CN117610023A - Software static analysis system integrated with DevOps - Google Patents
Software static analysis system integrated with DevOps Download PDFInfo
- Publication number
- CN117610023A CN117610023A CN202311762482.XA CN202311762482A CN117610023A CN 117610023 A CN117610023 A CN 117610023A CN 202311762482 A CN202311762482 A CN 202311762482A CN 117610023 A CN117610023 A CN 117610023A
- Authority
- CN
- China
- Prior art keywords
- analysis
- code
- traversing
- syntax tree
- abstract syntax
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 61
- 230000003068 static effect Effects 0.000 title claims abstract description 35
- 238000000034 method Methods 0.000 claims abstract description 10
- 230000008439 repair process Effects 0.000 claims abstract description 6
- 238000001514 detection method Methods 0.000 claims abstract description 5
- 230000008569 process Effects 0.000 claims abstract description 5
- 230000000007 visual effect Effects 0.000 claims abstract description 4
- 238000000605 extraction Methods 0.000 claims description 8
- 230000006870 function Effects 0.000 claims description 7
- 230000008676 import Effects 0.000 claims description 4
- 238000004422 calculation algorithm Methods 0.000 claims description 2
- 238000013499 data model Methods 0.000 claims description 2
- 238000013461 design Methods 0.000 claims description 2
- 230000014509 gene expression Effects 0.000 claims description 2
- 238000013515 script Methods 0.000 claims description 2
- 230000007547 defect Effects 0.000 description 9
- 238000007726 management method Methods 0.000 description 8
- 238000012552 review Methods 0.000 description 6
- 238000011161 development Methods 0.000 description 5
- 238000007689 inspection Methods 0.000 description 5
- 238000010276 construction Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 238000012360 testing method Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000003339 best practice Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Stored Programmes (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a software static analysis system integrated with DevOps, which is characterized in that the implementation process of the software static analysis system comprises the following steps: task establishment; rule configuration; executing tasks; code analysis; AST analysis; report generation. The invention discloses a software static analysis system capable of configuring rules, which can automatically analyze codes and detect potential errors and vulnerabilities according to preset rules. The method and the device can automatically, efficiently and accurately detect potential errors and vulnerabilities in the codes; the detection of multiple error types is supported, and the requirements of different users can be met; the user is allowed to customize rules according to the needs, so that the flexibility and adaptability of the system are improved; the method is integrated into a DevOps platform, can be automatically executed at regular time, and automatically monitors the quality of software codes; and the system is integrated with a project management platform to provide a visual report so that a user can quickly know and repair the problems in the code.
Description
Technical Field
The invention relates to a software static analysis system, belonging to the technical field of computer technology and static analysis.
Background
With the increasing number of software application scenarios, the complexity of software programs is also increasing, and software quality assurance and security hole detection are becoming more and more important. Traditional static code analysis methods are usually based on fixed rules for static analysis of codes or rely on manual code examination, and are not only inflexible, inefficient, but also prone to error.
Currently, the means for performing quality checks of software code mainly include:
1. manual code inspection: this is the most basic and common way for a developer to manually examine the code. This approach relies on the experience and expertise of the developer by examining the code line by line and looking for potential errors and problems.
2. Code Review (Code Review): code review is a form of code review by team cooperation, typically by development team members reviewing each other's code. Code review may be performed through meetings, mail, or online collaboration tools. It may help discover code logic errors, performance problems, security vulnerabilities, etc.
3. Static code analysis (Static Code Analysis): static code analysis is a way to statically analyze code using automated tools. These tools may scan the source code file to detect potential problems such as syntax errors, potential memory leaks, unused variables, etc. The static code analysis tool may also provide suggestions according to predefined coding specifications or best practices.
These approaches have mainly the following problems:
1. inefficiency, error-prone: manual code or team code review takes a lot of time and effort, especially in the case of large code library sizes and high code complexity. Because the thinking of people always has error areas, the people can hardly find own errors, and therefore, the accuracy of manual code inspection is often not guaranteed.
2. Lack of consistency: different developers may have different coding styles and habits, which may lead to inconsistent conclusions in code inspection or even contradiction.
