Static analysis tools checks PHP code without running them. Fully automated, they bring expertise to review the code, enforce good practices when programming, keep code ready for the next PHP version. PHP 7 has developed tremendously our capacity to audit code. Thanks to AST and return types, it is possible to go deeper and prevent more bugs. During this session, we'll review the current state of static analysis tools, learn what they can find for us, and how to integrate it in the development cycle: security bugs, migration incompatibilities, and directives recommendations. Simply said, better PHP coding.

1. Static analysis
saved my
code tonight
Zendcon 2017,
Las Vegas, NE, USA
October 2017

2. Agenda
What is static analysis
Under the hood of a static analyzer
What analyzers can do for you

3. Speaker
Damien Seguy
Exakat CTO
Static analysis for PHP
Retiring house for elephpants

4. Is my code any good ?

5. The extra step
Execution
Opcode
Coding convention
Text file

6. An extra side step
Execution
Text file
Opcode Static analysis

7. An extra step
Execution
Opcode Static analysis
Text file

8. Switch statements may only
contain one default clause
<?php
switch($x) {
case '1' :
break;
default :
break;
default :
break;
case '2' :
break;
}

9. Switch statements may only
contain one default clause
switch($x) {
case 1 :
break;
case 0+1 :
break;
case '1' :
break;
case true :
break;
case 1.0 :
break;
case $y :
break;
}

10. Static analysis
PHP 5 / 7
Calisthenics
ClearPHP
Performance
 
 


11. PHP tokens
Comments, Doc, whitespace
Delimiters : ' " () {} [] `
2/3 of the tokens are removed
[248] => Array
(
[0] => 382
[1] =>
[2] => 167
)
[249] => Array
(
[0] => 319
[1] => define
[2] => 167
)
[250] => (
[251] => Array
(
[0] => 323
[1] => 'EXT'
[2] => 167
)
[252] => ,
[253] => Array
(
[0] => 382
[1] =>
[2] => 167
)
<?php
//....
define('EXT', '.php');

12. AST
<?php
$x = source();
if ($x < 10) {
$y = $x + 1;
$x = corrige($y);
} else {
$y = $x;
}

13. Flow control
<?php
$x = source();
if ($x < 10) {
$y = $x + 1;
$x = corrige($y);
} else {
$y = $x;
}
$x = source;
if ($x < 10)
$y = $x;
$y = $x + 1;
$x = corrige($y);
end
$a = 3;
start

14. Data dependency graph
<?php
$x = source();
if ($x < 10) {
$y = $x + 1;
$x = corrige($y);
} else {
$y = $x;
}
$x = source;
if ($x < 10) $y = $x;$y = $x + 1;
$x = corrige($y);
fin();
Depends onDepends on
Depends
on notDepends on
Depends on
$a = 3;
Depends on

15. Thousands of analysis
Analysis Freq.
function foo($a, $a, $a) {} 2.0%
!!(expression) 2.0%
substr($a, 2, 4) == 'abc' 9.0%
$a ? $b ? $c : $d : $e 11%
foreach($a as &$b) {} 15%
$var + 0 31%
if (strpos($a, $b)) {} 46%
include('file.php') 74%

16. PHP as a database
Source code is a highly organized dataset
We need a way to query it
There are over 84 static analysis tools for PHP
https://github.com/exakat/php-static-analysis-tools

17. Harnessing legacy code
Get a legacy code base to maintain
Assess the code and clean it
Set up a dev team
Update systems

18. Harnessing legacy code
Start with tests
unit, functional, assertions
Take a look and document everything

19. Find Bugs
Find bugs
PHP, logical, frameworks
Create a new coding reference
Choose a rule, fix the issues, clean around, repeat

