Static code analysis v2

Most of the time, auditing PHP code is done manually: one needs to read the code to understand it and to find flaws (security, business, quality...).

Static analysis takes over from manual auditing by providing the means to search all of the code without leaving a stone unturned; it still needs to be given direction about what to look for.

During this session, we'll cover the use of an open static analysis tool, cornac, that provides invaluable information such as PHP 5.3 compatibility, security flaws, the inclusion tree, unused variables and arguments, GPC (GET/POST/COOKIE) manipulations, strange names, and class inventories.

This is the best way to take a look at one's code with hindsight. We'll share with the audience code metrics and must-check code structures.


    1. Cornac for PHP: PHP static code analysis. OSCON, Portland, OR, USA, July 28th 2011
    2. Agenda • What is cornac? • Applications and results • How to make your code better
    3. Who's speaking? • Damien Seguy • In transition from Alter Way, France to Bysoft, China • Industrialisation coach, LAMP expert • damien.seguy@gmail.com
    4. Yes, we take
    5. ./bin/cornac -I spotweb.ini
       > Tokenizeur
       > Auditeur
       > Done
    6-10. Quick Inventory
    11. Cornac • Static auditor • Analyzes PHP code without executing it • Studies the application as a whole
    12. Not to be confused with • Xdebug: Xdebug executes the code • grep: grep doesn't understand PHP semantics • CodeSniffer: CodeSniffer checks coding and naming conventions
    13. Close cousins • PMD (PHP Mess Detector) • PHP_Depend
    14-17. PHP extensions list • The real list of extensions • Useful for deployment • Loved by hosting companies
    18. Static audit • Processes large quantities of code • Processes the same code over and over • Depends on the auditor's expertise • Automates searches • Makes searches systematic
    19-22. Classes
    23. Application inventory • Taking a global look at the application • List of structure names • List of PHP functionalities used
    24. Technical aspects • Listing all technical aspects • PHP functionalities • Advanced functionalities • Deprecated functionalities • Dependencies
    25. 5.3 migration • Incompatible evolutions • Obsolete functions • Reference handling • References with the 'new' operator • mktime doesn't take 7 parameters anymore (the seventh, is_dst, is deprecated as of 5.3)
    26. Structure names • Extract all structure names • Study the convention • Study the whole • Study the semantics
    27. Inclusion network
    28. Inclusion network • include*, require* • Ignore variables • Circles represent files • Arrows represent inclusions
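One way to build the inclusion network of slides 27-28 from the token stream, as an added example that is not Cornac's own code. It works on a constructed, in-memory set of PHP files (names and contents are assumptions), follows include/include_once/require/require_once whose argument is a literal path (string literals, __DIR__ and '.' concatenation), resolves relative literals against the including file's directory (an assumption; at run time PHP also consults include_path), and ignores arguments that involve variables, as the slide says, but counts them, because a non-literal include path is exactly where file-inclusion bugs hide. The output is Graphviz DOT with one circle per file and one arrow per inclusion.

```php
<?php
// Added example (not Cornac's code): inclusion network from PHP's tokenizer.

// Constructed sample application kept in memory; file names and contents are
// assumptions, not material from the talk.
$sources = [
    'index.php'         => '<?php require_once "lib/bootstrap.php"; include "pages/home.php";',
    'lib/bootstrap.php' => '<?php require __DIR__ . "/config.php"; require "db.php";',
    'lib/config.php'    => '<?php define("DSN", "sqlite::memory:");',
    'lib/db.php'        => '<?php include $dynamicPath; // not a literal: ignored',
    'pages/home.php'    => '<?php include("../lib/view.php");',
    'lib/view.php'      => '<?php echo "view";',
];

/** Collapse '.' and '..' segments; keeps a leading '/' for absolute paths. */
function normalizePath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return ($path[0] === '/' ? '/' : '') . implode('/', $out);
}

/**
 * Evaluate an include argument statically. Accepts string literals, __DIR__
 * and '.' concatenation (parentheses are tolerated); anything else, such as a
 * variable or a function call, makes the argument dynamic and yields null.
 * Relative literals are resolved against the including file's directory
 * (assumption: the real include_path lookup is not modelled).
 */
function staticPath(array $arg, string $baseDir): ?string
{
    $path = '';
    $anchored = false;                       // true once __DIR__ fixed the base
    foreach ($arg as $u) {
        if ($u === '(' || $u === ')' || $u === '.') continue;
        if (!is_array($u)) return null;      // any other operator: not static
        if ($u[0] === T_CONSTANT_ENCAPSED_STRING) {
            $path .= substr($u[1], 1, -1);   // drop the surrounding quotes
        } elseif ($u[0] === T_DIR) {
            $path .= $baseDir;
            $anchored = true;
        } else {
            return null;                     // variable, constant, call, ...
        }
    }
    if ($path === '') return null;
    if (!$anchored && $path[0] !== '/') $path = $baseDir . '/' . $path;
    return normalizePath($path);
}

/** ['static' => resolved targets, 'dynamic' => number of non-literal includes]. */
function includeTargets(string $file, string $code): array
{
    $tokens  = token_get_all($code);
    $n       = count($tokens);
    $static  = [];
    $dynamic = 0;
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)
            || !in_array($t[0], [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            continue;
        }
        $arg = [];                           // tokens up to the end of the statement
        for ($j = $i + 1; $j < $n; $j++) {
            $u = $tokens[$j];
            if ($u === ';' || (is_array($u) && $u[0] === T_CLOSE_TAG)) break;
            if (is_array($u) && $u[0] === T_WHITESPACE) continue;
            $arg[] = $u;
        }
        $path = staticPath($arg, dirname($file));
        if ($path === null) { $dynamic++; } else { $static[] = $path; }
    }
    return ['static' => $static, 'dynamic' => $dynamic];
}

/** Render the whole network as Graphviz DOT: circles are files, arrows inclusions. */
function toDot(array $sources): string
{
    $dot = "digraph inclusions {\n    node [shape=circle];\n";
    foreach ($sources as $file => $code) {
        $dot .= "    \"$file\";\n";
        $r = includeTargets($file, $code);
        foreach ($r['static'] as $target) {
            $dot .= "    \"$file\" -> \"$target\";\n";
        }
        // Not drawable as an arrow, but worth a manual review: file-inclusion
        // vulnerabilities live in includes whose path is computed at run time.
        if ($r['dynamic'] > 0) {
            $dot .= "    // $file: {$r['dynamic']} include(s) with a non-literal path\n";
        }
    }
    return $dot . "}\n";
}

echo toDot($sources);
```

Saved as, say, inclusions.php, it can be piped straight into Graphviz (`php inclusions.php | dot -Tpng -o inclusions.png`). The DOT comment lines survive rendering only as text in the file, which is the point: they mark the includes the graph cannot show.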
    29. Constant network • Link between a constant's definition and its usage • Constants are used within their definition file • Except one
    30. Global view • Provides a graph for the whole application • Get feedback without dwelling on the precise names
    31. Hierarchies • Dot version • Not too many levels
    32-33. Hierarchies • dotclear hierarchy
    34. Classes network • Gephi version • Links classes based on composition
    35. Cornac under the hood • Cornac depends on the PHP tokenizer • It adds a layer of structure: spotting larger structures • It removes all useless separators: {} [] () ; , '' «»
    36. Extractions: <?php print ("hello $world! "); ?>
        [1]  => Array ( [0] => 266  [1] => print   [2] => 1 )
        [2]  => Array ( [0] => 370  [1] => ' '     [2] => 1 )
        [3]  => (
        [4]  => "
        [5]  => Array ( [0] => 314  [1] => hello   [2] => 1 )
        [6]  => Array ( [0] => 309  [1] => $world  [2] => 1 )
        [7]  => Array ( [0] => 314  [1] => !       [2] => 1 )
        [8]  => "
        [9]  => )
        [10] => ;
        Legend: [0] => PHP token, [1] => PHP code, [2] => line
    37-38. Extractions: <?php print ("hello $world! "); ?>
    39-42. Iffectations
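The tokenizer step of slides 35-36 and two of the checks that run on top of it (the GPC manipulations listed in the abstract and the "iffectations" of slides 39-42), as an added example that is not Cornac's own code. It takes the slide's exact snippet through token_get_all(), keeps the [token, code, line] triples and drops the separators the slide lists, then runs the two checks over a constructed sample file. "Iffectation" is taken here to mean an assignment written inside an if/elseif/while condition (an assumption about the slide's coined term); the GPC check simply inventories every read of $_GET, $_POST, $_COOKIE and $_REQUEST with its line number.

```php
<?php
// Added example (not Cornac's code): condensed token stream plus two checks.

// The snippet from slide 36.
const SAMPLE = '<?php print ("hello $world! "); ?>';

// Separators that slide 35 says are removed before analysis.
const SEPARATORS = ['{', '}', '[', ']', '(', ')', ';', ',', '"', '\'', '`'];

// Constructed sample for the checks; functions in it are never called.
const CHECKED = <<<'PHP'
<?php
$id = $_GET['id'];
if ($row = find($id)) {
    echo $row;
}
if ($id == $_POST['id']) {}
while ($line = fgets($fh)) {}
PHP;

/** [token name, code, line] for every token that is not whitespace or a separator. */
function condense(string $code): array
{
    $out = [];
    foreach (token_get_all($code) as $t) {
        if (!is_array($t)) {                          // single-character token
            if (!in_array($t, SEPARATORS, true)) $out[] = ['LITERAL', $t, null];
            continue;
        }
        [$id, $text, $line] = $t;
        if ($id === T_WHITESPACE) continue;
        $out[] = [token_name($id), $text, $line];
    }
    return $out;
}

/** Every read of a GPC superglobal as [name, line]; an inventory, not a verdict. */
function gpcReads(string $code): array
{
    $gpc  = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST'];
    $hits = [];
    foreach (token_get_all($code) as $t) {
        if (is_array($t) && $t[0] === T_VARIABLE && in_array($t[1], $gpc, true)) {
            $hits[] = [$t[1], $t[2]];
        }
    }
    return $hits;
}

/**
 * if/elseif/while conditions containing a plain '=' at the condition's own
 * parenthesis depth. '==' and '===' are distinct tokens, so they never match;
 * an assignment wrapped in extra parentheses, if (($a = f())), is left alone as
 * the usual "I meant it" idiom.
 */
function iffectations(string $code): array
{
    $tokens = token_get_all($code);
    $n      = count($tokens);
    $hits   = [];
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], [T_IF, T_ELSEIF, T_WHILE], true)) continue;
        $j = $i + 1;
        while ($j < $n && $tokens[$j] !== '(') $j++;   // opening parenthesis
        $depth = 0;
        for (; $j < $n; $j++) {
            $u = $tokens[$j];
            if ($u === '(') { $depth++; continue; }
            if ($u === ')') { if (--$depth === 0) break; continue; }
            if ($u === '=' && $depth === 1) {
                $hits[] = ['keyword' => $t[1], 'line' => $t[2]];
                break;
            }
        }
    }
    return $hits;
}

foreach (condense(SAMPLE) as [$name, $text, $line]) {
    printf("%-26s %-10s line %s\n", $name, var_export($text, true), $line ?? '-');
}
foreach (gpcReads(CHECKED) as [$name, $line]) {
    echo "GPC read: $name on line $line\n";
}
foreach (iffectations(CHECKED) as $h) {
    echo "iffectation: {$h['keyword']} on line {$h['line']}\n";
}
```

Run it with any PHP 7.1 or later CLI. The condensed listing is the same information as the slide's dump with token ids replaced by their names; the two checks show why the tokenizer view beats grep: a regular expression for `=` inside `if (` cannot tell `=` from `==`, while the tokenizer already has.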
    43. Unused classes • Classes, properties, variables, functions,
    44. Inner gears: Tokenizeur, Auditeur, Analyzer, Display
    45. Evolution: Tokenizeur, Auditeur, Analyzer, with outputs • Web • XML • ODS • PHPCodeBrow • Sonar • ...
    46. Rules • Security • Best practices (PHP, CMS...) • In-house conventions • PHP 5.3 / 5.4 migration • Performance • Design patterns
    47. http://www.cornac.info/ damien.seguy@gmail.com Special thanks to Christophe Zadowski and Alexis Tellier
