Review unknown code with static analysis
Praha, Czech Republic, October 2018
Agenda
Reviewing code
Static analysis for PHP
A session in which you are the hero
Review some PHP code
We don't know what it does
We have never heard about it
We don't run it
We don't know the authors
Can we have an opinion?
Review the code
Reading code is humanly possible : it's an art
Unit tests are not suited to review
Dynamic analysis is not suited to review
We need to explore the code
We can only rely on its current state
Speaker
Damien Seguy
Exakat CTO
Static analysis for PHP
Elephpant retirement home
Nemluvím česky... (I don't speak Czech...)
Source code is structured
Source code is a structured dataset
We need tools to query it
This is static analysis
Migration PHP 7.2 -> 7.3
Incompatibilities
New features
Appinfo()
List PHP features
Focus on PHP's specifics
PHP Features
Extensions
Application favorites
Many solutions to the same problem
Impact on PHP is minimal
Generate never-ending discussions
Rule : choose one, stick to it
Automated code review
Analyze code
Report PHP related problems
Tactical mistakes in the code
PHP classic trap
Development left overs
Dead code
Code modernisation
Literal bugs
Clean code for PHP
Best practices
Security, performance, clean code
in-house, PSR, calisthenics, other inspirations
Code mantras, code kata
PHP Manual
Migration guides
Exakat : 650 analyses

Analysis                                Freq.    Here
function __destruct() { throw …}        0,3 %    0
(analysis name not recovered)           0,6 %    0
function foo($a, $a, $a) {}             2,0 %    0
substr($a, 2, 4) == 'abc'               6,9 %    0
!!(expression)                          8,0 %    0
$a ? $b ? $c : $d : $e                  11 %     0
No array_merge() in loops               43 %     8
include('file.php')                     55 %     12
Use ::class operator                    66 %     23
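As an added illustration of how analyses like the ones in the table are expressed (this is not Exakat's code; Exakat works on an AST, which is what keeps such rules robust to layout and nesting), here are three of them as small line-oriented regex rules in Python, run over a constructed PHP sample. The rule names, `SAMPLE_PHP` and the `count_by_rule()` helper that reproduces the "Here" column are this example's own.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Added illustration: three analyses from the table above as regex rules.
# Not Exakat's implementation; the patterns only recognise single-line spellings.

Finding = Tuple[int, str, str]  # (line number, rule name, message)

# substr($s, start, length) compared with a quoted literal: flag when the
# literal's length differs from the requested length, since the two strings
# can then only be equal when $s happens to end inside the requested window.
SUBSTR_COMPARE = re.compile(
    r"substr\(\s*[^,()]+,\s*-?\d+\s*,\s*(?P<len>\d+)\s*\)\s*[!=]==?\s*'(?P<lit>[^']*)'"
)
# function name(...): capture the parameter list to look for repeated names.
FUNCTION_PARAMS = re.compile(r"\bfunction\s+\w+\s*\((?P<params>[^)]*)\)")
PARAM_NAME = re.compile(r"\$(\w+)")
# !!$x or !!(expr): double negation used as a boolean cast.
DOUBLE_NEGATION = re.compile(r"!!\s*[(\$\w]")


def check_substr_compare(lineno: int, line: str) -> Iterator[Finding]:
    for m in SUBSTR_COMPARE.finditer(line):
        wanted, literal = int(m.group("len")), m.group("lit")
        if len(literal) != wanted:
            yield (lineno, "SubstrCompare",
                   f"substr() asks for {wanted} chars but is compared with the "
                   f"{len(literal)}-char literal '{literal}'")


def check_duplicate_params(lineno: int, line: str) -> Iterator[Finding]:
    for m in FUNCTION_PARAMS.finditer(line):
        counts = Counter(PARAM_NAME.findall(m.group("params")))
        for name, n in counts.items():
            if n > 1:
                yield (lineno, "DuplicateParameter",
                       f"parameter ${name} is declared {n} times")


def check_double_negation(lineno: int, line: str) -> Iterator[Finding]:
    if DOUBLE_NEGATION.search(line):
        yield (lineno, "DoubleNegation",
               "!! used as a boolean cast; write (bool) instead")


def analyze(source: str) -> List[Finding]:
    """Run every rule over each line of one PHP source text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        findings.extend(check_substr_compare(lineno, line))
        findings.extend(check_duplicate_params(lineno, line))
        findings.extend(check_double_negation(lineno, line))
    return findings


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    """The 'Here' column of the table: issues per analysis in this code base."""
    return dict(Counter(rule for _, rule, _ in findings))


# Constructed sample, not taken from any real project.
SAMPLE_PHP = """<?php
function foo($a, $a, $b) { return $a . $b; }
if (substr($name, 2, 4) == 'abc') { echo "odd"; }
if (substr($name, 0, 3) === 'abc') { echo "fine"; }
$flag = !!($count > 0);
"""

if __name__ == "__main__":
    for lineno, rule, message in analyze(SAMPLE_PHP):
        print(f"line {lineno}: {rule}: {message}")
    print(count_by_rule(analyze(SAMPLE_PHP)))
```

The fourth sample line is the control case: a 3-character window compared with a 3-character literal produces no finding, which is the whole point of the rule.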
Which PHP version?
List of directives
Automated code review
Semantic read of the code
Reports interesting issues
Works with AST
Automated code review
PHP 5 / 7
Calisthenics
ClearPHP
Performance
Semantics and definitions
Removes whitespace, comments and documentation
Removes delimiters
( ) { } [ ] " ' ` ; :
A good graph for linking each definition with its usages
AST diagram
<?php
    $x = source();
    
    if ($x < 10) {
        $y = $x + 1;
        $a = 3;
        $x = corrige($y);
    } else {
        $y = $x;
    }
Flow Control Graph
<?php
    $x = source();
    
    if ($x < 10) {
        $y = $x + 1;
        $a = 3;
        $x = corrige($y);
    } else {
        $y = $x;
    }
[Flow control graph of the snippet: start → $x = source() → if ($x < 10) → then-branch $y = $x + 1 → $a = 3 → $x = corrige($y), or else-branch $y = $x → end]
Data Dependency Graph
<?php
    $x = source();
    
    if ($x < 10) {
        $y = $x + 1;
        $a = 3;
        $x = corrige($y);
    } else {
        $y = $x;
    }
[Data dependency graph of the same snippet: nodes $x = source(), if ($x < 10), $y = $x + 1, $y = $x, $x = corrige($y), $a = 3 and fin(); edges labelled "Depends on" follow the variables each statement reads, and $a = 3 depends on no other node]
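The flow control graph and the data dependency graph above, as an added Python example that is not Exakat's implementation: the snippet is encoded by hand as statements with the variable each one defines and the variables it uses, plus flow-control edges; reaching definitions are then computed over that graph and the "Depends on" edges derived from them. `STATEMENTS`, `SUCCESSORS` and the function names are this example's own, and `source()` and `corrige()` are treated as opaque calls.

```python
from typing import Dict, List, Optional, Set, Tuple

# Added illustration, not Exakat's code. Statement: (label, variable it
# defines or None, variables it uses). Indices mirror the slide's snippet.
Statement = Tuple[str, Optional[str], Set[str]]

STATEMENTS: List[Statement] = [
    ("$x = source()",    "x",  set()),   # 0
    ("if ($x < 10)",     None, {"x"}),   # 1
    ("$y = $x + 1",      "y",  {"x"}),   # 2  then-branch
    ("$a = 3",           "a",  set()),   # 3  then-branch
    ("$x = corrige($y)", "x",  {"y"}),   # 4  then-branch
    ("$y = $x",          "y",  {"x"}),   # 5  else-branch
    ("end",              None, set()),   # 6
]
# Flow control graph: statement index -> indices that can execute next.
SUCCESSORS: Dict[int, List[int]] = {0: [1], 1: [2, 5], 2: [3], 3: [4], 4: [6], 5: [6], 6: []}


def all_paths(successors: Dict[int, List[int]], start: int, end: int) -> List[List[int]]:
    """Enumerate every path through the flow graph (acyclic graphs only; a loop
    would need a visited set to terminate)."""
    paths: List[List[int]] = []

    def walk(node: int, path: List[int]) -> None:
        if node == end:
            paths.append(path)
            return
        for nxt in successors[node]:
            walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def reaching_definitions(statements: List[Statement],
                         successors: Dict[int, List[int]]) -> Tuple[List[Set[int]], List[Set[int]]]:
    """Classic forward dataflow: IN[n] = union of OUT[p] over predecessors,
    OUT[n] = GEN[n] | (IN[n] - KILL[n]), iterated to a fixed point."""
    n = len(statements)
    preds: Dict[int, List[int]] = {i: [] for i in range(n)}
    for src, dsts in successors.items():
        for dst in dsts:
            preds[dst].append(src)
    defines = [s[1] for s in statements]
    gen = [{i} if defines[i] else set() for i in range(n)]
    # A definition of $v kills every other definition of $v.
    kill = [{j for j in range(n) if j != i and defines[j] == defines[i]} if defines[i] else set()
            for i in range(n)]
    in_sets: List[Set[int]] = [set() for _ in range(n)]
    out_sets: List[Set[int]] = [set() for _ in range(n)]
    changed = True
    while changed:
        changed = False
        for i in range(n):
            new_in = set().union(*(out_sets[p] for p in preds[i]))
            new_out = gen[i] | (new_in - kill[i])
            if new_in != in_sets[i] or new_out != out_sets[i]:
                in_sets[i], out_sets[i] = new_in, new_out
                changed = True
    return in_sets, out_sets


def data_dependencies(statements: List[Statement],
                      successors: Dict[int, List[int]]) -> Dict[int, Set[int]]:
    """Statement i depends on statement d when d defines a variable that i uses
    and d's definition reaches i along some path."""
    in_sets, _ = reaching_definitions(statements, successors)
    return {i: {d for d in in_sets[i] if statements[d][1] in uses}
            for i, (_, _, uses) in enumerate(statements)}


def render(statements: List[Statement], deps: Dict[int, Set[int]]) -> List[str]:
    return [f"{statements[i][0]} depends on "
            f"{', '.join(statements[d][0] for d in sorted(ds)) or 'nothing'}"
            for i, ds in sorted(deps.items())]


if __name__ == "__main__":
    for path in all_paths(SUCCESSORS, 0, 6):
        print(" -> ".join(STATEMENTS[i][0] for i in path))
    for line in render(STATEMENTS, data_dependencies(STATEMENTS, SUCCESSORS)):
        print(line)
```

The result matches the diagram: `$x = corrige($y)` depends on `$y = $x + 1`, which depends on `$x = source()`; both branches' `$y` assignments read the original `$x`; `$a = 3` depends on nothing. The IN set at `end` also shows why review needs the graph rather than a single path: two definitions of `$x` and two of `$y` may reach it.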
Various AST
PHP7mar : nikic/php5-ast
PHAN : ext/ast (PHP 7 only)
PHPStan : based on reflection
Exakat : AST in a graph database
SonarQube : Java-built AST
PhpStorm : internal IDE AST
PHAN
Total : 30566 results / 65 types

PhanUndeclaredMethod (9459 issues) : Call to undeclared method Sylius\Bundle\ChannelBundle\Tests\DependencyInjection\Compiler\CompositeRequestResolverPassTest::assertContainerBuilderHasServiceDefinitionWithMethodCall (Did you mean expr->assertContainerBuilderNotHasServiceDefinitionWithMethodCall())

PhanParamTooMany (24 issues) : Call with 4 arg(s) to Sylius\Bundle\MoneyBundle\Form\DataTransformer\SyliusMoneyTransformer::__construct() which only takes 0 arg(s) defined at projects/sylius/code/src/Sylius/Bundle/MoneyBundle/Form/DataTransformer/SyliusMoneyTransformer.php:18

PhanUnreferencedUseNormal (171 issues) : Possibly zero references to use statement for classlike/namespace OrderInterface (Sylius\Component\Core\Model\OrderInterface)

PhanParamTooFew : 36 issues
PHP 7 helps static analysis
Type hint, return type hint, scalar typehint
Usage of PHPDoc
Consistent behavior of PHP operators
Dynamic code is very difficult to analyze
PHP LINT
php -l <fichier.php>
Parallel execution
jakub-onderka/php-parallel-lint
Various versions of PHP : 7.0, 7.1, 7.2, 7.3, 5.6, 5.5
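The lint procedure above (every file, several PHP versions, in parallel) as an added Python example; it is not php-parallel-lint itself. The binary names in `PHP_BINS` are assumptions in the Debian naming style, and `parse_lint_output()`, `lint_tree()` and `summarize()` are this example's own helpers.

```python
import subprocess
from concurrent.futures import ThreadPoolExecutor
from functools import partial
from pathlib import Path
from typing import Dict, Tuple

# Added illustration, not php-parallel-lint: run `php -l` over every .php file
# under a directory, in parallel, once per PHP interpreter, and tally how many
# files fail to compile under each version. Binary names are assumptions.
PHP_BINS: Dict[str, str] = {"5.6": "php5.6", "7.0": "php7.0", "7.2": "php7.2", "7.3": "php7.3"}


def parse_lint_output(returncode: int, output: str) -> Tuple[bool, str]:
    """Interpret one `php -l` run from its exit status and combined stdout+stderr.
    Success prints 'No syntax errors detected in <file>' and exits 0; a failure
    exits non-zero and prints a 'Parse error' / 'Fatal error' line naming file and line."""
    if returncode == 0 and "No syntax errors detected" in output:
        return True, ""
    for line in output.splitlines():
        if "error" in line.lower():
            return False, line.strip()
    return False, output.strip() or f"php -l exited with status {returncode}"


def lint_file(php_bin: str, path: str) -> Tuple[str, bool, str]:
    # A missing interpreter raises FileNotFoundError: install it or drop that version.
    proc = subprocess.run([php_bin, "-l", path], capture_output=True, text=True)
    ok, message = parse_lint_output(proc.returncode, proc.stdout + proc.stderr)
    return path, ok, message


def lint_tree(root: str, php_bins: Dict[str, str] = PHP_BINS,
              jobs: int = 10) -> Dict[str, Dict[str, Tuple[bool, str]]]:
    """version -> {file -> (compiles?, first error line)}. `jobs` mirrors the
    '10 parallel jobs' of the run shown on the slide."""
    files = sorted(str(p) for p in Path(root).rglob("*.php"))
    results: Dict[str, Dict[str, Tuple[bool, str]]] = {}
    with ThreadPoolExecutor(max_workers=jobs) as pool:
        for version, php_bin in php_bins.items():
            results[version] = {path: (ok, msg)
                                for path, ok, msg in pool.map(partial(lint_file, php_bin), files)}
    return results


def summarize(results: Dict[str, Dict[str, Tuple[bool, str]]]) -> Dict[str, Tuple[int, int]]:
    """version -> (files checked, files with a syntax error): the per-version
    count behind a chart like the ones on the slides."""
    return {version: (len(files), sum(1 for ok, _ in files.values() if not ok))
            for version, files in results.items()}


if __name__ == "__main__":
    import sys
    report = lint_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for version, (checked, failed) in summarize(report).items():
        print(f"PHP {version}: {checked} files checked, {failed} with syntax errors")
        for path, (ok, msg) in report[version].items():
            if not ok:
                print(f"  {path}: {msg}")
```

Run it as `python lint_tree.py path/to/project`. Parsing is kept separate from process launching so the interpretation of `php -l` output can be checked without a PHP install; the counts per version are what the review needs first, the individual error lines come after.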
PHP LINT - 5.5->7.3
Not a single error
2725 compiled files
PHP 7.2.11 | 10 parallel jobs
............................................................ 60/2725 (2 %)
............................................................ 120/2725 (4 %)
............................................................ 180/2725 (6 %)
............................................................ 240/2725 (8 %)
............................................................ 300/2725 (11 %)
............................................................ 360/2725 (13 %)
............................................................ 420/2725 (15 %)
............................................................ 480/2725 (17 %)
............................................................ 540/2725 (19 %)
............................................................ 600/2725 (22 %)
............................................................ 660/2725 (24 %)
............................................................ 720/2725 (26 %)
............................................................ 780/2725 (28 %)
............................................................ 840/2725 (30 %)
............................................................ 900/2725 (33 %)
............................................................ 960/2725 (35 %)
............................................................ 1020/2725 (37 %)
............................................................ 1080/2725 (39 %)
............................................................ 1140/2725 (41 %)
............................................................ 1200/2725 (44 %)
............................................................ 1260/2725 (46 %)
............................................................ 1320/2725 (48 %)
............................................................ 1380/2725 (50 %)
............................................................ 1440/2725 (52 %)
............................................................ 1500/2725 (55 %)
............................................................ 1560/2725 (57 %)
............................................................ 1620/2725 (59 %)
............................................................ 1680/2725 (61 %)
............................................................ 1740/2725 (63 %)
............................................................ 1800/2725 (66 %)
............................................................ 1860/2725 (68 %)
............................................................ 1920/2725 (70 %)
............................................................ 1980/2725 (72 %)
............................................................ 2040/2725 (74 %)
............................................................ 2100/2725 (77 %)
............................................................ 2160/2725 (79 %)
............................................................ 2220/2725 (81 %)
............................................................ 2280/2725 (83 %)
............................................................ 2340/2725 (85 %)
............................................................ 2400/2725 (88 %)
............................................................ 2460/2725 (90 %)
............................................................ 2520/2725 (92 %)
............................................................ 2580/2725 (94 %)
............................................................ 2640/2725 (96 %)
............................................................ 2700/2725 (99 %)
......................... 2725/2725 (100 %)
Checked 2725 files in 16.9 seconds
No syntax error found
[Charts of lint results per PHP version, 5.2 to 7.3; only the axis ticks survived extraction]
What does this app do?
Inventories of the application
Names for classes, methods, traits, variables,
interfaces…
List of literals in the code
Integers, reals, arrays, strings
Error messages
Classes
TaxRateSpec 2
Taxon 2
TaxonSpec 2
TextAttributeType 2
TextareaAttributeType 2
TranslatableEntityLocaleAssigner 2
TranslatableEntityLocaleAssignerSpec 2
TwigBulkActionGridRenderer 2
TwigBulkActionGridRendererSpec 2
TwigGridRenderer 2
TwigGridRendererSpec 2
UserRepository 2
ZoneContext 2
AddressType 3
CartContext 3
CurrencyContext 3
DataSource 3
Driver 3
ExpressionBuilder 3
ProductContext 3
ProductReviewContext 3
ThemeContext 3
UserContext 3
ChannelContext 4
CustomerContext 4
LocaleContext 4
ShowPage 5
ConfigurationTest 6
IndexPage 18
CreatePage 24
UpdatePage 24
Configuration 28
Variables
$class 3
$configuration 3
$constraint 3
$context 3
$customers 3
$data 3
$datetime 3
$factory 3
$fixture 3
$form 3
$image 3
$images 3
$item 3
$listener 3
$metadata 3
$method 3
$objects 3
$options 3
$optionvalues 3
$parameters 3
$payments 3
$productassociations 3
$products 3
$producttaxon 3
$provinces 3
$repository 3
$resource 3
$resources 3
$result 3
$results 3
$shipments 3
$taxons 3
$value 3
$values 3
$zone 3
$arguments 6
$expressions 10
3791 variables
Also : 59 used-once variables
List of PHP analyzers
Exakat
PHPStan
Phan
Phploc
PHPmetrics
https://github.com/exakat/php-static-analysis-tools
Large application
Symfony framework
No databases
Very low level of issues
Tend to use very modern PHP features
Backward compatibilities
Deal with sales : customers, sales
https://sylius.com
Thank you (Danke schön)
http://exakat.io/ - @exakat

Contenu connexe

Similaire à Review unknown code with static analysis php ce 2018

Automated code audits
Automated code auditsAutomated code audits
Automated code auditsDamien Seguy
 
Review unknown code with static analysis Zend con 2017
Review unknown code with static analysis  Zend con 2017Review unknown code with static analysis  Zend con 2017
Review unknown code with static analysis Zend con 2017Damien Seguy
 
Metrics-Driven Engineering
Metrics-Driven EngineeringMetrics-Driven Engineering
Metrics-Driven EngineeringMike Brittain
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne
 
Review unknown code with static analysis
Review unknown code with static analysisReview unknown code with static analysis
Review unknown code with static analysisDamien Seguy
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Predictive Analytics with Airflow and PySpark
Predictive Analytics with Airflow and PySparkPredictive Analytics with Airflow and PySpark
Predictive Analytics with Airflow and PySparkRussell Jurney
 
Agile Data Science 2.0
Agile Data Science 2.0Agile Data Science 2.0
Agile Data Science 2.0Russell Jurney
 
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...dantleech
 
Making the most of 2.2
Making the most of 2.2Making the most of 2.2
Making the most of 2.2markstory
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly LanguageMotaz Saad
 
Yahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupYahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupHadoop User Group
 
Agile Data Science 2.0
Agile Data Science 2.0Agile Data Science 2.0
Agile Data Science 2.0Russell Jurney
 
Agile Data Science 2.0 - Big Data Science Meetup
Agile Data Science 2.0 - Big Data Science MeetupAgile Data Science 2.0 - Big Data Science Meetup
Agile Data Science 2.0 - Big Data Science MeetupRussell Jurney
 
Agile Data Science 2.0
Agile Data Science 2.0Agile Data Science 2.0
Agile Data Science 2.0Russell Jurney
 

Similaire à Review unknown code with static analysis php ce 2018 (20)

Automated code audits
Automated code auditsAutomated code audits
Automated code audits
 
Review unknown code with static analysis Zend con 2017
Review unknown code with static analysis  Zend con 2017Review unknown code with static analysis  Zend con 2017
Review unknown code with static analysis Zend con 2017
 
Metrics-Driven Engineering
Metrics-Driven EngineeringMetrics-Driven Engineering
Metrics-Driven Engineering
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
 
Review unknown code with static analysis
Review unknown code with static analysisReview unknown code with static analysis
Review unknown code with static analysis
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Lca05
Lca05Lca05
Lca05
 
Predictive Analytics with Airflow and PySpark
Predictive Analytics with Airflow and PySparkPredictive Analytics with Airflow and PySpark
Predictive Analytics with Airflow and PySpark
 
Agile Data Science 2.0
Agile Data Science 2.0Agile Data Science 2.0
Agile Data Science 2.0
 
Siddhi CEP 2nd sideshow presentation
Siddhi CEP 2nd sideshow presentationSiddhi CEP 2nd sideshow presentation
Siddhi CEP 2nd sideshow presentation
 
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
Building and Incredible Machine with Pipelines and Generators in PHP (IPC Ber...
 
Agile Data Science
Agile Data ScienceAgile Data Science
Agile Data Science
 
PHP code examples
PHP code examplesPHP code examples
PHP code examples
 
Lambdas puzzler - Peter Lawrey
Lambdas puzzler - Peter LawreyLambdas puzzler - Peter Lawrey
Lambdas puzzler - Peter Lawrey
 
Making the most of 2.2
Making the most of 2.2Making the most of 2.2
Making the most of 2.2
 
Introduction to Assembly Language
Introduction to Assembly LanguageIntroduction to Assembly Language
Introduction to Assembly Language
 
Yahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupYahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user group
 
Agile Data Science 2.0
Agile Data Science 2.0Agile Data Science 2.0
Agile Data Science 2.0
 
Agile Data Science 2.0 - Big Data Science Meetup
Agile Data Science 2.0 - Big Data Science MeetupAgile Data Science 2.0 - Big Data Science Meetup
Agile Data Science 2.0 - Big Data Science Meetup
 
Agile Data Science 2.0
Agile Data Science 2.0Agile Data Science 2.0
Agile Data Science 2.0
 

Plus de Damien Seguy

Strong typing @ php leeds
Strong typing  @ php leedsStrong typing  @ php leeds
Strong typing @ php leedsDamien Seguy
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationDamien Seguy
 
Qui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeQui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeDamien Seguy
 
Analyse statique et applications
Analyse statique et applicationsAnalyse statique et applications
Analyse statique et applicationsDamien Seguy
 
Top 10 pieges php afup limoges
Top 10 pieges php   afup limogesTop 10 pieges php   afup limoges
Top 10 pieges php afup limogesDamien Seguy
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Damien Seguy
 
Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Damien Seguy
 
Top 10 php classic traps confoo
Top 10 php classic traps confooTop 10 php classic traps confoo
Top 10 php classic traps confooDamien Seguy
 
Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Damien Seguy
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbiaDamien Seguy
 
Top 10 php classic traps
Top 10 php classic trapsTop 10 php classic traps
Top 10 php classic trapsDamien Seguy
 
Top 10 chausse trappes
Top 10 chausse trappesTop 10 chausse trappes
Top 10 chausse trappesDamien Seguy
 
Code review workshop
Code review workshopCode review workshop
Code review workshopDamien Seguy
 
Understanding static analysis php amsterdam 2018
Understanding static analysis   php amsterdam 2018Understanding static analysis   php amsterdam 2018
Understanding static analysis php amsterdam 2018Damien Seguy
 
Everything new with PHP 7.3
Everything new with PHP 7.3Everything new with PHP 7.3
Everything new with PHP 7.3Damien Seguy
 
Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC  (AFUP Toulouse)Php 7.3 et ses RFC  (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)Damien Seguy
 
Tout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCTout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCDamien Seguy
 
Code review for busy people
Code review for busy peopleCode review for busy people
Code review for busy peopleDamien Seguy
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonightDamien Seguy
 
Machine learning in php las vegas
Machine learning in php   las vegasMachine learning in php   las vegas
Machine learning in php las vegasDamien Seguy
 

Plus de Damien Seguy (20)

Strong typing @ php leeds
Strong typing  @ php leedsStrong typing  @ php leeds
Strong typing @ php leeds
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisation
 
Qui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeQui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le code
 
Analyse statique et applications
Analyse statique et applicationsAnalyse statique et applications
Analyse statique et applications
 
Top 10 pieges php afup limoges
Top 10 pieges php   afup limogesTop 10 pieges php   afup limoges
Top 10 pieges php afup limoges
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020
 
Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)
 
Top 10 php classic traps confoo
Top 10 php classic traps confooTop 10 php classic traps confoo
Top 10 php classic traps confoo
 
Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbia
 
Top 10 php classic traps
Top 10 php classic trapsTop 10 php classic traps
Top 10 php classic traps
 
Top 10 chausse trappes
Top 10 chausse trappesTop 10 chausse trappes
Top 10 chausse trappes
 
Code review workshop
Code review workshopCode review workshop
Code review workshop
 
Understanding static analysis php amsterdam 2018
Understanding static analysis   php amsterdam 2018Understanding static analysis   php amsterdam 2018
Understanding static analysis php amsterdam 2018
 
Everything new with PHP 7.3
Everything new with PHP 7.3Everything new with PHP 7.3
Everything new with PHP 7.3
 
Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC  (AFUP Toulouse)Php 7.3 et ses RFC  (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)
 
Tout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCTout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFC
 
Code review for busy people
Code review for busy peopleCode review for busy people
Code review for busy people
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonight
 
Machine learning in php las vegas
Machine learning in php   las vegasMachine learning in php   las vegas
Machine learning in php las vegas
 

Dernier

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 

Dernier (20)

activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 

Review unknown code with static analysis php ce 2018

  • 1. REVIEW UNKNOWN CODE WITH STATIC ANALYSIS Praha, Czech Republic, October 2018
  • 2. Agenda Reviewing code Static analysis for PHP A session in which you are the hero
  • 3. Review some PHP code We don't know what it does We have never heard about it We don't run it We don't know the authors Can we have an opinion?
  • 4. Review the code Reading code is humanly possible : its an art Unit test are not adapted for review Dynamic analysis is not fit for review We need to explore code We can only rely on the current state
  • 5. Speaker Damien Seguy Exakat CTO Static analysis for PHP Elephpant retirement home Nemluvím česky...
  • 6. Source code is structured Source code is a structured dataset We need tools to query it This is static analysis
  • 8. Appinfo() List PHP features Focus on PHP's specifics
  • 15. Application favorites Many solutions to the same problem Impact on PHP is minimal Generate never-ending discussions Rule : choose one, stick to it
  • 20. Automated code review Analyze code Report PHP related problems
  • 22. Tactical mistakes in the code PHP classic trap Development left overs Dead code Code modernisation Literal bugs
  • 23. Clean code for PHP Best practices Security, performance, clean code in-house, PSR, calisthenics, other inspirations Code mantras, code kata PHP Manual Migration guides
  • 25. Exakat : 650 analysis (Freq.: how often the analysis fires across applications; Here: findings in the reviewed application)
    Analysis                               Freq.   Here
    function __destruct() { throw …}       0.3 %   0
    …                                      0.6 %   0
    function foo($a, $a, $a) {}            2.0 %   0
    substr($a, 2, 4) == 'abc'              6.9 %   0
    !!(expression)                         8.0 %   0
    $a ? $b ? $c : $d : $e                 11 %    0
    No array_merge() in loops              43 %    8
    include('file.php')                    55 %    12
    Use ::class operator                   66 %    23
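As an added illustration, not part of the slides and not Exakat's code, here is a small Python checker for two of the rules in the table above, "No array_merge() in loops" and "include('file.php')", run over a constructed PHP snippet. Unlike Exakat it works at token level with a brace stack rather than on an AST, and it assumes loop bodies are braced; the sample PHP and the rule identifiers are made up for this example. Comments and string literals are blanked before scanning so that a rule cannot fire on text inside them, which is the usual source of false positives in such a lint.

```python
from __future__ import annotations

import re

# Constructed PHP sample for this example (not code from the slides or from any reviewed project).
SAMPLE_PHP = r'''<?php
$all = [];
foreach ($chunks as $chunk) {
    $all = array_merge($all, $chunk);   // rule: array_merge() inside a loop
}
$chunks2 = [];
foreach ($rows as $row) {
    $chunks2[] = $row;                  // fine: collect, then merge once after the loop
}
$merged = array_merge(...$chunks2);     // outside any loop: not reported
include('config.php');                  // rule: include is a language construct, not a function
require 'lib.php';                      // fine
$s = "array_merge($x) in a string";     // inside a string literal: ignored
'''

RULES = {
    "array_merge_in_loop": "array_merge() called inside a loop: collect the parts and merge once after it",
    "include_with_parentheses": "include/require written like a function call",
}

# Comments and string literals are blanked out (newlines kept) so text inside them
# cannot trigger a rule and reported line numbers stay correct.
_NOISE = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|" + r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"',
    re.S,
)
_TOKEN = re.compile(r"[A-Za-z_]\w*|[{}();]")
LOOP_KEYWORDS = {"for", "foreach", "while", "do"}
INCLUDE_KEYWORDS = {"include", "include_once", "require", "require_once"}


def scrub(php: str) -> str:
    """Replace comments and string literals with spaces of the same length, keeping newlines."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), php)


def review(php: str) -> list[tuple[int, str]]:
    """Return (line, rule id) findings. Assumes loop bodies are braced."""
    src = scrub(php)
    findings = []
    brace_stack = []       # one bool per open '{': True when that block is a loop body
    pending_loop = False   # a loop keyword was seen and its '{' has not arrived yet
    paren_depth = 0
    prev_name = None       # identifier directly before the current token, if any
    for m in _TOKEN.finditer(src):
        tok = m.group(0)
        line = src.count("\n", 0, m.start()) + 1
        if tok[0].isalpha() or tok[0] == "_":
            if tok in LOOP_KEYWORDS:
                pending_loop = True
            prev_name = tok
            continue
        if tok == "(":
            paren_depth += 1
            if prev_name == "array_merge" and any(brace_stack):
                findings.append((line, "array_merge_in_loop"))
            elif prev_name in INCLUDE_KEYWORDS:
                findings.append((line, "include_with_parentheses"))
        elif tok == ")":
            paren_depth -= 1
        elif tok == "{":
            brace_stack.append(pending_loop)
            pending_loop = False
        elif tok == "}":
            if brace_stack:
                brace_stack.pop()
        elif tok == ";" and paren_depth == 0:
            pending_loop = False   # e.g. the trailing "while (...);" of a do-while
        prev_name = None
    return findings


if __name__ == "__main__":
    for line, rule in review(SAMPLE_PHP):
        print(f"line {line}: {RULES[rule]}")
```

Run as a script it reports line 4 and line 11 of the sample and nothing else: the merge after the second loop, the `require` without parentheses, and the `array_merge(` inside the string literal are all left alone. The "Here" column of the table is exactly this kind of count, taken over the whole application.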
  • 26. Which PHP version? List of directives
  • 27. Automated code review Semantic read of the code Reports interesting issues Works with AST
  • 28. Automated code review PHP 5 / 7 Calisthenics ClearPHP Performance     
  • 29. Semantics and definitions Removes spaces, comments, documentations Removes delimiters ( ) { } [ ] " ' ` ; : Good network to link definition with usage
  • 32. Data Dependency Graph
    <?php
    $x = source();
    if ($x < 10) {
        $y = $x + 1;
        $a = 3;
        $x = corrige($y);
    } else {
        $y = $x;
    }
    (diagram: nodes "$x = source;", "if ($x < 10)", "$y = $x + 1;", "$y = $x;", "$x = corrige($y);", "$a = 3;" and "fin();", linked by edges labelled "Depends on" and "Depends on not")
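An added example, not from the slides and not Exakat's implementation: the data dependency graph of the program above, computed in Python from a hand-transcribed toy AST that records, per statement, the variable it assigns and the variables it reads (a real tool takes these from a parser such as nikic/php-parser; that front end is skipped here). It also derives the two things a reviewer wants from such a graph: the statements transitively fed by source(), which is the basis of taint tracking from a source to a sink, and assignments nobody reads, the dead stores that slide 22 calls development left-overs. One assumption: fin() is given $x and $y as arguments so the join point after the if/else is visible; the slide's fin() takes none.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Stmt:
    """One simple statement: the variable it assigns (if any) and the variables it reads."""
    text: str
    defines: str | None = None
    uses: tuple[str, ...] = ()


@dataclass
class If:
    """An if/else; the condition is a Stmt that only reads variables."""
    cond: Stmt
    then: list
    otherwise: list = field(default_factory=list)


# The slide's PHP program, hand-transcribed into this toy AST.
# Assumption: fin() is given $x and $y so the join point after the if/else is visible
# (the slide's fin() takes no arguments).
PROGRAM = [
    Stmt("$x = source();", defines="x"),
    If(
        cond=Stmt("if ($x < 10)", uses=("x",)),
        then=[
            Stmt("$y = $x + 1;", defines="y", uses=("x",)),
            Stmt("$a = 3;", defines="a"),
            Stmt("$x = corrige($y);", defines="x", uses=("y",)),
        ],
        otherwise=[Stmt("$y = $x;", defines="y", uses=("x",))],
    ),
    Stmt("fin($x, $y);", uses=("x", "y")),
]


def _record(stmt, reaching, deps):
    # A statement depends on whichever assignments of the variables it reads may still be live.
    deps[stmt.text] = set().union(*(reaching.get(v, set()) for v in stmt.uses))


def _walk(block, reaching, deps):
    # reaching: variable -> texts of the assignments that may reach this point.
    for node in block:
        if isinstance(node, If):
            _record(node.cond, reaching, deps)
            out_then = _walk(node.then, {v: set(s) for v, s in reaching.items()}, deps)
            out_else = _walk(node.otherwise, {v: set(s) for v, s in reaching.items()}, deps)
            # Join: either branch may have run, so definitions from both reach the code after it.
            reaching = {v: out_then.get(v, set()) | out_else.get(v, set())
                        for v in out_then.keys() | out_else.keys()}
        else:
            _record(node, reaching, deps)
            if node.defines:
                reaching[node.defines] = {node.text}  # kills earlier assignments of that variable
    return reaching


def _statements(block):
    for node in block:
        if isinstance(node, If):
            yield node.cond
            yield from _statements(node.then)
            yield from _statements(node.otherwise)
        else:
            yield node


def dependency_graph(program):
    """Map each statement text to the set of statement texts it reads a value from."""
    deps = {}
    _walk(program, {}, deps)
    return deps


def influenced_by(deps, origin):
    """Statements that transitively consume a value produced by `origin` (taint-style)."""
    result, frontier = set(), {origin}
    while frontier:
        frontier = {s for s, d in deps.items() if d & frontier and s not in result}
        result |= frontier
    return result


def dead_stores(deps, program):
    """Assignments no statement reads: the left-overs that show up as used-once variables."""
    read = set().union(*deps.values())
    return [s.text for s in _statements(program) if s.defines and s.text not in read]


if __name__ == "__main__":
    graph = dependency_graph(PROGRAM)
    for stmt, sources in graph.items():
        print(f"{stmt:22} depends on {sorted(sources) or '-'}")
    print("fed by source():", sorted(influenced_by(graph, "$x = source();")))
    print("dead stores:", dead_stores(graph, PROGRAM))
```

The join after the if/else is the point the diagram makes: fin() depends on both assignments of $x and both of $y, because the analysis cannot know which branch ran. That is also why this is static analysis rather than a test run: no input is needed, and $a = 3; is reported as a dead store for every input at once.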
  • 33. Various AST PHP7mar : nikic/php5-ast PHAN : ext/ast (PHP 7 only) PHPStan : based on reflection Exakat : AST in a graph database SonarQube : Java-build AST PHPstorm : internal IDE AST
  • 34. PHAN Total : 30566 results / 65 types
    PhanUndeclaredMethod (9459 issues): Call to undeclared method Sylius\Bundle\ChannelBundle\Tests\DependencyInjection\Compiler\CompositeRequestResolverPassTest::assertContainerBuilderHasServiceDefinitionWithMethodCall (Did you mean expr->assertContainerBuilderNotHasServiceDefinitionWithMethodCall())
    PhanParamTooMany (24 issues): Call with 4 arg(s) to Sylius\Bundle\MoneyBundle\Form\DataTransformer\SyliusMoneyTransformer::__construct() which only takes 0 arg(s) defined at projects/sylius/code/src/Sylius/Bundle/MoneyBundle/Form/DataTransformer/SyliusMoneyTransformer.php:18
    PhanUnreferencedUseNormal (171 issues): Possibly zero references to use statement for classlike/namespace OrderInterface (Sylius\Component\Core\Model\OrderInterface)
    PhanParamTooFew : 36 issues
  • 35. PHP 7 helps static analysis Type hint, return type hint, scalar typehint Usage of PHPDOC Consistent behavior of PHP operators Dynamic code is very difficult to analyze
  • 36. PHP LINT php -l <file.php> Parallel executions jakub-onderka/php-parallel-lint Various versions of PHP : 7.0, 7.1, 7.2, 7.3, 5.6, 5.5
  • 37. PHP LINT - 5.5->7.3 Not a single error 2725 compiled files PHP 7.2.11 | 10 parallel jobs (progress output omitted) Checked 2725 files in 16.9 seconds No syntax error found
  • 38. (charts: per-version counts for PHP 5.2 to 7.3; only the axis ticks survived the transcript)
  • 39. What does this app do? Inventories of the application Names for classes, methods, traits, variables, interfaces… List of literal in the code Integers, real, arrays, strings
  • 41. Classes (name: count) TaxRateSpec 2, Taxon 2, TaxonSpec 2, TextAttributeType 2, TextareaAttributeType 2, TranslatableEntityLocaleAssigner 2, TranslatableEntityLocaleAssignerSpec 2, TwigBulkActionGridRenderer 2, TwigBulkActionGridRendererSpec 2, TwigGridRenderer 2, TwigGridRendererSpec 2, UserRepository 2, ZoneContext 2, AddressType 3, CartContext 3, CurrencyContext 3, DataSource 3, Driver 3, ExpressionBuilder 3, ProductContext 3, ProductReviewContext 3, ThemeContext 3, UserContext 3, ChannelContext 4, CustomerContext 4, LocaleContext 4, ShowPage 5, ConfigurationTest 6, IndexPage 18, CreatePage 24, UpdatePage 24, Configuration 28
  • 42. Variables (name: count) $class 3, $configuration 3, $constraint 3, $context 3, $customers 3, $data 3, $datetime 3, $factory 3, $fixture 3, $form 3, $image 3, $images 3, $item 3, $listener 3, $metadata 3, $method 3, $objects 3, $options 3, $optionvalues 3, $parameters 3, $payments 3, $productassociations 3, $products 3, $producttaxon 3, $provinces 3, $repository 3, $resource 3, $resources 3, $result 3, $results 3, $shipments 3, $taxons 3, $value 3, $values 3, $zone 3, $arguments 6, $expressions 10 3791 variables Also : 59 used-once variables
  • 43. List of PHP analyzers Exakat PHPStan Phan Phploc PHPmetrics https://github.com/exakat/php-static-analysis-tools
  • 44. Large application Symfony framework No databases Very low level of issues Tend to use very modern PHP features Backward compatibilities Deal with sales : customers, sales