20. Lists of issues
------ ---------------------------------------------------------------------------------------
Line src/Database.php
------ ---------------------------------------------------------------------------------------
33 Return typehint of method CorcelDatabase::connect() has invalid type CorcelIlluminat
35 Instantiated class IlluminateDatabaseCapsuleManager not found.
37 Call to method addConnection() on an unknown class IlluminateDatabaseCapsuleManager
38 Call to method bootEloquent() on an unknown class IlluminateDatabaseCapsuleManager.
40 Method CorcelDatabase::connect() should return CorcelIlluminateDatabaseCapsuleMan
----------------------------------------------------------------------------------------------
------ ---------------------------------------------------------------------------
Line src/Password/PasswordService.php
------ ---------------------------------------------------------------------------
11 Access to an undefined property CorcelPasswordPasswordService::$hasher.
11 Instantiated class HautelookPhpassPasswordHash not found.
28 Access to an undefined property CorcelPasswordPasswordService::$hasher.
58 Access to an undefined property CorcelPasswordPasswordService::$hasher.
------ ---------------------------------------------------------------------------

21. PHP 7.2 compatibility

22. Measure
Get metrics
Cyclomatic complexity, dependencies,
Inventory of features used

23. Metrics, break down by file

24. Appinfo()
Like phpinfo()
for PHP features

25. Update PHP code
Choose a set of analysis that matters
Fix them all
Add some more

26. Right in the IDE

27. Automated update

28. Working with more dev
Add more workforce to your project
Keep your code quality equal
Stop including code of lesser quality

29. Joining the team
3 rules 7 rules 15 rules
Full coding
reference
1
month
2
months
3
months

30. Full coding
reference
Third party quality review
10 rules Dev
Code
Report
Repository
Code
Report

31. Document your code
Help others understand that code
Compilation requirements, php.ini important directives

32. # install 2 extra extensions
#pecl install apc (https://pecl.php.net/package/apc)
#pecl install mysql (https://pecl.php.net/package/mysql)
./configure
--with-apxs2
--enable-apc
--enable-apc-debug
--with-bz2=DIR
--with-curl=DIR
--disable-dom
--enable-exif
--disable-fileinfo
--disable-filter
--disable-hash
—disable-json
--disable-libxml
--enable-mbstring
--with-libmbfl=DIR
--enable-mbstr-enc-trans
--disable-mbregex
--with-mcrypt=[DIR]
--with-mysql
--with-mysqli
--with-gd
--with-jpeg-dir=DIR
--with-png-dir=DIR
--with-xpm-dir=DIR
--with-vpx-dir=DIR
--with-freetype-dir=DIR
--enable-gd-native-ttf
--disable-pdo
PHP compile

33. [file]
; Unless you need to access remote files, it is better to be safe and forbid this
; feature
allow_url_fopen = Off
; Determines the size of the realpath cache to be used by PHP. The default value
; of "16k" is usually too low for modern application that open many files
; (autoload, fopen, filet_get_contents...). It is recommended to make this value
; up to 128 to 256k, and reduce it by testing with realpath_cache_get().
realpath_cache_size = 128k
; Duration of time (in seconds) for which to cache realpath information for a
; given file or directory. If the application's code doesn't change too often, you
; may set this directive to 3600 (one hour) or even more.
realpath_cache_ttl = 3600
; More information about file :
;http://php.net/manual/en/filesystem.configuration.php
[File Upload]
; This is the maximum uploaded size. It is recommended to keep this value as low
; as possible.
upload_max_filesize = 2M
; This is the maximum number of uploaded files in a single request.
max_file_uploads = 1
; Upload directory where PHP stores the temporary files. It is recommended to set
; this value, and separate it from other temporary directories.
upload_tmp_dir = /tmp/php_upload
; This is the maximum amount of data that PHP will accept in a POST request. It
; has to be higher or equal to upload_max_filesize. For security reasons, it
php.ini suggestions

34. UML diagram

35. Help your own users
Beyond documentation
Automate code review
Help users learn, promote best practices
Drive your users directly where it is important

37. Enrich your code today
Capitalize a lot of experience
Provides someone else
point of view
Without anyone judging
Prepare for the future
Code fixing as relaxation

38. Tools used as illustration
https://github.com/exakat/php-static-analysis-tools
Exakat
Larashift
PHP Inspection
PHP Metrics
PHPStan

39. ZEND CON
https://joind.in/talk/c47dd
@exakat
http://www.exakat.io/