SlideShare a Scribd company logo

Code review workshop

Damien Seguy
Damien Seguy

Static analysis is an emerging field, in particular in the PHP world. Reviewing source code at the speed of a computer requires powerful theoretical tools: control flow diagram, abstract syntactic trees, acyclic dependency graph. If all this seems far and remote from PHP, come and learn how they apply to your favorite language! They are all useful when it comes to detecting early those errors that end up in production, and sometimes, even before the code may compile. We’ll see how to combine all those aspects to build a useful auditing engine.

Technology
1 of 15
Download to read offline
THE CODE REVIEW WORKSHOP Miami, FL, USA - Sunshine PHP 2019 SunshinePHP
WHAT ARE WE DOING ? ➤ One mysterious code repository ➤ A large array of automated tools ➤ Tasks distribution ➤ You review the code ➤ with your agenda ➤ I'll introduce concepts
QUESTIONS ➤ How old is this code? ➤ What is the organisation of this code ? ➤ How large is the size of the team ? ➤ What are the external tools used by this code ? ➤ Would you use this code ? ➤ What does this code do ? ➤ Is it secure ? ➤ Is it fast ?
QUESTIONS (CONTINUED) ➤ Has this code already been reviewed ? ➤ What can we suggest to improve this code ? ➤ Are there obvious pattern or design choice in this code ? ➤ Are there external libraries, component, frameworks ? ➤ Is it maintenable ? ➤ Is it modern ? ➤ Is it backward compatible ?
COLLECTING INFORMATION ➤ Learn about code ➤ Read it ➤ Read the reports ➤ Deduce and infer answers ➤ Avoid bias ➤ Validate inferences with more code reading ➤ Share your finding ➤ Your inference may be someone else's validation ➤ Suggest potential modifications
WHAT'S IN FOR YOU ? ➤ Read code and make suggestions ➤ Test drive automated tools ➤ 10 tools are available ➤ Take them home : I'll help install if needed ➤ Learn about code smells ➤ Code modernisations ➤ The infamous dangling reference, string initialized arrays ➤ Don't be too manual… ➤ Experiment on your own
AVAILABLE TOOLS
AVAILABLE TOOLS ➤ Exakat : static analysis, inventories ➤ Phan : static analysis ➤ PHP Lint : PHP linting, by PHP itself ➤ phpcpd : copy paste detector ➤ PHPloc : Lines of code ➤ PHPmd : PHP Mess Detector ➤ phpMetrics : ➤ PHPStan : static analysis ➤ phpmnd : magic number dectector ➤ Psalm : static analysis ➤ More tools : 72 "PHP awesome static analysis list" ➤ https://github.com/exakat/php-static-analysis-tools
SHOW ME THE CODE!!! ➤ This is an open source code ➤ It is in production, available online ➤ Our work on this repository will go to the author(s) ➤ We'll write a report ➤ This code is related to death ➤ Ping me if this subject makes you uneasy ➤ @faguo, dseguy@exakat, quick aparté
SHOW ME THE CODE!!! ➤ This is an open source code ➤ It is in production, available online ➤ Our work on this repository will go to the author(s) ➤ We'll write a report ➤ This code is related to death ➤ Ping me if this subject makes you uneasy ➤ @faguo, dseguy@exakat, quick aparté
SHOW ME THE CODE!!! ➤https://www.exakat.io/ sunshinephp2019/workshop.zip ➤
0 1,25 2,5 3,75 5 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 0 1 2 3 4 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 0 0,75 1,5 2,25 3 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 0 1,75 3,5 5,25 7 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2
SHOW ME THE CODE!!! mkdir exakat cd exakat curl -o exakat.phar http://dist.exakat.io/index.php?file=latest curl -o apache-tinkerpop-gremlin-server-3.3.4-bin.zip http:// dist.exakat.io/apache-tinkerpop-gremlin-server-3.3.4-bin.zip unzip apache-tinkerpop-gremlin-server-3.3.4-bin.zip mv apache-tinkerpop-gremlin-server-3.3.4 tinkergraph rm -rf apache-tinkerpop-gremlin-server-3.3.4-bin.zip # Optional : install neo4j engine. cd tinkergraph ./bin/gremlin-server.sh -i org.apache.tinkerpop neo4j-gremlin 3.3.4 cd .. php exakat.phar doctor https://exakat.readthedocs.io/en/latest/Installation.html#osx-installation-with- tinkergraph-3-3-4 https://exakat.readthedocs.io/ > Installation > Quick installation
SPEAKER ➤ Damien Seguy ➤ Exakat CTO ➤ Static analysis for PHP ➤ Elephpant retirement home

