Isu tinoramba tichiita kuti kushandisa PVS-Studio kuve nyore. Yedu analyzer yave kuwanikwa muChocolatey, maneja wepakeji yeWindows. Isu tinotenda kuti izvi zvichafambisa kuendeswa kwePVS-Studio, kunyanya, mumasevhisi emakore. Kuti usaende kure, ngatitarise iyo kodhi kodhi yeiyo Chocolatey imwechete. Azure DevOps ichaita seCI system.
Heino rondedzero yezvimwe zvinyorwa zvedu pamusoro penyaya yekubatanidzwa ne cloud systems:
Ini ndinokupa zano kuti uteerere kune yekutanga chinyorwa nezve kubatanidzwa neAzure DevOps, sezvo mune iyi nyaya mamwe mapoinzi akasiiwa kuti arege kudzokororwa.
Saka, magamba echinyorwa ichi:
iri static kodhi yekuongorora chishandiso chakagadzirirwa kuona zvikanganiso uye zvingango kanganisa muzvirongwa zvakanyorwa muC, C++, C# uye Java. Inomhanya pa64-bit Windows, Linux, uye macOS masisitimu, uye inogona kuongorora kodhi yakagadzirirwa 32-bit, 64-bit, uye yakamisikidzwa ARM mapuratifomu. Kana aka kari kekutanga kuyedza static kodhi yekuongorora kuti utarise mapurojekiti ako, tinokurudzira kuti uzvizive nezve nzira yekukurumidza kuona iyo inonyanya kunakidza PVS-Studio yambiro uye kuongorora kugona kwechishandiso ichi.
- seti yemasevhisi emakore ayo anovhara pamwe chete maitiro ese ekusimudzira. Iyi puratifomu inosanganisira maturusi akadai seAzure Pipelines, Azure Boards, Azure Artifacts, Azure Repos, Azure Test Plans, iyo inokutendera iwe kukurumidzira maitiro ekugadzira software nekuvandudza hunhu hwayo.
ndeye yakavhurika sosi package maneja yeWindows. Chinangwa chepurojekiti ndechekugadzirisa iyo yese software lifecycle kubva pakugadzika kusvika pakuvandudza uye kuburitsa paWindows masisitimu anoshanda.
Nezve kushandisa Chocolatey
Iwe unogona kuona maitiro ekuisa iyo package maneja pachayo pane izvi . Mapepa akazara ekuisa analyzer anowanikwa pa Ona Kuiswa uchishandisa Chocolatey package maneja chikamu. Ndichadzokorora muchidimbu dzimwe pfungwa kubva ipapo.
Raira kuisa yazvino vhezheni yeanalyzer:
choco install pvs-studioRaira kuisa imwe vhezheni yePVS-Studio package:
choco install pvs-studio --version=7.05.35617.2075Nekusagadzikana, chete musimboti weanalyzer, iyo Core chikamu, inoiswa. Mamwe mimwe mireza (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) inogona kupfuudzwa uchishandisa --package-parameter.
Muenzaniso wemurairo unozoisa analyzer ine plugin yeVisual Studio 2019:
choco install pvs-studio --package-parameters="'/MSVS2019'"Zvino ngatitarisei muenzaniso wekushandiswa kuri nyore kweanalyzer pasi peAzure DevOps.
kuchinja
Rega ndikuyeuchidze kuti pane chikamu chakasiyana nezvenyaya dzakadai sekunyoresa account, kugadzira Pipeline Yakavaka uye kuwiriranisa account yako nepurojekiti iri muGitHub repository. . Kuseta kwedu kunobva kwatanga nekunyora faira yekumisikidza.
Chekutanga, ngatisemei chinokonzeresa, zvichiratidza kuti isu tinovhura chete shanduko mukati tenzi bazi:
trigger:
- masterTevere tinoda kusarudza muchina chaiwo. Parizvino ichave mumiriri weMicrosoft ane Windows Server 2019 uye Visual Studio 2019:
pool:
vmImage: 'windows-latest'Ngatienderei kumutumbi wefaira yekumisikidza (block matanho) Kunyangwe ichokwadi chekuti haugone kuisa yekupokana software mumushini chaiwo, ini handina kuwedzera Docker mudziyo. Tinogona kuwedzera Chocolatey sekuwedzera kweAzure DevOps. Kuti tiite izvi, ngatiende . Dzvanya Sununguka. Tevere, kana iwe watopihwa mvumo, ingosarudza account yako, uye kana zvisiri, woita chinhu chimwe chete mushure memvumo.
