọ - ugbu a iji PVS-Studio aghọwo ọbụna mfe ma dị mfe karị. Ọ ga-amasị m ịsị na Chocolatey bụ ezigbo njikwa ngwugwu nwere obere njehie na koodu, nke nwere ike ịdị ntakịrị karịa mgbe ị na-eji PVS-Studio.
Anyị na-akpọ gị òkù ma gbalịa PVS-Studio. Iji ihe nyocha static eme ihe mgbe niile ga-eme ka ogo na ntụkwasị obi nke koodu ndị otu gị na-etolite wee nyere aka gbochie ọtụtụ .
PS
Tupu e bipụta ya, anyị zigara ndị mmepe Chocolatey akụkọ ahụ, ha natakwara ya nke ọma. Anyị ahụghị ihe ọ bụla dị egwu, mana ha, dịka ọmụmaatụ, nwere mmasị na ahụhụ anyị hụrụ metụtara igodo "api-key".
Ọ bụrụ na ịchọrọ ịkọrọ ndị na-ege ntị na-asụ Bekee akụkọ a, biko jiri njikọ ntụgharị asụsụ: Vladislav Stolyarov. .
isi: www.habr.com