代码仓库全面综合分析
Comprehensive repository analysis
对整个代码仓库进行彻底分析,识别、优先排序、修复并记录所有可验证的Bug、安全漏洞及关键问题。
```json
{
"task": "comprehensive_repository_analysis",
"objective": "对整个代码库进行详尽分析,以识别、优先处理、修复并记录所有可验证的错误、安全漏洞以及技术栈各层面的关键问题",
"analysis_phases": [
{
"phase": 1,
"name": "代码库发现与映射",
"steps": [
{
"step": "1.1",
"title": "架构与结构分析",
"actions": [
"映射完整的目录结构(src/, lib/, tests/, docs/, config/, scripts/, build/, deploy/)",
"识别所有正在使用的技术栈和框架",
"解析依赖清单(package.json, requirements.txt, go.mod, pom.xml, Gemfile, Cargo.toml, composer.json)",
"记录入口点、主要执行路径和模块边界",
"分析构建系统(Webpack, Gradle, Maven, Make, CMake)",
"审查 CI/CD 配置(GitHub Actions, GitLab CI, Jenkins, CircleCI)",
"检查现有文档(README, CONTRIBUTING, API 规范, 架构图)"
]
},
{
"step": "1.2",
"title": "开发环境清单",
"actions": [
"识别测试框架(Jest, Mocha, pytest, PHPUnit, Go test, JUnit, RSpec, xUnit)",
"审查 linter/formatter 配置(ESLint, Prettier, Black, Flake8, RuboCop, golangci-lint, Checkstyle)",
"扫描内联问题标记(TODO, FIXME, HACK, XXX, BUG, NOTE)",
"分析 git 历史记录以查找有问题的模式和最近的热修复",
"提取现有测试覆盖率报告和指标"
]
}
]
}
]
}
```
"识别已在使用的代码分析工具(SonarQube, CodeClimate 等)"
]
}
]
},
{
"phase": 2,
"name": "系统性缺陷发现",
"bug_categories": [
{
"category": "严重",
"severity": "P0",
"types": [
"SQL 注入漏洞",
"跨站脚本 (XSS) 缺陷",
"跨站请求伪造 (CSRF) 漏洞",
"认证/授权绕过",
"远程代码执行 (RCE) 风险",
"数据损坏或永久数据丢失",
"系统崩溃、死锁或无限循环",
"内存泄漏和资源耗尽",
"不安全的加密实现",
"硬编码的机密或凭据"
]
},
{
"category": "功能性",
"severity": "P1-P2",
"types": [
"逻辑错误(不正确的条件、错误的计算、差一错误)",
"状态管理问题(竞态条件、陈旧状态、不当的修改)",
"不正确的 API 契约或请求/响应映射",
"缺少或不足的输入验证",
"损坏的业务逻辑或违反工作流",
"不正确的数据转换或序列化",
"类型不匹配或不安全的类型强制转换",
"不正确的异常处理或错误传播"
]
},
{
"category": "集成",
"severity": "P2",
"types": [
"不正确的外部 API 使用或过时的端点",
"数据库查询错误、SQL 语法问题或 N+1 问题",
"消息队列处理失败(RabbitMQ、Kafka、SQS)",
"文件系统操作错误(权限、路径遍历)",
"网络通信问题(超时、重试、连接池)",
"缓存不一致或失效问题",
"第三方库误用或版本不兼容"
]
},
{
"category": "边缘情况",
"severity": "P2-P3",
"types": [
"空/未定义/nil/None 指针解引用",
"空数组/列表/集合处理",
"零或负值边缘情况",
"边界条件(最大/最小整数、字符串长度限制)",
"缺少错误处理或吞噬异常",
"超时和重试逻辑失败",
"并发访问问题,缺少适当的锁定",
"数值运算中的溢出/下溢"
]
},
{
"category": "代码质量",
"severity": "P3-P4",
"types": [
"已弃用 API 使用",
"死代码或不可达代码路径",
"循环依赖",
"性能瓶颈(低效算法、冗余操作)",
"缺少或不正确的类型注解",
"不一致的错误处理模式",
"资源泄漏(文件句柄、数据库连接、网络套接字)",
"不当的日志记录(敏感数据暴露、上下文不足)"
]
}
],
"discovery_methods": [
"使用特定语言工具进行静态代码分析",
"针对常见反模式和代码异味进行模式匹配",
"依赖漏洞扫描(npm audit, pip-audit, bundle-audit, cargo audit)",
"控制流和数据流分析",
"死代码检测",
"根据最佳实践进行配置验证",
"文档与实现交叉验证",
"以安全为中心的代码审查"
]
},
{
"phase": 3,
"name": "Bug 文档与优先级排序",
"bug_report_schema": {