Recommended

What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareBrandon Arvanaghi
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Ben Ten (0xA)
 
Rcos final presentation
Rcos final presentationRcos final presentation
Rcos final presentationmskmoorthy
 

Recommended

What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareBrandon Arvanaghi
 
Static code analysis
Static code analysisStatic code analysis
Static code analysisRune Sundling
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Ben Ten (0xA)
 
Rcos final presentation
Rcos final presentationRcos final presentation
Rcos final presentationmskmoorthy
 
Practical PowerShell Programming for Professional People - DerbyCon 4
Practical PowerShell Programming for Professional People - DerbyCon 4Practical PowerShell Programming for Professional People - DerbyCon 4
Practical PowerShell Programming for Professional People - DerbyCon 4Ben Ten (0xA)
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
SCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
SCAM: Multi-layer Software Configuration: Empirical Study on WordpressSCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
SCAM: Multi-layer Software Configuration: Empirical Study on WordpressSimo Ssimo
 
Web Application Testing. A Quick Guide to Testing and Security
Web Application Testing. A Quick Guide to Testing and SecurityWeb Application Testing. A Quick Guide to Testing and Security
Web Application Testing. A Quick Guide to Testing and SecurityThe Software House
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Let's Contribute
Let's ContributeLet's Contribute
Let's ContributeAnoop Thomas Mathew
 
Effective Code Reviews (IPC 2018)
Effective Code Reviews (IPC 2018)Effective Code Reviews (IPC 2018)
Effective Code Reviews (IPC 2018)Frank Sons
 
The road to php 7.1
The road to php 7.1The road to php 7.1
The road to php 7.1Michelangelo van Dam
 
Getting Started with Scripts #HeroConf London 2015
Getting Started with Scripts #HeroConf London 2015Getting Started with Scripts #HeroConf London 2015
Getting Started with Scripts #HeroConf London 2015Amy Bishop
 
Introduction to PHP - SDPHP
Introduction to PHP - SDPHPIntroduction to PHP - SDPHP
Introduction to PHP - SDPHPEric Johnson
 
Php|tek '12 It's More Than Just Style
Php|tek '12 It's More Than Just StylePhp|tek '12 It's More Than Just Style
Php|tek '12 It's More Than Just StyleLB Denker
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and WhenPaul Gower
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...Joe Ferguson
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...FINOS
 
Let's talk FOSS!
Let's talk FOSS!Let's talk FOSS!
Let's talk FOSS!AditiSaxena72
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and WhenPaul Gower
 
TAKING PHP SERIOUSLY - Keith Adams
TAKING PHP SERIOUSLY - Keith AdamsTAKING PHP SERIOUSLY - Keith Adams
TAKING PHP SERIOUSLY - Keith AdamsHermes Alves
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016Joe Ferguson
 
Achieving Technical Excellence in Your Software Teams - from Devternity
Achieving Technical Excellence in Your Software Teams - from Devternity Achieving Technical Excellence in Your Software Teams - from Devternity
Achieving Technical Excellence in Your Software Teams - from Devternity Peter Gfader
 
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi Krzysztof (Chris) Ozog
 

More Related Content

What's hot

Practical PowerShell Programming for Professional People - DerbyCon 4
Practical PowerShell Programming for Professional People - DerbyCon 4Practical PowerShell Programming for Professional People - DerbyCon 4
Practical PowerShell Programming for Professional People - DerbyCon 4Ben Ten (0xA)
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
SCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
SCAM: Multi-layer Software Configuration: Empirical Study on WordpressSCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
SCAM: Multi-layer Software Configuration: Empirical Study on WordpressSimo Ssimo
 
Web Application Testing. A Quick Guide to Testing and Security
Web Application Testing. A Quick Guide to Testing and SecurityWeb Application Testing. A Quick Guide to Testing and Security
Web Application Testing. A Quick Guide to Testing and SecurityThe Software House
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 

What's hot (6)

