Re tsoela pele ho etsa hore ho sebelisa PVS-Studio ho be bonolo haholoanyane. Analyzer ea rona e se e fumaneha ho Chocolatey, molaoli oa sephutheloana oa Windows. Re lumela hore sena se tla thusa ho romelloa ha PVS-Studio, haholo-holo, litšebeletsong tsa leru. E le hore re se ke ra ea hole, a re hlahlobeng khoutu ea mohloli oa Chocolatey e tšoanang. Azure DevOps e tla sebetsa joalo ka sistimi ea CI.
Mona ke lethathamo la lingoliloeng tsa rona tse ling tse mabapi le sehlooho sa ho hokahana le litsamaiso tsa maru:
Ke u eletsa hore u ele hloko sengoloa sa pele se mabapi le ho kopanngoa le Azure DevOps, kaha ntlheng ena lintlha tse ling li siiloe e le hore li se ke tsa kopitsoa.
Kahoo, bahale ba sengoloa sena:
ke sesebelisoa sa ho hlahloba khoutu e tsitsitseng e etselitsoeng ho tseba liphoso le bofokoli bo ka bang teng mananeong a ngotsoeng ka C, C++, C # le Java. E sebetsa ho li-system tsa 64-bit tsa Windows, Linux, le macOS, 'me e khona ho sekaseka khoutu e etselitsoeng li-platform tsa 32-bit, 64-bit le tse kentsoeng tsa ARM. Haeba e le lekhetlo la pele u leka tlhahlobo ea khoutu e tsitsitseng ho hlahloba merero ea hau, re khothaletsa hore u itloaetse mabapi le mokhoa oa ho sheba litemoso tse khahlang ka ho fetesisa tsa PVS-Studio le ho lekola bokhoni ba sesebelisoa sena.
- sete sa lits'ebeletso tsa leru tse kopantseng ts'ebetso eohle ea nts'etsopele. Sethala sena se kenyelletsa lisebelisoa tse kang Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos, Azure Test Plans, tse u lumellang ho potlakisa ts'ebetso ea ho theha software le ho ntlafatsa boleng ba eona.
ke molaoli oa sephutheloana o bulehileng oa Windows. Sepheo sa morero ke ho iketsetsa bophelo bohle ba software ho tloha ho ts'ebetsong ho ea ho ntlafatso le ho e ntša ho Windows OS.
Mabapi le ho sebelisa Chocolatey
U ka bona mokhoa oa ho kenya mookameli oa sephutheloana ka boeona ho sena . Litokomane tse felletseng tsa ho kenya analyzer li fumaneha ho Sheba Ho kenya ho sebelisa karolo ea mookameli oa sephutheloana sa Chocolatey. Ke tla pheta lintlha tse ling ho tloha moo ka bokhutšoane.
Laela ho kenya mofuta oa morao-rao oa analyzer:
choco install pvs-studioLaela ho kenya mofuta o itseng oa sephutheloana sa PVS-Studio:
choco install pvs-studio --version=7.05.35617.2075Ka nako e sa lekanyetsoang, ke motheo feela oa analyzer, karolo ea Core, e kentsoeng. Lifolakha tse ling kaofela (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) li ka fetisoa ho sebelisoa --package-parameters.
Mohlala oa taelo e tla kenya analyzer e nang le plugin bakeng sa Visual Studio 2019:
choco install pvs-studio --package-parameters="'/MSVS2019'"Joale a re shebeng mohlala oa tšebeliso e bonolo ea analyzer tlasa Azure DevOps.
phetoho
E-re ke u hopotse hore ho na le karolo e arohaneng mabapi le litaba tse kang ho ngolisa akhaonto, ho theha Pipeline ea Haha le ho hokahanya akhaonto ea hau le morero o sebakeng sa polokelo ea GitHub. . Setupo sa rona se tla qala hang hang ka ho ngola faele ea tlhophiso.
Taba ea pele, ha re theheng sehlomathiso sa ho qala, se bonts'ang hore re qala feela bakeng sa liphetoho ho mong'a lekala:
trigger:
- masterKa mor'a moo, re lokela ho khetha mochine oa sebele. Hajoale e tla ba moemeli ea tsamaisoang ke Microsoft ea nang le Windows Server 2019 le Visual Studio 2019:
pool:
vmImage: 'windows-latest'Ha re feteleng ho 'mele oa faele ea tlhophiso (block mehato). Leha e le taba ea hore ha o khone ho kenya software e hanyetsanang mochining o fumanehang, ha kea eketsa setshelo sa Docker. Re ka eketsa Chocolatey joalo ka katoloso ea Azure DevOps. Ho etsa sena, a re eeng ho . Tobetsa E fumane mahala. E latelang, haeba u se u fuoe tumello, khetha feela akhaonto ea hau, 'me haeba ho se joalo, etsa se tšoanang ka mor'a tumello.
