
Code scanning | a sharp tool for controlling code quality

2022-06-24 06:35:00 CODING

Author: Pan Jinchi, CODING product director and head of Tencent Cloud's R&D platform, with ten years of experience in R&D and engineering-efficiency work; product owner of CODING Code Scanning.

A young man is smoking at the door of an office building. A passer-by stops and says to him: "Do you know this is bad for your health? Didn't you notice the warning on the pack?"

The young man says: "Don't worry, I'm a programmer."

The passer-by says: "So what?"

The programmer replies: "We never care about warnings, only about errors."

We start with a joke, because this article is an introductory read for people who rarely use, or are only beginning to learn about, code scanning tools. On one hand, code scanning has a real technical barrier: it involves lexical and syntax analysis, hooking into the build, pattern recognition and security knowledge, which can be hard to grasp. On the other hand, there are still many misunderstandings about code scanning products and the field, and they greatly hurt the experience of using them; some people even equate lint and style checks with scanning, which is a joke in itself.

Since its open beta, CODING Code Scanning has provided scanning for more than 5000 teams, helping development teams find large numbers of latent defects, security vulnerabilities and non-compliant code in time. This article uses some common scenarios to explain the value and usage of code scanning in plain terms, so that readers can understand it, get started quickly, and make the most of code scanning products on their organisation's road to DevSecOps.

What's the value of code scanning

Setting aside the clichés of shifting quality left and built-in quality, from a practical standpoint code scanning is usually the second step of a team's DevOps transformation (the first being continuous integration and a pipeline). For one thing, a pipeline that only compiles, packages and deploys is a bit thin; for another, compared with unit tests, interface automation and end-to-end automation, code scanning is the cheapest to adopt. Take Jenkins as an example: install the SonarQube plugin in the Jenkins cluster and add one command to the Jenkinsfile, and code scanning is wired in without developers having to get involved.

In addition, developers with some code-culture awareness will install plugins in their local IDE to run checks locally; as soon as there is a syntax or style problem, the IDE flags it with a warning and may even fix it automatically.

The easier something is to get, the easier it is to ignore. The IDE's automatic inspect/format, or the pipeline's silent execution, quickly dilutes developers' perception of code scanning and its value: "I ran the style check, so the code-checking task is done", "the release cycle is too tight, I'll look at the scan later", "the problems the scan found are harmless", "the code scanning tool or stage is optional". In fact, large software and internet companies spend millions every year on licenses for scanning software (SonarQube, Coverity, Checkmarx and so on), and these vendors are industry leaders valued at over a billion dollars (SonarSource raised USD 45 million in 2016; Coverity was acquired for USD 375 million in 2014). A huge market value and a humble sense of presence: why does this happen? To get to the bottom of it, let us first look at what problems code scanning can help us find.

0. Programming syntax problems

This item is numbered 0 because I do not think it belongs to code scanning at all. Many IDEs and plugins integrate syntax checking, helping developers detect, flag and even automatically fix syntax problems while they work. That does solve some code quality problems, but it is the job of the parser and has little to do with code scanning.

1. Code specification issues

Many readers will react with "here we go again", because this is the most common perception of code scanning: checking for comments, whether indentation uses spaces or tabs, whether braces start on a new line or follow the previous one, and so on. Such standards easily trigger debates in a team, and such problems do not stop the functional logic from running correctly ("we don't care about warnings, only about errors"), so this is where many people's interest in code scanning ends.

However, does code specification really matter?

Without a reminder here, would you notice that this function in a dynamic language returns inconsistent types, and that trouble may follow?

Without a reminder here, would you notice that this parameter is a mutable object, and what problems that might introduce?

If we keep letting for, if and try statements nest like this, how will anyone read this code later?

After the model's fields change, will you remember that the same code has to be changed in several places?

Code specification scanning is the most effective way to deal with "poisoned code". For multi-person projects, following a unified code specification is also the way to avoid the scene of "when I wrote this code, only God and I knew what it meant; a month later, only God knows".
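The first two questions above, inconsistent return types and a mutable parameter, are the kind of finding a specification scanner raises. The following is an added example, not code from the original article: the functions and inputs are constructed for illustration, and each buggy form sits beside the form a linter (for example pylint's inconsistent-return-statements and dangerous-default-value checks) would accept.

```python
"""Two 'code specification' findings reproduced in Python (added example).

parse_port_buggy returns three different types depending on the branch,
and add_tag_buggy shares one default list across every call.  The *_fixed
functions show the single-contract versions a scanner would pass.
"""
from typing import Optional


def parse_port_buggy(text: str):
    """Returns False, None or an int depending on the branch taken.

    A caller writing `if parse_port_buggy(x):` cannot tell port 0 from a
    rejected value, and has no single type to check against.
    """
    if not text.isdigit():
        return False          # "invalid" expressed as a bool
    port = int(text)
    if port > 65535:
        return None           # "invalid" expressed as None
    return port               # success expressed as an int


def parse_port_fixed(text: str) -> Optional[int]:
    """One contract: an int for a valid port, otherwise None."""
    if not text.isdigit():
        return None
    port = int(text)
    return port if port <= 65535 else None


def classify_buggy_returns(inputs) -> set:
    """Collect the distinct return types the buggy function produces."""
    return {type(parse_port_buggy(s)).__name__ for s in inputs}


def add_tag_buggy(tag: str, tags: list = []):
    """The default list is created once, at definition time, and is shared
    by every call that omits `tags`: the classic mutable-default bug."""
    tags.append(tag)
    return tags


def add_tag_fixed(tag: str, tags: Optional[list] = None) -> list:
    """Use None as the sentinel and build a fresh list on each call."""
    if tags is None:
        tags = []
    tags.append(tag)
    return tags


def leaked_state(add_tag) -> list:
    """Call `add_tag` twice relying on the default, as two unrelated callers
    might, and return what the second caller gets back."""
    add_tag("alpha")
    return add_tag("beta")
```

With the buggy version the second caller receives both tags, because it was handed the same list object the first caller mutated; with the fixed version it receives only its own. Likewise `parse_port_buggy("0")` returns 0, which is falsy, so a truthiness check treats a valid port as a failure.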

2. Functional defects

Many people have a gambler's mindset: "This is probably the only version of my code, it won't need maintenance later, so as long as it runs it's fine." So let code scanning help you confirm: can your code really run?

These null pointer problems: are you sure testing will catch them?

This array out-of-bounds problem: how hard is it to find by manual code review?

Not to mention this memory leak; without tools to help locate it, managing memory by hand still takes real effort.

From this angle, code scanning is comparable to testing: it is an effective means of ensuring an application functions correctly, and it can find deeper technical problems more efficiently.

3. Security defects

Some readers may think: "My function is simple, the test passed in a few minutes, nothing else to worry about." But an application must do more than satisfy its users functionally; it also has to guard against the criminals eyeing it. Cases like Marriott's heavy penalty for leaking user data come to mind; how sure are we that we are not the next target?

Source: InfoQ, Wan Jia

One of the most important entry points for database dumps is SQL injection, and this kind of problem is easily found by code scanning tools.

Remote command execution is also a common way to attack a target machine. Many widely used open source components have had such problems exposed; are you sure your security awareness is better than Apache's?

There are also CSRF, XSS, XXE, deserialization and many other attack techniques. If every front-line programmer had to be familiar with all of them and carefully avoid them, the cost of control would climb straight up. Finding and locating risks quickly through code scanning protects digital assets at the lowest cost. Static application security testing (SAST) is also one of the most basic, lowest-threshold detection methods in DevSecOps.
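To make concrete how a scanner spots the SQL injection and command execution patterns just mentioned, here is a minimal AST-based rule set for Python source. It is an added example, not code from the article or from any real scanner: the rule ids, the sink lists and the vulnerable and hardened snippets are constructed for illustration. The detector flags calls whose first argument becomes a SQL statement or a shell command and is built at runtime by formatting or concatenation, and passes when the argument is a constant or the query is parameterised.

```python
"""Minimal SAST rules for Python: SQL built by string formatting, and shell
commands built from variables (added example, constructed sinks and samples).
"""
import ast
from dataclasses import dataclass
from typing import List

# Method names whose first argument is interpreted as SQL or as a command.
SQL_SINKS = {"execute", "executemany", "executescript"}
SHELL_SINKS = {"system", "popen"}                       # os.system / os.popen
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when `node` assembles a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                          # f"..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                               # "a" + b, "%s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                         # "...".format(b)
    return False


def _callee_name(call: ast.Call) -> str:
    """Last component of the called name: `cursor.execute` -> `execute`."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    if isinstance(call.func, ast.Name):
        return call.func.id
    return ""


def _shell_true(call: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(source: str) -> List[Finding]:
    """Run both rules over one file's text and return the findings."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name, first = _callee_name(node), node.args[0]
        if name in SQL_SINKS and _is_dynamic_string(first):
            findings.append(Finding("sql-injection", node.lineno,
                                    "SQL built by string formatting; use a parameterised query"))
        elif name in SHELL_SINKS and _is_dynamic_string(first):
            findings.append(Finding("command-injection", node.lineno,
                                    "shell command built from variables"))
        elif name in SUBPROCESS_FUNCS and _is_dynamic_string(first) and _shell_true(node):
            findings.append(Finding("command-injection", node.lineno,
                                    "subprocess with shell=True and a formatted command"))
    return findings


def rules_triggered(source: str) -> List[str]:
    """Ordered rule ids for one file, for quick comparison."""
    return [f.rule for f in scan_source(source)]


# Constructed sample: a vulnerable handler pair and its hardened counterpart.
VULNERABLE = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
    return cursor.fetchone()

def ping(host):
    import os
    return os.system("ping -c 1 " + host)
'''

HARDENED = '''
def find_user(cursor, name):
    cursor.execute("SELECT * FROM users WHERE name = ?", (name,))
    return cursor.fetchone()

def ping(host):
    import subprocess
    return subprocess.run(["ping", "-c", "1", host], check=False).returncode
'''

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, rules_triggered(src) or "clean")
```

Real SAST tools go further (tracking taint from request parameters to the sink, understanding ORM query builders, and so on), but the shape is the same: a rule describes a dangerous sink, a check on how its arguments were produced, and a message that points the developer at the parameterised or argument-list alternative.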

4. PR risk

"Don't tease me; how did we get from code quality to public relations?" Don't laugh yet, look at a news item: vivo's pop-up camera: rogue-software detector or IQ tester?

Source: Product Play

Simply put, when an Android app reads camera parameters, the function it calls may trigger the pop-up camera to rise; but onlookers will not dig into the technical details here. The camera came up, therefore the app wanted to photograph the user. It was a real PR crisis at the time and caused plenty of trouble for everyone involved. While debunking the rumours, Tencent also put together a sensitive-API scanning scheme: scan the project for sensitive interfaces with a code scanning tool and remind developers to check and confirm them, so as to head off larger risks.

How code scanning should be used

From the above you may gradually appreciate the value of code scanning for a team: it ensures code quality and security in a low-threshold, non-intrusive way. So you download tools such as SonarQube, SpotBugs and Checkstyle, and after a little configuration they run locally or on the Jenkins pipeline. But if code scanning is mostly local and offline, why does CODING offer code scanning on an online platform?

Scan locally, synchronise rules with the remote

Even when scanning locally, we do not want the local rules to differ from the remote ones, so that code which passes the local scan is rejected after being pushed. The most reasonable solution is infrastructure as code (IaC): store the scanning scheme and filter conditions as a configuration file in the repository.

However, not all tool rule configuration can be managed locally; filter conditions, the compare branch and other items strongly tied to the usage scenario are examples. There are two ways to handle such needs:

1. The user completes the unified configuration on the platform side (tool rules, filter conditions, compare branch and so on); once done, a configuration ID is generated. The local scan is then driven not by a local configuration file but by the remote configuration ID.

codedog_client localscan --config 001

2. Localise the platform configuration: the scanning platform defines a complete rule format. Local scans follow this configuration, and the platform can also parse the file and render it visually, giving one unified IaC configuration.

Assign issues to people, turn problems into responsibilities

Local scanning can find problems, but it is hard to tell who introduced them and when, so which problems need fixing and who should fix them can turn into disputes and buck-passing. A platform, however, can use the commit history to trace back when the code changed and identify the person responsible for the problem, then track problems by owner and even turn them into bugs for dedicated follow-up. Whoever pollutes, cleans up; that is only fair.

In addition, the platform can automatically close issues that the next scan shows as fixed, saving manual effort.

Code base quality tracking

Another benefit of archiving problems on the platform is a clear view of a repository's quality trend: for example, new problems introduced at some point that degrade overall quality, or a cleanup of historical debt at some point that improves it. A visual trend chart of quality fluctuation also helps team managers judge more intuitively whether they need to sound the alarm about the team's current code quality.

Quality gates: let bygones be bygones

With only local scanning there will still be careless developers who push without fixing problems. Here the platform's quality gate can intercept them: a quality gate defines the number of problems allowed in the repository, and when it is exceeded, the commit or merge request is blocked.

Usually, the first scan of a historical project turns up hundreds of legacy problems at once, and the team is unlikely to set aside time for a one-off cleanup, which leads to "giving up as soon as you start". Our advice for this scenario is to set the MR quality gate on the number of new problems, so that no new code quality issues are introduced when code is integrated, and to clean up the backlog gradually while controlling the increment (whichever file a business requirement touches, fix that file's quality problems). This way code quality slowly gets back on track.
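The "new problems only" gate described above, together with the repository-local configuration (enabled rules, filters, compare branch) discussed under "Scan locally, synchronise rules with the remote", can be sketched in a few dozen lines. The following is an added example, not CODING's implementation or any scanner's: the configuration keys, issue records and scan results are constructed for illustration. The point it makes is that matching issues between the compare branch and the merge request by a fingerprint of rule, file and normalised code text, rather than by line number, keeps an old finding from counting as new when lines are inserted above it, and also yields the list of issues the platform can auto-close.

```python
"""Quality gate on new issues only (added example, constructed data).

Issues from the compare-branch scan (baseline) and the MR scan (current)
are matched by a location-independent fingerprint, so only findings that
did not exist before count against the gate; findings that disappeared are
reported as fixed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Set

# Stand-in for a repository-local scan configuration file; keys are made up.
CONFIG = {
    "compare_branch": "main",
    "exclude": ["vendor/*", "*_test.py"],
    "rules": ["sql-injection", "mutable-default", "unused-import"],
    "max_new_issues": 0,
}


@dataclass(frozen=True)
class Issue:
    rule: str
    path: str
    line: int
    text: str          # source text of the flagged line


def fingerprint(issue: Issue) -> str:
    """Identity without the line number: rule + path + whitespace-normalised code."""
    normalised = " ".join(issue.text.split())
    return f"{issue.rule}|{issue.path}|{normalised}"


def apply_filters(issues: Iterable[Issue], config: Dict) -> List[Issue]:
    """Drop findings from excluded paths and from rules that are not enabled."""
    enabled = set(config["rules"])
    kept = []
    for issue in issues:
        if issue.rule not in enabled:
            continue
        if any(fnmatch(issue.path, pattern) for pattern in config["exclude"]):
            continue
        kept.append(issue)
    return kept


def new_issues(baseline: Iterable[Issue], current: Iterable[Issue], config: Dict) -> List[Issue]:
    """Current findings whose fingerprint does not appear in the baseline."""
    seen: Set[str] = {fingerprint(i) for i in apply_filters(baseline, config)}
    return [i for i in apply_filters(current, config) if fingerprint(i) not in seen]


def fixed_issues(baseline: Iterable[Issue], current: Iterable[Issue], config: Dict) -> List[Issue]:
    """Baseline findings no longer present; the platform can auto-close these."""
    still = {fingerprint(i) for i in apply_filters(current, config)}
    return [i for i in apply_filters(baseline, config) if fingerprint(i) not in still]


def gate(baseline: Iterable[Issue], current: Iterable[Issue], config: Dict) -> bool:
    """True when the merge request may proceed."""
    return len(new_issues(baseline, current, config)) <= config["max_new_issues"]


# Constructed scan of `main`: two legacy findings in app/db.py, one in vendor code.
BASELINE = [
    Issue("sql-injection", "app/db.py", 10, 'cur.execute("SELECT * FROM t WHERE id=%s" % uid)'),
    Issue("unused-import", "app/db.py", 1, "import json"),
    Issue("sql-injection", "vendor/lib.py", 3, 'cur.execute("DELETE FROM x WHERE k=" + k)'),
]

# Constructed scan of the MR branch: five lines were inserted above the legacy
# query (line 10 -> 15, spacing changed), the unused import was removed, and a
# new mutable-default bug was introduced in app/api.py.
CURRENT = [
    Issue("sql-injection", "app/db.py", 15, 'cur.execute("SELECT * FROM t WHERE id=%s"  % uid)'),
    Issue("mutable-default", "app/api.py", 7, "def add(item, bucket=[]):"),
    Issue("sql-injection", "vendor/lib.py", 3, 'cur.execute("DELETE FROM x WHERE k=" + k)'),
]

if __name__ == "__main__":
    print("new:", [(i.rule, i.path) for i in new_issues(BASELINE, CURRENT, CONFIG)])
    print("fixed:", [(i.rule, i.path) for i in fixed_issues(BASELINE, CURRENT, CONFIG)])
    print("gate passed:", gate(BASELINE, CURRENT, CONFIG))
```

Here the legacy SQL injection moved from line 10 to line 15 yet is not reported as new, the removed import is reported as fixed, and the MR is blocked solely because of the mutable-default bug it introduced; raising `max_new_issues` to 1 lets it through. Fingerprints based on normalised text are not perfect (editing the flagged line itself makes an old issue look new), which is why real platforms combine them with commit history as described in the previous section.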

Summary

To some extent we agree that the larger the team, the more it needs code scanning tools to help it raise standards and efficiency in dealing with specification and complexity problems. For SMBs and individual developers, code scanning is still the lowest-cost quality improvement tool. We hope the cases and scenarios above help readers quickly locate the sticking points in their projects and resolve them smoothly, pay attention to every line of code in each iteration, and pass on a good code culture.



Copyright notice
This article was written by CODING; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/07/20210714131423112f.html