3. It is difficult to check the non-functional requirement: manual code inspection tends to be more focused on grammar and logic errors of the code, while inspection in terms of some non-functional requirements, such as performance, maintainability, scalability, etc., tends to be inadequate.
4. The tool is not flexible enough and the integration level is not high: most of tools carry out static analysis of codes based on fixed rules, and the tools need to manually execute scanning tasks, are difficult to adapt to more scenes and are not flexible. Most tools are run independently and are not integrated or not highly integrated with the project DevOps tool and the project management tool.
Disclosure of Invention
The purpose of the invention is that: a static analysis system is provided that is capable of automatically, efficiently, flexibly, and accurately detecting potential errors and vulnerabilities in code.
In order to achieve the above object, the present invention provides a software static analysis system incorporated into a DevOps, wherein the implementation process of the software static analysis system includes the following steps:
step 1, task establishment: firstly, establishing a code static analysis task on a DevOps platform, and setting task component parameters, a triggering mode and code address information;
step 2, rule configuration: the user configures the analysis rules according to the requirements, and when the analysis rules are configured, the rule configuration can be performed through a graphical interface or a text editing mode, so that complex scripts or programs are not required to be written;
step 3, task execution: the DevOps platform invokes a static analysis tool through the plug-in to execute a scanning task, and scans codes under a target path according to configured analysis rules;
step 4, code analysis: the system analyzes the source code to be analyzed to generate an abstract syntax tree AST, wherein each node represents a part of the source code, various information in the code can be obtained by traversing the abstract syntax tree AST, and the identification to be performed comprises the following aspects:
node type identification: in traversing an AST, different portions of source code may be identified by examining the type of node. For example, all function definition nodes (FunctionDef), conditional statement nodes (If), loop nodes (For), etc. may be identified.
Constant extraction: in some cases, it may be necessary to extract constants in the code. For example if all hard coded numbers or strings need to be found. All nodes with a particular value can be looked up by traversing an AST.
Variable and parameter extraction: all variables and function parameters can also be extracted by traversing AST. This can be achieved by looking up all Name and Arg nodes.
Function and class definition extraction: by traversing an AST, all function and class definitions can be found. This can be achieved by looking up all FunctionDef and ClassDef nodes.
And (3) extracting an operator: if a particular operator or expression needs to be found, it can be found during the traversal of the AST. For example, all addition operators (+) or all comparison operators (>, <, =, etc.) may be looked up.
Control flow extraction: if a particular control flow structure (e.g., if-else statement or For loop) needs to be found, it is possible to extract them by looking up the corresponding nodes (e.g., if and For).
And (3) extracting the imported information: the import information of the module is obtained, for example, by traversing the AST to find all import statements.
In traversing the abstract syntax tree AST, a depth-first traversal or breadth-first traversal algorithm is used; when traversing each node, executing corresponding operation according to the need;
step 5, AST analysis: traversing and analyzing the abstract syntax tree AST by utilizing rules configured in a rule configuration module to find out potential errors and vulnerabilities; the analysis module adopts a data-driven design method, and can generate different data models according to different rules, so as to support the detection of various error types;
step 6, report generation: the analysis result is presented to the user in the form of a visual report, and the user can quickly know the problems in the code through the report and repair the problems.
Preferably, in step 2, the analysis rule includes an error type, an error level, and an error filter.
Preferably, in step 4, when generating the abstract syntax tree AST: the system first performs lexical analysis, in which the source code is decomposed into sequences called labels tokens, which include variable names, keywords, and operators; after the lexical analysis is completed, the grammar analysis is performed, the tokens are combined into a structure called grammar unit using a set of rules defined by a programming language, and then an abstract grammar tree AST is generated.
Preferably, in step 6, the report includes the error type, the error level, the error location, and the corresponding repair suggestion.
The invention discloses a software static analysis system capable of configuring rules, which can automatically analyze codes and detect potential errors and vulnerabilities according to preset rules. Compared with the prior art, the invention has the following beneficial effects:
1) Potential errors and vulnerabilities in the code can be automatically, efficiently and accurately detected; 2) The detection of multiple error types is supported, and the requirements of different users can be met; 3) The user is allowed to customize rules according to the needs, so that the flexibility and adaptability of the system are improved; 4) The method is integrated into a DevOps platform, can be automatically executed at regular time, and automatically monitors the quality of software codes; 5) And the system is integrated with a project management platform to provide a visual report so that a user can quickly know and repair the problems in the code.