Mona o hloka ho khetha moo re tla eketsa katoloso ebe o tobetsa konopo kenya.
Ka mor'a ho kenya katleho, tobetsa Tsoela pele mokhatlong:
Joale u ka bona template ea mosebetsi oa Chocolatey fensetereng mesebetsi e meng ntle ha o lokisa faele ea tlhophiso azure-pipelines.yml:
Tobetsa ho Chocolatey 'me u bone lethathamo la masimo:
Mona re hloka ho khetha kenya lebaleng le lihlopha. IN Lebitso la faele la Nuspec bontša lebitso la sephutheloana se hlokahalang - pvs-studio. Haeba u sa hlalose phetolelo, ho tla kenngoa ea morao-rao, e re tšoanelang ka ho feletseng. Ha re tobetse konopo eketsa mme re tla bona mosebetsi o hlahisitsoeng faeleng ea tlhophiso.
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'Ka mor'a moo, ha re feteleng karolong e ka sehloohong ea faele ea rona:
- task: CmdLine@2
inputs:
script: Hona joale re hloka ho theha faele e nang le laesense ea analyzer. Mona PVSNAME и PVSKEY - mabitso a mefuta-futa eo re e hlalosang ka litekanyetso tsa eona. Ba tla boloka PVS-Studio ea ho kena le senotlolo sa laesense. Ho seta boleng ba bona, bula menyetla Liphetoho-> Phapang e ncha. Ha re theheng lintho tse fapaneng PVSNAME bakeng sa ho kena le PVSKEY bakeng sa senotlolo sa analyzer. U se ke ua lebala ho hlahloba lebokose Boloka sephiri sena sa boleng etsoe PVSKEY. Khouto ea taelo:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe" credentials
–u $(PVSNAME) –n $(PVSKEY)Ha re aheng morero re sebelisa faele ea bat e sebakeng sa polokelo:
сall build.batHa re theheng foldara moo lifaele tse nang le liphetho tsa analyzer li tla bolokoa:
сall mkdir PVSTestResultsHa re qale ho sekaseka morero:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog Re fetolela tlaleho ea rona ho sebopeho sa html re sebelisa sesebelisoa sa PlogСonverter:
сall "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o PVSTestResults .PVSTestResultsChoco.plogHona joale o hloka ho theha mosebetsi e le hore o ka kenya tlaleho.
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Faele e felletseng ea tlhophiso e shebahala tjena:
trigger:
- master
pool:
vmImage: 'windows-latest'
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'
- task: CmdLine@2
inputs:
script: |
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
credentials –u $(PVSNAME) –n $(PVSKEY)
call build.bat
call mkdir PVSTestResults
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog
call "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o .PVSTestResults .PVSTestResultsChoco.plog
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Ha re tobetse Boloka-> Boloka-> Matha ho tsamaisa mosebetsi. Ha re khoasolle tlaleho ka ho ea tab ea mesebetsi.
Morero oa Chocolatey o na le mela e 37615 feela ea khoutu ea C #. Ha re shebe tse ling tsa liphoso tse fumanoeng.
Liphetho tsa liteko
Tlhokomeliso N1
Tlhokomeliso ea Analyzer: Phapang ea 'Mofani' e abetsoe eona. CrytpoHashProviderSpecs.cs 38
public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
....
protected CryptoHashProvider Provider;
....
public override void Context()
{
Provider = Provider = new CryptoHashProvider(FileSystem.Object);
}
}Mohlahlobi o ile a lemoha kabelo ea phetoho ka boeona, e sa utloahaleng. Mohlomong, sebakeng sa e 'ngoe ea mefuta ena ho lokela ho ba le e' ngoe. Che, kapa hona ke typo, mme kabelo e eketsehileng e ka tlosoa feela.
Tlhokomeliso N2
Tlhokomeliso ea Analyzer: [CWE-480] '&' opereishene e lekola lits'ebetso ka bobeli. Mohlomong ho lokela hore ho sebelisoe '&&' opareitara ea potoloho e khuts'oane. Platform.cs 64
public static PlatformType get_platform()
{
switch (Environment.OSVersion.Platform)
{
case PlatformID.MacOSX:
{
....
