Author of this article: Pan Jinchi, CODING Product Director
Head of the Tencent Cloud R&D platform, with ten years of experience building R&D efficiency
Head of the CODING code scanning product
A young man was smoking at the entrance of an office building. A passerby walking past said to him: "Do you know that this stuff is harmful to your health? Have you noticed the Warning on the cigarette pack?"
The young man said: "No problem, I'm a programmer."
The passerby said: "So what?"
The programmer replied: "We never care about Warnings, only about Errors."
Starting with a smile, this is an "enlightenment" read for users who rarely use or understand code scanning tools. On the one hand, code scanning has a certain technical barrier: it touches lexical and syntactic analysis, compiler instrumentation, pattern recognition, security and other related fields, so the material can be hard to follow. On the other hand, the public still holds many misconceptions about code scanning products and the field, which greatly affects the experience of using them; worse, Lint/Style checking is often equated directly with scanning, which is laughable.
CODING code scanning has provided scanning services for 5000+ teams since its trial opening, helping development teams discover a large number of hidden code defects, security vulnerabilities and non-compliant code. Through this article, using some common scenarios as examples, I hope to explain the value and usage of code scanning in an easy-to-understand way, help readers understand it deeply and get started quickly, and let code scanning products play their greatest role in helping enterprises build DevSecOps.
What is the value of code scanning
Leaving aside the long-standing concepts of shift-left quality or built-in quality, from a practical perspective code scanning is often the second step of a team's transformation to DevOps (the first step is continuous integration / a pipeline). One reason is that a pipeline that only compiles, packages and deploys is a little thin. The second is that, compared with unit tests, interface automation and e2e automation, the cost of adopting code scanning is the lowest. Taking Jenkins as an example, operations only need to install the SonarQube plug-in in the Jenkins cluster and add one line of commands to the Jenkinsfile to complete code scan integration, without any involvement from developers.
In addition, developers with even a slight sense of code culture will install plug-ins in their local IDE for local inspection. As soon as a syntax or style problem appears, the IDE can mark a warning directly, or even repair it automatically.
Things that are easy to get are often the easiest to overlook. The IDE's auto-inspect/format, or the silent execution of the pipeline, makes it easy for R&D teams to lose their perception of code scanning and its value: "I ran a style check, so the code inspection task is done", "the schedule is too tight, I'll look at the scan findings later", "the problems found by code scanning are harmless", "the code scanning tool/pipeline stage can be ...". In fact, major software and Internet vendors spend millions every year on licenses for various scanning products (SonarQube, Coverity, Checkmarx, etc.), and these companies are industry leaders valued at more than 1 billion (Sonar raised US$45 million in financing in 2016, and Coverity was acquired for US$375 million in 2014). A huge market value and a humble sense of presence: why does this happen? To figure this out, first look at what problems code scanning can help us find.
0. Programming syntax issues
The reason this is listed as item 0 is that I think it does not even belong within the scope of code scanning. Many IDEs and plug-ins now integrate syntax-checking functions that help developers check, flag and even automatically fix syntax problems during development, and this does solve some code quality problems, but that is the responsibility of the parser. It has little to do with code scanning.
1. Code specification issues
Many readers will show the "I knew it" expression here, because this is the most common impression code scanning currently leaves: checking whether there are comments, whether indentation uses spaces or tabs, whether the opening brace starts a new line or follows the previous line, and so on. Checks like these easily lead to controversy within a team. At the same time, because this type of problem does not prevent the functional logic from running correctly (don't care about Warnings, only care about Errors), many people's attempts at code scanning stop right here.
However, are code specifications really irrelevant?
Without a specific reminder here, would you realize that the return values in this dynamic-language function are inconsistent, and what trouble that may cause later?
Without a specific reminder here, would you realize that the parameter here is a mutable object, and what problems that may introduce?
If you keep allowing for, if and try to nest like this, how will this part of the code be read afterwards?
After the model fields are changed later, will you remember that several copies of the same code need to be modified?
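The first two reminders above are exactly the kind of rule a scanner evaluates. As an added illustration (not CODING's own scanner; the rule names and the sample input are constructed for this example), here is a toy rule engine on Python's ast module that flags mutable default arguments and functions whose return paths mix a value with None:

```python
import ast

# Default values of these node types are created once, at definition time,
# and shared by every call, so state leaks from one call into the next.
MUTABLE_DEFAULTS = (ast.List, ast.Dict, ast.Set)


def _returns_none(ret: ast.Return) -> bool:
    """True for a bare `return` or an explicit `return None`."""
    return ret.value is None or (
        isinstance(ret.value, ast.Constant) and ret.value.value is None)


def check_source(source: str) -> list:
    """Scan Python source text and return (rule_id, line) findings."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Rule MUTABLE_DEFAULT: a list/dict/set literal used as a default.
        for default in node.args.defaults + node.args.kw_defaults:
            if isinstance(default, MUTABLE_DEFAULTS):
                findings.append(("MUTABLE_DEFAULT", default.lineno))
        # Rule INCONSISTENT_RETURN: some paths return a value, others None,
        # so every caller must handle two result shapes. (Returns inside
        # nested functions are attributed to the outer one in this toy;
        # a real scanner scopes them properly.)
        returns = [n for n in ast.walk(node) if isinstance(n, ast.Return)]
        if any(_returns_none(r) for r in returns) and \
                any(not _returns_none(r) for r in returns):
            findings.append(("INCONSISTENT_RETURN", node.lineno))
    return findings


# Constructed sample input: the first two functions should be flagged.
SAMPLE = '''
def add_item(item, bucket=[]):
    bucket.append(item)
    return bucket

def find_user(users, name):
    for u in users:
        if u["name"] == name:
            return u
    return None

def total(xs):
    return sum(xs)
'''

if __name__ == "__main__":
    for rule, line in check_source(SAMPLE):
        print(f"line {line}: {rule}")  # line 2: MUTABLE_DEFAULT, line 6: INCONSISTENT_RETURN
```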
Scanning for code specification issues is the most effective means of dealing with "toxic code". At the same time, for projects with many collaborators, following a unified code specification is also essential if you want to avoid the scenario of "when I wrote this code, only God and I knew what it meant; a month later, only God knows".
2. Functional defects
Many people take a gamble: "My code may only live in this version and nobody will need to maintain it later, so as long as it runs it's fine." Then let code scanning help confirm: can your code really run?
Are you sure you can catch these null pointer problems through testing?
How hard is it to find array out-of-bounds problems through manual code review?
Not to mention memory leaks like this one: without a tool to help, locating them by hand takes real effort in managing memory.
From this point of view, code scanning is equivalent to testing: an effective means of ensuring that the application functions correctly, and one that can uncover deeper technical problems more efficiently.
3. Security flaws
Some readers may also think: "My function is very simple, the test passed after a few clicks, there is no other problem." But beyond satisfying users functionally, an application also needs to be secure. Cases like Marriott leaking user data and being heavily fined are still fresh in memory. How sure are we that we will not be the next target?
Source: InfoQ Wanjia
An important entry point for database-dumping attacks is SQL injection, and this type of problem is easily found with code scanning tools.
Remote command execution is another common way to take over a target machine. Many widely used open source components have been exposed to similar problems. Are you sure your security awareness is better than Apache's?
There are also many other attack methods such as CSRF, XSS, XXE and deserialization. If every front-line programmer had to know all of these well and carefully avoid them, the cost of control would rise sharply. Finding and locating risks quickly through code scanning safeguards digital assets at the lowest cost, and static application security testing (SAST) is also one of the most basic and lowest-threshold detection methods in DevSecOps.
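To make concrete how a SAST rule finds the SQL injection entry point described above, here is an added example (not CODING's or any vendor's rule; the sink names and the sample code are constructed for this illustration) that flags execute() calls whose query text is assembled at runtime and accepts the parameterized form:

```python
import ast

# Database-API methods that execute query text (the "sinks").
SINKS = {"execute", "executemany"}


def is_dynamic_query(arg: ast.AST) -> bool:
    """True when the query text is assembled at runtime from other values."""
    if isinstance(arg, ast.JoinedStr):      # f"... WHERE name = '{name}'"
        return True
    if isinstance(arg, ast.BinOp):          # "..." + name   or   "... %s" % name
        return True
    if isinstance(arg, ast.Call):           # "... {}".format(name)
        return isinstance(arg.func, ast.Attribute) and arg.func.attr == "format"
    return False                            # literal SQL or a plain variable


def find_sql_sinks(source: str) -> list:
    """Return line numbers of sink calls whose query is built dynamically.

    Limitation: a variable that was assigned a formatted string earlier is
    not followed; real SAST tools add taint tracking across assignments.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS
                and node.args
                and is_dynamic_query(node.args[0])):
            hits.append(node.lineno)
    return hits


# Constructed sample: three injectable queries, then the parameterized form.
SAMPLE = '''
def bad_lookup(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")
    cur.execute("SELECT id FROM users WHERE name = '%s'" % name)

def good_lookup(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))
    query = "SELECT id FROM users WHERE name = ?"
    cur.execute(query, (name,))
'''

if __name__ == "__main__":
    print(find_sql_sinks(SAMPLE))  # [3, 4, 5]
```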
4. Public relations risks
"Don't be ridiculous, how can you bring up PR issues when talking about code quality?" Don't laugh; read this piece of news first: vivo's pop-up camera: rogue software detector or IQ appraiser?
Simply put, when an Android application obtains camera parameters, the function it calls may trigger the pop-up camera to rise. Ordinary users will not dig into the technical implementation details here; they simply conclude that the camera was turned on to photograph them secretly. This was an out-and-out public relations crisis at the time, causing plenty of trouble for all parties involved. To guard against similar rumours, Tencent also put together a sensitive-API scanning solution that uses code scanning tools to scan for sensitive interfaces in a project and reminds developers to check and confirm them themselves, preventing greater risks.
How to use code scanning
From the above you may gradually come to see the value code scanning brings to a team: ensuring code quality and security in a low-threshold, non-intrusive way. You could then download SonarQube, Spotbugs, Checkstyle and other tools, configure them simply and run them locally or in a Jenkins pipeline. But since code scanning leans towards being a local, offline tool, why does CODING provide code scanning on an online platform?
Local scanning, rules and remote synchronization
Even for local scanning, we do not want the local rules to differ from the remote rules, otherwise code that passes the local scan is rejected once it is pushed. The most reasonable way to solve this is IaC: the scanning scheme and filter conditions are saved as local configuration files.
But not every tool's rule configuration can be managed locally, for example filter conditions, comparison branches and other configuration items that are strongly tied to the application scenario. There are two ways to meet such demands:
- The user completes a unified configuration (tool rules, filter conditions, comparison branches, etc.) on the platform side and receives a configuration ID once it is done. The local scan is then driven not by a local configuration file but by the remote configuration ID:
codedog_client localscan --config 001
- Localizing the platform configuration means the scanning platform defines a complete rule format. Local scans follow this configuration, and the platform can also parse the same file to generate a visual display, achieving a unified IaC configuration.
Refine to people and turn problems into responsibilities
Local scanning can find problems, but it is hard to determine who introduced a problem and when. Whether a problem should be fixed, and by whom, therefore leaves room for arguments and excuses. On the platform, the code commit records make it possible to trace back to the moment a change was made, identify the person responsible for the problem, and track problems with the responsible person as the view; a problem can even be turned into a dedicated bug item for follow-up. Whoever introduces the pollution cleans it up, which is entirely reasonable.
In addition, the platform can automatically close problems that have been fixed, based on the results of the next scan, saving manual work.
Code base quality tracking
Archiving issues on the platform has a further benefit: the code quality trend of a repository becomes clearly visible, for example that new problems introduced at some point led to an overall deterioration in quality, or that a cleanup at some point improved the historical quality. A visual quality trend chart also helps team managers judge more intuitively whether it is time to sound the alarm about the team's code quality.
Quality gates: whatever gets through is traceable
With local scanning alone, there will still be "broad-minded" developers who push to the remote without fixing the problems. This is where the quality gate provided on the platform side can intercept them. A quality gate defines how many issues the current repository is allowed to have; when that number is exceeded, the push or merge request is blocked.
Usually, a historical project scanned for the first time turns up hundreds or thousands of outstanding issues, and the team is unlikely to set aside time to fix them all at once, which leads to "giving up as soon as you start". For this scenario our suggestion is to gate on the number of new issues, so that no new code quality problems are introduced when code is merged. While the increment is controlled, the backlog is cleaned up gradually (whichever file a business requirement touches, that file's code quality problems are fixed), and in this way code quality is slowly brought back onto the right track.
Summary
To some extent we recognise that the larger the team, the more it needs code scanning tools to raise its standards and efficiency in dealing with conventions and complex problems. For SMBs and individual developers, code scanning is still the quality-improvement tool with the lowest adoption cost. I hope the cases and scenarios above help readers quickly locate the sticking points in their projects and resolve them smoothly, pay attention to every line of code they iterate on, and pass on an excellent code culture.