Background
For a little over a year I have been working at a B2B company. Our department mainly handles the informatization of the bidding business in the construction industry, hoping to use software to achieve "transparency, reduced burden and improved efficiency". When I first started we had about 30 customers; by now there are more than 100. Growth has been rapid, but it has also exposed a very serious problem: "poor quality, too much online feedback."
Everyone is worn down by handling online feedback every day. Demand response is slow and delivery cannot keep up with the market; if this went on for long it would hit team morale and intensify the friction between R&D and the business side. So we went through the online feedback item by item and tagged each one. The conclusion: "most of the feedback comes from logic conflicts caused by customers' individual customization needs; the code is stuffed with switches, and fixing one thing sometimes breaks another. There are also some low-level coding problems: null pointers, equals across different types, and so on." The product manager and R&D manager will take control of the requirements problem and stop accepting muddled requirements; for the low-level coding problems, I will take the lead and put forward some improvement measures.
Current status of the R&D process
"Development -> test -> go online -> retest in the online environment": a very simple process. At the beginning, with little business volume and a small team, it really caused no problems and response was quick. But now the team has grown to 30+ people and still uses this simple process, which is no longer appropriate. Some means must be added to guarantee development quality and strangle low-level mistakes in the cradle. The first step is to improve the existing R&D process by adding some necessary self-checking and code review. After the initial improvement it became: "Pull a private branch -> Development -> Self-testing -> Submit a Pull Request for merging -> Code review by colleagues in the group -> test -> go online -> retest in the online environment". In the initial stage this did bring some gains; "human flesh" review really can catch a lot of low-level issues, but when everyone is in a hurry it is completely unreliable. Those who know, know.
Bring in tools
To quote a phrase from the CTO of my previous company: "It is impossible to depend on people; it's best to rely on machines that follow the rules."
People are lazy. Relying on a management system to improve R&D quality should be encouraged but not counted on; finding the right tools is our solution, and we combine tools with management rules. Next comes the focus of this article: SpotBugs, a static code scanning tool.
Static code scanning: the concept
Static source code scanning is one of the software application security solutions that has received more attention in recent years. In software engineering it means that after the programmer writes the source code, without any compiler step, scanning tools are run directly on the source to find semantic defects and security vulnerabilities in the code, together with suggested fixes. Static scanning technology has evolved since the 1990s from coding-rule matching, which grew out of compiler technology, toward simulated full-path execution of the program. Such simulated execution covers more execution paths than dynamic execution, so it can find many defects that are hard to find with dynamic testing.
Advantages of static code scanning
The advantage of this approach is that there is no need to compile and no need to set up a runtime environment: the source code the programmer has written can be scanned as-is. It saves a lot of manpower and time and improves development efficiency, and it can find many security vulnerabilities that cannot be found by hand, reviewing the programmer's code from a hacker's perspective, which greatly reduces the project's security risk and improves software quality.
Disadvantages of static code scanning
Traditional static analysis is based on syntax parsing or on the compiler. Analyzing code defects this way evaluates the code against rule patterns; anything that matches or resembles a pattern is reported, so true and false findings must be distinguished manually. The main problems:
– False positives (reported, but not real)
– False negatives (real, but missed)
The above content comes from Baidu Encyclopedia.
Case study
Case 1: Null pointer
This is really a very low-level problem. It is not necessarily a matter of ability; it is easy to slip up when you are not paying attention: || written as &&, one ! too few, and so on.
List<Map<String, Object>> resultMap = getBasedao().queryList(sql, paramMap);
// Bug: when resultMap is null the first test is true, so isEmpty() is invoked on null
if (resultMap == null && resultMap.isEmpty()) {
}
Repair method 1:
if (resultMap == null || resultMap.isEmpty())
Repair method 2:
if (CollectionUtils.isEmpty(resultMap))
It is recommended to use a utility class for such checks. Leave the repetitive work to the utility class; it reduces the chance of mistakes and the code is more descriptive: isEmpty, isNotEmpty, and so on.
Case 2: The return value is ignored
String querySql = "select * from biz_table where id=xxx";
Map<String, Object> query = getBasedao().query(querySql);
if (query == null) {
    // Bug: String is immutable; replace() returns a new String and this result is discarded
    querySql.replace("biz_table", "biz_table_history");
    query = getBasedao().query(querySql);
}
Repair method:
Capture the return value:
querySql = querySql.replace("biz_table", "biz_table_history");
Case 3: equals on two unrelated objects
This one is definitely a matter of ability. How can "rebar" equal "concrete"? They are not even the same Class.
List<Map<String, Object>> maps = getBasedao().queryList(sql, map);
if (CollectionUtils.isEmpty(maps)) {
    return null;
}
// Bug: maps.get(0) is a Map, "" is a String; this comparison can never be true
if (maps.get(0).equals("")) {
    return null;
}
Case 4: Traversing a Map via keySet is less efficient than via entrySet
public static String getXmlDataV3(Map<String, Object> params) {
    StringBuffer buf = new StringBuffer();
    buf.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>");
    buf.append("<root>");
    buf.append("<request>");
    // Inefficient: each key is looked up again with params.get(key)
    for (String key : params.keySet()) {
        buf.append("<" + key + ">" + params.get(key) + "</" + key + ">");
    }
    buf.append("</request>");
    buf.append("</root>");
    return buf.toString();
}
Repair method:
Iterate over entrySet directly and avoid the unnecessary lookups.
for (Map.Entry<String, Object> me : params.entrySet()) {
    buf.append("<" + me.getKey() + ">" + me.getValue() + "</" + me.getKey() + ">");
}
Who knows how much feedback these problems would cause if they leaked into production?
Case review
These seven cases give an initial feel for the power of static code scanning: it helps find simple but error-prone problems before release and strangles mistakes in the cradle. The cost of letting errors reach the production environment is enormous: a null pointer that would take 2 minutes to fix may eventually ferment into a customer complaint letter, and colleagues along the whole chain have to fill the hole together.

SpotBugs installation
Install it directly from the IDEA plugin marketplace; restart after installation.
SpotBugs introduction
https://spotbugs.readthedocs.io/en/latest/introduction.html
SpotBugs usage
1. Scan the entire project
1.1 Select a module, such as demo-web
1.2 Right-click → SpotBugs → Analyze Module Files Not Including Test Sources (this is just an example; which scanning strategy to use depends on your actual situation), as shown in the figure below:
1.3 Wait
1.4 View the scan results
1.5 View the details
Focus on Correctness: logic errors, null pointers and the like.
2. Scan a single class
For newly written code, we strongly recommend scanning it; many problems can be found.
2.1 Select a specific class
2.2 Right-click → SpotBugs → Analyze Selected File
The next steps are the same as before, so I won't repeat them.
3. View bugs by rank
SpotBugs classifies bugs along different dimensions. "Correctness, performance, bad smell" is the bug category dimension; another dimension is the bug rank. SpotBugs divides bugs into four ranks, namely:
– scariest (the most terrible)
– scary (terrible)
– troubling (disturbing)
– of concern (worrisome)
Click Group by Bug Rank in the lower-left corner of the scan result and the findings are presented by rank. It's a really nice feature: the tool has grouped them for us and distinguishes them by color, so when you see scariest and scary you can click in and fix a batch right away.

Combining SpotBugs with Pull Requests
We optimized the initial R&D process by adding self-testing, Pull Request and Code Review steps, and in the short term we did gain from it, but over time those processes had to contend with people's inertia and time pressure. So we introduced a tool to help find low-level problems and embedded it in the Create Pull Request process: merging code requires providing the SpotBugs scan result, and findings of scariest or scary rank are not allowed. In this way we combine tools and management means to guarantee R&D quality.
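As an added example, not code from the original post or from the SpotBugs project, here is a small merge-gate script that reads a SpotBugs XML report and rejects any finding in the scariest or scary bands. The rank-to-band mapping follows the SpotBugs documentation (ranks 1-4 scariest, 5-9 scary, 10-14 troubling, 15-20 of concern); the report embedded below is constructed to show the layout and is not a real scan.

```python
import xml.etree.ElementTree as ET

# Rank bands as documented by SpotBugs: lower rank number = scarier finding.
RANK_BANDS = (
    (1, 4, "scariest"),
    (5, 9, "scary"),
    (10, 14, "troubling"),
    (15, 20, "of concern"),
)
BLOCKING_MAX_RANK = 9  # scariest and scary (rank <= 9) block the merge


def rank_name(rank: int) -> str:
    for lo, hi, name in RANK_BANDS:
        if lo <= rank <= hi:
            return name
    raise ValueError(f"rank out of range: {rank}")


def blocking_bugs(report_xml: str, max_rank: int = BLOCKING_MAX_RANK) -> list:
    """Return (pattern, rank, classname) for every BugInstance that must be fixed before merging."""
    root = ET.fromstring(report_xml)
    found = []
    for bug in root.iter("BugInstance"):
        rank = int(bug.get("rank"))
        if rank <= max_rank:
            cls = bug.find("Class")
            classname = cls.get("classname") if cls is not None else "?"
            found.append((bug.get("type"), rank, classname))
    return found


def gate(report_xml: str) -> bool:
    """True when the report contains nothing in the scariest/scary bands."""
    return not blocking_bugs(report_xml)


# Constructed sample in the SpotBugs XML report layout (hypothetical classes and ranks).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<BugCollection version="4.7.3">
  <BugInstance type="NP_ALWAYS_NULL" priority="1" rank="7" category="CORRECTNESS">
    <Class classname="com.example.OrderDao"/>
  </BugInstance>
  <BugInstance type="RV_RETURN_VALUE_IGNORED" priority="1" rank="4" category="CORRECTNESS">
    <Class classname="com.example.QueryBuilder"/>
  </BugInstance>
  <BugInstance type="WMI_WRONG_MAP_ITERATOR" priority="2" rank="16" category="PERFORMANCE">
    <Class classname="com.example.XmlUtil"/>
  </BugInstance>
</BugCollection>
"""

if __name__ == "__main__":
    for pattern, rank, cls in blocking_bugs(SAMPLE_REPORT):
        print(f"BLOCK {rank_name(rank):10} rank={rank:2} {pattern} in {cls}")
    raise SystemExit(0 if gate(SAMPLE_REPORT) else 1)
```

Run it in the pipeline against the real report file and a non-zero exit stops the merge; the troubling finding in the sample is listed in the report but does not block.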
Recommended reading
FindBugs - Wikipedia
https://github.com/spotbugs/spotbugs
https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html
Closing
Good tools, no worries at work.