}
case PlatformID.Unix:
if(file_system.directory_exists("/Applications")
& file_system.directory_exists("/System")
& file_system.directory_exists("/Users")
& file_system.directory_exists("/Volumes"))
{
return PlatformType.Mac;
}
else
return PlatformType.Linux;
default:
return PlatformType.Windows;
}
}Phapang ea opereishene & ho tsoa ho motho ea sebetsang && ke hore haeba lehlakore le letšehali la polelo ke bohata, joale lehlakore le letona le ntse le tla baloa, leo tabeng ena le bolelang mehala e sa hlokahaleng ea mokhoa tsamaiso.directory_e teng.
Sekhechana se nkiloeng, sena ke phoso e nyane. Ee, boemo bona bo ka ntlafatsoa ka ho nkela && opareitara sebaka, empa ho latela pono e sebetsang, sena ha se ame letho. Leha ho le joalo, maemong a mang, pherekano pakeng tsa & le && e ka baka mathata a tebileng ha lehlakore le letona la polelo le tšoaroa ka litekanyetso tse fosahetseng / tse sa nepahaleng. Mohlala, pokellong ea rona ea liphoso, , ho na le nyeoe ena:
if ((k < nct) & (s[k] != 0.0))Leha e le index k e fosahetse, e tla sebelisoa ho fihlella karolo ea sehlopha. Ka lebaka leo, ho tla ba le mokhelo IndexOutOfRangeException.
Litemoso N3, N4
Tlhokomeliso ea Analyzer: [CWE-571] Expression 'shortPrompt' e lula e le 'nete. InteractivePrompt.cs 101
Tlhokomeliso ea Analyzer: [CWE-571] Expression 'shortPrompt' e lula e le 'nete. InteractivePrompt.cs 105
public static string
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
....
if (shortPrompt)
{
var choicePrompt = choice.is_equal_to(defaultChoice) //1
?
shortPrompt //2
?
"[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
choice.Substring(1,choice.Length - 1))
:
"[{0}]".format_with(choice.ToUpperInvariant()) //0
:
shortPrompt //4
?
"[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
choice.Substring(1,choice.Length - 1))
:
choice; //0
....
}
....
}Tabeng ena, ho na le mohopolo o makatsang ka mor'a ts'ebetso ea ternary operator. Ha re hlahlobeng ka hloko: haeba boemo boo ke bo tšoaileng ka nomoro ea 1 bo fihletsoe, joale re tla fetela ho boemo ba 2, boo kamehla. 'nete, e bolelang hore ho tla etsoa mola oa 3. Haeba boemo ba 1 bo bonahala bo le leshano, joale re tla ea moleng o tšoailoeng ka nomoro ea 4, boemo boo le bona bo leng teng kamehla. 'nete, e bolelang hore ho tla etsoa mola oa 5. Ka hona, maemo a tšoailoeng ka tlhaloso 0 a ke ke a phethahala, e ka 'nang ea se ke ea e-ba mokhoa o nepahetseng oa ts'ebetso oo moqapi oa lenaneo a neng a o lebeletse.
Tlhokomeliso N5
Tlhokomeliso ea Analyzer: [CWE-783] Mohlomong '?:' o sebetsa ka tsela e fapaneng ho feta kamoo e neng e lebelletsoe. Bohlokoa ba eona bo tlase ho feta bo etelletsoeng pele ke basebelisi ba bang maemong a eona. Options.cs 1019
private static string GetArgumentName (...., string description)
{
string[] nameStart;
if (maxIndex == 1)
{
nameStart = new string[]{"{0:", "{"};
}
else
{
nameStart = new string[]{"{" + index + ":"};
}
for (int i = 0; i < nameStart.Length; ++i)
{
int start, j = 0;
do
{
start = description.IndexOf (nameStart [i], j);
}
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
....
return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
}
}Tlhahlobo e sebetsa molemong oa:
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)Ho tloha ho feto-fetoha j mela e 'maloa e ka holimo e qalisoa ho ea ho zero, ternary operator e tla khutlisetsa boleng bohata. Ka lebaka la boemo bona, 'mele oa loop o tla bolaoa hang feela. Ho 'na ho bonahala eka karolo ena ea khoutu ha e sebetse ho hang joalo ka ha moqapi oa lenaneo a rerile.
Tlhokomeliso N6
Tlhokomeliso ea Analyzer: [CWE-571] Expression 'installedPackageVersions.Count != 1' ke 'nete kamehla. NugetService.cs 1405
private void remove_nuget_cache_for_package(....)
{
if (!config.AllVersions && installedPackageVersions.Count > 1)
{
const string allVersionsChoice = "All versions";
if (installedPackageVersions.Count != 1)
{
choices.Add(allVersionsChoice);
}
....