"bug_id": "顺序标识符(BUG-001, BUG-002, 等)",
"severity": {
"type": "枚举",
"values": [
"严重",
"高",
"中",
"低"
],
"description": "Bug 严重程度级别"
},
"category": {
"type": "枚举",
"values": [
"安全",
"功能",
"性能",
"集成",
"代码质量"
],
"description": "Bug 分类"
},
"location": {
"files": [
"受影响文件路径数组,包含行号"
],
"component": "模块/服务/功能名称",
"function": "特定函数或方法名称"
},
"description": {
"current_behavior": "当前存在的问题或错误",
"expected_behavior": "预期应发生的情况",
"root_cause": "问题发生的技术解释"
},
"impact_assessment": {
"user_impact": "对最终用户的影响(数据丢失、安全暴露、用户体验下降)",
"system_impact": "对系统的影响(性能、稳定性、可扩展性)",
"business_impact": "对业务的影响(合规性、收入、声誉、法律)"
},
"reproduction": {
"steps": [
"重现步骤说明"
],
"test_data": "所需的样本数据或条件",
"actual_result": "重现时发生的情况",
"expected_result": "应该发生的情况"
},
"verification": {
"code_snippet": "展示该错误的示例代码",
"test_case": "会因该错误而失败的测试用例",
"logs_or_metrics": "来自日志或监控的证据"
},
"dependencies": {
"related_bugs": [
"相关 BUG-ID 数组"
],
"blocking_issues": [
"必须首先修复的错误数组"
],
"blocked_by": [
"阻碍修复的外部因素"
]
},
"metadata": {
"discovered_date": "ISO 8601 时间戳",
"discovered_by": "使用的工具或方法",
"cve_id": "如果适用,CVE 标识符",
"cwe_id": "如果适用,CWE 标识符"
}
},
"prioritization_matrix": {
"criteria": [
{
"factor": "severity",
"weight": 0.4,
"scale": "CRITICAL=100, HIGH=70, MEDIUM=40, LOW=10"
},
{
"factor": "user_impact",
"weight": 0.3,
"scale": "全部用户=100, 多数用户=70, 部分用户=40, 少数用户=10"
},
{
"factor": "fix_complexity",
"weight": 0.15,
"scale": "简单=100, 中等=60, 复杂=20"
},
{
"factor": "regression_risk",
"weight": 0.15,
"scale": "低=100, 中等=60, 高=20"
}
],
"formula": "priority_score = Σ(factor_value × weight)"
}
},
{
"phase": 4,
"name": "修复实现",
"fix_workflow": [
{
"step": 1,
"action": "创建独立的修复分支",
"naming": "fix/BUG-{id}-{short-description}"
},
{
"step": 2,
"action": "首先编写失败测试",
"rationale": "测试驱动开发确保修复是可验证的"
},
{
"step": 3,
"action": "实现最小、集中的修复",
"principle": "正确解决问题的最小改动"
},
{
"step": 4,
"action": "验证测试现在通过",
"validation": "运行特定测试和相关测试套件"
},
{
"step": 5,
"action": "运行完整的回归测试套件",
"validation": "确保没有现有功能被破坏"
},
{
"step": 6,
"action": "更新文档",
"scope": "API 文档、内联注释、更新日志"
}
],
"fix_principles": [
"MINIMAL_CHANGE: 进行最小的改动以正确修复问题",
"NO_SCOPE_CREEP: 避免无关的重构或功能添加",
"BACKWARDS_COMPATIBLE: 除非 bug 本身是破坏性的,否则保留现有的 API 契约",
"FOLLOW_CONVENTIONS: 遵循项目现有的代码风格和模式",
"DEFENSIVE_PROGRAMMING: 添加防护措施以防止未来出现类似 bug",
"EXPLICIT_OVER_IMPLICIT: 通过代码结构和注释使意图明确",
"FAIL_FAST: 及早验证输入并以清晰的错误消息失败"
],
"code_review_checklist": [
"修复解决了根本原因,而不仅仅是症状",
"所有边缘情况都已妥善处理",
