Siyaqhubeka nokwenza ukusebenzisa iPVS-Studio kube lula ngakumbi. Umhlalutyi wethu ngoku uyafumaneka kwiChocolatey, umphathi wepakethe yeWindows. Sikholelwa ukuba oku kuya kuququzelela ukuthunyelwa kwe-PVS-Studio, ngokukodwa, kwiinkonzo zefu. Ukuze singahambi kude, makhe sijonge ikhowudi yomthombo weChocolatey efanayo. I-Azure DevOps iya kusebenza njengenkqubo yeCI.
Nalu uluhlu lwamanye amanqaku ethu ngesihloko sokudityaniswa neenkqubo zamafu:
Ndikucebisa ukuba ubeke ingqalelo kwinqaku lokuqala malunga nokudityaniswa kunye ne-Azure DevOps, kuba kule meko amanye amanqaku ashiywe ukuze angaphindwa.
Ke, amaqhawe eli nqaku:
sisixhobo sokuhlalutya ikhowudi emileyo eyenzelwe ukuchonga iimpazamo kunye nobuthathaka obunokubakho kwiinkqubo ezibhalwe kwiC, C ++, C # kunye neJava. Isebenza kwiinkqubo ze-64-bit Windows, Linux, kunye ne-macOS, kwaye inokuhlalutya ikhowudi eyenzelwe i-32-bit, i-64-bit, kunye namaqonga e-ARM afakwe ngaphakathi. Ukuba eli lixesha lakho lokuqala uzama uhlalutyo lwekhowudi engatshintshiyo ukujonga iiprojekthi zakho, sicebisa ukuba uziqhelanise nazo malunga nendlela yokujonga ngokukhawuleza ezona zilumkiso ze-PVS-Studio kunye nokuvavanya ubuchule besi sixhobo.
- isethi yeenkonzo zefu ezihlanganisa ngokubambisana yonke inkqubo yophuhliso. Eli qonga libandakanya izixhobo ezifana neMibhobho ye-Azure, iiBhodi ze-Azure, i-Azure Artifacts, i-Azure Repos, i-Azure Test Plans, ekuvumela ukuba ukhawuleze inkqubo yokudala isofthiwe kunye nokuphucula umgangatho wayo.
ngumphathi wempahla evulelekileyo yeWindows. Injongo yale projekthi kukwenza ngokuzenzekelayo umjikelo wobomi besoftware ukusuka kufakelo ukuya kuhlaziyo kunye nokukhutshwa kwiinkqubo ezisebenzayo zeWindows.
Malunga nokusebenzisa iChocolatey
Ungabona indlela yokufaka umphathi wepakethe ngokwayo kule . Amaxwebhu apheleleyo okufaka i-analyzer ayafumaneka Jonga uFakelo usebenzisa icandelo lomphathi wepakethe yeChocolatey. Ndiza kuphinda ngokufutshane ezinye iingongoma ukusuka apho.
Umyalelo wokufaka inguqulelo yamva nje yomhlalutyi:
choco install pvs-studioUmyalelo wokufaka uhlobo oluthile lwephakheji ye-PVS-Studio:
choco install pvs-studio --version=7.05.35617.2075Ngokungagqibekanga, kuphela ingundoqo ye-analyzer, i-Core component, ifakwe. Zonke ezinye iiflegi (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) zinokugqithiswa kusetyenziswa --package-parameters.
Umzekelo womyalelo oza kufaka i-analyzer kunye neplagin ye-Visual Studio 2019:
choco install pvs-studio --package-parameters="'/MSVS2019'"Ngoku makhe sijonge kumzekelo wokusetyenziswa ngokulula kwe-analyzer phantsi kwe-Azure DevOps.
Yenza ngokwezifiso
Makhe ndikukhumbuze ukuba kukho icandelo elahlukileyo malunga nemiba efana nokubhalisa i-akhawunti, ukudala iPipeline yoKwakha kunye nokulungelelanisa i-akhawunti yakho kunye neprojekthi ebekwe kwindawo yokugcina i-GitHub. . Ukuseta kwethu kuya kuqalisa ngokukhawuleza ngokubhala ifayile yoqwalaselo.
Okokuqala, makhe sisete i-trigger yokuqalisa, ebonisa ukuba siqalisa kuphela utshintsho kwi inkosi isebe:
trigger:
- masterOkulandelayo kufuneka sikhethe umatshini wenyani. Okwangoku iya kuba yiarhente ebanjwe nguMicrosoft eneWindows Server 2019 kunye neVisual Studio 2019:
pool:
vmImage: 'windows-latest'Masiqhubele phambili kumzimba wefayile yoqwalaselo (bhloka amanyathelo). Ngaphandle kwenyani yokuba awukwazi ukufaka isoftware engafanelekanga kumatshini obonakalayo, andikhange ndongeze isitya seDocker. Singongeza iChocolatey njengolwandiso lweAzure DevOps. Ukwenza oku, masiye ku . Cofa Yifumana simahla. Okulandelayo, ukuba sele ugunyazisiwe, khetha ngokulula iakhawunti yakho, kwaye ukuba akunjalo, yenza into efanayo emva kogunyaziso.