Therefore, the invention has important significance for improving the quality and the safety of the software.
Drawings
FIG. 1 is a system block diagram;
FIG. 2 is a schematic diagram of a system operational flow;
FIG. 3 is a schematic diagram of exemplary key steps.
Detailed Description
The invention will be further illustrated with reference to specific examples. It is to be understood that these examples are illustrative of the present invention and are not intended to limit the scope of the present invention. Further, it is understood that various changes and modifications may be made by those skilled in the art after reading the teachings of the present invention, and such equivalents are intended to fall within the scope of the claims appended hereto.
In the following implementation example, jenkins is used as a DevOps task building scheduling tool, and Klocwork is used as a code static analysis scanning tool, the implementation of the software static analysis system integrated into DevOps disclosed in this embodiment includes the following steps:
1. and establishing a pipeline task on the project management platform, and configuring information such as construction parameters to be executed, a pipeline triggering mode, a development library code address of the project, scanning rules and the like. The partial rule configuration is shown in the following table:
2. a developer submits codes to a project development code library, and for a task which is set to trigger construction when the codes are submitted, jenkins can monitor code submitting events according to an SVN/Git hook program, so that a pipeline task is triggered; for a timed execution type task, the Jenkins arrival point will automatically trigger the build task.
3. After Jenkins triggers the construction task, the plug-in module for SVN/Git can acquire the source code of the item from the development library and store the source code under the directory path.
4. Jenkins invokes a Klocwork start code static analysis task through the plug-in, performs static analysis on codes under the target path according to configured rules, and executes the processes of code analysis, AST analysis and the like.
5. After static analysis is completed, the project management platform acquires scanned defect (issue) information and report information through a Web Api interface provided by Klocwork, maps the defects (issue) of the static analysis and the defects (bug) of the project management platform, stores the mapping information into a defect management module database, and stores test report data into a test management module. The static analysis defect (issue) information comprises defect identification, rule identification, defect name, severity level, code file name, code line number, scanning identification, state and other information.
6. The defect information of the Klocwork static analysis is a last submitter that contains a file name and a line number, and the project management platform distributes the defect to a corresponding developer according to a last submitter that acquires a file from a submitter log of SVN/Git.
7. For a construction task to be continuously deployed, jenkins will call a compiling tool corresponding to a development language to compile and package source codes, and a remote deployment plug-in public over SSH is used for automatic deployment.
Claims (4)
1. The software static analysis system integrated with the DevOps is characterized in that the implementation process of the software static analysis system comprises the following steps:
step 1, task establishment: firstly, establishing a code static analysis task on a DevOps platform, and setting task component parameters, a triggering mode and code address information;
step 2, rule configuration: the user configures the analysis rules according to the requirements, and when the analysis rules are configured, the rule configuration can be performed through a graphical interface or a text editing mode, so that complex scripts or programs are not required to be written;
step 3, task execution: the DevOps platform invokes a static analysis tool through the plug-in to execute a scanning task, and scans codes under a target path according to configured analysis rules;
step 4, code analysis: the system analyzes the source code to be analyzed to generate an abstract syntax tree AST, wherein each node represents a part of the source code, various information in the code can be obtained by traversing the abstract syntax tree AST, and the identification to be performed comprises the following aspects:
1) Node type identification: identifying different parts in the source code by checking the type of the node in traversing the abstract syntax tree AST;
2) Constant extraction: extracting constants in codes, and searching all nodes with specific values in the process of traversing the abstract syntax tree AST;
3) Variable and parameter extraction: extracting all variables and function parameters through an abstract syntax tree AST, and searching all Name and Arg nodes;
4) Function and class definition extraction: by traversing the abstract syntax tree AST, finding all functions and class definitions, and by searching all FunctionDef and ClassDef nodes;
5) And (3) extracting an operator: find specific operators or expressions, find them in the course of traversing the abstract syntax tree AST;
6) Control flow extraction: searching for specific control flow structures, extracting corresponding nodes by searching them;
7) And (3) extracting the imported information: all import sentences are found by traversing the abstract syntax tree AST, so that the import information of the module is obtained;
in traversing the abstract syntax tree AST, a depth-first traversal or breadth-first traversal algorithm is used; when traversing each node, executing corresponding operation according to the need;
step 5, AST analysis: traversing and analyzing the abstract syntax tree AST by utilizing rules configured in a rule configuration module to find out potential errors and vulnerabilities; the analysis module adopts a data-driven design method, and can generate different data models according to different rules, so as to support the detection of various error types;
step 6, report generation: the analysis result is presented to the user in the form of a visual report, and the user can quickly know the problems in the code through the report and repair the problems.
