PVS-Studio is now in Chocolatey: checking Chocolatey under Azure DevOps

We keep making PVS-Studio easier to use. Our analyzer is now available in Chocolatey, a package manager for Windows. We believe this will simplify deploying PVS-Studio, especially in cloud services. Without looking far for a test subject, let's check the source code of Chocolatey itself. Azure DevOps will act as the CI system.

Here is the list of our other articles on integration with cloud systems:

I recommend paying attention to the first article, on integration with Azure DevOps, since some points are omitted here to avoid repeating it.

So, the heroes of this article:

PVS-Studio is a static code analysis tool designed to detect errors and potential vulnerabilities in the source code of programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS systems and can analyze code written for 32-bit, 64-bit and embedded ARM platforms. If this is your first time trying static code analysis on your projects, we recommend reading the articles on how to quickly review the most interesting PVS-Studio warnings and assess what this tool can do.

Azure DevOps is a set of cloud services that together cover the entire development process. The platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which let you speed up software development and improve its quality.

Chocolatey is an open-source package manager for Windows. The goal of the project is to automate the whole software life cycle on the Windows operating system, from installation through updating to uninstallation.

About using Chocolatey

You can see how to install the package manager itself at this link. Full documentation on installing the analyzer is available at this link; see the section on installation using the Chocolatey package manager. I will briefly repeat some points from there.

Command to install the latest version of the analyzer:

choco install pvs-studio

Command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default only the analyzer core, the Core component, is installed. All other flags (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be passed with --package-parameters.

An example of a command that installs the analyzer together with the plugin for Visual Studio 2019:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Let's look at an example of how convenient it is to use the analyzer under Azure DevOps.

Setup

Let me remind you that there is a separate article covering matters such as registering an account, creating a Build Pipeline and linking your account to a project hosted in a GitHub repository. Our setup will therefore start right away with writing the configuration file.

First, let's set up the launch trigger, specifying that we run only on changes in the master branch:

trigger:
- master

Next we need to choose a virtual machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Although arbitrary software cannot be installed on the virtual machine, I did not add a Docker container: Chocolatey can be added as an extension for Azure DevOps. To do this, go to the link and click Get it free. Then, if you are already signed in, just select your account; if not, do the same after signing in.

Here you need to choose where the extension will be added and click the Install button.

After successful installation, click Proceed to organization:

Now you can see the template for the Chocolatey task in the Tasks window when editing the azure-pipelines.yml configuration file:

Click on Chocolatey and you will see a list of fields:

Here we need to select install in the Command field. In Nuspec File Name, specify the name of the required package: pvs-studio. If you do not specify the version, the latest one will be installed, which suits us fine. Press the Add button and the generated task appears in the configuration file:

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's move on to the main part of our file:

- task: CmdLine@2
  inputs:
    script: |

Now we need to create the analyzer license file. Here PVSNAME and PVSKEY are the names of variables whose values we set in the pipeline settings; they hold the PVS-Studio login and license key. To set their values, open the Variables -> New variable menu. Let's create the variable PVSNAME for the login and PVSKEY for the analyzer key. Don't forget to tick the Keep this value secret box for PVSKEY. The command:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the build file that is in the repository:

call build.bat

Let's create a directory for the files with the analysis results:

call mkdir PVSTestResults

Let's start the analysis of the project:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

We convert our report to html format using the PlogConverter utility:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o PVSTestResults .\PVSTestResults\Choco.plog

Now we need to create a task so that the report can be downloaded. Note that condition belongs to the task itself, not to its inputs; with always() the report is published even when an earlier step fails.

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

The complete configuration file looks like this:

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

Click Save -> Save -> Run to run the job. Let's download the report by going to the list of jobs.

The Chocolatey project has only 37615 lines of C# code. Let's look at some of the errors found.

Analysis results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer found an assignment of a variable to itself, which makes no sense. Most likely, one of these two variables was meant to be a different one. Or it is simply a typo, and the redundant assignment can just be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
    if(file_system.directory_exists("/Applications")
      & file_system.directory_exists("/System")
      & file_system.directory_exists("/Users")
      & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
        else
          return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The & operator differs from && in that when the left side of the expression is false, the right side is still evaluated, which in this case means unnecessary calls to file_system.directory_exists.

In the fragment above this is a minor flaw. Yes, the condition could be optimized by replacing & with &&, but in practice it changes nothing. In other cases, however, confusing & with && can cause serious problems when the right side of the expression is evaluated with incorrect or invalid values. For example, our collection of errors found with the V3093 diagnostic contains this case:

if ((k < nct) & (s[k] != 0.0))

Even if the index k is invalid, it is still used to access an array element. As a result, an IndexOutOfRangeException is thrown.
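To make the difference concrete, here is an added C# example (not code from Chocolatey or from the article) that runs the quoted (k < nct) & (s[k] != 0.0) pattern next to its && form on a constructed array; the class and method names ShortCircuitDemo, EagerCheck, ShortCircuitCheck and Describe are mine. For an in-range index both variants return the same value; for an out-of-range index the && form returns false, while the & form reads s[k] anyway and throws IndexOutOfRangeException.

```csharp
using System;

// Added example, not code from Chocolatey or the article: '&' versus '&&'
// on an array index, mirroring the "(k < nct) & (s[k] != 0.0)" case.
public static class ShortCircuitDemo
{
    // Non-short-circuit '&': both operands are evaluated, so s[k] is read
    // even when "k < nct" has already decided the result.
    public static bool EagerCheck(double[] s, int k, int nct)
    {
        return (k < nct) & (s[k] != 0.0);
    }

    // Short-circuit '&&': the right operand is skipped when the left one is
    // false, so an out-of-range k is never used as an index.
    public static bool ShortCircuitCheck(double[] s, int k, int nct)
    {
        return (k < nct) && (s[k] != 0.0);
    }

    // Returns "True"/"False" for the check, or the exception type name if
    // the check itself failed, so both variants can be compared side by side.
    public static string Describe(Func<double[], int, int, bool> check,
                                  double[] s, int k, int nct)
    {
        try
        {
            return check(s, k, nct).ToString();
        }
        catch (IndexOutOfRangeException e)
        {
            return e.GetType().Name;
        }
    }

    public static void Main()
    {
        double[] s = { 1.0, 2.0, 3.0 };   // constructed sample data
        int nct = s.Length;

        // k = 1 is a valid index, k = 3 is one past the end of the array.
        foreach (int k in new[] { 1, 3 })
        {
            Console.WriteLine("k={0}: & -> {1}, && -> {2}", k,
                Describe(EagerCheck, s, k, nct),
                Describe(ShortCircuitCheck, s, k, nct));
        }
    }
}
```

The eager variant is exactly the shape the V3093 diagnostic flags: the left operand is a bounds check whose only purpose is to make the right operand safe, and a non-short-circuit operator defeats that purpose.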

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string 
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice) //1
    ?
    shortPrompt //2
    ?
    "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
    choice.Substring(1,choice.Length - 1))
    :
    "[{0}]".format_with(choice.ToUpperInvariant()) //0
    : 
    shortPrompt //4
    ? 
    "[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
    choice.Substring(1,choice.Length - 1)) 
    :
    choice; //0
    ....
  }
  ....
}

In this case there is some strange logic behind the nested ternary operators. Let's look closer: if the condition I marked with the number 1 is met, we go on to condition 2, which is always true (the whole expression sits inside if (shortPrompt)), so line 3 is executed. If condition 1 is not met, we go on to condition 4, which is also always true, so line 5 is executed. Thus the branches marked with the comment 0 can never be executed, which is probably not the behaviour the programmer intended.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than the priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName (...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[]{"{0:", "{"};
  }
  else
  {
    nameStart = new string[]{"{" + index + ":"};
  }
  for (int i = 0; i < nameStart.Length; ++i) 
  {
    int start, j = 0;
    do 
    {
      start = description.IndexOf (nameStart [i], j);
    } 
    while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The diagnostic fired on the line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

Since the variable j is initialized to zero a few lines above, the ternary operator returns false. Because of this condition, the loop body is executed only once. It seems to me that this piece of code does not work the way the programmer intended.

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

There is a strange nested condition here: installedPackageVersions.Count != 1, which is always true. Often such a warning points to a logic error in the code; in other cases it simply indicates a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string
 commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
  || commandArguments.contains("-package-parameters-sensitive")
  || commandArguments.contains("apikey ")
  || commandArguments.contains("config ")
  || commandArguments.contains("push ")
  || commandArguments.contains("-p ")
  || commandArguments.contains("-p=")
  || commandArguments.contains("-password")
  || commandArguments.contains("-cp ")
  || commandArguments.contains("-cp=")
  || commandArguments.contains("-certpassword")
  || commandArguments.contains("-k ")
  || commandArguments.contains("-k=")
  || commandArguments.contains("-key ")
  || commandArguments.contains("-key=")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key");
}

The programmer who wrote this piece of code copied and pasted the last two lines and forgot to edit them. Because of this, Chocolatey users could not use the apikey parameter in two more ways. By analogy with the parameters above, I can suggest these options:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");

Copy-paste errors have a high chance of appearing sooner or later in any project with a lot of source code, and one of the best tools to combat them is static analysis.

P.S. And, as always, this error turned up at the end of a multi-line condition :). See the article "The last line effect".
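As an added example (not Chocolatey's code): the same check written as a marker table plus one loop, so there is no '||' chain in which a pasted line can hide, together with two small helpers that report duplicated entries and entries already covered by a shorter one. Judging by its name, a function like arguments_contain_sensitive_information decides whether a command line may carry secrets, so a silently lost marker matters for what ends up in logs. The class name SensitiveArgumentsDemo, the helper names, the case-insensitive substring semantics assumed for Chocolatey's lower-case contains(), and the sample command lines are all mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Chocolatey's code: table-driven form of the
// sensitive-argument check, plus helpers that audit the table itself.
public static class SensitiveArgumentsDemo
{
    // Markers from the quoted method, with the duplicated "-apikey" and
    // "-api-key" lines replaced by the "=" forms the article suggests.
    public static readonly string[] SensitiveMarkers =
    {
        "-install-arguments-sensitive", "-package-parameters-sensitive",
        "apikey ", "config ", "push ",
        "-p ", "-p=", "-password",
        "-cp ", "-cp=", "-certpassword",
        "-k ", "-k=", "-key ", "-key=",
        "-apikey", "-api-key", "-apikey=", "-api-key=",
    };

    // Case-insensitive substring test; assumed to match what Chocolatey's
    // lower-case contains() extension does in the quoted code.
    private static bool ContainsIgnoreCase(string text, string marker)
    {
        return text.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Equivalent of arguments_contain_sensitive_information as one loop:
    // adding a marker means adding a table entry, not pasting a line.
    public static bool ContainsSensitiveInformation(string commandArguments)
    {
        return SensitiveMarkers.Any(m => ContainsIgnoreCase(commandArguments, m));
    }

    // Entries listed more than once. Applied to the operands of the original
    // '||' chain this is the same finding the V3001 warning reports.
    public static List<string> DuplicateMarkers(IEnumerable<string> markers)
    {
        return markers.GroupBy(m => m, StringComparer.OrdinalIgnoreCase)
                      .Where(g => g.Count() > 1)
                      .Select(g => g.Key)
                      .ToList();
    }

    // Entries that a shorter entry already matches as a substring: such an
    // entry can never change the result of a substring-based check.
    public static List<string> RedundantMarkers(IEnumerable<string> markers)
    {
        var list = markers.ToList();
        return list.Where(m => list.Any(o => o.Length < m.Length && ContainsIgnoreCase(m, o)))
                   .ToList();
    }

    public static void Main()
    {
        // Constructed sample command lines; the key values are placeholders.
        string[] samples =
        {
            "push mypkg.nupkg --source https://example.invalid -k=PLACEHOLDER_KEY",
            "apikey -k PLACEHOLDER_KEY -s https://example.invalid",
            "install pvs-studio --version=7.05.35617.2075",
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-5} {1}", ContainsSensitiveInformation(s), s);

        foreach (var d in DuplicateMarkers(SensitiveMarkers))
            Console.WriteLine("duplicate marker: " + d);
        foreach (var r in RedundantMarkers(SensitiveMarkers))
            Console.WriteLine("redundant marker: " + r);
    }
}
```

Running DuplicateMarkers over the table in a unit test turns the copy-paste defect from something a static analyzer has to spot into a failing test. RedundantMarkers is the caveat that goes with substring lists: because the check is a substring test, an entry such as "-apikey=" is matched wherever "-apikey" is, so the audit reports it even though it is harmless.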

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic error: the installedPackage object is used first and only then checked for null. This diagnostic tells us about one of two problems in the program: either installedPackage is never null, which is doubtful, and then the check is redundant, or we can get a serious error in the code, an attempt to dereference a null reference.
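As an added example, not Chocolatey's code: a constructed InstalledPackage type and two functions that reproduce the order of operations in the quoted get_outdated fragment, one dereferencing before the null check and one checking first. With a null argument the first throws NullReferenceException at the dereference, and the later null check is never reached; the second returns null. The names NullCheckOrderDemo, UseBeforeCheck, CheckBeforeUse and the sample path are mine.

```csharp
using System;
using System.IO;

// Constructed stand-in for the package object in the quoted fragment.
public sealed class InstalledPackage
{
    public string Id { get; set; }
    public string Version { get; set; }
}

// Added example, not Chocolatey's code: use-before-null-check order
// from get_outdated next to the checked-first version.
public static class NullCheckOrderDemo
{
    // Same order as in the quoted fragment: installedPackage.Id is read
    // before installedPackage is compared with null, so a null argument
    // throws NullReferenceException on the first line and the guard below
    // never runs.
    public static string UseBeforeCheck(InstalledPackage installedPackage, string packagesLocation)
    {
        string packagePath = Path.Combine(packagesLocation, installedPackage.Id);
        if (installedPackage != null && !string.IsNullOrWhiteSpace(installedPackage.Version))
        {
            return packagePath;
        }
        return null;
    }

    // Guard first; the dereference only happens on a non-null object.
    public static string CheckBeforeUse(InstalledPackage installedPackage, string packagesLocation)
    {
        if (installedPackage == null || string.IsNullOrWhiteSpace(installedPackage.Version))
        {
            return null;
        }
        return Path.Combine(packagesLocation, installedPackage.Id);
    }

    public static void Main()
    {
        const string packagesLocation = @"C:\example\lib";   // constructed path
        var known = new InstalledPackage { Id = "pvs-studio", Version = "7.05.35617.2075" };

        Console.WriteLine(CheckBeforeUse(known, packagesLocation));
        Console.WriteLine(CheckBeforeUse(null, packagesLocation) ?? "<null>");
        try
        {
            UseBeforeCheck(null, packagesLocation);
        }
        catch (NullReferenceException)
        {
            Console.WriteLine("UseBeforeCheck: NullReferenceException");
        }
    }
}
```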

Conclusion

So we have taken another small step: using PVS-Studio has become even simpler and more convenient. I also want to say that Chocolatey is a good package manager with a small number of errors in its code, and that number can become even smaller with PVS-Studio.

We invite you to download and try PVS-Studio. Regular use of the static analyzer will improve the quality and reliability of the code your team develops and help prevent many zero-day vulnerabilities.

P.P.S.

Before publication we sent the article to the Chocolatey developers, and they received it well. We did not find anything critical, but they liked, for example, the bug we found related to the "api-key" key.


If you want to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio is now in Chocolatey: Checking Chocolatey under Azure DevOps.

Source: www.habr.com
