1. Static scanning process
1.1 Release process
The release process is roughly divided into 5 stages; static code scanning is performed in step 3, as shown in the figure:
Release process flowchart
1.2 Typical case analysis
[Null pointer] Null pointer dereference
[Memory leak] Stream resource not closed
[Performance] Use indexOf(char)
[Compatibility] System API compatibility risk
[Out of bounds] Array index out of bounds risk
[Exception] Division or modulo without checking the denominator (a length that may be zero)
[SQL] Injection risk
[Application security] Setting allowBackup to true in AndroidManifest.xml leads to data leakage
For more examples of the checks, see the rule documentation of each checking tool.
1.2.1 [Null pointer] Null pointer dereference
Error location: line 4
public class StringUtil {
    public static final String queryParams(String param) {
        String ret = "";
        if (param != null || param.length() > 2) { // bug: when param is null, "||" still evaluates param.length()
            ret = param.substring(1, param.length() - 1);
        }
        return ret;
    }
}
This is a null pointer dereference: when param is null the first condition is false, so "||" goes on to evaluate param.length() and throws a NullPointerException. Solution:
public class StringUtil {
    public static final String queryParams(String param) {
        String ret = "";
        if (param != null && param.length() > 2) { // "&&" short-circuits, so length() is only called on a non-null param
            ret = param.substring(1, param.length() - 1);
        }
        return ret;
    }
}
1.2.2 [Memory leak] Stream resource not closed
Error location: line 17
private static void write2logfile(String msg) { // needs java.io.File, FileOutputStream, IOException
    try {
        File sdCardDir = android.os.Environment
                .getExternalStorageDirectory();
        File logfile = new File(sdCardDir.getAbsolutePath()
                + File.separator + logfileName); // logfileName: String field of the enclosing class
        if (!logfile.exists()) {
            logfile.createNewFile();
        }
        msg += "\n";
        FileOutputStream outputStream = new FileOutputStream(logfile, true);
        outputStream.write(msg.getBytes());
        outputStream.close(); // skipped if write() throws, so the stream leaks
    } catch (IOException e) {
        e.printStackTrace();
    }
}
An exception may be thrown before the resource object is closed or returned, so it is never properly closed or returned. Typical cases: several resource objects are closed in sequence without exception handling, or an operation that can throw an uncaught exception is performed on the resource object before it is returned. Solution:
private static void write2logfile(String msg) { // needs java.io.File, FileOutputStream, IOException
    FileOutputStream outputStream = null;
    try {
        File sdCardDir = android.os.Environment
                .getExternalStorageDirectory();
        File logfile = new File(sdCardDir.getAbsolutePath()
                + File.separator + logfileName); // logfileName: String field of the enclosing class
        if (!logfile.exists()) {
            logfile.createNewFile();
        }
        msg += "\n";
        outputStream = new FileOutputStream(logfile, true);
        outputStream.write(msg.getBytes());
    } catch (IOException e) {
        e.printStackTrace();
    } finally {
        // Runs whether or not write() threw, so the stream is always released
        if (outputStream != null) {
            try {
                outputStream.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}
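Added example, not code from the original document: the two failure modes described above (several resources closed in sequence, and a resource returned after an operation that may throw), written with try-with-resources and with an explicit close on the failure path. LogWriter, append and openWithHeader are assumed names, and the log file is passed in as a File rather than read from a logfileName field.

```java
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;

public class LogWriter {
    // First failure mode from the text: several resources closed in sequence.
    // try-with-resources closes them in reverse order, still closes the rest
    // if one close() throws, and attaches close() failures to the primary
    // exception as suppressed exceptions instead of replacing it.
    public static void append(File logfile, String msg) throws IOException {
        try (FileOutputStream out = new FileOutputStream(logfile, true);
             BufferedWriter writer = new BufferedWriter(
                     new OutputStreamWriter(out, StandardCharsets.UTF_8))) {
            writer.write(msg);
            writer.newLine();
        }
    }

    // Second failure mode: a resource is opened, an operation that may throw
    // runs, and the resource is then returned. If write() fails, the stream
    // must be closed here because no caller will ever receive it.
    public static FileOutputStream openWithHeader(File file, String header)
            throws IOException {
        FileOutputStream out = new FileOutputStream(file, true);
        try {
            out.write(header.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            try {
                out.close();
            } catch (IOException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
        return out; // ownership passes to the caller, who closes it
    }

    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("scan-demo", ".log"); // constructed sample file
        append(tmp, "static scan demo");
        try (FileOutputStream out = openWithHeader(tmp, "# header\n")) {
            out.write("second line\n".getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("wrote " + tmp.length() + " bytes to " + tmp);
    }
}
```

On Android, try-with-resources needs minSdkVersion 19 or the build tool's desugaring, which is itself a compatibility check of the kind listed in 1.2.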