Apha kufuneka ukhethe apho siyakongeza khona ulwandiso kwaye ucofe iqhosha Faka.
Emva kokufaka ngempumelelo, cofa Qhubekela kwintlangano:
Ngoku unokubona itemplate yomsebenzi weChocolatey kwifestile imisebenzi xa uhlela ifayile yoqwalaselo azure-pipelines.yml:
Cofa kwiChocolatey kwaye ubone uluhlu lwamasimi:
Apha kufuneka sikhethe fakela ebaleni namaqela. IN Nuspec Igama Lefayile bonisa igama lempahla efunekayo – pvs-studio. Ukuba awuyikhankanyi inguqulelo, eyamva nje iya kufakwa, evumelana nathi ngokupheleleyo. Masicofe iqhosha ukongeza kwaye siya kubona umsebenzi owenziweyo kwifayile yoqwalaselo.
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'Okulandelayo, masiqhubele phambili kwinxalenye ephambili yefayile yethu:
- task: CmdLine@2
inputs:
script: Ngoku kufuneka senze ifayile kunye nelayisensi yokuhlaziya. Apha PVSNAME и PVSKEY -Amagama ezinto eziguquguqukayo esizichazayo kwiisethingi. Baza kugcina i-PVS-Studio yokungena kunye nesitshixo selayisensi. Ukuseta amaxabiso abo, vula imenyu Uguquguquko-> Utshintsho olutsha. Masenze iinguqu PVSNAME yokungena kunye PVSKEY kwiqhosha le analyzer. Ungalibali ukujonga ibhokisi Gcina eli xabiso liyimfihlo kuba PVSKEY. Ikhowudi yomyalelo:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe" credentials
–u $(PVSNAME) –n $(PVSKEY)Masiyakhe iprojekthi sisebenzisa ifayile ye-bat ebekwe kwindawo yokugcina:
сall build.batMasenze ifolda apho iifayile ezineziphumo zomhlalutyi ziya kugcinwa khona:
сall mkdir PVSTestResultsMasiqale ukuhlalutya iprojekthi:
сall "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog Siguqulela ingxelo yethu kwifomati ye-html sisebenzisa into eluncedo yePlogСonverter:
сall "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o PVSTestResults .PVSTestResultsChoco.plogNgoku kufuneka udale umsebenzi ukuze ukwazi ukulayisha ingxelo.
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Ifayile yoqwalaselo epheleleyo ibonakala ngolu hlobo:
trigger:
- master
pool:
vmImage: 'windows-latest'
steps:
- task: ChocolateyCommand@0
inputs:
command: 'install'
installPackageId: 'pvs-studio'
- task: CmdLine@2
inputs:
script: |
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
credentials –u $(PVSNAME) –n $(PVSKEY)
call build.bat
call mkdir PVSTestResults
call "C:Program Files (x86)PVS-StudioPVS-Studio_Cmd.exe"
–t .srcchocolatey.sln –o .PVSTestResultsChoco.plog
call "C:Program Files (x86)PVS-StudioPlogConverter.exe"
–t html –o .PVSTestResults .PVSTestResultsChoco.plog
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: PVSTestResults
artifactName: PVSTestResults
condition: always()Masicofe Gcina-> Gcina-> Qhuba ukuqhuba umsebenzi. Masikhuphele ingxelo ngokuya kwithebhu yemisebenzi.
Iprojekthi yeChocolatey iqulethe kuphela imigca ye-37615 yekhowudi ye-C #. Makhe sijonge ezinye zeempazamo ezifunyenweyo.
Iziphumo zovavanyo
Isilumkiso N1
Isilumkiso somhlalutyi: Uguqulo 'loMboneleli' lunikezelwe ngokwalo. CrytpoHashProviderSpecs.cs 38
public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
....
protected CryptoHashProvider Provider;
....
public override void Context()
{
Provider = Provider = new CryptoHashProvider(FileSystem.Object);
}
}Umhlalutyi uchonge isabelo sokuguquguquka ngokwaso, esingenzi ngqiqo. Ngokunokwenzeka, endaweni yenye yezi ziguquko kufuneka kubekho enye. Ewe, okanye oku kukuchwetheza, kwaye isabelo esongezelelweyo sinokususwa ngokulula.
Isilumkiso N2
Isilumkiso somhlalutyi: [CWE-480] Umsebenzisi '&' uvavanya zombini ii-operands. Mhlawumbi umsebenzisi wendlela emfutshane '&&' kufuneka asetyenziswe endaweni yoko. Iqonga.cs 64
public static PlatformType get_platform()
{
switch (Environment.OSVersion.Platform)
{
case PlatformID.MacOSX:
{
....