Pano iwe unofanirwa kusarudza kwatichawedzera kuwedzera uye tinya bhatani gadza.
Mushure mekubudirira kuisa, tinya Enderera kune sangano:
Iwe unogona ikozvino kuona template yeChocolatey basa pahwindo mabasa paunenge uchigadzirisa faira rekugadzirisa azure-pipelines.yml:
Dzvanya paChocolatey uye ona rondedzero yeminda:
Pano tinofanira kusarudza install mumunda nezvikwata. IN Nuspec File Name ratidza zita repasuru inodiwa - pvs-studio. Kana iwe ukasatsanangura iyo vhezheni, yazvino ichaiswa, iyo inokodzera isu zvachose. Ngatidzvanye bhatani wedzera uye isu tichaona basa rakagadzirwa mufaira rekugadzirisa.
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'Tevere, ngatiendei kune chikamu chikuru chefaira redu:
- task: CmdLine@2
inputs:
script: Iye zvino tinoda kugadzira faira ine analyzer rezinesi. Here PVSNAME и PVSKEY -mazita emhando dzakasiyana dzatinotsanangura mumaseting. Ivo vanochengeta iyo PVS-Studio yekupinda uye rezinesi kiyi. Kuti uise kukosha kwavo, vhura menyu Variables-> New variable. Ngatigadzire zvinoshanduka PVSNAME ye login uye PVSKEY yekiyi analyzer. Usakanganwa kutarisa bhokisi Chengetedza kukosha uku kwakavanzika nokuti PVSKEY. Kodhi yekuraira:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe" credentials
–u $(PVSNAME) –n $(PVSKEY)Ngativake purojekiti tichishandisa iyo bat faira iri mune repository:
сall build.batNgatigadzire folda iyo mafaera ane mhedzisiro yeanalyzer achachengetwa:
сall mkdir PVSTestResultsNgatitangei kuongorora purojekiti:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog Isu tinoshandura rondedzero yedu kuita html fomati tichishandisa iyo PlogСonverter utility:
сall "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o PVSTestResults .PVSTestResultsChoco.plogIye zvino iwe unofanirwa kugadzira basa kuti iwe ugone kurodha iyo report.
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Iyo yakazara faira yekumisikidza inoita seizvi:
trigger:
- master
pool:
vmImage: 'windows-latest'
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'
- task: CmdLine@2
inputs:
script: |
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
credentials –u $(PVSNAME) –n $(PVSKEY)
call build.bat
call mkdir PVSTestResults
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog
call "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o .PVSTestResults .PVSTestResultsChoco.plog
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Ngatidzvanye Sevha-> Sevha-> Mhanya kumhanya basa. Ngatitorei mushumo nekuenda kune yebasa tab.
Iyo Chocolatey purojekiti ine chete 37615 mitsetse yeC # kodhi. Ngatitarisei zvimwe zvezvikanganiso zvakawanikwa.
Test Results
Yambiro N1
Analyzer yambiro: Iyo 'Provider' musiyano inopihwa pachayo. CrytpoHashProviderSpecs.cs 38
public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
....
protected CryptoHashProvider Provider;
....
public override void Context()
{
Provider = Provider = new CryptoHashProvider(FileSystem.Object);
}
}Iyo analyzer yakaona kugoverwa kweiyo vhezheni pachayo, izvo zvisina musoro. Zvingangodaro, panzvimbo yeimwe yeiyi misiyano panofanira kunge paine imwe. Zvakanaka, kana iyi typo, uye basa rekuwedzera rinogona kungobviswa.
Yambiro N2
Analyzer yambiro: [CWE-480] Iyo '&' mushandisi anoongorora ese ari maviri oparesheni. Zvichida mushandisi wenguva pfupi '&&' anofanira kushandiswa pachinzvimbo. Platform.cs 64
public static PlatformType get_platform()
{
switch (Environment.OSVersion.Platform)
{
case PlatformID.MacOSX:
{
....