}
....
}Ho na le boemo bo makatsang ba sehlaha mona: installPackageVersions.Count != 1e tla dula e le teng 'nete. Hangata temoso e joalo e bontša phoso e utloahalang khoutu, 'me maemong a mang e bontša feela ho hlahloba ho sa hlokahaleng.
Tlhokomeliso N7
Tlhokomeliso ea Analyzer: Ho na le mantsoe-tlase a tšoanang 'commandArguments.contains("-apikey")' ka ho le letšehali le ka ho le letona la '||' mosebeletsi. ArgumentsUtility.cs 42
public static bool arguments_contain_sensitive_information(string
commandArguments)
{
return commandArguments.contains("-install-arguments-sensitive")
|| commandArguments.contains("-package-parameters-sensitive")
|| commandArguments.contains("apikey ")
|| commandArguments.contains("config ")
|| commandArguments.contains("push ")
|| commandArguments.contains("-p ")
|| commandArguments.contains("-p=")
|| commandArguments.contains("-password")
|| commandArguments.contains("-cp ")
|| commandArguments.contains("-cp=")
|| commandArguments.contains("-certpassword")
|| commandArguments.contains("-k ")
|| commandArguments.contains("-k=")
|| commandArguments.contains("-key ")
|| commandArguments.contains("-key=")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key");
}Sebapali se ngotseng karolo ena ea khoutu o kopitsitse le ho beha mela e 'meli ea ho qetela mme a lebala ho e hlophisa. Ka lebaka lena, basebelisi ba Chocolatey ha ba khone ho sebelisa paramente apikey litsela tse ling tse peli. Joalo ka li-parameter tse kaholimo, nka fana ka likhetho tse latelang:
commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");Liphoso tsa Copy-paste li na le monyetla o moholo oa ho hlaha kapele kapa hamorao morerong ofe kapa ofe o nang le palo e kholo ea khoutu ea mohloli, 'me e' ngoe ea lisebelisoa tse ntle ka ho fetisisa tsa ho li loantša ke tlhahlobo e tsitsitseng.
PS 'Me joalo ka kamehla, phoso ena e atisa ho hlaha qetellong ea boemo ba mela e mengata :). Sheba khatiso "".
Tlhokomeliso N8
Tlhokomeliso ea Analyzer: [CWE-476] Ntho ea 'installedPackage' e sebelisitsoe pele e netefatsoa khahlanong le lefeela. Hlahloba mela: 910, 917. NugetService.cs 910
public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
....
var pinnedPackageResult = outdatedPackages.GetOrAdd(
packageName,
new PackageResult(installedPackage,
_fileSystem.combine_paths(
ApplicationParameters.PackagesLocation,
installedPackage.Id)));
....
if ( installedPackage != null
&& !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion)
&& !config.UpgradeCommand.ExcludePrerelease)
{
....
}
....
}Phoso ea khale: ntho pele kenyaPackage e sebelisoa ebe e hlahlojoa null. Tlhahlobo ena e re bolella ka e 'ngoe ea mathata a mabeli lenaneong: ebang ke kenyaPackage ha ho mohla e lekanang null, e leng lipelaelo, 'me joale cheke ha e na thuso, kapa re ka' na ra fumana phoso e tebileng ho khoutu - boiteko ba ho fumana boitsebiso bo se nang thuso.
fihlela qeto e
Kahoo re nkile mohato o mong o monyane - joale ho sebelisa PVS-Studio ho se ho le bonolo le ho feta. Ke kopa hape ho bolela hore Chocolatey ke mookameli oa sephutheloana ea nang le liphoso tse fokolang ka khoutu, tse ka fokolang le ho feta ha u sebelisa PVS-Studio.
Rea u mema 'me u leke PVS-Studio. Tšebeliso ea kamehla ea static analyzer e tla ntlafatsa boleng le ts'epahalo ea khoutu eo sehlopha sa hau se e hlahisang le ho thusa ho thibela tse ngata. .
PES
Pele se phatlalatsoa, re ile ra romela sengoloa ho bahlahisi ba Chocolatey, 'me ba se amohetse hantle. Ha rea ka ra fumana letho la bohlokoa, empa bona, mohlala, ba ratile phoso eo re e fumaneng e amanang le senotlolo sa "api-key".
Haeba u batla ho arolelana sehlooho sena le bamameli ba buang Senyesemane, ka kopo sebelisa sehokelo sa phetolelo: Vladislav Stolyarov. .
Source: www.habr.com