PVS-Studio 7.07: feature overview

Picture 30

The purpose of this article is to give a general overview of the features of the PVS-Studio static analyzer. The simplest and most informative way to do this is to show the tool in action. We'll be sharing examples demonstrating the analysis process using the Visual Studio plugin, the algorithm of running the analyzer under Linux, and analysis log import into SonarQube.

General information

PVS-Studio is a static code analyzer for code written in C, C++, C#, and Java. PVS-Studio provides a wide range of code checks but is especially good at finding typos and copy-paste mistakes (examples: first, second, third, fourth). Static analysis is the perfect complement to code review, one of the oldest and most effective bug-detecting practices. There are issues that peer code review can't help much in finding (typos are among them). For example:

int trans_rest(transcoder_settings *trans)
{
  ....
  for(i=0; i<16; i++);
  {
    trans->eq.eq.preamp[i]   = 0.0;
    for(j=0; j<32; j++)
    {
      trans->eq.eq.boost[i][j] = 0.0;
    }
  }
}

If you haven't noticed the typo, look at the semicolon after the first for. Another example:

private class ObjectArrayComparer : IEqualityComparer<object[]>
{
  public bool Equals(object[] x, object[] y)
  {
    ....
    for (int i = 0; i < x.Length; i++)
    {
      if (!object.Equals(x[0], y[0])) 
      {
        return false;
      }
    }
    return true;
  }
  ....
}

This code will be comparing the same pair of elements all the time. Adopting static analysis keeps you from wasting time hunting for errors like these. You can download PVS-Studio here and try it out on your own projects.
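The two defects above have observable consequences, which is what makes them worth catching before review. The C block below is an added example, not code from the article: it reproduces the stray-semicolon loop (with a constructed, bounds-checked stand-in for the raw array write, so the final index 16 is reported instead of corrupting memory) and a C port of the comparer that reuses index 0, each beside its corrected form.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the transcoder_settings struct in the article. */
#define PREAMP_BANDS 16
typedef struct {
    float preamp[PREAMP_BANDS];
} eq_settings;

/* Bounds-checked store: returns false instead of writing out of range.
   In the article's code this is a raw array write, so the buggy loop
   below would write past the end of preamp; here the attempt is reported. */
static bool set_preamp(eq_settings *eq, int i, float v) {
    if (i < 0 || i >= PREAMP_BANDS) return false;
    eq->preamp[i] = v;
    return true;
}

/* Stray ';' after the for: the block runs once, with i already == 16.
   Returns how many bands were actually zeroed (0 for the buggy version). */
int trans_rest_buggy(eq_settings *eq) {
    int i, written = 0;
    for (i = 0; i < PREAMP_BANDS; i++);
    {
        if (set_preamp(eq, i, 0.0f)) written++;
    }
    return written;
}

int trans_rest_fixed(eq_settings *eq) {
    int i, written = 0;
    for (i = 0; i < PREAMP_BANDS; i++) {
        if (set_preamp(eq, i, 0.0f)) written++;
    }
    return written;
}

/* Copy-paste bug: x[0]/y[0] are compared on every iteration instead of x[i]/y[i],
   so arrays that differ anywhere but position 0 are reported as equal. */
bool arrays_equal_buggy(const int *x, const int *y, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (x[0] != y[0]) return false;
    return true;
}

bool arrays_equal_fixed(const int *x, const int *y, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return false;
    return true;
}
```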

Visual Studio plugin

Among other formats, PVS-Studio comes as a plugin for Visual Studio 2010-2019. Before running the check, let's see what this plugin can do. Below I'm giving a brief overview of some of the menu commands that you may find confusing.

Picture 13

Note the «Suppress Messages» command. It opens the window for managing suppressed warnings of the analyzer. This needs explanation. PVS-Studio allows you to suppress warnings, which makes it easier to start using the tool even in a particularly large project. Thanks to this option, you can quickly and easily integrate the analyzer into your development process.

Integration is painless with fairly small projects. But if your project has a long history, you may already be hesitant, because filtering through a large number of diagnostic messages would mean finding someone to do that task, allocating time for it, and so on. I'll try to dispel these doubts.

The ideal strategy in this case is as follows. You run the analyzer on your project and get a huge pile of warnings. You tell PVS-Studio to hide them using the warning-suppression mechanism. Since your project has been in development for a long time, you aren't likely to get many warnings about critical defects. Your team keeps working on the project and gets warnings only on freshly written or modified code. The warnings that you have suppressed in the beginning are now your technical debt, which you could be getting back to every now and then, gradually eliminating it. Learn more about the suppression mechanism.

Picture 14

The next command I'd like to talk about is called «Display CWE Codes in Output Window». PVS-Studio is a static application security testing (SAST) tool, which means its warnings can be classified according to the Common Weakness Enumeration (CWE). See the following resources for more details on the use of the CWE classification in PVS-Studio, the idea behind the CWE itself, and so on:

Now let's click the «Options» command.

Picture 6

In the «Detectable Errors (C, C++)» subsection, you can specify which collections of diagnostics will be applied during the analysis. Here you can hide or turn off diagnostic messages that are for some reason irrelevant to your project. For instance, you aren't likely to be interested in the MISRA diagnostics unless you are an embedded software developer. That's why they are turned off by default. A user running PVS-Studio for the first time may be confused and frustrated by the huge number of MISRA warnings. But those who want to check their project specifically for compliance with MISRA requirements can turn on those diagnostics at any time.

Picture 10

In this window, you can specify paths/masks to selectively exclude files and folders from analysis. You can choose between path masks and filename masks. This option is used to exclude from analysis third-party libraries, automatically generated files, and so on. Once you've specified the exclusion masks, the messages associated with those files and folders will disappear from the PVS-Studio output window and stay inactive during the next checks. Thus, excluding files and folders from analysis using masks can help significantly reduce the overall analysis time.

More details here.

Picture 8

Similarly, you can filter the analyzer's output by text. Suppose some of the messages in your report refer to the my_super_function function, while you know for sure that all of them are false positives. Just add the word my_super_function to the filter field to filter off all the warnings containing it. Just in case, here's a link to the documentation section covering this topic.

Note. PVS-Studio provides other ways of marking false positives in code or macros as well. They are all covered in the "Suppression of false alarms" section of the documentation.

Now that we're finished with the settings overview, let's check a project. You may have noticed that I mentioned a few C++-related options but said nothing about options specific to C# and Java. It's just that C++-related options are greater in number, so we decided to specifically focus on them in this brief overview. To keep it interesting, though, I'm going to analyze a C# project instead of a C++ one using our Visual Studio plugin and show you what the analysis report looks like.

Obviously, you'll have to go back to the settings after the first check to reduce the number of false positives. They are inevitable, but you can cut their rate to a desired minimum by tweaking the settings. For more details, see the article "Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives".

Picture 1

Click «Analyze Solution with PVS-Studio».

Picture 2

A window with a progress bar will appear.

Picture 3

Once the check is over, you can study the report.

Picture 11

By the way, you can filter warnings in this window as well. For example, you can hide the first warning on the list by selecting it and clicking «Mark selected messages as False Alarms». Again, all the details are available in the documentation section "Suppression of false alarms".

Linux

We have checked a C# project. Now let's check a C++ program but do that in Linux instead. By the way, PVS-Studio can check projects in any of the supported languages (C, C++, C#, Java) on Windows, Linux, and macOS.

Picture 20

First we clone the repository.

Picture 18

Then we run the build configuration script.

Picture 16

Next, we run PVS-Studio in tracing mode and build the project. To do that, you need the strace utility installed on your computer. In your own project, you can use any other build command with any necessary options in place of make.

Picture 12

Now we analyze the project files using the results obtained at the previous step. The -a option is used to specify which warnings you want to be included in the report.

Picture 4

Convert the log into an html file and enjoy the nicely-formatted report.

That was a description of just one of the possible ways of checking a project in Linux, and quite a formal one, without going much into detail. One of the other approaches is to add an analyzer call command to the makefile. To learn more about checking projects in Linux, see the following resources:

SonarQube

SonarQube is an open-source platform for continuous analysis and measurement of code quality that supports many programming languages and provides reports on such metrics as code duplicates, coding style compliance, test coverage, code complexity, potential bugs, and so on.

PVS-Studio includes a plugin for importing analysis results into SonarQube, so let's try this option.

Picture 9

First we need to get the analysis report and the configuration file sonar-project.properties.

Picture 27

Then we need a command to run the scanner.

Picture 28

And here's the result :)

Picture 23

You can also create (or modify) a configuration file. For instance, in the screenshot above, we have activated the option of adding MISRA identification tags to the warnings. That's right, MISRA diagnostics are disabled in this plugin too. If you need to check your code for MISRA compliance, just add «active» to your configuration file to turn this option on.

Picture 25

The Measures tab contains a variety of code metrics and graphs.

Picture 26

You can also use the PVS-Studio section to plot graphs. For more information about integrating PVS-Studio analysis results into SonarQube, see this documentation section.

PVS-Studio Java

We have looked at the settings for C++ projects and analyzed a C# project but ignored Java so far. Let's get this fixed and talk about the PVS-Studio Java analyzer. There are many ways to integrate it with your project. Depending on your build system, you can use the Maven plugin or Gradle plugin. You can also use the analyzer core executable directly. Either way allows you to easily work with SonarQube or CI (Jenkins). If you have these plugins enabled, Java projects will be checked during the build process, so you will get a PVS-Studio log along with the built application.

The PVS-Studio Java analyzer can also be used as a plugin for IntelliJ IDEA. In this case, the parsing is done by the IDE itself, while the plugin provides a nice GUI for managing the analyzer.

Picture 40

This topic is covered in detail in the "How to Run PVS-Studio Java" section.

The Java analyzer also supports warning suppression for fast and painless integration with large projects.

This is how it is done in IntelliJ IDEA.

Picture 42

This window displays the analysis report.

Picture 43

Right-clicking a selected message opens the context menu. There, we can select the command, as shown in the picture, to hide the message from the output window.

Picture 44

You can also suppress all the warnings at once.

In Gradle, this is done by running the following command:

./gradlew pvsSuppress "-Ppvsstudio.report=/path/to/report.json"
  "-Ppvsstudio.output=/path/to/suppress_base.json"

In Maven, this is done by running the following command:

mvn pvsstudio:pvsSuppress "-Dpvsstudio.report=/path/to/report.json"
  "-Dpvsstudio.output=/path/to/suppress_base.json"

More about warning suppression here.

To recap

The purpose of this article was to give an overview of PVS-Studio's features and to show how easily it can be used through the Visual Studio plugin and in Linux. Integration with SonarQube provides continuous code quality analysis and management, which is just one of the many abilities described in the documentation.

With the analyzer integrated into your CI system, you can catch bugs immediately after building the project, which makes bug search and fixing much cheaper. The articles below show some examples of integrating PVS-Studio with the most popular cloud services:

Translated from: https://habr.com/en/company/pvs-studio/blog/502112/