Static analysis is an emerging field, in particular in the PHP world. Reviewing source code at the speed of a computer requires powerful theoretical tools: control flow graphs, abstract syntax trees, acyclic dependency graphs.
If all this seems far and remote from PHP, come and learn how they apply to your favorite language! They are all useful for detecting early the errors that would otherwise end up in production, sometimes even before the code compiles. We'll see how to combine all those aspects to build a useful auditing engine.
2. WHAT ARE WE DOING?
➤ One mysterious code repository
➤ A large array of automated tools
➤ Task distribution
➤ You review the code
➤ with your agenda
➤ I'll introduce concepts
3. QUESTIONS
➤ How old is this code?
➤ What is the organisation of this code?
➤ How large is the team?
➤ What external tools does this code use?
➤ Would you use this code?
➤ What does this code do?
➤ Is it secure?
➤ Is it fast?
4. QUESTIONS (CONTINUED)
➤ Has this code already been reviewed?
➤ What can we suggest to improve this code?
➤ Are there obvious patterns or design choices in this code?
➤ Are there external libraries, components, frameworks?
➤ Is it maintainable?
➤ Is it modern?
➤ Is it backward compatible?
5. COLLECTING INFORMATION
➤ Learn about code
➤ Read it
➤ Read the reports
➤ Deduce and infer answers
➤ Avoid bias
➤ Validate inferences with more code reading
➤ Share your findings
➤ Your inference may be someone else's validation
➤ Suggest potential modifications
6. WHAT'S IN IT FOR YOU?
➤ Read code and make suggestions
➤ Test drive automated tools
➤ 10 tools are available
➤ Take them home: I'll help install them if needed
➤ Learn about code smells
➤ Code modernisation
➤ The infamous dangling reference, string-initialized arrays
➤ Don't be too manual…
➤ Experiment on your own
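The two code smells named on this slide, shown as an added PHP example that is not part of the workshop material. The function and variable names are made up for illustration; the point is that both defects are invisible to a casual reading and trivial for a static analyser to flag.

```php
<?php
// Added example, not from the workshop slides: the two code smells named above.

// 1. The dangling reference: a foreach-by-reference leaves $price bound to the
//    last element, so a later plain foreach silently rewrites that element.
function danglingReference(): array
{
    $prices = [10, 20, 30];
    foreach ($prices as &$price) {
        $price *= 2;                 // intended: double every price -> [20, 40, 60]
    }
    // BUG: $price still references $prices[2]; the next loop assigns through it.
    foreach ($prices as $price) {
        // no body needed: the assignment in the loop header does the damage
    }
    return $prices;                  // [20, 40, 40], not [20, 40, 60]
}

function fixedReference(): array
{
    $prices = [10, 20, 30];
    foreach ($prices as &$price) {
        $price *= 2;
    }
    unset($price);                   // FIX: drop the reference right after the loop
    foreach ($prices as $price) {
    }
    return $prices;                  // [20, 40, 60]
}

// 2. The string-initialized array: '' used where [] was meant. Before PHP 7.1
//    the empty string was silently promoted to an array; since 7.1 it is an Error.
function stringInitializedArray(): string
{
    $tags = '';                      // BUG: should be $tags = [];
    try {
        $tags[] = 'php';
        return 'silently converted to array (PHP < 7.1)';
    } catch (\Error $e) {
        return 'Error: ' . $e->getMessage();   // "[] operator not supported for strings"
    }
}

var_dump(danglingReference());
var_dump(fixedReference());
echo stringInitializedArray(), PHP_EOL;
```

Both smells are version-sensitive: the dangling reference corrupts data on every PHP version, while the string-initialized array only became a hard error in PHP 7.1, which is why a modernisation pass on older code tends to surface it.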
9. SHOW ME THE CODE!!!
➤ This is an open source code
➤ It is in production, available online
➤ Our work on this repository will go to the author(s)
➤ We'll write a report
➤ This code is related to death
➤ Ping me if this subject makes you uneasy
➤ @faguo, dseguy@exakat, quick aside
11. SHOW ME THE CODE!!!
➤ https://www.exakat.io/sunshinephp2019/workshop.zip