Tool for incremental static analysis of code?

Are there any free tools which allow incremental static analysis of code (for SVN and preferably Git)? Currently we are using Sonar (2.12 I think?) but the problem is the time it needs to analyse all the code in our project, which is 40-60 minutes. And we need to multiply it since we have several branches working on different subprojects.

That is why I am looking for a tool that could analyse the code from only the latest commit (which, to my knowledge, Sonar does not support) or only the code that has been modified in the last X hours/days/whatever.

I have found the Cutoff Plugin for Sonar, which supposedly does what I want (checks only the code from the files that have been modified after a certain date), but:

  1. I still need to check if it works
  2. check if it supports dynamic date changes (so it would only take into consideration the code from, i.e., the last day and not that I would have to change the exclude date manually daily).
  3. it doesn't seem to be well supported (last change in 2010 and it is still in version 0.1)

It would be perfect if it only checked the code from the last commit, but I haven't seen that anywhere.

Also, as a side question: is running the analysis after every commit (i.e. using the Hudson Sonar plugin) a good thing or should it be avoided? At my last team we had Sonar run like that and we'd get an instant email if we "broke it" (added a major/critical to the code). This was very convenient as we knew who was at fault (based on the info from the commit). Or should we instead analyse it less frequently (let's say once a week)? In that case I would have to check if Sonar would be able to say who committed the problematic code.

There are very few, especially since many tools/rules rely on walking the possible stacks to limit the number of false positives. So a change in one assembly would require re-evaluation of the calling assemblies as well; it's not as simple as it looks from the outside.

To speed up the static analysis, consider investing in a memory disk or an SSD to store the sources and binaries. Use a multi-core machine, have plenty of memory and run the x64 version of these tools whenever possible. Many of these tools are first I/O and then CPU limited. Most improvements can be found by reducing the latency and throughput of the system and the amount of swapping required (by having enough memory) to further reduce I/O.

You can also use a buddy build/validate shelveset build on a build server to offload the build time to a different machine which can be shared among developers.
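The two halves of the problem raised so far, selecting only what the last commit (or the last X days) touched, and then widening that set to the callers a stack-walking rule would also need to re-check, can be scripted around any analyser. The following is an added example, not code from the question, the answers, Sonar or its Cutoff plugin. It parses `git diff --name-status` output (the `SAMPLE_DIFF` text is constructed), skips deleted files and uses the new path for renames, and then closes the changed set over a caller map; that map (`SAMPLE_CALLERS`) is a constructed stand-in for whatever dependency information the build produces, since Git itself knows nothing about call graphs.

```python
"""Pick the files an incremental static-analysis pass must re-check.

Added example (not from the original question or answers). Two steps:
  1. parse `git diff --name-status` output into the set of changed,
     still-existing source files (deleted files cannot be analysed;
     renamed files are analysed under their new path);
  2. expand that set through a reverse dependency map, because a rule
     that walks call stacks must also re-check the callers of a changed
     module. The map used here is constructed for the demo.
"""
from __future__ import annotations

import subprocess
from collections import deque

SOURCE_SUFFIXES = (".java",)

# Constructed sample of `git diff --name-status` output: one modified,
# one added, one deleted, one renamed (with similarity score) and one
# non-source file.
SAMPLE_DIFF = (
    "M\tsrc/main/java/com/acme/Order.java\n"
    "A\tsrc/main/java/com/acme/Invoice.java\n"
    "D\tsrc/main/java/com/acme/Legacy.java\n"
    "R092\tsrc/main/java/com/acme/Cart.java\tsrc/main/java/com/acme/Basket.java\n"
    "M\tREADME.md\n"
)

# Constructed reverse dependency map: callers[f] = files that depend on f.
# Contains a cycle (Checkout <-> Shop) to show the closure terminates.
SAMPLE_CALLERS = {
    "src/main/java/com/acme/Order.java": {"src/main/java/com/acme/Checkout.java"},
    "src/main/java/com/acme/Checkout.java": {"src/main/java/com/acme/Shop.java"},
    "src/main/java/com/acme/Shop.java": {"src/main/java/com/acme/Checkout.java"},
}


def parse_name_status(diff_output: str, suffixes=SOURCE_SUFFIXES) -> set[str]:
    """Turn `git diff --name-status` text into the set of files to analyse.

    Each line is a status letter (R/C carry a similarity score, e.g. R092)
    followed by tab-separated paths. Deleted files are skipped; for renames
    and copies the new path (last column) is used.
    """
    changed = set()
    for line in diff_output.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if parts[0].startswith("D"):
            continue  # the file is gone; there is nothing left to analyse
        path = parts[-1]  # last column is the new name for R/C entries
        if path.endswith(suffixes):
            changed.add(path)
    return changed


def changed_in_last_commit(repo: str = ".") -> set[str]:
    """Files changed by the most recent commit of a real checkout."""
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--name-status", "HEAD~1", "HEAD"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_name_status(out)


def changed_since(date_spec: str, repo: str = ".") -> set[str]:
    """Files changed since a date such as '1 day ago' (the dynamic cutoff).

    The last commit at or before the date is the baseline, so the cutoff
    moves with the clock instead of being edited by hand.
    """
    base = subprocess.run(
        ["git", "-C", repo, "rev-list", "-n", "1", f"--before={date_spec}", "HEAD"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    out = subprocess.run(
        ["git", "-C", repo, "diff", "--name-status", base, "HEAD"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_name_status(out)


def files_to_reanalyse(changed: set[str], callers: dict[str, set[str]]) -> set[str]:
    """Close the changed set over the reverse dependency graph.

    Every transitive dependent of a changed file is added, since a
    stack-walking rule's verdict on it may differ after the change.
    """
    result = set(changed)
    todo = deque(changed)
    while todo:
        current = todo.popleft()
        for dependent in callers.get(current, ()):
            if dependent not in result:
                result.add(dependent)
                todo.append(dependent)
    return result


if __name__ == "__main__":
    direct = parse_name_status(SAMPLE_DIFF)
    print("changed sources:", sorted(direct))
    print("to re-analyse:  ", sorted(files_to_reanalyse(direct, SAMPLE_CALLERS)))
```

The resulting set is what you would hand to PMD, Checkstyle or FindBugs as the file list for the incremental pass; the `changed_since` variant answers the "last X hours/days" case by taking the newest commit at or before that date as the diff baseline, so nothing has to be edited daily.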

I realize I'm late to the party, but there is another tool that might be relevant for you: Teamscale

Teamscale connects to your repository (e.g. Git or SVN) and analyzes your code incrementally, right after each commit. With that, you get feedback about new/fixed code problems almost immediately after your commit. You can also see the full history of your code, blacklist false positives, and much more. (Full disclosure: I'm a Teamscale developer)

There are also such tools for static analysis as:

  1. PMD
  2. Checkstyle
  3. FindBugs

There is a high chance that you will find them a useful alternative to Sonar.

You didn't mention whether you use a Continuous Integration tool or not. Probably you will need it up and running in order to run inspections using any of these tools.
