static-code-analysis

Heap Inspection Security Vulnerability

半世苍凉 submitted on 2020-01-12 14:34:34
Question: I have run my Java app against the Checkmarx tool for security vulnerabilities and it is constantly giving an issue, Heap Inspection, for my password field, for which I use a character array. It doesn't give any more explanation than just pointing out the declaration of the password field: private char[] passwordLength; Could anyone help me out here? What more can I look for to resolve this? Answer 1: Heap Inspection is about sensitive information stored in the machine's memory unencrypted, so that if

Why does Cppcheck not find this obvious array out-of-bounds error?

人盡茶涼 submitted on 2020-01-03 09:03:37
Question: I installed the Cppcheck tool for static code analysis of my C++ project and got the feeling that it performs poorly. For example, can anyone tell me why Cppcheck is unable to find an array out-of-bounds error in the following code? void f(int c) { char *p = new char[10]; p[c] = 42; } void g() { f(100); } There's an online demo where this code can be conveniently checked using Cppcheck. All it comes up with is a memory leak at line 4, no sign of a potential buffer overflow. Answer 1: Because it

Error in FxCop Phoenix analysis engine

人走茶凉 submitted on 2020-01-01 11:45:20
Question: So I'm trying to run a bunch of rules which are defined in a RuleSet. The RuleSet file is actually generated using SonarQube; I've selected absolutely all rules in there, including the FxCop, ReSharper and StyleCop rules. I'm kicking off FxCop like this: C:/FxCop/FxCopCmd.exe /file:C:\TestProject\bin\TestProject.dll /ruleset:=C:\TestProject\testproject.ruleset /out:C:\TestProject\fxcop-report.xml /outxsl:none /forceoutput /searchgac /aspnet It starts correctly, but I get the following

Prevent duplication in Repeating Annotations

柔情痞子 submitted on 2019-12-25 01:19:36
Question: Repeating annotations such as @Scheduled allow multiple annotations, but they also allow duplicated values in different annotations, which can cause unexpected results. Simple example using @Scheduled with duplicated fixedRate values: private static final long TIME = 1000 * 60 * 1L; // 1 minute private static final long TIME2 = 1000 * 60 * 1L; // 1 minute @Scheduled(fixedRate = TIME) @Scheduled(fixedRate = TIME2) public synchronized void refresh() { It will execute the scheduled task twice per minute

CPPcheck html report

和自甴很熟 submitted on 2019-12-24 05:30:16
Question: I have a question: is there any way to generate one HTML file from a few XML files using cppcheck-htmlreport? Normally I do this: /cppcheck-htmlreport --file /vobs/stn/dev/linux/cppcheck/xmlreport_v1.xml --title "xml1 test" --report-dir . Now I want to do something like this: /cppcheck-htmlreport --file /vobs/stn/dev/linux/cppcheck/*.xml --title "xml1 test" --report-dir . But when I run that command, cppcheck converts only one XML file... Can anybody help me? I'm sorry for my weak English. Answer 1: Did

Any alternative to Coverity on Jenkins? [closed]

拥有回忆 submitted on 2019-12-23 12:29:10
Question: Closed. This question is off-topic. It is not currently accepting answers. Want to improve this question? Update the question so it's on-topic for Stack Overflow. Closed 5 years ago. I'm running Jenkins on my Ubuntu desktop. I need a static code analysis report before pushing my C++ code. I found that Coverity is expensive. I'm looking for a free analysis tool. Are there any alternatives to Coverity? Answer 1: I recommend SONAR (or SonarQube as it is now called); you can use it with multiple

Mixing datetime.strptime() arguments

依然范特西╮ submitted on 2019-12-23 08:18:06
Question: It is quite a common mistake to mix up the datetime.strptime() format string and date string arguments, using: datetime.strptime("%B %d, %Y", "January 8, 2014") instead of the other way around: datetime.strptime("January 8, 2014", "%B %d, %Y") Of course, it would fail at runtime: >>> datetime.strptime("%B %d, %Y", "January 8, 2014") Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/

How to do static analysis for C++ code with Eclipse cdt?

99封情书 submitted on 2019-12-23 05:59:15
Question: I need to get the static information of a C++ program with CDT. No need to build the project, just to get the basic information (namespace, class, extends relation, method, call, field) and save it to a database. Are there any code examples or open-source plugins? Thanks! I have tried a lot of methods but they do not work very well. Someone says that Codan is a choice, but it doesn't work in my environment... PS: CDT is necessary. I use Eclipse Indigo. Answer 1: Eclipse CDT already has built-in tools for

How to do static analysis for C++ code with Eclipse cdt?

╄→尐↘猪︶ㄣ submitted on 2019-12-23 05:58:49
Question: I need to get the static information of a C++ program with CDT. No need to build the project, just to get the basic information (namespace, class, extends relation, method, call, field) and save it to a database. Are there any code examples or open-source plugins? Thanks! I have tried a lot of methods but they do not work very well. Someone says that Codan is a choice, but it doesn't work in my environment... PS: CDT is necessary. I use Eclipse Indigo. Answer 1: Eclipse CDT already has built-in tools for

Doesn't Visual Studio 2015 Community edition support live code analyzer?

坚强是说给别人听的谎言 submitted on 2019-12-23 05:26:31
Question: I have Visual Studio 2015 Professional (on Windows 7) and Visual Studio 2015 Community (on Windows 10), both of which have the latest Update 1 installed. I have the exact same solution opened in both of them. Both also have the Refactoring Essentials for Visual Studio plug-in installed. In the Professional edition I can clearly see that the live code analyzer actually works: you can see the wavy lines under files, folders, projects and the solution. When I hover the mouse over them I can preview the issue before I