The Three Pillars of Static Analysis in PHP
Dec 12, 2016 @ 13:06:03

In this post over on Medium.com Ondřej Mirtes looks at what he calls the "Three Pillars of Static Analysis in PHP" - three kinds of testing you can do to catch errors "at rest" in your codebase.

My credo is that everything that can be automated should be automated. Computers are really good at repeating tedious tasks and they don’t usually make mistakes while us squishy humans are defined by making mistakes everywhere we go.

[...] In the following article, I’d like to introduce three tools that will help you to find errors and inconsistencies in your codebase. If your build integrating these tools finishes successfully, you can be pretty sure your application is in a good shape.

His list of three tools covers checking for:

He covers some of the things the last option verifies and links to another introductory article about the tool to help you get started.

tagged: static analysis pillars lint codesniffer phpstan code

Link: https://medium.com/@ondrejmirtes/three-pillars-of-static-analysis-in-php-f3f5d7bfd61b#.etoa1rfkq

PHPStan: Find Bugs In Your Code Without Writing Tests!
Dec 05, 2016 @ 13:25:38

In this post on Medium.com Ondřej Mirtes introduces a tool that can be used to statically analyze your PHP application and locate bugs without the need for tests - PHPStan.

Keeping up with modern PHP practices leads to codebases where we can be sure about types of a lot of data, converging with statically typed languages, although the dynamic nature is still present. Modern PHP codebases are similar to the ones in languages people make much less fun of. Object-oriented code, dependency injection and usage of established design patterns are truly common nowadays.

Which led me to the idea of a static analysis tool for PHP that would substitute the role of the compiler from other languages. I’ve spent a lot of time working on it and I’ve been employing its various development versions checking our codebase for more than a year.

It’s called PHPStan, it’s open-source and free to use.

The post goes on to talk about some of the checks that PHPStan performs (with more information available in the project's README). He also talks about the performance of the tool, how to extend it and configuring it for "strictness". He ends the post by pointing out that, despite the title of the article, he still encourages writing tests, just making sure they're "meaningful ones" that test more than just syntax.

tagged: phpstan static analysis tool tests evaluation

Link: https://medium.com/@ondrejmirtes/phpstan-2939cd0ad0e3#.23491arlh

Master Zend Framework:
Preparing Legacy Applications for PHP 7 with Phan
Sep 08, 2016 @ 12:07:42

The Master Zend Framework site has posted a new tutorial for those making the move in their legacy applications up to the world of PHP 7. In it Matthew Setter shows how to use phan, a static analysis tool, to locate issues that could cause breakage in the upgrade.

Unless you’ve been living under a rock these last 12 - 18 months, you will have heard about PHP 7; the latest version of PHP. Not only is it fast, by some reports it’s up to twice as fast as PHP 5.6, and far less memory hungry.

[...] Unfortunately, your application’s source code may not be 100% compatible with version 7. Upgrading may well leave you with a broken application and a set of unhappy customers. So before you go breaking your site in the interests of speed and being one of the cool kids, find out if your code’s compatible. How? By using a static code analyser, one which gives you all the changes you need to make on your code, so that you can upgrade with confidence.

He then shows how to install the Phan tool via Composer and execute it against your codebase. The result of his commands are a file that contains the issues found during the scan. If there are some "false positives" you'd like to ignore he also shows you how to create a config.php file with these and other values set to make it all more reusable.

tagged: php7 upgrade phan detect static analysis code tutorial

Link: http://www.masterzendframework.com/preparing-for-php7-with-phan/

SitePoint PHP Blog:
Static analysis with PHPSA: PHP Smart Analyzer
Sep 08, 2016 @ 09:25:33

On the SitePoint PHP blog there's a post from Claudio Ribeiro introducing you to a new static analysis tool to help improve the quality of your code - PHP Static Analyzer, or "PHPSA" for short.

One requirement that never changes whether you are working on your projects alone or in a team, on small projects or big, is Code Quality. The bigger the project and the team, the harder it gets to maintain it.

A good way of slowing this increase in difficulty down is to use static analysis tools. Static analysis is the process of analyzing software without actually executing the program – a sort of automatic code review. Static analysis tools will detect common errors, enforce coding standards, and even clean up code blocks. The days of php -l filename are not over, but we now have a number of great tools that go the extra mile in helping us create and maintain high quality code.

They start with an example of using the tried and true "php -l" to lint an example PHP file but note that the yes/no answer it provides doesn't give much feedback on the quality of the code, just its syntax. Enter PHPSA, a Composer-installable tool that does much more than lint checking. It also provides information about things like missing docblocks, function alias use and undefined property usage. They show an example of it in use on the command line, the results it provides and the changes made to the example class to fix the issues it found.

tagged: phpsa smart analyzer static analysis tool tutorial example

Link: https://www.sitepoint.com/static-analysis-with-phpsa-php-smart-analyzer/

Analysis of PHP7
Apr 29, 2016 @ 12:15:56

On the Viva64.com site they've posted the results of their own evaluation of PHP 7 in terms of both the source of the language itself and the libraries it makes use of.

Sometimes checking a project one more time can be quite amusing. It helps to see which errors were fixed, and which ones got into the code since the time it was last checked. My colleague has already written an article about PHP analysis. As there was a new version released, I decided to check the source code of the interpreter once again, and I wasn't disappointed - the project had a lot of interesting fragments to look at.

They start with a brief look at PHP 7 including when it was released, some of the features/functionality included and the tool they used to do the analysis. They talk about some of the difficulties in the analysis process and how the widespread use of macros tripped it up a bit. They include some code examples from PHP's source and the warnings that their PVS-Studio returned. The post ends with a brief look at the third-party libraries PHP uses and the responsibility the project takes in including them.

tagged: php7 analysis language source scanner pvsstudio results

Link: http://www.viva64.com/en/b/0392/#ID0EWECK

Rob Allen:
Running Phan against Slim 3
Dec 10, 2015 @ 09:51:20

Rob Allen has a quick post sharing the results of a test run of the Phan static analysis tool on the current state of the Slim 3 framework codebase (with v3.0 just being released).

Having installed Phan, I decided to use it against the upcoming Slim 3 codebase.

Phan needs a list of files to scan, and the place I started was with Lorna's article on Generating a file list for Phan.

He walks through the steps for creating this list of files (removing developer dependencies) and the results from the Phan execution. While a good amount of the errors related more to dependencies and missing class/interface definitions, there were some typing errors found based on the difference between the docblock and how the code handled the variable.

tagged: phan static analysis tool slim3 framework results

Link: https://akrabat.com/running-phan-against-slim-3

Rob Allen:
Installing Phan on OS X
Dec 03, 2015 @ 09:27:37

Rob Allen has posted a quick tip to his site showing how to get Phan installed on an OS X system. Phan is a static analysis tool written for PHP 7 and makes use of the new functionality that exposes the AST for the underlying language.

I use Homebrew for my local PHP installation on OS X and am currently running PHP 7.0.0 RC8.

Phan is a static analyser for PHP 7 which was written by Rasmus and then rewritten by Andrew Morrison. As it benefits from PHP 7's abstract syntax tree it can find all kinds of subtle errors, so I wanted to install it locally to have a play with it.

He shows how to get the tool installed via Composer (with a custom repository definition) and links to the ast extension you'll need installed to let the tool work. A quick edit to your php.ini file is then all it takes to complete the installation and let you install and run the tool from the command line.

tagged: phan static analysis tool php7 install configure osx

Link: http://akrabat.com/installing-phan-on-os-x/

Lorna Mitchell:
Generating a File List for Phan
Nov 27, 2015 @ 10:38:33

Lorna Mitchell has shared a tip she's found helpful when using the phan static analysis tool for finding only PHP files via a simple grep.

Phan is the PHP Analyzer for PHP 7 code. I've been using it, partly out of curiosity, and partly to look at what the implications of upgrading my various projects will be. [...] I generated my filelist.txt files with a little help from grep - by looking for all files with opening PHP tags in, and putting that list of filenames into a file.

The phan tool is still pretty young but it provides a good example of how to use the new php-ast handling to parse and analyze PHP code.

tagged: phan file list generate quick tip grep static analysis tool

Link: http://www.lornajane.net/posts/2015/generating-a-file-list-for-phan

SitePoint PHP Blog:
Writing PHP Git Hooks with Static Review
Sep 01, 2015 @ 11:16:01

On the SitePoint PHP blog Matthew Setter introduces the use of git hooks to help with automatic static analysis of your application's code, integrating it directly into your current workflow. He shows how to use the Static Review library to make creating and installing them as easy as a single command (and they're written in PHP).

If you’ve been using Git for more than a short length of time, you’ll hopefully have heard of Git hooks. [...] There are hooks for pre- and post-commit, pre- and post-update, pre-push, pre-rebase, and so on. The sample hooks are written in Bash, one of the Linux shell languages. But they can be written in almost any language you’re comfortable or proficient with. [...] Thanks to Static Review, by Samuel Parkinson, you can now write Git hooks with native PHP, optionally building on the existing core classes. In today’s post, I’m going to give you a tour of what’s on offer, finishing up by writing a custom class to check for any lingering calls to var_dump().

He walks you through the installation of the library and helps you create a simple working example that ensures you've correctly set up your (Composer) dependencies. He explains a bit about what's involved in the StaticReview package and the three "introspection" objects initialized for each run. He ends the post by walking you through the creation of a custom, more real-world check that evaluates your code (via a simple grep) to ensure no var_dump statements were left in.
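As an added illustration of the two grep-based tricks summarized above (Lorna's opening-tag file list and the var_dump() pre-commit check), here are two plain shell helpers; they are my own example, not code from either post or from the Static Review library, and the directory layout and function names are assumptions:

```shell
#!/bin/sh
# Added example, not code from either post: two grep-based helpers in the
# spirit of Lorna's file-list tip and the var_dump() hook check. Paths and
# function names are my own.

# Lorna's approach: list every file that contains an opening PHP tag, so
# templates (.phtml etc.) are included too. Binary files are skipped (-I)
# and vendor code is dropped so the analyser reports only on your own code.
generate_php_filelist() {
    src_dir="$1"
    out_file="$2"
    grep -rlI '<?php' "$src_dir" | grep -v '/vendor/' | sort > "$out_file"
}

# Report lingering var_dump() calls in the listed files as "file:line:code"
# and return 1 if any were found, so a pre-commit hook can abort the commit.
# Lines that are only comments are ignored, so documenting the rule is fine.
find_var_dump_calls() {
    filelist="$1"
    found=0
    while IFS= read -r php_file; do
        # "|| true" keeps the loop alive under "set -e" when grep finds nothing
        matches=$(grep -nE 'var_dump[[:space:]]*\(' "$php_file" \
                  | grep -vE '^[0-9]+:[[:space:]]*(//|#|\*)' || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | while IFS= read -r m; do
                printf '%s:%s\n' "$php_file" "$m"
            done
            found=1
        fi
    done < "$filelist"
    [ "$found" -eq 0 ]
}
```

In a pre-commit hook you would call `generate_php_filelist . filelist.txt` and then `find_var_dump_calls filelist.txt`, letting its non-zero exit status block the commit.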

tagged: static review git hook analysis tutorial

Link: http://www.sitepoint.com/writing-php-git-hooks-with-static-review/

Community News:
Launching Today: The Code Climate Platform
Jun 22, 2015 @ 09:57:56

Code Climate, the popular static code analysis service, has made an announcement that will definitely help make checking your PHP application for quality and security issues easier - the release of the Code Climate Platform. This platform provides, among other things, a command line tool that you can use to run their analysis rules on your own systems.

Today, we’re thrilled to launch the Code Climate Platform − the first open, extensible platform for all types of static analysis. [...] What does this mean exactly? First, we’re open sourcing our analysis tools, including the engines and algorithms we use to evaluate code. We’re also enabling anyone to write static analysis engines that run on our servers by following a simple specification. [...] Finally, using our new Code Climate CLI, you can now run any Code Climate-compatible static analysis on your laptop – for free.

This is a great step forward to helping ensure the overall quality of your codebase and makes it even easier than having to rely on a fully external service for the results. Plus, with the specification you can write rules and customize the checks according to your application or framework of choice. They have a developer program you can register for to find out more information about that.

tagged: codeclimate static analysis tool commandline platform opensource specification developer program

Link: http://blog.codeclimate.com/blog/2015/06/19/code-climate-platform/