PowerShell Script Analyzer (PSSA)
Entry last updated: 19.03.2020
PowerShell Script Analyzer (PSSA) is a tool that performs static code analysis on PowerShell scripts and entire PowerShell modules. It contains a set of rules that are checked in order to verify compliance with Microsoft's coding guidelines. The result of the check is a set of warnings and error messages, including suggestions for improvement.
PSScriptAnalyzer is itself a PowerShell module; it can be obtained from the PowerShell Gallery [https://www.powershellgallery.com/packages/PSScriptAnalyzer/] or directly from the GitHub repository in which Microsoft develops it [https://github.com/PowerShell/PSScriptAnalyzer].
The following list shows the rules currently implemented:
Rule | Common name | Severity | Description
PSAvoidUsingCmdletAliases | Avoid Using Cmdlet Aliases | Warning | An alias is an alternate name or nickname for a cmdlet or for a command element, such as a function, script, file, or executable file. But when writing scripts that will potentially need to be maintained over time, either by the original author or another Windows PowerShell scripter, please consider using the full cmdlet name instead of an alias. Aliases can introduce these problems: readability, understandability and availability.
PSAvoidDefaultValueSwitchParameter | Switch Parameters Should Not Default To True | Warning | Switch parameter should not default to true.
PSAvoidUsingEmptyCatchBlock | Avoid Using Empty Catch Block | Warning | Empty catch blocks are considered poor design decisions because if an error occurs in the try block, this error is simply swallowed and not acted upon. While this does not inherently lead to bad things, it can, and this should be avoided if possible. To fix a violation of this rule, use Write-Error or throw statements in catch blocks.
PSAvoidGlobalVars | No Global Variables | Warning | Checks that global variables are not used. Global variables are strongly discouraged as they can cause errors across different systems.
PSAvoidInvokingEmptyMembers | Avoid Invoking Empty Members | Warning | Invoking non-constant members would cause potential bugs. Please double check the syntax to make sure members invoked are non-constant.
PSAvoidUsingPositionalParameters | Avoid Using Positional Parameters | Warning | Readability and clarity should be the goal of any script we expect to maintain over time. When calling a command that takes parameters, where possible consider using named parameters as opposed to positional parameters. To fix a violation of this rule, please use named parameters instead of positional parameters when calling a command.
PSReservedCmdletChar | Reserved Cmdlet Chars | Warning | Checks for reserved characters in cmdlet names. These characters usually cause a parsing error. Otherwise they will generally cause runtime errors.
PSReservedParams | Reserved Parameters | Warning | Checks for reserved parameters in function definitions. If these parameters are defined by the user, an error generally occurs.
PSAvoidShouldContinueWithoutForce | Avoid Using ShouldContinue Without Boolean Force Parameter | Warning | Functions that use ShouldContinue should have a boolean force parameter to allow the user to bypass it.
PSAvoidUsingDeprecatedManifestFields | Avoid Using Deprecated Manifest Fields | Warning | "ModuleToProcess" is obsolete in the latest PowerShell version. Please update with the latest field "RootModule" in manifest files to avoid PowerShell version inconsistency.
PSProvideDefaultParameterValue | Default Parameter Values | Warning | Parameters must have a default value. To fix a violation of this rule, please specify a default value for all parameters.
PSAvoidUninitializedVariable | Initializing non-global variables | Warning | Non-global variables must be initialized. To fix a violation of this rule, please initialize non-global variables.
PSAvoidUsingUserNameAndPassWordParams | Avoid Using Username and Password Parameters | Error | Functions should only take in a credential parameter of type PSCredential instead of username and password parameters.
PSAvoidUsingComputerNameHardcoded | Avoid Using ComputerName Hardcoded | Error | The ComputerName parameter of a cmdlet should not be hardcoded as this will expose sensitive information about the system.
PSAvoidUsingConvertToSecureStringWithPlainText | Avoid Using SecureString With Plain Text | Error | Using ConvertTo-SecureString with plain text will expose secure information.
PSAvoidUsingInternalURLs | Avoid Using Internal URLs | Information | Using Internal URLs in the scripts may cause security problems.
PSAvoidUsingInvokeExpression | Avoid Using Invoke-Expression | Warning | The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. It can be extraordinarily powerful, so it is not that you want to never use it, but you need to be very careful about using it. In particular, you are probably on safe ground if the data only comes from the program itself. If you include any data provided from the user, you need to protect yourself from Code Injection. To fix a violation of this rule, please remove Invoke-Expression from script and find other options instead.
PSAvoidUsingPlainTextForPassword | Avoid Using Plain Text For Password Parameter | Warning | Password parameters that take in plaintext will expose passwords and compromise the security of your system.
PSAvoidUsingWMICmdlet | Avoid Using Get-WMIObject, Remove-WMIObject, Invoke-WmiMethod, Register-WmiEvent, Set-WmiInstance | Warning | Deprecated. Starting in Windows PowerShell 3.0, these cmdlets have been superseded by CIM cmdlets.
PSAvoidUsingWriteHost | Avoid Using Write-Host | Warning | Write-Host or Console.Write should not be used because it may not work in some hosts or there may even be no hosts at all. Use Write-Output instead.
PSUseOutputTypeCorrectly | Use OutputType Correctly | Information | The return types of a cmdlet should be declared using the OutputType attribute.
PSMissingModuleManifestField | Module Manifest Fields | Warning | Some fields of the module manifest (such as ModuleVersion) are required.
PSPossibleIncorrectComparisonWithNull | Null Comparison | Warning | Checks that $null is on the left side of any equality comparisons (eq, ne, ceq, cne, ieq, ine). When there is an array on the left side of a null equality comparison, PowerShell will check for a $null IN the array rather than if the array is null. If the two sides of the comparison are switched this is fixed. Therefore, $null should always be on the left side of equality comparisons just in case.
PSProvideCommentHelp | Basic Comment Help | Information | Checks that all cmdlets have a help comment. This rule only checks existence. It does not check the content of the comment.
PSUseApprovedVerbs | Cmdlet Verbs | Warning | Checks that all defined cmdlets use approved verbs. This is in line with PowerShell's best practices.
PSUseCmdletCorrectly | Use Cmdlet Correctly | Warning | Cmdlet should be called with the mandatory parameters.
PSUseDeclaredVarsMoreThanAssigments | Extra Variables | Warning | Checks that variables are used in more than just their assignment. Generally this is a red flag that a variable is not needed. This rule does not check if the assignment and usage are in the same function.
PSUsePSCredentialType | PSCredential | Warning | Checks that cmdlets that have a Credential parameter accept PSCredential. This comes from the PowerShell team's best practices.
PSShouldProcess | Should Process | Warning | Checks that if the SupportsShouldProcess is present, the function calls ShouldProcess/ShouldContinue and vice versa. Scripts with one or the other but not both will generally run into an error or unexpected behavior.
PSUseShouldProcessForStateChangingFunctions | Use ShouldProcess For State Changing Functions | Warning | Functions that have verbs like New, Start, Stop, Set, Reset, Restart that change system state should support 'ShouldProcess'.
PSUseSingularNouns | Cmdlet Singular Noun | Warning | Cmdlet should use singular instead of plural nouns.
PSDSCDscTestsPresent | Dsc tests are present | Information | Every DSC resource module should contain folder "Tests" with tests for every resource. Test scripts should have resource name they are testing in the file name.
PSDSCDscExamplesPresent | DSC examples are present | Information | Every DSC resource module should contain folder "Examples" with sample configurations for every resource. Sample configurations should have resource name they are demonstrating in the title.
PSDSCUseVerboseMessageInDSCResource | Use verbose message in DSC resource | Information | It is a best practice to emit informative, verbose messages in DSC resource functions. This helps in debugging issues when a DSC configuration is executed.
PSDSCUseIdenticalMandatoryParametersForDSC | Use identical mandatory parameters for DSC Get/Test/Set TargetResource functions | Error | The Get/Test/Set TargetResource functions of DSC resource must have the same mandatory parameters.
PSDSCUseIdenticalParametersForDSC | Use Identical Parameters For DSC Test and Set Functions | Error | The Test and Set-TargetResource functions of DSC Resource must have the same parameters.
PSDSCStandardDSCFunctionsInResource | Use Standard Get/Set/Test TargetResource functions in DSC Resource | Error | DSC Resource must implement Get, Set and Test-TargetResource functions. DSC Class must implement Get, Set and Test functions.
PSDSCReturnCorrectTypesForDSCFunctions | Return Correct Types For DSC Functions | Information | Set function in DSC class and Set-TargetResource in DSC resource must not return anything. Get function in DSC class must return an instance of the DSC class and Get-TargetResource function in DSC resource must return a hashtable. Test function in DSC class and Get-TargetResource function in DSC resource must return a boolean.
The PSScriptAnalyzer module provides two cmdlets:
Get-ScriptAnalyzerRule [-CustomizedRulePath <string[]>] [-Name <string[]>] [<CommonParameters>] [-Severity <string[]>]: lists the rules
Invoke-ScriptAnalyzer [-Path] <string> [-CustomizedRulePath <string[]>] [-ExcludeRule <string[]>] [-IncludeRule <string[]>] [-Severity <string[]>] [-Recurse] [<CommonParameters>]: runs the analysis, with rules included or excluded as specified
Examples:
Display all PowerShell Analyzer rules in a graphical table:
Get-ScriptAnalyzerRule | Out-GridView
Save all PowerShell Analyzer rules to a CSV file that Excel can read:
Get-ScriptAnalyzerRule | Export-Csv c:\temp\rules.csv -Delimiter ";"
Run the analysis for a script:
Invoke-ScriptAnalyzer T:\meinskript.ps1
Run the analysis for a module:
Invoke-ScriptAnalyzer T:\meineModule\pscx
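An added example (not from the original page or the PSScriptAnalyzer project): it uses the -IncludeRule, -Severity and -Recurse parameters listed above to scan a folder against only the credential and code-injection rules from the rule list, and fails when a finding has severity Error. The folder name pssa-demo, the function Connect-Demo, the host name srv01 and both sample scripts are constructed for illustration.

```powershell
# Added example; requires the PSScriptAnalyzer module to be installed.
# Security-related rules, named as in the rule list on this page.
$securityRules = @(
    'PSAvoidUsingInvokeExpression'
    'PSAvoidUsingConvertToSecureStringWithPlainText'
    'PSAvoidUsingPlainTextForPassword'
    'PSAvoidUsingUserNameAndPassWordParams'
    'PSAvoidUsingComputerNameHardcoded'
)

# Constructed "before" script: plain-text password, hardcoded host, string evaluation.
$before = @'
function Connect-Demo {
    param([string]$UserName, [string]$Password, [string]$Query)
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    Invoke-Command -ComputerName 'srv01' -ScriptBlock { Get-Date }
    Invoke-Expression $Query
}
'@

# Constructed "after" script: PSCredential, caller-supplied host, no Invoke-Expression.
$after = @'
function Connect-Demo {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$ComputerName
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock { Get-Date }
}
'@

# Write both samples into a scratch folder (hypothetical name) under the temp path.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'pssa-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'before.ps1') -Value $before
Set-Content -Path (Join-Path $dir 'after.ps1')  -Value $after

# Scan the folder, restricted to the security rules and to Error/Warning findings.
$findings = Invoke-ScriptAnalyzer -Path $dir -Recurse -IncludeRule $securityRules -Severity Error, Warning
$findings | Sort-Object ScriptName, Line |
    Format-Table ScriptName, Line, Severity, RuleName -AutoSize

# Gate: findings with severity Error stop the run; warnings are only reported.
$errors = @($findings | Where-Object { $_.Severity -eq 'Error' })
if ($errors.Count -gt 0) { throw "$($errors.Count) security finding(s) with severity Error" }
```

In a build pipeline the final throw makes the step fail, so a script that takes a plain-text password or hardcodes a computer name cannot be merged unnoticed.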