Static code analysis v2

Most of the time, auditing PHP code is done manually. One needs to read the code to understand it and find flaws (security, business, quality…).

Static analysis takes over from manual auditing by providing the means to search all of the code without leaving a stone unturned; it still needs to be pointed in the right direction.

During this session, we'll cover the use of an open static analysis tool, also known as cornac, that will provide us invaluable information such as: PHP 5.3 compatibility, security flaws, inclusion tree, unused variables and arguments, GPC manipulations, strange names and class inventories.

This is the best way to take a look at one’s code with hindsight. We’ll share with the audience code metrics and must-check structures of code.

Published in: Technology
Transcript

    • 1. Cornac for PHP: PHP static code analysis. OSCON, Portland, OR, USA, July 28th 2011
    • 2. Agenda
      • What is cornac?
      • Applications and results
      • How to make your code better
    • 3. Who's speaking?
      • Damien Seguy
      • In transition from Alter Way, France to Bysoft, China
      • Industrialisation coach, LAMP expert
      • damien.seguy@gmail.com
    • 4. Yes, we take
    • 5. Running it:
        ./bin/cornac -I spotweb.ini
        > Tokenizeur
        > Auditeur
        > Done
    • 6 to 10. Quick Inventory
    • 11. Cornac
      • Static auditor
      • Analyzes PHP code without executing it
      • Studies the application as a whole
    • 12. Do not mistake with
      • Xdebug: xdebug executes code
      • grep: grep doesn't understand PHP semantics
      • CodeSniffer: CodeSniffer checks for coding and naming conventions
    • 13. Close cousins
      • PMD: PHP Mess Detector
      • PHP_Depend
    • 14 to 17. PHP extensions list
      • The real list of extensions
      • Useful for deployment
      • Loved by hosting companies
    • 18. Static audit
      • Processes large quantities of code
      • Processes the same code over and over
      • Depends on the auditor's expert level
      • Automates searches
      • Makes searches systematic
    • 19 to 22. Classes
    • 23. Application inventory
      • Taking a global look at the application
      • List of structure names
      • List of used PHP functionalities
    • 24. Technical aspects
      • Listing all technical aspects: PHP functionalities, advanced functionalities, deprecated functionalities, dependencies
    • 25. 5.3 migration
      • Incompatible evolutions
      • Obsolete functions
      • Reference handling
      • References with the 'new' operator
      • mktime doesn't take 7 parameters anymore
    • 26. Structure names
      • Extract all structure names
      • Study the convention
      • Study the whole
      • Study semantics
    • 27. Inclusion network
    • 28. Inclusion network
      • include*, require*
      • Ignore variables
      • Circles represent files
      • Arrows represent inclusions
    • 29. Constant network
      • Link between a constant's definition and its usage
      • Constants are used within their definition file
      • Except one
    • 30. Global view
      • Provide a graph for the whole application
      • Get feedback without dwelling on the precise names
    • 31. Hierarchies
      • Dot version
      • Not too many levels
    • 32. Hierarchies: dotclear hierarchy
    • 33. Hierarchies
    • 34. Classes network
      • Gephi version
      • Links classes based on composition
    • 35. Cornac under the hood
      • Cornac depends on the PHP tokenizer
      • It adds a layer of structure: spotting larger structures
      • It removes all useless separators: {} [] () ; , '' «»
    • 36. Extractions: <?php print ("hello $world! "); ?> shown next to its PHP tokenizer dump, each token as [PHP token, PHP code, line]
    • 37. Extractions: <?php print ("hello $world! "); ?>
    • 38. Extractions
    • 39 to 42. Iffectations
    • 43. Unused classes
      • Classes, properties, variables, functions,
    • 44. Inner gears: Tokenizeur, Auditeur, Analyzer, Display
    • 45. Evolution: Tokenizeur, Auditeur, Analyzer; outputs: Web, XML, ODS, PHPCodeBrowser, Sonar, ...
    • 46. Rules
      • Security
      • Best practices (PHP, CMS...)
      • In-house conventions
      • PHP 5.3 / 5.4 migration
      • Performance
      • Design patterns
    • 47. http://www.cornac.info/ damien.seguy@gmail.com. Special thanks to Christophe Zadowski and Alexis Tellier
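The approach of slides 28 and 35 (tokenize, drop separators, then walk the tokens for include*/require* and for GPC reads mentioned in the abstract), as an added example that is not cornac's own code. It uses only PHP's built-in tokenizer; the source being audited is a constructed sample, and PHP 7.4 or later is assumed for the arrow function.

```php
<?php
// Added example (not from the slides or from cornac): a minimal token-based
// auditor. It tokenizes PHP, strips whitespace/comments the way cornac strips
// separators, then records inclusions (flagging ones built from variables)
// and superglobal (GPC) reads with their line numbers.

// Constructed sample source to audit.
$source = <<<'PHP'
<?php
require_once 'config/db.php';   // literal path: resolvable statically
include $_GET['page'] . '.php'; // dynamic path built from user input
$id = $_POST['id'];
echo $unused;
PHP;

// Keep only significant tokens; whitespace, comments and open/close tags go.
function significantTokens(string $code): array {
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG, T_CLOSE_TAG];
    return array_values(array_filter(token_get_all($code),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)));
}

function audit(string $code): array {
    $inc = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $gpc = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
    $tokens = significantTokens($code);
    $report = ['inclusions' => [], 'gpc' => []];
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) continue;             // single-char tokens ('(', ';', ...)
        if (in_array($t[0], $inc, true)) {
            // Collect the argument tokens up to the terminating ';'.
            $arg = []; $dynamic = false;
            for ($j = $i + 1; isset($tokens[$j]) && $tokens[$j] !== ';'; $j++) {
                $arg[] = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE) $dynamic = true;
            }
            $report['inclusions'][] = ['line' => $t[2], 'keyword' => $t[1],
                'target' => implode('', $arg), 'dynamic' => $dynamic];
        } elseif ($t[0] === T_VARIABLE && in_array($t[1], $gpc, true)) {
            $report['gpc'][] = ['line' => $t[2], 'superglobal' => $t[1]];
        }
    }
    return $report;
}

print_r(audit($source));
```

On the sample above the report lists the literal require_once on line 2, the include on line 3 marked dynamic, and GPC reads on lines 3 and 4; a dynamic inclusion is exactly the edge the slides say the inclusion graph ignores, so it deserves a manual look.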
