5 Top Python Tools for Developing Secure, High-Quality Code
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/cb27f1f06bf9408c8ee9be1c8215818f~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=xSLeu7nCy9NbvhklsfPIBXEkd8w%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To improve the quality, security and maintainability of their code, software engineers use countless tools every day.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Below I list some of my favourite Python tools and score each of them on ease of use (is it easy to install, run and automate), quality impact (does it prevent foreseeable bugs), maintainability impact (does it make the work easier) and security impact (does it find and prevent security problems), for the reader's reference.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I will also show how to pull all of these tools into a CI pipeline, so that they run automatically and effectively.</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">1. Pipenv</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Pipenv is a development and dependency management tool designed for Python, originally written by Kenneth Reitz, the author of Requests.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If you have done Python development for a while, you have probably used virtualenv or venv to manage environments, and the reliable pip freeze &gt; requirements.txt to manage dependencies.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In most cases that is perfectly fine. However, I find pipenv more convenient and very powerful: by way of Pipfile and Pipfile.lock it nearly does away with the practice of pinning dependencies by hand, largely replaces requirements.txt, and gives more reliable deployments.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Still, I am a little worried about pipenv's future, because the Python Foundation has shelved improvements to pip. Moreover, pipenv saw little substantive progress in 2019. Even so, I think pipenv is an excellent tool for most Python users.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Official download page</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Monthly downloads: 2111976</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Alternatives: poetry, virtualenv, venv</p>
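<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The deployment reliability the Pipfile.lock gives comes from every entry being pinned to an exact version and carrying hashes that pip verifies at install time. The check below is an added example, not part of the original article or of pipenv itself; it reads a constructed Pipfile.lock excerpt (placeholder hashes, not real digests) and reports entries that would make an install non-deterministic.</p>

```python
import json
from typing import Dict, List

# Constructed Pipfile.lock excerpt (not from the article): one fully pinned and
# hashed package, one with no hashes, and one with a loose version specifier.
# The hash strings are placeholders, not real digests.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "placeholder-lockfile-hash"}},
    "default": {
        "flask": {"version": "==1.1.1", "hashes": ["sha256:placeholder-hash-1"]},
        "jinja2": {"version": "==2.10.3", "hashes": []},
        "werkzeug": {"version": ">=0.15"},
    },
    "develop": {
        "bandit": {"version": "==1.6.2", "hashes": ["sha256:placeholder-hash-2"]},
    },
})


def lock_problems(lock_text: str) -> Dict[str, List[str]]:
    """Report Pipfile.lock entries that are not exactly pinned or carry no hashes.

    A lock file only gives deterministic, verifiable installs when each entry
    has an '==' version and at least one hash for pip to check at install time.
    Keys in the result are '<section>:<package>'.
    """
    lock = json.loads(lock_text)
    problems: Dict[str, List[str]] = {}
    for section in ("default", "develop"):
        for name, entry in lock.get(section, {}).items():
            issues = []
            if not entry.get("version", "").startswith("=="):
                issues.append("not pinned with '=='")
            if not entry.get("hashes"):
                issues.append("no hashes for install-time verification")
            if issues:
                problems[f"{section}:{name}"] = issues
    return problems


if __name__ == "__main__":
    for package, issues in lock_problems(SAMPLE_LOCK).items():
        print(package, "->", "; ".join(issues))
```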
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/d7340229b85444e397dd168dc2816ca7~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=VOuEvk3gzH1XqP0FSAjy%2FchGHXE%3D" style="width: 50%; margin-bottom: 20px;"></div>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">2. Ochrona</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here I am a little biased, because Ochrona is a tool I am actively developing and hope to release in 2020. Still, I will also cover alternatives to it.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Ochrona is a dependency analysis and software composition analysis tool: it checks whether your open-source dependencies have known vulnerabilities. Another very popular open-source tool in this space is Safety from pyup.io.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In my view, Ochrona is better than Safety in these respects:</p>
<ul style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">
<li>Whether for open-source or commercial projects, it offers a free plan, and the free plan always keeps up with the latest vulnerability information.</li>
<li>Disk and I/O usage is very low. Unlike local tools that have to pull down the whole vulnerability database, it runs as SaaS and needs only a single call to a public API.</li>
<li>It provides high-quality vulnerability data that is updated daily, and gives more vulnerability detail than other tools, including for free users.</li>
</ul>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Official download page</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Monthly downloads: not yet released</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Alternatives: safety, snyk (paid)</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/d5fdea342e4d42ab98fd955ca263696d~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=0%2BT5lvripDJTImJdhPlBcw4BHZM%3D" style="width: 50%; margin-bottom: 20px;"></div>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">3. Bandit</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If I had to recommend a single tool for improving the security of a Python project, I would recommend Bandit.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Bandit reportedly originated at OpenStack, but it is now maintained by PyCQA. It is an open-source SAST (static application security testing) tool: free, configurable and fast. In some ways it is like a linter focused on security.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Bandit is well suited to finding problems such as insecure configuration and the use of known-insecure modules.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Official download page</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Monthly downloads: 575101</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Alternatives: pyre, pyt, dodgy</p>
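<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To show what "a linter focused on security" does under the hood, here is an added example (not Bandit's own code and not from the original article) that walks a Python AST the way Bandit's plugins do and flags the two kinds of finding the text names: an insecure configuration (debug mode turned on, a shell=True subprocess call) and an import of a known-insecure module. The rule table and the sample source are constructed for the example.</p>

```python
import ast
from typing import List, Tuple

# Constructed sample source (not the article's app.py) containing the kinds of
# issues the text says Bandit flags: debug mode on, shell=True, insecure module.
SAMPLE_SOURCE = '''
import pickle
import subprocess
from flask import Flask

app = Flask(__name__)

def load(blob):
    return pickle.loads(blob)

def run(cmd):
    return subprocess.check_output(cmd, shell=True)

if __name__ == "__main__":
    app.run(debug=True)
'''

# Hypothetical rule table modelled on Bandit's plugin categories, not Bandit's own rules.
INSECURE_MODULES = {"pickle": "deserialising untrusted data can execute code"}


def _is_true(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


def scan_source(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings for insecure configuration and module use."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in INSECURE_MODULES:
                    findings.append((node.lineno, f"import {alias.name}: {INSECURE_MODULES[alias.name]}"))
        elif isinstance(node, ast.Call):
            is_run = isinstance(node.func, ast.Attribute) and node.func.attr == "run"
            for kw in node.keywords:
                if kw.arg == "debug" and is_run and _is_true(kw.value):
                    findings.append((node.lineno, "app.run(debug=True) exposes the interactive debugger"))
                if kw.arg == "shell" and _is_true(kw.value):
                    findings.append((node.lineno, "subprocess call with shell=True"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```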
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/9bdc63efaf5f4c808eb45217ad86983f~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=3RCpQObyc1VSyhO1PRR%2BtgNmcJg%3D" style="width: 50%; margin-bottom: 20px;"></div>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">4. Black</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Black is a distinctive code formatter. It automatically rewrites your code into the Black style (a superset of PEP 8).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Traditional linters usually require you to rewrite the code into compliant code yourself, whereas Black saves a lot of that time. Moreover, Black needs only limited configuration, which means that once you have used Black, any other project that uses it will look familiar.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Official download page</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Monthly downloads: 1891711</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Alternatives: flake8, pylint</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p6-sign.toutiaoimg.com/pgc-image/9616ca7b67f5459085cfe23ac57b577c~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=A%2B5m1ExfnsLT4ulrmoI4Q4PiHRw%3D" style="width: 50%; margin-bottom: 20px;"></div>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">5. Mypy</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Mypy is an optional static type checker for Python. PEP 484 introduced type hints to Python, and Mypy uses those hints to type-check a project statically.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Python still has dynamic duck typing, but adding static type checking helps you cut testing and debugging time and catch errors earlier.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Large companies are now adopting static type checking for Python as well. During Guido van Rossum's tenure there, Dropbox checked more than 4 million lines of code with Mypy. Other Python users, such as Instagram, have also started doing static type checking.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Official download page</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Monthly downloads: 2487228</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Alternatives: pyre</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/b18d8d6c8d6f4984bfc872d9645724ec~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=QL8t%2FjjhsXE8PxpHlCc%2FG4EbJ3U%3D" style="width: 50%; margin-bottom: 20px;"></div>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">Putting it all together</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In this example I use Travis-CI; configuring other CI tools follows the same process, only the syntax differs. As the example project I use a simple, insecure and buggy Flask application.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The app.py file is as follows (it is deliberately flawed: the return type annotation on hello_name is wrong, debug mode is on, and the formatting is not Black style):</p>
<pre style="color: black; text-align: left; margin-bottom: 15px;">
from flask import Flask
app = Flask(__name__)

@app.route("/&lt;name&gt;")
def hello_world(name: str) -&gt; str:
    return hello_name(name)

def hello_name(name: str) -&gt; int:
    return f"hello, {name}"

if __name__ == "__main__":
    app.run(debug=True)
</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The Pipfile is as follows:</p>
<pre style="color: black; text-align: left; margin-bottom: 15px;">
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
bandit = "*"
v = {editable = true, version = "*"}
black = "*"
mypy = "*"
ochrona = "*"

[packages]
flask = "==0.12.2"

[requires]
python_version = "3.7"
</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Finally, create a .travis.yml file in the project root with the following content:</p>
<pre style="color: black; text-align: left; margin-bottom: 15px;">
language: python
python:
  - 3.7
install:
  - pip install -U pip
  - pip install pipenv
  - pipenv install --dev
script:
  - bandit ./*
  - black --check .
  - ochrona
  - mypy .
</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If you look at the build here, you will see that every tool flags an error or points out something that needs changing. So let's make a few fixes, as shown in this PR, and the build passes.</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/pgc-image/0e908ab7200344caa78756eac50e40a2~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=Elpf9moWKjO3PA1n7pzzS5W2Wj8%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Upgrade Flask to a version with no known vulnerabilities</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/2dd6e0c6c6c24c8e8af442f791484ce3~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=2XfPctPCOlJW%2Bj0C7uGe34%2FftwY%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Fix the type annotation, disable debug mode and normalise the formatting</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Although this example covers only one CI platform, integrating the tools into most other platforms works much the same way.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Below is the overall scorecard:</p>
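<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The PR itself is not reproduced in the article, so here is an added example (my own version, not the author's PR) of app.py after the fixes the caption describes: hello_name returns the str it is annotated with so mypy passes, the Werkzeug debugger is off unless a FLASK_DEBUG environment variable explicitly enables it, and the layout follows Black. The create_app factory and debug_enabled helper are additions for this example.</p>

```python
import os
from typing import Mapping


def hello_name(name: str) -> str:
    # The original annotated this as returning int while returning an f-string,
    # which is the mismatch mypy reported in the failing build.
    return f"hello, {name}"


def debug_enabled(env: Mapping[str, str] = os.environ) -> bool:
    # Debug mode is opt-in through the environment and off by default, so a
    # plain `python app.py` never starts the interactive debugger.
    return env.get("FLASK_DEBUG", "0") == "1"


def create_app():
    # Imported inside the factory so the helpers above can be imported and
    # tested without Flask installed.
    from flask import Flask

    app = Flask(__name__)

    @app.route("/<name>")
    def hello_world(name: str) -> str:
        return hello_name(name)

    return app


if __name__ == "__main__":
    create_app().run(debug=debug_enabled())
```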
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/76dcfb88b09f4d1ea43b7dd4ddea044d~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1723896875&x-signature=vGYclJWFIfYu6sxJnv7gFNh41sU%3D" style="width: 50%; margin-bottom: 20px;"></div>