
Level Up Your Development Workflow with Static Analysis

Devon Blandin

March 29, 2016
Transcript

  1. STATIC VS DYNAMIC ANALYSIS

    Dynamic analysis tests and evaluates the behavior of software during execution. Static analysis evaluates software as it is written or defined.

    Tools pictured: Reek, brakeman.
  2. EXAMPLE OF DYNAMIC ANALYSIS

    Source: discourse/discourse - app/models/user.rb

    ```ruby
    class User < ActiveRecord::Base
      # ...
      def approve(approved_by,send_mail=true)
        self.is_approved = true
        if approved_by.is_a?(Fixnum)
          self.approved_by_id = approved_by
        else
          self.approved_by = approved_by
        end
        self.approved_at = Time.now
        if save and send_mail
          Jobs.enqueue(:user_email,
            type: :signup_after_approval,
            user_id: id,
            email_token: email_tokens.first.token
            )
          # ...
        end
      end
    end
    ```

    The behavior is exercised by running the code under a spec:

    ```ruby
    describe ".approve" do
      before do
        user.approve(admin)
      end

      it "enqueues a 'signup after approval' email" do
        Jobs.expects(:enqueue).with(
          :user_email,
          has_entries(type: :signup_after_approval)
        )
      end

      it "marks the user as approved" do
        expect(user).to be_approved
      end

      it "has the admin as the approved by" do
        expect(user.approved_by).to eq(admin)
      end

      it "has a value for approved_at" do
        expect(user.approved_at).to be_present
      end
    end
    ```
  3. EXAMPLE OF STATIC ANALYSIS

    Source: discourse/discourse - app/models/user.rb (the slide introduces the `apprved_by` typo deliberately so that RuboCop reports an unused argument)

    ```ruby
    class User < ActiveRecord::Base
      # ...
      def approve(apprved_by,send_mail=true)
        self.is_approved = true
        if approved_by.is_a?(Fixnum)
          self.approved_by_id = approved_by
        else
          self.approved_by = approved_by
        end
        self.approved_at = Time.now
        if save and send_mail
          Jobs.enqueue(:user_email,
            type: :signup_after_approval,
            user_id: id,
            email_token: email_tokens.first.token
            )
          # ...
        end
      end
    end
    ```

    RuboCop output for this file, without executing it:

    ```
    Use `&&` instead of `and`. [rubocop]
    Method has too many lines. [14/10] [rubocop]
    Inconsistent indentation detected. [rubocop]
    Surrounding space missing in default value assignment. [rubocop]
    Space missing after comma. [rubocop]
    Align `)` with `(`. [rubocop]
    Align the parameters of a method call if they span more than one line. [rubocop]
    Unused method argument - `apprved_by` [rubocop]
    ```
  4. WHY USE STATIC ANALYSIS?

    ▸ Enforce team and community code style guidelines
    ▸ Detect security vulnerabilities in your code and dependencies
    ▸ Detect complexity, duplication, and other code smells
  5. ENFORCE TEAM AND COMMUNITY CODE STYLE GUIDELINES

    ▸ Maintain a styleguide within your organization
    ▸ Set up a process for updating your styleguide
    ▸ Use static analysis tools to automatically flag styleguide violations
    ▸ Share default configuration for static analysis tools

    Static analysis tools that check for style violations: pep8, SCSS Lint
  6. DETECT SECURITY VULNERABILITIES

    ▸ brakeman: scans your Ruby on Rails code for vulnerabilities
    ▸ bundler-audit, node security project: scan your project for vulnerable dependencies
  7. DETECT SECURITY VULNERABILITIES: NODE SECURITY PROJECT

    Input scanned by nsp (a dependency listing with a pinned version of `marked`):

    ```json
    {
      "name": "demo",
      "version": "1.0.0",
      "dependencies": {
        "marked": {
          "version": "0.3.3"
        }
      }
    }
    ```
  8. DETECT SECURITY VULNERABILITIES: BUNDLER AUDIT

    Input scanned by bundler-audit (a Gemfile.lock fragment):

    ```
    GEM
      remote: https://rubygems.org/
      specs:
        actionmailer (4.2.4)
          actionpack (= 4.2.4)
          actionview (= 4.2.4)
          activejob (= 4.2.4)
          mail (~> 2.5, >= 2.5.4)
          rails-dom-testing (~> 1.0, >= 1.0.5)
        actionpack (4.2.4)
          actionview (= 4.2.4)
          activesupport (= 4.2.4)
          rack (~> 1.6)
          rack-test (~> 0.6.2)
          rails-dom-testing (~> 1.0, >= 1.0.5)
          rails-html-sanitizer (~> 1.0, >= 1.0.2)
        actionview (4.2.4)
          activesupport (= 4.2.4)
          builder (~> 3.1)
    ```
  9. DETECT SECURITY VULNERABILITIES

    ▸ Use Brakeman to detect vulnerabilities in Rails code
    ▸ Use bundler-audit and NSP to detect vulnerable dependencies

    Static analysis tools that check for security vulnerabilities: brakeman, bundler-audit, node security project
  10. DETECT COMPLEXITY, DUPLICATION, AND OTHER CODE SMELLS

    > Smells are indicators of where your code might be hard to read, maintain or evolve, rather than things that are specifically wrong.
    > - reek project
  11. DETECT COMPLEXITY, DUPLICATION, AND OTHER CODE SMELLS

    ▸ Detect complexity and duplication
    ▸ Detect language- or framework-specific smells

    Static analysis tools that check for complexity and/or code smells: PHP Mess Detector, Radon, Reek, ShellCheck, HLint
  12. HONORABLE MENTIONS

    ▸ Use static analysis when you're learning a new language/framework
    ▸ Use static analysis for Markdown or prose
  13. WHEN DO I RUN STATIC ANALYSIS?

    ▸ On the command line
    ▸ Within your editor
    ▸ During or alongside CI
  14. ESLINT RULE EXAMPLE

    ```javascript
    /**
     * @fileoverview Rule to flag use of ternary operators.
     * @author Ian Christian Myers
     */

    "use strict";

    //------------------------------------------------------------------------------
    // Rule Definition
    //------------------------------------------------------------------------------

    module.exports = function(context) {
        return {
            "ConditionalExpression": function(node) {
                context.report(node, "Ternary operator used.");
            }
        };
    };

    module.exports.schema = [];
    ```
  15. RUBOCOP RULE EXAMPLE

    ```ruby
    module RuboCop
      module Cop
        module Style
          # This cop checks for the use of the send method.
          class Send < Cop
            MSG = 'Prefer `Object#__send__` or `Object#public_send` to ' \
                  '`send`.'.freeze

            def on_send(node)
              _receiver, method_name, *args = *node
              return unless method_name == :send && !args.empty?
              add_offense(node, :selector)
            end
          end
        end
      end
    end
    ```
  16. CODE CLIMATE SPEC

    One issue as emitted by a Code Climate engine (here bundler-audit's finding for the Gemfile.lock above):

    ```json
    {
      "categories": ["Security"],
      "check_name": "Insecure Dependency",
      "content": {
        "body": "**Advisory**: CVE-2015-7581\n\n**URL**: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE\n\n**Solution**: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14"
      },
      "description": "Object leak vulnerability for wildcard controller routes in Action Pack",
      "fingerprint": "06ae795b91e09069846af543d755b9e1",
      "location": {
        "lines": { "begin": 18, "end": 18 },
        "path": "Gemfile.lock"
      },
      "remediation_points": 50000,
      "severity": "normal",
      "type": "Issue"
    }
    ```
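Slides 8 and 16 together describe what a dependency-scanning Code Climate engine does: read a Gemfile.lock, match resolved gems against advisories, and emit one issue per insecure dependency in the spec format. The Ruby below is an added example, not code from the talk or from bundler-audit: it runs the slide's single advisory against a constructed lockfile; the inline advisory table and the fingerprint scheme are this example's own assumptions.

```ruby
require "json"
require "digest"
# Constructed Gemfile.lock fragment laid out like the slide's bundler-audit input.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (4.2.4)
        actionpack (= 4.2.4)
      actionpack (4.2.4)
      actionview (4.2.4)
LOCK
# Advisory data copied from the slide's Code Climate issue; patched ranges are its Solution line.
ADVISORIES = [{
  gem: "actionpack", id: "CVE-2015-7581",
  url: "https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE",
  description: "Object leak vulnerability for wildcard controller routes in Action Pack",
  patched: [">= 4.2.5.1, ~> 4.2.5", ">= 4.1.14.1, ~> 4.1.14"],
}].freeze
# Resolved gems are at exactly 4 spaces as "name (version)"; deeper dependency lines are skipped.
def parse_lock_specs(lock_text)
  lock_text.lines.each_with_index.map do |raw, idx|
    m = raw.chomp.match(/\A {4}(\S+) \((\d[^)]*)\)\z/)
    { name: m[1], version: m[2], line: idx + 1 } if m
  end.compact
end

# Vulnerable unless the installed version satisfies at least one patched requirement set.
def vulnerable?(version, patched)
  v = Gem::Version.new(version)
  patched.none? { |set| Gem::Requirement.new(*set.split(", ")).satisfied_by?(v) }
end

# One issue in the slide's Code Climate shape; the fingerprint scheme is this example's own.
def build_issue(spec, adv, path = "Gemfile.lock")
  { "type" => "Issue", "check_name" => "Insecure Dependency", "categories" => ["Security"],
    "severity" => "normal", "remediation_points" => 50_000, "description" => adv[:description],
    "content" => { "body" => "**Advisory**: #{adv[:id]}\n\n**URL**: #{adv[:url]}\n\n" \
                             "**Solution**: upgrade to #{adv[:patched].join(', ')}" },
    "fingerprint" => Digest::MD5.hexdigest("#{path}:#{spec[:name]}:#{adv[:id]}"),
    "location" => { "path" => path, "lines" => { "begin" => spec[:line], "end" => spec[:line] } } }
end

def scan(lock_text, advisories = ADVISORIES)
  parse_lock_specs(lock_text).flat_map do |spec|
    advisories.select { |a| a[:gem] == spec[:name] && vulnerable?(spec[:version], a[:patched]) }
              .map { |a| build_issue(spec, a) }
  end
end
# Engine protocol: every issue is one JSON document on STDOUT, terminated by a NUL byte.
scan(LOCKFILE).each { |issue| $stdout.print(JSON.generate(issue), "\0") } if $PROGRAM_NAME == __FILE__
```

Running it reports only actionpack: 4.2.4 falls outside both patched ranges, while actionmailer and actionview have no advisory in the table.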
  17. LEVEL UP YOUR DEVELOPMENT WORKFLOW WITH STATIC ANALYSIS

    ▸ Enforce team and community code style guidelines
    ▸ Detect security vulnerabilities in your code and dependencies
    ▸ Detect complexity, duplication, and other code smells
    ▸ Run static analysis locally or during CI
    ▸ Write your own tool extensions or Code Climate engines