"错误消息清晰、可操作,且不暴露敏感信息",
"性能影响可接受(没有 O(n²) 而 O(n) 足以满足需求的情况)",
"安全隐患已彻底考虑",
"没有新的编译器警告或 linting 错误",
"更改已通过测试覆盖",
"文档已更新且准确",
"破坏性更改已明确标记并说明理由",
"依赖项是最新的且安全的"
]
},
{
"phase": 5,
"name": "测试与验证",
"test_requirements": {
"mandatory_tests_per_fix": [
{
"type": "单元测试",
"description": "针对特定 bug 修复的独立测试",
"coverage": "必须覆盖被破坏的确切代码路径"
},
{
"type": "集成测试",
"description": "如果 bug 涉及多个组件,则进行测试",
"coverage": "受影响系统的端到端流程"
},
{
"type": "回归测试",
"description": "确保修复不会破坏现有功能",
"coverage": "所有相关功能和代码路径"
},
{
"type": "边缘情况测试",
"description": "覆盖边界条件和角落情况",
"coverage": "空值、空输入、限制、错误条件"
}
]
},
"test_structure_template": {
"description": "与语言无关的测试结构",
"template": [
"describe('BUG-{ID}: {description}', () => {",
" test('重现原始 bug', () => {",
" // 此测试证明 bug 确实存在",
" // 修复前应失败,修复后应通过",
" });",
"",
" test('验证修复解决了问题', () => {",
" // 此测试证明修复后的正确行为",
" });",
"",
" test('处理边缘情况:{case}', () => {",
" // 相关场景的额外覆盖",
" });",
"});"
]
},
"validation_steps": [
{
"step": "运行完整的测试套件",
"commands": {
"javascript": "npm test",
"python": "pytest",
"go": "go test ./...",
"java": "mvn test",
"ruby": "bundle exec rspec",
"rust": "cargo test",
"php": "phpunit"
}
},
{
"step": "测量代码覆盖率",
"tools": [
"Istanbul/NYC",
"Coverage.py",
"JaCoCo",
"SimpleCov",
"Tarpaulin"
]
},
{
"step": "运行静态分析",
"tools": [
"ESLint",
"Pylint",
"golangci-lint",
"SpotBugs",
"Clippy"
]
},
{
"step": "性能基准测试",
"condition": "如果修复影响热路径或关键操作"
},
{
"step": "安全扫描",
"tools": [
"Snyk",
"OWASP Dependency-Check",
"Trivy",
"Bandit"
]
}
]
},
{
"phase": 6,
"name": "文档与报告",
"fix_documentation_requirements": [
"更新内联代码注释,解释修复及其必要性",
"如果行为发生变化,请修订 API 文档",
"更新 CHANGELOG.md,添加错误修复条目",
"创建或更新故障排除指南",
"记录任何针对已推迟/未修复问题的变通方法",
"如果修复需要用户操作,请添加迁移说明"
],
"executive_summary_template": {
"title": "错误修复报告 - {repository_name}",
"metadata": {
"date": "ISO 8601 日期",
"analyzer": "工具/人员名称",
"repository": "完整仓库路径",
"commit_hash": "Git 提交 SHA",
"duration": "分析持续时间(小时)"
},
"overview": {
"total_bugs_found": "整数",
"total_bugs_fixed": "整数",
"bugs_deferred": "整数",
"test_coverage_before": "百分比",
"test_coverage_after": "百分比",
"files_analyzed": "整数",
"lines_of_code": "整数"
},
"critical_findings": [
"发现的前 3-5 个最关键的错误及其修复方法"
],
"fix_summary_by_category": {
"security": "计数",
"functional": "计数",
"performance": "计数",
"integration": "计数",
"code_quality": "计数"
},
"detailed_fix_table": {
"columns": [
"BUG-ID",
"文件",
"行",
"类别",
"严重性",
"描述",
"状态",
"已添加测试"
],
"format": "Markdown 表格或 CSV"