}
case PlatformID.Unix:
if(file_system.directory_exists("/Applications")
& file_system.directory_exists("/System")
& file_system.directory_exists("/Users")
& file_system.directory_exists("/Volumes"))
{
return PlatformType.Mac;
}
else
return PlatformType.Linux;
default:
return PlatformType.Windows;
}
}Umahluko womqhubi & kumsebenzisi && kukuba ukuba icala lasekhohlo lentetho li amanga, ngoko icala lasekunene liya kubalwa, nto leyo kulo mzekelo ithetha iminxeba ngendlela engadingekile inkqubo.uluhlu_lukhona.
Kwiqhekeza eliqwalaselweyo, esi sisiphako esincinci. Ewe, le meko inokwenziwa ngokwenziwa endaweni ye && umsebenzisi, kodwa ngokwembono esebenzayo, oku akuchaphazeli nantoni na. Nangona kunjalo, kwezinye iimeko, ukubhideka phakathi & kunye && kunokubangela iingxaki ezinzulu xa icala lasekunene lentetho liphathwa ngamaxabiso angachanekanga/angasebenziyo. Umzekelo, kwingqokelela yethu yeempazamo, , kukho le meko:
if ((k < nct) & (s[k] != 0.0))Nokuba isalathisi k ayichanekanga, izakusetyenziswa ukufikelela kwindawo yoluhlu. Ngenxa yoko, okuchaseneyo kuya kuphoswa I-IndexOutOfRangeException.
Izilumkiso N3, N4
Isilumkiso somhlalutyi: [CWE-571] Inkcazo ethi 'shortPrompt' isoloko iyinyani. InteractivePrompt.cs 101
Isilumkiso somhlalutyi: [CWE-571] Inkcazo ethi 'shortPrompt' isoloko iyinyani. InteractivePrompt.cs 105
public static string
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
....
if (shortPrompt)
{
var choicePrompt = choice.is_equal_to(defaultChoice) //1
?
shortPrompt //2
?
"[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(), //3
choice.Substring(1,choice.Length - 1))
:
"[{0}]".format_with(choice.ToUpperInvariant()) //0
:
shortPrompt //4
?
"[{0}]{1}".format_with(choice.Substring(0,1).ToUpperInvariant(), //5
choice.Substring(1,choice.Length - 1))
:
choice; //0
....
}
....
}Kule meko, kukho ingqiqo engaqhelekanga emva kokusebenza komsebenzi we-ternary. Masikhe sijonge ngakumbi: ukuba imeko endiyiphawule ngenombolo 1 ifezekisiwe, siya kudlulela kwimeko yesi-2, ehlala ihleli. oyinyaniso, oku kuthetha ukuba umgca 3 uya kuphunyezwa. Ukuba imeko 1 ijika ibe bubuxoki, ngoko siya kumgca ophawulwe ngenombolo yesi-4, imeko ekwahlala kuyo. oyinyaniso, oku kuthetha ukuba kuya kuphunyezwa umgca 5. Ngaloo ndlela, imiqathango ephawulwe nge-comment 0 ayinakuze izaliseke, enokuthi ingabi yingcinga yokusebenza elindelwe ngumdwelisi.
Isilumkiso N5
Isilumkiso somhlalutyi: [CWE-783] Mhlawumbi umsebenzisi '?:' usebenza ngendlela eyahlukileyo kunokuba ibilindelwe. Ukubaluleka kwayo kuphantsi kunokubaluleka kwabanye abaqhubi kwimeko yayo. Iinketho.cs 1019
private static string GetArgumentName (...., string description)
{
string[] nameStart;
if (maxIndex == 1)
{
nameStart = new string[]{"{0:", "{"};
}
else
{
nameStart = new string[]{"{" + index + ":"};
}
for (int i = 0; i < nameStart.Length; ++i)
{
int start, j = 0;
do
{
start = description.IndexOf (nameStart [i], j);
}
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
....
return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
}
}Uxilongo lusebenzele umgca:
while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)Ukusukela ukuguquguquka j imigca embalwa apha ngasentla iqaliswe ku-zero, umqhubi we-ternary uyakubuyisela ixabiso amanga. Ngenxa yale meko, umzimba welophu uya kubulawa kube kanye kuphela. Kum kubonakala ngathi le khowudi ayisebenzi konke konke njengoko umdwelisi wenkqubo enenjongo.
Isilumkiso N6
Isilumkiso somhlalutyi: [CWE-571] Inkcazo ethi 'installedPackageVersions.Count != 1' isoloko iyinyani. NugetService.cs 1405
private void remove_nuget_cache_for_package(....)