}
case PlatformID.Unix:
if(file_system.directory_exists("/Applications")
& file_system.directory_exists("/System")
& file_system.directory_exists("/Users")
& file_system.directory_exists("/Volumes"))
{
return PlatformType.Mac;
}
else
return PlatformType.Linux;
default:
return PlatformType.Windows;
}
}Operator musiyano & kubva kumushandisi && ndiko kuti kana rutivi rworuboshwe rwechirevo chiri venhema, ipapo rutivi rworudyi rucharamba ruchiverengwa, iyo munyaya iyi inoreva nzira dzisina kufanira dzinofona system.directory_exists.
Muchidimbu chinotariswa, ichi chikanganiso chidiki. Ehe, mamiriro aya anogona kuvandudzwa nekutsiva iyo & opareta ne && opareta, asi kubva pamaonero anoshanda, izvi hazvikanganisa chero chinhu. Nekudaro, mune zvimwe zviitiko, kuvhiringika pakati & uye && kunogona kukonzera matambudziko akakomba kana rutivi rwerudyi rwechirevo rukabatwa nemaitiro asiri iwo / asina kunaka. Semuenzaniso, mukuunganidza kwedu kukanganisa, , pane nyaya iyi:
if ((k < nct) & (s[k] != 0.0))Kunyangwe iyo index k haina kururama, ichashandiswa kuwana array element. Nekuda kweizvozvo, kusarudzika kuchakandirwa IndexOutOfRangeException.
Yambiro N3, N4
Analyzer yambiro: [CWE-571] Tsanangudzo 'pfupiPrompt' ndeyechokwadi nguva dzose. InteractivePrompt.cs 101
Analyzer yambiro: [CWE-571] Tsanangudzo 'pfupiPrompt' ndeyechokwadi nguva dzose. InteractivePrompt.cs 105
public static string
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
....
if (shortPrompt)
{
var choicePrompt = choice.is_equal_to(defaultChoice) //1
?
shortPrompt //2
?
"[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
choice.Substring(1,choice.Length - 1))
:
"[{0}]".format_with(choice.ToUpperInvariant()) //0
:
shortPrompt //4
?
"[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
choice.Substring(1,choice.Length - 1))
:
choice; //0
....
}
....
}Muchiitiko ichi, kune pfungwa inoshamisa shure kwekushanda kwe ternary operator. Ngatitarisei zvakanyanya: kana mamiriro andakamaka nenhamba 1 asangana, tobva taenda kune chimiro 2, chinogara chiripo. zvechokwadi, zvinoreva kuti mutsara 3 uchaitwa.Kana chimiro 1 chikava chenhema, tobva taenda kumutsara wakanyorwa nhamba 4, mamiriro ayo anogara ariwo nguva dzose. zvechokwadi, zvinoreva kuti mutsara 5 uchaitwa.Saka, mamiriro akaiswa nekutaura 0 haazombozadzikiswa, izvo zvingave zvisiri izvo chaizvo zvinonzwisisika zvekushanda izvo zvakatarisirwa nemugadziri.
Yambiro N5
Analyzer yambiro: [CWE-783] Pamwe iyo '?:' anoshanda neimwe nzira yakasiyana pane yaitarisirwa. Kukoshesa kwaro kwakaderera pane kukoshesa kwevamwe vashandisi mumamiriro ayo. Options.cs 1019
private static string GetArgumentName (...., string description)
{
string[] nameStart;
if (maxIndex == 1)
{
nameStart = new string[]{"{0:", "{"};
}
else
{
nameStart = new string[]{"{" + index + ":"};
}
for (int i = 0; i < nameStart.Length; ++i)
{
int start, j = 0;
do
{
start = description.IndexOf (nameStart [i], j);
}
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
....
return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
}
}Iyo diagnostic yakashanda kune iyo mutsara:
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)Kubva pane zvakasiyana j mitsetse mishoma iri pamusoro inotangwa kusvika zero, iyo ternary opareta ichadzosa kukosha venhema. Nekuda kwechiitiko ichi, muviri wechiuno unozoitwa kamwe chete. Zvinoratidzika kwandiri kuti chidimbu chekodhi hachishandi zvachose sezvaidiwa nemugadziri.
Yambiro N6
Analyzer yambiro: [CWE-571] Kutaura 'installedPackageVersions.Count != 1' ndeyechokwadi nguva dzose. NugetService.cs 1405
private void remove_nuget_cache_for_package(....)
{
if (!config.AllVersions && installedPackageVersions.Count > 1)
{
const string allVersionsChoice = "All versions";
if (installedPackageVersions.Count != 1)
{
choices.Add(allVersionsChoice);
}
....
