PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps

We continue to make PVS-Studio more convenient to use. Our analyzer is now available in Chocolatey, the package manager for Windows. We believe this will make it easier to deploy PVS-Studio, in particular in cloud services. Without looking far, let's check the source code of Chocolatey itself. Azure DevOps will act as the CI system.

Here is a list of our other articles on the topic of integration with cloud systems:

I recommend paying special attention to the first article on integration with Azure DevOps, since in this case some points were left out to avoid duplication.

So, the heroes of this article:

PVS-Studio is a static code analysis tool designed to identify errors and potential vulnerabilities in programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS systems, and can analyze code for 32-bit, 64-bit and embedded ARM platforms. If this is your first time trying static code analysis to check your projects, we recommend familiarizing yourself with the article about how to quickly review the most interesting PVS-Studio warnings and evaluate the capabilities of this tool.

Azure DevOps is a set of cloud services that together cover the entire development process. This platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which allow you to speed up the software creation process and improve its quality.

Chocolatey is an open-source package manager for Windows. The goal of the project is to automate the entire software lifecycle, from installation to updating and removal, on Windows operating systems.

About using Chocolatey

You can see how to install the package manager itself at this link. Complete documentation on installing the analyzer is available at the link; see the section Installation using the Chocolatey package manager. I will briefly repeat some points.

Command to install the latest version of the analyzer:

choco install pvs-studio

Command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default, only the analyzer core, the Core component, is installed. All other flags (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be passed using --package-parameters.

An example command that installs the analyzer together with the plugin for Visual Studio 2019:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Now let's look at an example of convenient use of the analyzer under Azure DevOps.

Setup

Let me remind you that a separate article covers matters such as registering an account, creating a Build Pipeline and synchronizing your account with a project in a GitHub repository. Our setup will start right away with writing the configuration file.

First, let's set the launch trigger, indicating that we start only on changes in the master branch:

trigger:
- master

Next we need to choose a build machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Even though you can't install arbitrary software on the build machine, I did not add a Docker container. We can add Chocolatey as an Azure DevOps extension. To do this, go to the link. Click Get it free. Next, if you are already authorized, simply choose your account; otherwise do the same after authorization.


Here you need to select the organization to which we will add the extension and click the Install button.


After successful installation, click Proceed to organization:


Now you can see the Chocolatey task template in the tasks window when editing the azure-pipelines.yml configuration file:


Click on Chocolatey and look at the list of fields:


Here we need to select install in the Command field. In the Nuspec File Name field, specify the name of the required package: pvs-studio. If you don't specify a version, the latest one will be installed, which suits us completely. Click the Add button and we will see the generated task in the configuration file.

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's move on to the main part of our file:

- task: CmdLine@2
  inputs:
    script: |

Now we need to create a file with the analyzer license. Here PVSNAME and PVSKEY are the names of variables whose values we specify in the settings. They will store the PVS-Studio login and license key. To set their values, open the menu Variables -> New variable. Let's create the variable PVSNAME for the login and PVSKEY for the analyzer key. Don't forget to check the box Keep this value secret for PVSKEY. The command code:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the batch file located in the repository:

call build.bat

Let's create a folder where the files with the analysis results will be stored:

call mkdir PVSTestResults

Let's start the analysis of the project:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

We convert our report to HTML format using the PlogConverter utility:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

Now you need to create a task to publish the report. The condition: always() key belongs to the task itself, not to its inputs, so that the report is uploaded even when a previous step fails.

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

The complete configuration file looks like this:

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

Click Save -> Save -> Run to launch the task. Download the report by going to the tasks tab.


The Chocolatey project contains only 37615 lines of C# code. Let's look at some of the errors found.

Check results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer detected an assignment of a variable to itself, which makes no sense. Most likely, one of these variables should have been a different one. Or this is a typo, and the extra assignment can simply be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
    if(file_system.directory_exists("/Applications")
      & file_system.directory_exists("/System")
      & file_system.directory_exists("/Users")
      & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
        else
          return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The difference between the & operator and the && operator is that if the left side of the expression is false, the right side is still evaluated, which in this case means unnecessary calls of the file_system.directory_exists method.

In the fragment under consideration, this is a minor flaw. Yes, this condition can be optimized by replacing the & operator with the && operator, but from a practical point of view this changes nothing. However, in other cases, confusion between & and && can lead to serious problems when the right side of the expression is evaluated with incorrect or invalid values. For example, in our collection of errors identified with the V3093 diagnostic there is this case:

if ((k < nct) & (s[k] != 0.0))

Even if the index k is invalid, it will still be used to access the array element. As a result, an IndexOutOfRangeException is thrown.
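As an added example (not code from the article or from Chocolatey), the following C# program reproduces the shape of the second case above: the same guard written with '&' reads past the end of the array, while '&&' stops at the guard. The array, indices and class name are constructed for the demonstration.

```csharp
using System;

// Added demo, not Chocolatey code: '&' on bool operands evaluates both sides,
// so the right-hand side runs even when the left-hand guard is false.
static class ShortCircuitDemo
{
    // Mirrors "(k < nct) & (s[k] != 0.0)" from the article.
    public static bool NonShortCircuit(double[] s, int k, int nct)
    {
        return (k < nct) & (s[k] != 0.0);   // s[k] is read even when k >= nct
    }

    // The intended form: s[k] is read only when the guard holds.
    public static bool ShortCircuit(double[] s, int k, int nct)
    {
        return (k < nct) && (s[k] != 0.0);
    }

    static void Main()
    {
        double[] s = { 1.0, 0.0, 3.0 };   // constructed sample data
        int nct = s.Length;               // valid indices are 0 .. nct-1
        int k = nct;                      // one past the end: guard is false

        // The guard protects the access: prints False, no exception.
        Console.WriteLine(ShortCircuit(s, k, nct));

        try
        {
            // The guard is false here too, but s[k] is still evaluated.
            Console.WriteLine(NonShortCircuit(s, k, nct));
        }
        catch (IndexOutOfRangeException e)
        {
            Console.WriteLine("'&' still evaluated s[k]: " + e.GetType().Name);
        }
    }
}
```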

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string 
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice) //1
    ?
    shortPrompt //2
    ?
    "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
    choice.Substring(1,choice.Length - 1))
    :
    "[{0}]".format_with(choice.ToUpperInvariant()) //0
    : 
    shortPrompt //4
    ? 
    "[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
    choice.Substring(1,choice.Length - 1)) 
    :
    choice; //0
    ....
  }
  ....
}

In this case, the logic of the ternary operator is strange. Let's take a closer look: if the condition I marked with number 1 is met, we go to condition 2, which is always true, so line 3 is executed; if condition 1 turns out to be false, we go to the line marked with number 4, whose condition is also always true, so line 5 is executed. Thus, the branches marked with comment 0 will never be executed, which is probably not quite the logic the programmer expected.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than the priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName (...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[]{"{0:", "{"};
  }
  else
  {
    nameStart = new string[]{"{" + index + ":"};
  }
  for (int i = 0; i < nameStart.Length; ++i) 
  {
    int start, j = 0;
    do 
    {
      start = description.IndexOf (nameStart [i], j);
    } 
    while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The diagnostic was triggered on the line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

Since the variable j is initialized to zero a few lines above, the ternary operator returns false. Because of this condition, the loop body is executed only once. It seems to me that this code does not work quite the way the programmer intended.

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

Here we have a strange condition: installedPackageVersions.Count != 1, which will always be true. Often such a warning indicates a logical error in the code; in other cases it simply points to a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string
 commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
  || commandArguments.contains("-package-parameters-sensitive")
  || commandArguments.contains("apikey ")
  || commandArguments.contains("config ")
  || commandArguments.contains("push ")
  || commandArguments.contains("-p ")
  || commandArguments.contains("-p=")
  || commandArguments.contains("-password")
  || commandArguments.contains("-cp ")
  || commandArguments.contains("-cp=")
  || commandArguments.contains("-certpassword")
  || commandArguments.contains("-k ")
  || commandArguments.contains("-k=")
  || commandArguments.contains("-key ")
  || commandArguments.contains("-key=")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key")
  || commandArguments.contains("-apikey")
  || commandArguments.contains("-api-key");
}

The programmer who wrote this code fragment copied and pasted the last two lines and forgot to edit them. Because of this, Chocolatey users could not use the apikey parameter in several other ways. By analogy with the parameters above, I can suggest the following options:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");

Copy-paste errors have a high chance of appearing sooner or later in any project with a large amount of code, and one of the best tools for combating them is static analysis.

P.S. And as always, this error tends to show up at the end of a multi-line condition :). See the publication "The last line effect".

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic error: the installedPackage object is first used and only then checked for null. This diagnostic tells us about one of two problems in the code: either installedPackage is never null, which is doubtful, and then the check is redundant, or we may be looking at a serious error in the code: an attempt to dereference a null reference.

Conclusion

So we have taken another small step: using PVS-Studio has now become even simpler and more convenient. I would also like to say that Chocolatey is a good package manager with a small number of errors in its code, which could be even smaller when using PVS-Studio.

We invite you to download and try PVS-Studio. Regular use of a static analyzer will improve the quality and reliability of the code your team develops and will help prevent many zero-day vulnerabilities.

P.S.

Before publication, we sent the article to the Chocolatey developers, and they received it well. We did not find anything critical, but they liked, for example, the bug we found related to the "api-key" key.


If you want to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps.

Source: www.habr.com