PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps

We keep making PVS-Studio easier to use. Our analyzer is now available in Chocolatey, the Windows package manager. We believe this will simplify deploying PVS-Studio, especially in cloud services. So as not to look far for a test subject, let's check the source code of Chocolatey itself. Azure DevOps will serve as the CI system.

Here is a list of our other articles on integration with cloud systems:

I recommend looking at the first article on integration with Azure DevOps, because some points are left out here to avoid repetition.

So, the heroes of this article:

PVS-Studio is a static code analysis tool designed to detect errors and potential vulnerabilities in programs written in C, C++, C# and Java. It runs on 64-bit Windows, Linux and macOS, and can analyze code built for 32-bit, 64-bit and embedded ARM platforms. If this is your first time trying static analysis on your projects, we recommend reading the article on how to quickly review the most interesting PVS-Studio warnings and explore the tool's capabilities.

Azure DevOps is a set of cloud services that together cover the entire development process. The platform includes tools such as Azure Pipelines, Azure Boards, Azure Artifacts, Azure Repos and Azure Test Plans, which let you speed up software creation and improve its quality.

Chocolatey is an open-source package manager for Windows. The goal of the project is to automate the whole software lifecycle, from installation to updating and removal, on Windows operating systems.

About using Chocolatey

How to install the package manager itself is described at this link. Full documentation on installing the analyzer is available at this link, see the section "Installation using the Chocolatey package manager". I will briefly repeat some points from there.

Command to install the latest version of the analyzer:

choco install pvs-studio

Command to install a specific version of the PVS-Studio package:

choco install pvs-studio --version=7.05.35617.2075

By default only the analyzer core, the Core component, is installed. All other components (Standalone, JavaCore, IDEA, MSVS2010, MSVS2012, MSVS2013, MSVS2015, MSVS2017, MSVS2019) can be requested with --package-parameters.

Example of a command that installs the analyzer together with the Visual Studio 2019 plugin:

choco install pvs-studio --package-parameters="'/MSVS2019'"

Now let's look at the simplest example of using the analyzer under Azure DevOps.

Setup

Let me remind you that matters such as registering an account, creating a Build Pipeline and linking your account to a project hosted in a GitHub repository are covered in a separate section of the first article. Our setup will start right away with writing the configuration file.

First, let's set up the trigger, stating that we only run on changes to the master branch:

trigger:
- master

Next we need to pick a virtual machine. For now it will be a Microsoft-hosted agent with Windows Server 2019 and Visual Studio 2019:

pool:
  vmImage: 'windows-latest'

Let's move on to the body of the configuration file (the steps block). Even though arbitrary software cannot be installed on the hosted virtual machine, I did not add a Docker container: Chocolatey can be added as an Azure DevOps extension. To do this, go to the link and click Get it free. Next, if you are already signed in, simply select your account; otherwise do the same after signing in.


Here you need to choose where the extension will be added and click the Install button.


After a successful installation, click Proceed to organization:


Now the Chocolatey task template appears in the tasks pane when you edit the azure-pipelines.yml configuration file:


Click on Chocolatey and a list of fields appears:


Here we need to select Install in the Command field. In the Nuspec File Name field, specify the required package name: pvs-studio. If no version is specified, the latest one is installed, which suits us perfectly. Click the Add button and the generated task appears in the configuration file.

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

Next, let's move on to the main part of our file:

- task: CmdLine@2
  inputs:
    script: |

Now we need to create the license file for the analyzer. Here PVSNAME and PVSKEY are the names of variables whose values we set in the pipeline settings; they hold the PVS-Studio user name and license key. To set their values, open the Variables -> New variable menu and create the PVSNAME variable for the user name and PVSKEY for the analyzer key. Do not forget to tick the "Keep this value secret" box for PVSKEY, so that the key is masked in the build logs. The command:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)

Let's build the project using the bat file located in the repository:

call build.bat

Let's create a folder where the files with the analysis results will be stored:

call mkdir PVSTestResults

Let's start the analysis of the project:

call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog

Let's convert our report to html format using the PlogConverter utility:

call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

Now we need a task that uploads the report as a build artifact. The condition always() is a property of the task itself, not one of its inputs, and it makes the report available even when the build or the analysis step fails:

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

The complete configuration file looks like this (each command in the script block must stay on a single line, because cmd treats every line as a separate command):

trigger:
- master

pool:
  vmImage: 'windows-latest'

steps:
- task: ChocolateyCommand@0
  inputs:
    command: 'install'
    installPackageId: 'pvs-studio'

- task: CmdLine@2
  inputs:
    script: |
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" credentials -u $(PVSNAME) -n $(PVSKEY)
      call build.bat
      call mkdir PVSTestResults
      call "C:\Program Files (x86)\PVS-Studio\PVS-Studio_Cmd.exe" -t .\src\chocolatey.sln -o .\PVSTestResults\Choco.plog
      call "C:\Program Files (x86)\PVS-Studio\PlogConverter.exe" -t html -o .\PVSTestResults .\PVSTestResults\Choco.plog

- task: PublishBuildArtifacts@1
  inputs:
    pathToPublish: PVSTestResults
    artifactName: PVSTestResults
  condition: always()

Click Save -> Save -> Run to start the job. Then download the report from the jobs tab.


The Chocolatey project contains only 37615 lines of C# code. Let's look at some of the errors found.

Analysis results

Warning N1

Analyzer warning: V3005 The 'Provider' variable is assigned to itself. CrytpoHashProviderSpecs.cs 38

public abstract class CrytpoHashProviderSpecsBase : TinySpec
{
  ....
  protected CryptoHashProvider Provider;
  ....
  public override void Context()
  {
    Provider = Provider = new CryptoHashProvider(FileSystem.Object);
  }
}

The analyzer found a variable being assigned to itself, which makes no sense. Most likely one of the two occurrences should have been a different variable. Or it is simply a typo, and the extra assignment can just be removed.

Warning N2

Analyzer warning: V3093 [CWE-480] The '&' operator evaluates both operands. Perhaps a short-circuit '&&' operator should be used instead. Platform.cs 64

public static PlatformType get_platform()
{
  switch (Environment.OSVersion.Platform)
  {
    case PlatformID.MacOSX:
    {
      ....
    }
    case PlatformID.Unix:
      if (file_system.directory_exists("/Applications")
          & file_system.directory_exists("/System")
          & file_system.directory_exists("/Users")
          & file_system.directory_exists("/Volumes"))
      {
        return PlatformType.Mac;
      }
      else
        return PlatformType.Linux;
    default:
      return PlatformType.Windows;
  }
}

The difference between the & operator and the && operator is that when the left side of the expression is false, the right side is still evaluated, which in this case means unnecessary calls to the file_system.directory_exists method.

In the fragment under consideration this is a minor flaw. Yes, the condition could be optimized by switching to the && operator, but in practical terms this changes nothing. In other cases, however, confusing & with && can cause serious problems when the right side of the expression is evaluated with incorrect or invalid values. For example, our collection of errors found with the V3093 diagnostic contains this case:

if ((k < nct) & (s[k] != 0.0))

Even when the index k is out of range, it is still used to access an array element. As a result, an IndexOutOfRangeException is thrown.
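The following added example (my own code, not Chocolatey's or PVS-Studio's) reproduces both V3093 situations above in runnable C#: the Platform.cs shape, where & only causes extra calls, and the array case, where & defeats the bounds check on its left. The Probe helper stands in for file_system.directory_exists, and the array, bound nct and index k are constructed inputs chosen so that k is a valid loop index but an invalid array index.

```csharp
using System;

// Added example, not Chocolatey's code. It reproduces the two V3093 situations
// discussed above: the harmless one from Platform.cs, where '&' merely makes
// extra calls, and the dangerous one, where '&' defeats a bounds check.
public static class EagerAndOperator
{
    // Stands in for file_system.directory_exists(...): counts how many times
    // the probe actually ran.
    public static int ProbeCalls;

    private static bool Probe(bool answer)
    {
        ProbeCalls++;
        return answer;
    }

    // Platform.cs shape: all four probes run even when the first one is false.
    public static bool LooksLikeMacEager(bool apps, bool system, bool users, bool volumes) =>
        Probe(apps) & Probe(system) & Probe(users) & Probe(volumes);

    // Same predicate with '&&': evaluation stops at the first false operand.
    public static bool LooksLikeMacShortCircuit(bool apps, bool system, bool users, bool volumes) =>
        Probe(apps) && Probe(system) && Probe(users) && Probe(volumes);

    // '(k < nct) & (s[k] != 0.0)': the left operand was meant as a guard, but
    // with '&' the right operand is evaluated anyway, so s[k] is read even
    // when k lies outside the array.
    public static bool NonZeroAtEager(double[] s, int k, int nct) =>
        (k < nct) & (s[k] != 0.0);

    // With '&&' the guard works: s[k] is only touched when k < nct.
    public static bool NonZeroAtShortCircuit(double[] s, int k, int nct) =>
        (k < nct) && (s[k] != 0.0);

    public static void Main()
    {
        ProbeCalls = 0;
        LooksLikeMacEager(false, true, true, true);
        Console.WriteLine($"'&'  ran {ProbeCalls} probe(s) although the first was false");

        ProbeCalls = 0;
        LooksLikeMacShortCircuit(false, true, true, true);
        Console.WriteLine($"'&&' ran {ProbeCalls} probe(s)");

        // Constructed input: nct equals the array length, and k has just
        // walked past the end, as a loop index does on its final check.
        double[] s = { 1.0, 2.0 };
        int nct = s.Length;
        int k = nct;

        Console.WriteLine($"'&&' with k={k}: {NonZeroAtShortCircuit(s, k, nct)}");
        try
        {
            Console.WriteLine($"'&' with k={k}: {NonZeroAtEager(s, k, nct)}");
        }
        catch (IndexOutOfRangeException e)
        {
            Console.WriteLine($"'&' with k={k}: {e.GetType().Name}");
        }
    }
}
```

Running Main shows four probe calls for the & version against one for &&, and the & form of the array check throwing IndexOutOfRangeException where the && form simply returns false. In C# the & operator on two bool operands is a plain logical AND with no short-circuiting, so the left operand cannot protect the right one.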

Warnings N3, N4

Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 101
Analyzer warning: V3022 [CWE-571] Expression 'shortPrompt' is always true. InteractivePrompt.cs 105

public static string
prompt_for_confirmation(.... bool shortPrompt = false, ....)
{
  ....
  if (shortPrompt)
  {
    var choicePrompt = choice.is_equal_to(defaultChoice)                       //1
      ? shortPrompt                                                             //2
        ? "[[{0}]{1}]".format_with(choice.Substring(0, 1).ToUpperInvariant(),   //3
                                   choice.Substring(1, choice.Length - 1))
        : "[{0}]".format_with(choice.ToUpperInvariant())                        //0
      : shortPrompt                                                             //4
        ? "[{0}]{1}".format_with(choice.Substring(0, 1).ToUpperInvariant(),     //5
                                 choice.Substring(1, choice.Length - 1))
        : choice;                                                               //0
    ....
  }
  ....
}

There is strange logic behind these ternary operators. Look closely: the whole expression sits inside if (shortPrompt), so shortPrompt is true throughout. If the condition I marked 1 holds, we go to condition 2, which is always true, so line 3 is executed. If condition 1 is false, we go to the line marked 4, whose condition is also always true, so line 5 is executed. Consequently the branches marked 0 can never be reached, which is probably not quite what the developer had in mind.

Warning N5

Analyzer warning: V3123 [CWE-783] Perhaps the '?:' operator works in a different way than it was expected. Its priority is lower than the priority of other operators in its condition. Options.cs 1019

private static string GetArgumentName (...., string description)
{
  string[] nameStart;
  if (maxIndex == 1)
  {
    nameStart = new string[]{"{0:", "{"};
  }
  else
  {
    nameStart = new string[]{"{" + index + ":"};
  }
  for (int i = 0; i < nameStart.Length; ++i) 
  {
    int start, j = 0;
    do 
    {
      start = description.IndexOf (nameStart [i], j);
    } 
    while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false);
    ....
    return maxIndex == 1 ? "VALUE" : "VALUE" + (index + 1);
  }
}

The diagnostic triggered on this line:

while (start >= 0 && j != 0 ? description [j++ - 1] == '{' : false)

Because ?: has lower precedence than &&, the condition is parsed as (start >= 0 && j != 0) ? description[j++ - 1] == '{' : false. Since the variable j is initialized to zero a few lines above and is only modified inside the ternary branch that never runs, the ternary operator always returns false, and the loop body executes exactly once. It seems to me that this piece of code does not work quite as the developer intended.

Warning N6

Analyzer warning: V3022 [CWE-571] Expression 'installedPackageVersions.Count != 1' is always true. NugetService.cs 1405

private void remove_nuget_cache_for_package(....)
{
  if (!config.AllVersions && installedPackageVersions.Count > 1)
  {
    const string allVersionsChoice = "All versions";
    if (installedPackageVersions.Count != 1)
    {
      choices.Add(allVersionsChoice);
    }
    ....
  }
  ....
}

There is a strange nested check here: installedPackageVersions.Count != 1 is always true, because the enclosing condition already requires Count > 1. Often such a warning points to a logic error in the code; in other cases it just indicates a redundant check.

Warning N7

Analyzer warning: V3001 There are identical sub-expressions 'commandArguments.contains("-apikey")' to the left and to the right of the '||' operator. ArgumentsUtility.cs 42

public static bool arguments_contain_sensitive_information(string commandArguments)
{
  return commandArguments.contains("-install-arguments-sensitive")
      || commandArguments.contains("-package-parameters-sensitive")
      || commandArguments.contains("apikey ")
      || commandArguments.contains("config ")
      || commandArguments.contains("push ")
      || commandArguments.contains("-p ")
      || commandArguments.contains("-p=")
      || commandArguments.contains("-password")
      || commandArguments.contains("-cp ")
      || commandArguments.contains("-cp=")
      || commandArguments.contains("-certpassword")
      || commandArguments.contains("-k ")
      || commandArguments.contains("-k=")
      || commandArguments.contains("-key ")
      || commandArguments.contains("-key=")
      || commandArguments.contains("-apikey")
      || commandArguments.contains("-api-key")
      || commandArguments.contains("-apikey")
      || commandArguments.contains("-api-key");
}

The developer who wrote this section of code copied and pasted the last two lines and forgot to edit them. Note what this predicate guards: it decides whether a command line is considered to carry sensitive data, so any form of passing a secret that it misses may end up in a log. In this particular case the slip is benign, because contains("-apikey") already matches "-apikey=" as a substring, so the duplicated lines are dead rather than wrong. By analogy with the neighbouring parameters, the lines were most likely meant to be:

commandArguments.contains("-apikey=");
commandArguments.contains("-api-key=");
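The following added example (my own code, not Chocolatey's) keeps the same marker list as data instead of a chain of ||, which makes the V3001 duplicate detectable by a query and lets the list be tested against sample command lines. It also shows what the predicate protects: the line that would be written to a log. The command lines are constructed, not captured from a real session, and plain ordinal string.Contains is used here as an assumption about the project's contains() extension.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Chocolatey's code. It mirrors the predicate from
// ArgumentsUtility.cs and what it guards: whether a command line is logged
// verbatim or replaced by a placeholder. Keeping the markers in an array makes
// the V3001 duplicate visible as data and lets the list be tested.
public static class SensitiveArgumentLogging
{
    // The list exactly as it appears in the page's snippet, including the two
    // duplicated entries at the end.
    public static readonly string[] OriginalMarkers =
    {
        "-install-arguments-sensitive", "-package-parameters-sensitive",
        "apikey ", "config ", "push ",
        "-p ", "-p=", "-password",
        "-cp ", "-cp=", "-certpassword",
        "-k ", "-k=", "-key ", "-key=",
        "-apikey", "-api-key", "-apikey", "-api-key",
    };

    // The same list with the last two entries replaced by the forms suggested
    // above by analogy with "-key " / "-key=".
    public static readonly string[] FixedMarkers =
    {
        "-install-arguments-sensitive", "-package-parameters-sensitive",
        "apikey ", "config ", "push ",
        "-p ", "-p=", "-password",
        "-cp ", "-cp=", "-certpassword",
        "-k ", "-k=", "-key ", "-key=",
        "-apikey", "-api-key", "-apikey=", "-api-key=",
    };

    // Markers that occur more than once: the copy-paste defect as data.
    public static IEnumerable<string> DuplicateMarkers(IEnumerable<string> markers) =>
        markers.GroupBy(m => m).Where(g => g.Count() > 1).Select(g => g.Key);

    // Same decision as arguments_contain_sensitive_information: an ordinal
    // substring match over the marker list (assumption: the project's own
    // contains() extension may differ in case handling).
    public static bool ContainsSensitiveInformation(string commandArguments, IEnumerable<string> markers) =>
        markers.Any(m => commandArguments.Contains(m));

    // The line that would reach the log file.
    public static string LogLine(string commandArguments, IEnumerable<string> markers) =>
        ContainsSensitiveInformation(commandArguments, markers)
            ? "Command line: [REDACTED]"
            : "Command line: " + commandArguments;

    public static void Main()
    {
        Console.WriteLine("Duplicates in the original list: "
            + string.Join(", ", DuplicateMarkers(OriginalMarkers)));
        Console.WriteLine("Duplicates in the fixed list: "
            + string.Join(", ", DuplicateMarkers(FixedMarkers)));

        // Constructed command lines, not captured from a real session.
        string[] samples =
        {
            "install pvs-studio --version=7.05.35617.2075",
            "push mypackage.nupkg --api-key=0000-0000",
            "apikey -k=0000-0000 -s https://push.example/",
            "upgrade all --password=hunter2",
        };
        foreach (var sample in samples)
            Console.WriteLine(LogLine(sample, FixedMarkers));
    }
}
```

Main reports "-apikey" and "-api-key" as duplicates of the original list and none for the fixed one; of the four sample command lines only the first is logged verbatim, the other three carry a key or password and are replaced by the placeholder. Keeping such an allow-list as data rather than as twenty hand-written comparisons is the cheapest way to make copy-paste slips of this kind reviewable.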

Copy-paste errors have a high chance of appearing sooner or later in any project with a large amount of source code, and one of the best tools for fighting them is static analysis.

P.S. And as usual, this kind of error tends to show up at the end of a multi-line condition :). See the publication "The Last Line Effect".

Warning N8

Analyzer warning: V3095 [CWE-476] The 'installedPackage' object was used before it was verified against null. Check lines: 910, 917. NugetService.cs 910

public virtual ConcurrentDictionary<string, PackageResult> get_outdated(....)
{
  ....
  var pinnedPackageResult = outdatedPackages.GetOrAdd(
    packageName, 
    new PackageResult(installedPackage, 
                      _fileSystem.combine_paths(
                        ApplicationParameters.PackagesLocation, 
                        installedPackage.Id)));
  ....
  if (   installedPackage != null
      && !string.IsNullOrWhiteSpace(installedPackage.Version.SpecialVersion) 
      && !config.UpgradeCommand.ExcludePrerelease)
  {
    ....
  }
  ....
}

A classic error: the installedPackage object is first used and only then checked for null. The diagnostic tells us about one of two problems in the program: either installedPackage is never null, which is doubtful, and then the check is redundant, or there is a more serious error in the code, an attempt to dereference a null reference.

Conclusion

So we have taken another small step: using PVS-Studio has become even simpler and more convenient. I would also like to say that Chocolatey is a good package manager with a small number of errors in its code, and there could be even fewer with PVS-Studio in use.

We invite you to download and try PVS-Studio. Regular use of a static analyzer will improve the quality and reliability of the code your team develops and help prevent many zero-day vulnerabilities.

P.S.

Before publication we sent the article to the Chocolatey developers, and they received it well. We did not find anything critical, but they liked, for example, the error we found related to the "api-key" option.


If you want to share this article with an English-speaking audience, please use the translation link: Vladislav Stolyarov. PVS-Studio Now in Chocolatey: Checking Chocolatey under Azure DevOps.

Source: www.habr.com