{
if (!config.AllVersions && installedPackageVersions.Count > 1)
{
const string allVersionsChoice = "All versions";
if (installedPackageVersions.Count != 1)
{
choices.Add(allVersionsChoice);
}
....
}
....
}Kukho imeko engaqhelekanga yendlu apha: installageVersions.Count != 1eya kuhlala ikhona oyinyaniso. Ngokuqhelekileyo isilumkiso esinjalo sibonisa impazamo esengqiqweni kwikhowudi, kwaye kwezinye iimeko sibonisa nje ukujonga okungafunekiyo.
Isilumkiso N7
Isilumkiso somhlalutyi: Kukho amagama asezantsi afanayo 'commandArguments.contains("-apikey")' ekhohlo nasekunene kwe '||' umqhubi. IingxoxoUtility.cs 42
public static bool arguments_contain_sensitive_information(string
commandArguments)
{
return commandArguments.contains("-install-arguments-sensitive")
|| commandArguments.contains("-package-parameters-sensitive")
|| commandArguments.contains("apikey ")
|| commandArguments.contains("config ")
|| commandArguments.contains("push ")
|| commandArguments.contains("-p ")
|| commandArguments.contains("-p=")
|| commandArguments.contains("-password")
|| commandArguments.contains("-cp ")
|| commandArguments.contains("-cp=")
|| commandArguments.contains("-certpassword")
|| commandArguments.contains("-k ")
|| commandArguments.contains("-k=")
|| commandArguments.contains("-key ")
|| commandArguments.contains("-key=")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key")
|| commandArguments.contains("-apikey")
|| commandArguments.contains("-api-key");
}Umdwelisi wenkqubo obhale eli candelo lekhowudi ukope kwaye wancamathisela imigca emibini yokugqibela kwaye walibala ukuyihlela. Ngenxa yoku, abasebenzisi beChocolatey abakwazanga ukusebenzisa iparamitha apikey ezinye iindlela ezimbalwa. Ngokufana neeparamitha ezingentla, ndinokubonelela ngolu khetho lulandelayo:
commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");Iimpazamo ze-Copy-paste zinethuba eliphezulu lokuvela ngokukhawuleza okanye kamva kuyo nayiphi na iprojekthi kunye nenani elikhulu lekhowudi yomthombo, kwaye esinye sezona zixhobo zokulwa nazo luhlalutyo lwe-static.
PS Kwaye njengesiqhelo, le mpazamo idla ngokubonakala ekupheleni kwemeko yemigca emininzi :). Bona upapasho "".
Isilumkiso N8
Isilumkiso somhlalutyi: [CWE-476] Into 'efakwe kwiPackage' yasetyenziswa phambi kokuba ingqinwe ngokuchasene ne-null. Khangela imigca: 910, 917. NugetService.cs 910
public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
....
var pinnedPackageResult = outdatedPackages.GetOrAdd(
packageName,
new PackageResult(installedPackage,
_fileSystem.combine_paths(
ApplicationParameters.PackagesLocation,
installedPackage.Id)));
....
if ( installedPackage != null
&& !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion)
&& !config.UpgradeCommand.ExcludePrerelease)
{
....
}
....
}Impazamo yakudala: into kuqala iPackage efakiweyo iyasetyenziswa kwaye emva koko ikhangelwe null. Olu xilongo lusixelela ngenye yeengxaki ezimbini kwinkqubo: nokuba iPackage efakiweyo soze ilingane null, ethandabuzekayo, kwaye ke itshekhi ayifuni, okanye sinokufumana impazamo enkulu kwikhowudi - umzamo wokufikelela kwireferensi engenanto.
isiphelo
Ke sithathe elinye inyathelo elincinci - ngoku ukusebenzisa i-PVS-Studio kuye kwaba lula kwaye kulula ngakumbi. Ndingathanda kwakhona ukuthi i-Chocolatey ngumphathi wephakheji olungileyo kunye nenani elincinci leempazamo kwikhowudi, enokuba mbalwa ngakumbi xa usebenzisa i-PVS-Studio.
Siyakumema kwaye uzame iPVS-Studio. Ukusetyenziswa rhoqo kwe-static analyzer kuya kuphucula umgangatho kunye nokuthembeka kwekhowudi ephuhliswa liqela lakho kwaye uncede ukuthintela uninzi. .
PS
Ngaphambi kokupapashwa, sathumela inqaku kubaphuhlisi beChocolatey, kwaye balifumene kakuhle. Asifumananga nto ibalulekileyo, kodwa bona, umzekelo, bathande ibug esiyifumeneyo enxulumene neqhosha elithi "api-key".
Ukuba ufuna ukwabelana ngeli nqaku kunye nabaphulaphuli abathetha isiNgesi, nceda usebenzise ikhonkco lokuguqulela: Vladislav Stolyarov. .
umthombo: www.habr.com