},
"risk_assessment": {
"remaining_high_priority": [
"未修复的关键问题列表"
],
"recommended_next_steps": [
"优先行动项"
],
"technical_debt": [
"已识别技术债务的总结"
],
"breaking_changes": [
"任何向后不兼容的修复"
]
},
"testing_results": {
"test_command": "运行测试所使用的确切命令",
"tests_passed": "Y 个测试中有 X 个通过",
"tests_failed": "数量及原因",
"tests_added": "数量",
"coverage_delta": "+X% 或 -X%"
}
},
"deliverables_checklist": [
"所有 bug 均以标准化格式记录",
"修复范围最小化",
"测试套件已更新并通过",
"文档已更新(代码、API、用户指南)",
"代码审查已完成并批准",
"性能影响已评估且可接受",
"针对安全相关修复进行了安全审查",
"部署说明和回滚计划已准备就绪",
"更新了面向用户的变更日志",
"关键修复已通知利益相关者"
]
},
{
"phase": 7,
"name": "持续改进",
"pattern_analysis": {
"objectives": [
"识别代码库中重复出现的 bug 模式",
"检测导致 bug 的架构问题",
"发现测试策略中的空白",
"突出显示存在技术债务的领域"
],
"outputs": [
"常见 bug 模式报告",
"预防措施建议",
"工具改进建议",
"架构重构提案"
]
},
"monitoring_recommendations": {
"metrics_to_track": [
"bug 发现率随时间变化",
"按严重程度划分的解决时间",
"回归率(重新引入的 bug)",
"测试覆盖率百分比",
"易出错区域的代码变动",
"依赖项漏洞数量"
],
"alerting_rules": [
"依赖项中的关键安全漏洞",
"测试套件失败",
"代码覆盖率低于阈值",
"关键操作的性能下降"
],
"logging_improvements": [
"在缺失处添加结构化日志",
"包含请求跟踪的关联ID",
"记录安全相关事件",
"确保错误日志包含堆栈跟踪和上下文"
]
}
}
],
"constraints_and_best_practices": [
"绝不为了简单或方便而牺牲安全性",
"维护所有更改的完整审计跟踪",
"如果修复更改了公共API,请遵循语义版本控制",
"测试外部服务时尊重速率限制",
"对高风险或逐步推出的修复使用功能标志",
"记录分析过程中做出的所有假设",
"为每个修复考虑回滚策略",
"尽可能选择向后兼容的修复",
"避免在没有理由的情况下引入新的依赖项",
"在适用时在多个环境中进行测试"
],
"output_formats": [
{
"format": "markdown",
"purpose": "人类可读的文档和报告",
"filename_pattern": "bug_report_{date}.md"
},
{
"format": "json",
"purpose": "机器可读,用于自动化处理",
"filename_pattern": "bug_data_{date}.json",
"schema": "遵循阶段3中定义的bug_report_schema"
},
{
"format": "csv",
"purpose": "导入到错误跟踪系统(Jira、GitHub Issues)",
"filename_pattern": "bugs_{date}.csv",
"columns": [
"BUG-ID",
"严重性",
"类别",
"文件",
"行",
"描述",
"状态"
]
},
{
"format": "yaml",
"purpose": "便于配置的格式,用于 CI/CD 集成",
"filename_pattern": "bug_config_{date}.yaml"
}
],
"special_considerations": {
"monorepos": "单独分析每个包/工作区,并进行跨包依赖跟踪",
"microservices": "考虑服务间契约、API 兼容性和分布式追踪",
"legacy_code": "平衡修复风险与收益;优先处理高影响、低风险的修复",
"third_party_dependencies": "向上游报告漏洞;如果无人维护,考虑替代方案",
"high_traffic_systems": "考虑修复的部署策略(蓝绿部署、金丝雀部署)",
"regulated_industries": "确保符合合规性要求(HIPAA、PCI-DSS、SOC2、GDPR)",
"open_source_projects": "遵循贡献指南;在进行重大更改前与维护者沟通"
},
"success_criteria": {
"quantitative": [
"所有 CRITICAL 和 HIGH 严重性错误已解决",
"测试覆盖率至少增加 X%",
"依赖项中零安全漏洞",
"所有测试通过",
"代码质量指标改善(圈复杂度、可维护性指数)"
],
"qualitative": [
"代码库更易于维护",
"文档清晰全面",
"团队可以自信地部署修复",
"未来有防止错误的机制",
"开发速度提高"
]
}
}