}
....
}Pane imwe nested condition inoshamisa pano: yakaiswaPackageVersions.Count != 1izvo zvichagara zviripo zvechokwadi. Kazhinji yambiro yakadaro inoratidza chikanganiso chine musoro mukodhi, uye mune dzimwe nguva inongoratidza kusatarisisa.
Yambiro N7
Analyzer yambiro: Kune akafanana madiki-mazwi 'commandArguments.contains("-apikey")' kuruboshwe uye kurudyi rwe'||' opareta. ArgumentsUtility.cs 42
public static bool arguments_contain_sensitive_information(string
commandArguments)
{
return commandArguments.contains("-install-arguments-sensitive")
|| commandArguments.contains("-package-parameters-sensitive")
|| commandArguments.contains("apikey ")
|| commandArguments.contains("config ")
|| commandArguments.contains("push ")
|| commandArguments.contains("-p ")
|| commandArguments.contains("-p=")
|| commandArguments.contains("-password")
|| commandArguments.contains("-cp ")
|| commandArguments.contains("-cp=")
|| commandArguments.contains("-certpassword")
|| commandArguments.contains("-k ")
|| commandArguments.contains("-k=")
|| commandArguments.contains("-key ")
|| commandArguments.contains("-key=")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key");
}Mugadziri akanyora chikamu ichi chekodhi akakopa uye akaisa mitsetse miviri yekupedzisira ndokukanganwa kuigadzirisa. Nekuda kweizvi, vashandisi veChocolatey havana kukwanisa kuisa iyo parameter apikey dzimwe nzira mbiri. Zvakafanana nema parameter ari pamusoro, ndinogona kupa zvinotevera sarudzo:
commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");Copy-paste zvikanganiso zvine mukana wakakura wekuonekwa munguva pfupi kana gare gare mune chero chirongwa chine huwandu hukuru hwekodhi yekodhi, uye chimwe chezvishandiso zvakanakisa zvekurwa nazvo ndeye static analysis.
PS Uye senguva dzose, kukanganisa uku kunowanzo kuoneka pamagumo emamiriro e-multi-line :). Ona chinyorwa "".
Yambiro N8
Analyzer yambiro: [CWE-476] Chinhu 'chakaiswaPackage' chakashandiswa chisati chasimbiswa chisina maturo. Tarisa mitsetse: 910, 917. NugetService.cs 910
public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
....
var pinnedPackageResult = outdatedPackages.GetOrAdd(
packageName,
new PackageResult(installedPackage,
_fileSystem.combine_paths(
ApplicationParameters.PackagesLocation,
installedPackage.Id)));
....
if ( installedPackage != null
&& !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion)
&& !config.UpgradeCommand.ExcludePrerelease)
{
....
}
....
}Classic kukanganisa: chinhu chekutanga yakaiswaPackage inoshandiswa uye yoongororwa null. Iyi yekuongorora inotitaurira nezveimwe yematambudziko maviri muchirongwa: kana yakaiswaPackage kusamboenzana null, izvo zvisina chokwadi, uyezve cheki haina basa, kana isu tinogona kuwana chikanganiso chakakomba mukodhi - kuyedza kuwana isina chinhu.
mhedziso
Saka takatora rimwe danho diki - iko zvino kushandisa PVS-Studio kwave nyore uye kuri nyore. Ini ndinodawo kutaura kuti Chocolatey yakanaka pasuru maneja ane diki nhamba yezvikanganiso mukodhi, inogona kunge iri shoma kana uchishandisa PVS-Studio.
Tinokukoka iwe uye edza PVS-Studio. Kugara uchishandisa static analyzer kunovandudza kunaka uye kuvimbika kwekodhi inogadzirwa nechikwata chako uye kubatsira kudzivirira akawanda. .
PS
Tisati taburitswa, takatumira chinyorwa kune vanogadzira Chocolatey, uye vakachigamuchira zvakanaka. Hatina kuwana chero chinhu chakakosha, asi ivo, semuenzaniso, vakafarira bug yatakawana ine chekuita nekiyi "api-kiyi".
Kana iwe uchida kugovera chinyorwa ichi nevateereri vanotaura Chirungu, tapota shandisa shanduro yekushandura: Vladislav Stolyarov. .
Source: www.habr.com