2. The software static analysis system integrated into DevOps according to claim 1, wherein in step 2, the analysis rules include error type, error level, error filter.
3. The static analysis system of claim 1, wherein in step 4, when generating the abstract syntax tree AST: the system first performs lexical analysis, in which the source code is decomposed into sequences called labels tokens, which include variable names, keywords, and operators; after the lexical analysis is completed, the grammar analysis is performed, the tokens are combined into a structure called grammar unit using a set of rules defined by a programming language, and then an abstract grammar tree AST is generated.
4. The software static analysis system integrated into DevOps of claim 1, wherein in step 6, the report includes the error type, the error level, the error location, and the corresponding repair suggestion.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311762482.XA CN117610023A (en) | 2023-12-19 | 2023-12-19 | Software static analysis system integrated with DevOps |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311762482.XA CN117610023A (en) | 2023-12-19 | 2023-12-19 | Software static analysis system integrated with DevOps |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117610023A true CN117610023A (en) | 2024-02-27 |
Family
ID=89944421
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311762482.XA Pending CN117610023A (en) | 2023-12-19 | 2023-12-19 | Software static analysis system integrated with DevOps |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117610023A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119337108A (en) * | 2024-12-24 | 2025-01-21 | 科大讯飞股份有限公司 | Error analysis method, system, electronic device and storage medium |
-
2023
- 2023-12-19 CN CN202311762482.XA patent/CN117610023A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119337108A (en) * | 2024-12-24 | 2025-01-21 | 科大讯飞股份有限公司 | Error analysis method, system, electronic device and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108614707B (en) | Static code checking method, device, storage medium and computer equipment | |
| CN111382070B (en) | Compatibility testing method and device, storage medium and computer equipment | |
| CN105094783B (en) | method and device for testing stability of android application | |
| AU2010350247B2 (en) | Code inspection executing system for performing a code inspection of ABAP source codes | |
| US9632754B2 (en) | Auto generation and linkage of source code to test cases | |
| CN110399300A (en) | A Python software fuzzing method based on dynamic type perception | |
| AU2018202153B2 (en) | System and method for tool chain data capture through parser for empirical data analysis | |
| Angerer et al. | Configuration-aware change impact analysis (t) | |
| Linsbauer et al. | Recovering feature-to-code mappings in mixed-variability software systems | |
| CN103914379A (en) | Automatic fault injection and fault detecting method and system | |
| CN114116471A (en) | Automatic code scanning method, system, electronic equipment and storage medium | |
| CN117610023A (en) | Software static analysis system integrated with DevOps | |
| CN117909984A (en) | Real-time operating system driver vulnerability mining system and method based on similarity analysis | |
| CN113064811A (en) | Workflow-based automatic testing method and device and electronic equipment | |
| JP2010140408A (en) | Source code converting device | |
| CN110990282B (en) | An Automated Unit Testing Method | |
| CN110362463A (en) | A kind of method and apparatus selected test case automatically and carry out regression test | |
| CN115454702A (en) | Log fault analysis method and device, storage medium and electronic equipment | |
| JP2010140407A (en) | Source code inspection device | |
| CN110321130B (en) | Non-repeatable compiling and positioning method based on system call log | |
| CN113051582B (en) | Computer software technology development and debugging system | |
| Smirnov et al. | Revizor: a data-driven approach to automate frequent code changes based on graph matching | |
| Staron et al. | Classifying obstructive and nonobstructive code clones of type I using simplified classification scheme: a case study | |
| Bicevskis et al. | Data quality model-based testing of information systems | |
| CN119597657A (en) | Source code change analysis method, system and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |