PVS-Studio 7.04


Summer is not only a holiday season but also a time of fruitful work. Sunny days are so inspiring that there is enough energy both for late walks and for large code commits. The second summer release, PVS-Studio 7.04, turned out to be quite large, so we have put together this announcement to walk through everything in it.


PVS-Studio is a tool designed to detect errors and potential vulnerabilities in the source code of programs written in C, C++, C#, and Java. It runs on Windows, Linux, and macOS.

An extensive collection of errors found in code during the checks of various open source projects clearly demonstrates the abilities of the analyser.


Here's an overview of new features coming with the PVS-Studio 7.04 release.


Search for Files with Copyleft Licenses

Developers pull code from many different places while working on a task. A popular source of copy-pasted code is Stack Overflow and similar sites, and sometimes a developer takes code from an open source project without checking its license requirements. A closed-source project can thus accidentally pick up a few files from a project under a copyleft license, whose terms require the source of the whole derived work to be made available under the same license when it is distributed. In a company with many employees this is hard to keep track of, yet it creates real legal risk. PVS-Studio therefore now has a diagnostic that helps find such files. It applies to all supported languages (C, C++, C#, Java).


Diagnostic numbers for the different languages:

  • C, C++: V1042
  • C#: V3144
  • Java: V6071

Let's take a closer look at these diagnostics and what they are for. Here is an example of a comment header that makes the analyser issue the warning:

/*  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

For Closed Projects

If you add a file under such a license (here, GPL-3.0) to a closed-source project, the terms of that license require you to open the rest of the code as well.

Licenses of this type are called "viral" because their terms extend to the rest of the project's files. The problem is that using even one file under such a license in a closed-source project means the entire source code has to be made open and distributed along with the binaries.

The diagnostic looks for the following copyleft licenses:

  • AGPL-3.0
  • GPL-2.0
  • GPL-3.0
  • LGPL-3.0

If you detect files with a copyleft license in a closed-source project, your options are:

  1. Refrain from using such code (library) in your project;
  2. Substitute the library with another one;
  3. Make the project open source.
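The check described above can be approximated with a short header scanner. The Python script below is an added example written for this page, not PVS-Studio's own implementation of V1042: it reads the leading comment of each file, picks the license family from its name, reads the version number that follows it, and reports only the four licenses listed above (so an LGPL-2.1 header is deliberately not flagged). The number of header lines inspected, the suffix list, and the sample files are assumptions; the sample sources are constructed for the example and are not real project files.

```python
"""Find source files whose leading comment carries a copyleft license notice.

Added example (not PVS-Studio code): a stand-in for the idea behind the
V1042 / V3144 / V6071 checks. Assumptions: the notice sits in the first
HEADER_LINES lines of the file, and the four tracked licenses can be told
apart by the license family name plus the version number that follows it.
"""
from __future__ import annotations

import re
from pathlib import Path

HEADER_LINES = 40          # assumption: license notices sit at the top of a file
SOURCE_SUFFIXES = {".c", ".h", ".cpp", ".hpp", ".cs", ".java"}  # assumption

# The four licenses the diagnostic reports on, keyed by (family, major version).
TRACKED = {("AGPL", "3"): "AGPL-3.0", ("GPL", "2"): "GPL-2.0",
           ("GPL", "3"): "GPL-3.0", ("LGPL", "3"): "LGPL-3.0"}

SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")
# Most specific family first: "GNU Lesser General Public License" and
# "GNU Affero General Public License" both contain the plain GPL name.
FAMILIES = [
    ("AGPL", re.compile(r"GNU\s+Affero\s+General\s+Public\s+License", re.I)),
    ("LGPL", re.compile(r"GNU\s+(?:Lesser|Library)\s+General\s+Public\s+License", re.I)),
    ("GPL", re.compile(r"GNU\s+General\s+Public\s+License", re.I)),
]
VERSION = re.compile(r"version\s+(\d+(?:\.\d+)?)", re.I)


def classify_header(text: str) -> str | None:
    """Return the tracked license id found in a file header, or None."""
    header = "\n".join(text.splitlines()[:HEADER_LINES])

    # An explicit SPDX tag is authoritative; drop the -only / -or-later suffix.
    tag = SPDX_TAG.search(header)
    if tag:
        base = re.sub(r"-(only|or-later)$", "", tag.group(1))
        return base if base in TRACKED.values() else None

    for family, pattern in FAMILIES:
        name = pattern.search(header)
        if not name:
            continue
        # Look for "version N" only after the license name, so a version
        # number elsewhere in the banner (e.g. a product version) is ignored.
        ver = VERSION.search(header, name.end())
        major = ver.group(1).split(".")[0] if ver else None
        # (LGPL, "2") is not tracked, so an LGPL-2.1 header yields None.
        return TRACKED.get((family, major))
    return None


def scan_sources(files: dict[str, str]) -> list[tuple[str, str]]:
    """Map of path -> contents to a list of (path, license) hits."""
    hits = []
    for path, text in files.items():
        lic = classify_header(text)
        if lic:
            hits.append((path, lic))
    return hits


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk a real source tree and report files with copyleft headers."""
    files = {str(p): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.suffix in SOURCE_SUFFIXES}
    return scan_sources(files)


# Constructed sample inputs for the example (not real project files).
SAMPLES = {
    "src/decoder.c": (
        "/* This program is free software: you can redistribute it and/or modify\n"
        " * it under the terms of the GNU General Public License as published by\n"
        " * the Free Software Foundation, either version 3 of the License, or\n"
        " * (at your option) any later version. */\n"
        "int decode(void) { return 0; }\n"),
    "src/util.c": (
        "/* Copyright 2019 Example Corp.\n"
        " * Permission is hereby granted, free of charge ... (MIT) */\n"
        "int util(void) { return 1; }\n"),
    "src/compat.c": (
        "/* This library is free software; you can redistribute it under the\n"
        " * terms of the GNU Lesser General Public License, version 2.1. */\n"),
    "src/net.cpp": "// SPDX-License-Identifier: GPL-2.0-or-later\nint n;\n",
}

if __name__ == "__main__":
    for path, lic in scan_sources(SAMPLES):
        print(f"{path}: copyleft license {lic} found in header")
```

Run against the samples it reports `src/decoder.c` as GPL-3.0 and `src/net.cpp` as GPL-2.0; `scan_tree("path/to/project")` does the same over a directory. A real license audit should rely on SPDX tags and a full license database rather than these few phrases, but the structure (leading comment, family, version) is the same.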

For Open Projects

We understand that this diagnostic is not appropriate for open source projects. The PVS-Studio team contributes to open source projects, helps fix errors in them, and offers free license options. However, our product is a B2B solution, so this diagnostic is enabled by default.

If your code is distributed under one of the copyleft licenses above, you can disable this diagnostic in the following ways (for C/C++ it is V1042):

  • If you use the PVS-Studio plugin for Visual Studio, you can disable the diagnostic under Options > PVS-Studio > Detectable Errors > 1. General Analysis > V1042. After that it is no longer shown in the analyser report. The downside is that the warning is still written to the analyser log when the log is saved (or when the analysis is run from the command line), so when such a log is opened on another machine or converted to another format, messages disabled this way may reappear.

  • If you do not use the plugin and want to suppress the rule for the whole team, or remove it from the analyser report, add the comment "//-V::1042" to the configuration file (.pvsconfig) or to one of the global header files. For developers using Visual C++, the "stdafx.h" file is a convenient place for it. This comment tells the analyser to disable the V1042 diagnostic. The documentation describes disabling diagnostics with comments in more detail.

  • If you use the Plog Converter utility to convert reports, you can disable the diagnostic with the "-d" switch.

The corresponding diagnostic is V3144 for C# and V6071 for Java.

Extending the List of Dangerous Licenses

If you know of other copyleft licenses that PVS-Studio does not yet detect, let us know through our feedback form. We will add them in the next release.

New diagnostics

C, C++ (General)

  • V1040. Possible typo in the spelling of a pre-defined macro name.
  • V1041. Class member is initialized with dangling reference.
  • V1042. This file is marked with copyleft license, which requires you to open the derived source code.
  • V1043. A global object variable is declared in the header. Multiple copies of it will be created in all translation units that include this header file.

I'd like to draw special attention to diagnostic V1040. Even at the beta stage it found an interesting error in a library of the well-known CMake project:

V1040 Possible typo in the spelling of a pre-defined macro name. The '__MINGW32_' macro is similar to '__MINGW32__'. winapi.h 4112
/* from winternl.h */
#if !defined(__UNICODE_STRING_DEFINED) && defined(__MINGW32_)
#define __UNICODE_STRING_DEFINED
#endif

There is a typo in the name __MINGW32_: one trailing underscore is missing, so the condition never holds where the author expected it to. Searching the code for this name shows that everywhere else the project uses the spelling with two underscores on both sides, __MINGW32__.

You can check out all found errors in the CMake project in the article: "CMake: the Case when the Project's Quality is Unforgivable".


C, C++ (MISRA)

  • V2551. MISRA. Variable should be declared in a scope that minimizes its visibility.
  • V2552. MISRA. Expressions with enum underlying type should have values corresponding to the enumerators of the enumeration.
  • V2553. MISRA. Unary minus operator should not be applied to an expression of the unsigned type.
  • V2554. MISRA. Expression containing increment (++) or decrement (--) should not have other side effects.
  • V2555. MISRA. Incorrect shifting expression.
  • V2556. MISRA. Use of a pointer to FILE when the associated stream has already been closed.
  • V2557. MISRA. Operand of sizeof() operator should not have other side effects.

C#

  • V3140. Property accessors use different backing fields.
  • V3141. Expression under 'throw' is a potential null, which can lead to NullReferenceException.
  • V3142. Unreachable code detected. It is possible that an error is present.
  • V3143. The 'value' parameter is rewritten inside a property setter, and is not used after that.
  • V3144. This file is marked with copyleft license, which requires you to open the derived source code.
  • V3145. Unsafe dereference of a WeakReference target. The object could have been garbage collected before the 'Target' property was accessed.

In the C# analyser we also added tracking of values read and written through property getters and setters, as well as in async methods.

We are currently working on better tracking of object fields' values and properties when objects are passed to methods, as well as tracking the contents of tuples. These improvements will be available in the next analyser release.

Java

  • V6068. Suspicious use of BigDecimal class.
  • V6069. Unsigned right shift assignment of negative 'byte' / 'short' value.
  • V6070. Unsafe synchronization on an object.
  • V6071. This file is marked with copyleft license, which requires you to open the derived source code.

SonarQube 7.9 LTS

Long-awaited Release

It has been almost two years since the previous LTS version, SonarQube 6.7. The new LTS was eagerly awaited from the SQ 7.x releases onward, and when it came out users began actively switching to it, which surfaced various problems. SQ 7.9.1 LTS soon followed with minor fixes, and third-party plugin developers released patches as well.

Fortunately, the PVS-Studio plugin had only one problem, related to the switch to Java 11; it was fixed quickly and our clients moved to a working version right away.

We have also kept compatibility with older SonarQube versions, so the list of supported versions is now:

SonarQube 6.7 LTS and later

More Supported Language Plugins

The PVS-Studio plugin only converts analysis results into the format of the SonarQube database; in other words, it just uploads PVS-Studio analysis results into SQ. For the SonarScanner utility to work fully, plugins for the programming languages must be installed. Rather than reimplementing what already exists, we add support for existing popular plugins. In this version we added compatibility with the Sonar C Community and SonarCFamily language plugins.

The full list of supported language plugins includes Sonar C Community, SonarCFamily, Sonar C++ Community, SonarC# and SonarJava.

To upload PVS-Studio analysis results it is enough to install at least one plugin from this list. Most users install only Sonar C++ Community, SonarC# or SonarJava; the remaining plugins may be needed for more specific projects.

When choosing plugins, bear in mind that the Community plugins are not compatible with SonarCFamily. If you use only SonarQube Community Edition, this is not an issue.

New Settings Page

Previously, the analyser could be configured only through the sonar-project.properties file. There is nothing wrong with this method; it is very convenient and is used 99% of the time. Still, we have added an additional settings page under Administration > Configuration > PVS-Studio on the SonarQube server side, since it is preferable in some scenarios.

[Screenshot: the PVS-Studio settings page in SonarQube]

If settings are specified both ways, the values in sonar-project.properties take priority.

Plugin for IntelliJ IDEA

New IntelliJ IDEA and PVS-Studio versions are released on different dates. Recently IntelliJ IDEA 192.* came out and the PVS-Studio plugin could not be installed in it. This release adds support for the latest IntelliJ IDEA versions, along with changes intended to avoid similar problems in the future.

Plugins for Jenkins

PVS-Studio Plugin

The PVS-Studio Plugin publishes PVS-Studio analysis reports in HTML format in the Jenkins continuous integration system. Previously, the plugin was available only to Windows users because it invoked the report converter automatically, and did so only on Windows. In PVS-Studio 7.04 the plugin accepts only HTML reports, which now have to be generated as a separate step, but this change made the plugin cross-platform.

Warnings NG Plugin

For Jenkins there is a useful plugin, Warnings Next Generation, for viewing analysis results from various tools. We recently added PVS-Studio support to it. The ability to load PVS-Studio analysis results through this plugin became available in version 6.0.0, whose release happened to coincide with the PVS-Studio 7.04 release.

Other Improvements

PVS-Studio_Cmd

PVS-Studio_Cmd.exe now has a special operating mode, credentials. It lets you create a settings file and enter license information without a GUI (such as the Visual Studio plugin or the C and C++ Compiler Monitoring UI utility). This mode is especially useful on build servers (where GUI utilities may be absent), in containers, and when integrating with cloud services.

Analysis of Unreal Engine Projects

We added the option AutoloadUnrealEngineLog to the PVS-Studio plugin for Visual Studio; it automatically loads the analyser report into the PVS-Studio output window after the analysis finishes. Without this option the log has to be loaded manually through the plugin menu.

The documentation section "Analysis of Unreal Engine projects" also describes changes to the standard build scripts that let you build and analyse in one step. Without those script modifications (when only the flag -StaticAnalyzer=PVSStudio is added to the launch arguments), the project is only analysed, not built.

CLMonitor

The CLMonitor utility can now monitor compiler runs belonging to a specific process. This lets you track only the compiler invocations of a particular project, even while several projects are building in parallel. The mode is controlled by the flags --parentProcessID %PID% (CLMonitor monitors the child processes of the specified process) and --attach (CLMonitor monitors the child processes of the current console).

pvs-studio-analyzer

The --ignore-ccache flag has been added to the pvs-studio-analyzer utility, which is used to check projects on Linux and macOS:

pvs-studio-analyzer analyze ... --ignore-ccache ...

If ccache is used in the project build, PVS-Studio effectively works in incremental analysis mode, because compilations served from the cache never reach the compiler and therefore are not seen by the analyser. To check the entire project without clearing the ccache cache, use this flag.

Additional links

Subscribe to be informed about our new publications:

  1. Twitter: @Code_Analysis
  2. YouTube: PVS-Studio
  3. Facebook: @StaticCodeAnalyzer
  4. Instagram: @pvsstudio
  5. Telegram: PVS-Studio
  6. RSS: viva64-blog-en

PVS-Studio:

  1. PVS-Studio product page
  2. Download
  3. Documentation
  4. Clients

Translated from: https://habr.com/en/company/pvs-studio/blog/466195/
