Some ideas for code quality management


Programmers' abilities vary widely today: some have a formal computer science background, while others switched into programming from another field. How to improve the quality of the code they write is therefore very important to the robustness (stability) of the system.


0x01: Write standardized code

When writing code, lay down conventions for package names, class names, and class attributes, so that a name tells the reader what the thing does. For details, refer to the "Alibaba Java Development Manual":

Link: https://pan.baidu.com/s/1ANvBu1hidnvRCZILDGXuQA
Extraction code: ugq8

Some common patterns

Project jar naming: system-module. For example, cms-user

Package naming: name according to module, controller, service, dao mode. For example, the controller layer com.user.controller, the service layer com.user.service, and the persistence layer com.user.dao.

Tool package: com.common.utils

Class name: Controller class UserController, service class UserService, persistent class UserDao

A class whose job is to generate something can be named XXXGenerator

A class whose job is to load something can be named XXXLoader

For the remaining rules, refer to the "Alibaba Java Development Manual", which is very thorough.

0x02: Static scanning

Even when code follows the agreed naming conventions, that alone does not govern how the code itself is written. For example, System.out is used for logging instead of the logging framework, or an input/output stream is not closed as the convention requires. For this kind of code quality problem you need a static code scanning tool to find the issues, and then fix them. One example is Sonar, which consists of two parts: the SonarQube platform and the SonarScanner scanner.

SonarQube: web-based management platform

Displays quality data for the code of all projects

Configures quality rules, manages projects, configures notifications, configures SCM integration, etc.

SonarScanner: code scanning tool

Used to scan and analyze project code; supports 20+ languages

After the scan and analysis complete, the results are stored in the database, and the scan data can be viewed on the SonarQube platform.
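To make the two rule violations mentioned above concrete, here is a deliberately small line-based checker in Python. It is an added example, not SonarQube or SonarScanner code: the embedded Java source, the rule ids and the regular expressions are all constructed for this illustration, and a real tool works on a syntax tree rather than on lines.

```python
import re

# Constructed Java source (not from the page) containing the two violations the
# text mentions, plus a compliant method for comparison.
SAMPLE_JAVA = """\
package com.user.service;

import java.io.FileInputStream;
import java.io.InputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class UserService {
    private static final Logger log = LoggerFactory.getLogger(UserService.class);

    public void bad(String path) throws Exception {
        System.out.println("loading " + path);      // should go through the log framework
        InputStream in = new FileInputStream(path); // never closed
        in.read();
    }

    public void good(String path) throws Exception {
        log.info("loading {}", path);
        try (InputStream in = new FileInputStream(path)) { // closed automatically
            in.read();
        }
    }
}
"""

# Rule 1: console output instead of the logging framework.
STDOUT_RE = re.compile(r"\bSystem\.(out|err)\.print")
# Rule 2: a stream/reader/writer constructed outside a try-with-resources header.
STREAM_NEW_RE = re.compile(r"\bnew\s+\w*(?:InputStream|OutputStream|Reader|Writer)\s*\(")
TRY_WITH_RESOURCES_RE = re.compile(r"\btry\s*\(")


def find_violations(java_source):
    """Return [(line_number, rule_id, message)] for each violation found.

    Line-based heuristic only: a stream closed later in a finally block would be
    reported as a false positive, which is one reason real tools build an AST.
    """
    violations = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        if STDOUT_RE.search(code):
            violations.append((lineno, "no-system-out",
                               "use the logging framework instead of System.out/err"))
        if STREAM_NEW_RE.search(code) and not TRY_WITH_RESOURCES_RE.search(code):
            violations.append((lineno, "unclosed-stream",
                               "stream created outside try-with-resources; "
                               "close it in finally or use try-with-resources"))
    return violations


if __name__ == "__main__":
    for lineno, rule, msg in find_violations(SAMPLE_JAVA):
        print(f"line {lineno}: [{rule}] {msg}")
```

Running it reports line 12 (System.out) and line 13 (unclosed FileInputStream) of the sample and nothing for the compliant method. The point of the example is the shape of a rule (pattern plus exception), not the regexes themselves; the same two rules exist in SonarQube's Java rule set, implemented properly on the parsed code.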

The relationship between SonarQube and SonarScanner

The above introduces just one static code scanning option. Large companies with the budget for it also buy Fortify, a large commercial code scanning product.

0x03: Dynamic scan (security scan)

Static scanning checks for vulnerabilities by scanning the source code without running the program; dynamic scanning checks for vulnerabilities by attacking the interfaces of the running program. This approach can detect vulnerabilities such as SQL injection, XSS, broken access control (privilege escalation), directory listing, and so on. A common solution in this area is IBM's AppScan security scanning tool (IBM Security AppScan Standard; the product has since been sold to HCL and is now marketed as HCL AppScan).

AppScan is IBM's web security scanning tool. It uses crawler technology to carry out website security penetration testing: starting from the site's entry point it automatically follows the page links and scans them for security issues, and after the scan it produces a scan report with remediation advice. AppScan has its own test-case library; the newer the version, the more complete the library (and the more complete the library, the wider the range of vulnerabilities it can detect, so the more assurance a clean scan gives about the tested system).

Working principle:

Explore: crawl the entire site to discover pages, links and their parameters

Test: based on that analysis, use the scanning rule library to send modified HTTP requests carrying attack payloads

Analyze: examine each response to verify whether a security vulnerability exists
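The three steps above are easy to show end to end in a few dozen lines. The following Python is an added example, not AppScan code: the target (mock_app), the link format it serves, the two rules in RULES and their payloads are all constructed for the illustration, and the "HTTP requests" are in-process function calls so it runs offline. It does, however, follow exactly the explore / modified request / response analysis cycle the text describes.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit


def mock_app(path, params):
    """Constructed in-process stand-in for the target site: returns (status, body).

    /search reflects its parameter unescaped (XSS) and /user leaks a SQL
    syntax error on a single quote (SQL injection indicator); /about is safe.
    """
    if path == "/":
        return 200, ('<a href="/search?q=test">search</a> '
                     '<a href="/user?id=1">user</a> '
                     '<a href="/about?lang=en">about</a>')
    if path == "/search":
        return 200, "<h1>Results for " + params.get("q", "") + "</h1>"
    if path == "/user":
        uid = params.get("id", "")
        if "'" in uid:  # the quote breaks the simulated SQL statement
            return 500, "SQLSyntaxErrorException: You have an error in your SQL syntax"
        return 200, "<p>user " + html.escape(uid) + "</p>"
    if path == "/about":
        return 200, "<p>lang=" + html.escape(params.get("lang", "")) + "</p>"
    return 404, "not found"


# Rule library: (rule id, payload, check over the response). Real scanners
# carry thousands of such cases; these two are constructed for the example.
RULES = [
    ("xss", "<scan\"'>tag</scan>",
     lambda status, body, payload: payload in body),
    ("sqli", "1'",
     lambda status, body, payload: re.search(
         r"SQLSyntaxErrorException|error in your SQL syntax|ORA-\d{5}", body) is not None),
]


def explore(start_path="/"):
    """Step 1 (explore): follow links from the entry page and record each path with its parameters."""
    _, body = mock_app(start_path, {})
    targets = []
    for href in re.findall(r'href="([^"]+)"', body):
        parts = urlsplit(href)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        targets.append((parts.path, params))
    return targets


def scan(start_path="/"):
    """Steps 2 and 3: replace each parameter with each payload, then check the response."""
    findings = []
    for path, params in explore(start_path):
        for name in params:
            for rule_id, payload, check in RULES:
                mutated = dict(params)
                mutated[name] = payload                 # the modified HTTP request
                status, body = mock_app(path, mutated)  # send it
                if check(status, body, payload):        # analyze the response
                    findings.append((rule_id, path, name))
    return findings


if __name__ == "__main__":
    for rule_id, path, name in scan():
        print(f"{rule_id}: {path} parameter '{name}'")
```

The scan reports XSS on the q parameter of /search and SQL injection on the id parameter of /user, and nothing for /about, which escapes its input. Two caveats a practitioner should keep in mind: the SQL injection check here is error-based only, whereas a real rule library also uses boolean- and time-based probes for targets that hide errors, and the crawler here handles only plain links, while a real one must also log in, submit forms and execute JavaScript to reach the pages worth testing. That is the practical meaning of "the more complete the test-case library, the more comprehensive the detection" above.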

Link: https://pan.baidu.com/s/19TAHl8lYGmE0O753ULyzYA
Extraction code: yvle

If you want to try AppScan, you can refer to the following blog post:

https://blog.csdn.net/u010013191/article/details/80733170


Source: blog.51cto.com/13538361/2657822