Practical PowerShell Programming for Professional People - DerbyCon 4
Practical PowerShell Programming for Professional People - DerbyCon 4Practical PowerShell Programming for Professional People - DerbyCon 4
Practical PowerShell Programming for Professional People - DerbyCon 4
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
SCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
SCAM: Multi-layer Software Configuration: Empirical Study on WordpressSCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
SCAM: Multi-layer Software Configuration: Empirical Study on Wordpress
 
Web Application Testing. A Quick Guide to Testing and Security
Web Application Testing. A Quick Guide to Testing and SecurityWeb Application Testing. A Quick Guide to Testing and Security
Web Application Testing. A Quick Guide to Testing and Security
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
 

Similar to Code review workshop

Effective Code Reviews (IPC 2018)
Effective Code Reviews (IPC 2018)Effective Code Reviews (IPC 2018)
Effective Code Reviews (IPC 2018)Frank Sons
 
Getting Started with Scripts #HeroConf London 2015
Getting Started with Scripts #HeroConf London 2015Getting Started with Scripts #HeroConf London 2015
Getting Started with Scripts #HeroConf London 2015Amy Bishop
 
Introduction to PHP - SDPHP
Introduction to PHP - SDPHPIntroduction to PHP - SDPHP
Introduction to PHP - SDPHPEric Johnson
 
Php|tek '12 It's More Than Just Style
Php|tek '12 It's More Than Just StylePhp|tek '12 It's More Than Just Style
Php|tek '12 It's More Than Just StyleLB Denker
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and WhenPaul Gower
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...Joe Ferguson
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...FINOS
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and WhenPaul Gower
 
TAKING PHP SERIOUSLY - Keith Adams
TAKING PHP SERIOUSLY - Keith AdamsTAKING PHP SERIOUSLY - Keith Adams
TAKING PHP SERIOUSLY - Keith AdamsHermes Alves
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016Joe Ferguson
 
Achieving Technical Excellence in Your Software Teams - from Devternity
Achieving Technical Excellence in Your Software Teams - from Devternity Achieving Technical Excellence in Your Software Teams - from Devternity
Achieving Technical Excellence in Your Software Teams - from Devternity Peter Gfader
 
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi Krzysztof (Chris) Ozog
 
Software Carpentry for the Geophysical Sciences
Software Carpentry for the Geophysical SciencesSoftware Carpentry for the Geophysical Sciences
Software Carpentry for the Geophysical SciencesAron Ahmadia
 
Open Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdfOpen Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdfJavier Perez
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs
 

Similar to Code review workshop (20)

Let's Contribute
Let's ContributeLet's Contribute
Let's Contribute
 
Effective Code Reviews (IPC 2018)
Effective Code Reviews (IPC 2018)Effective Code Reviews (IPC 2018)
Effective Code Reviews (IPC 2018)
 
The road to php 7.1
The road to php 7.1The road to php 7.1
The road to php 7.1
 
Getting Started with Scripts #HeroConf London 2015
Getting Started with Scripts #HeroConf London 2015Getting Started with Scripts #HeroConf London 2015
Getting Started with Scripts #HeroConf London 2015
 
Introduction to PHP - SDPHP
Introduction to PHP - SDPHPIntroduction to PHP - SDPHP
Introduction to PHP - SDPHP
 
Php|tek '12 It's More Than Just Style
Php|tek '12 It's More Than Just StylePhp|tek '12 It's More Than Just Style
Php|tek '12 It's More Than Just Style
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...
 
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
OSSF 2018 - Jamie Jones of GitHub - Pull what where? Contributing to Open Sou...
 
Let's talk FOSS!
Let's talk FOSS!Let's talk FOSS!
Let's talk FOSS!
 
Code Review: How and When
Code Review: How and WhenCode Review: How and When
Code Review: How and When
 
TAKING PHP SERIOUSLY - Keith Adams
TAKING PHP SERIOUSLY - Keith AdamsTAKING PHP SERIOUSLY - Keith Adams
TAKING PHP SERIOUSLY - Keith Adams
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016
 
Achieving Technical Excellence in Your Software Teams - from Devternity
Achieving Technical Excellence in Your Software Teams - from Devternity Achieving Technical Excellence in Your Software Teams - from Devternity
Achieving Technical Excellence in Your Software Teams - from Devternity
 
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
Code Camp NYC 2017 - How to deal with everything... | Chris Ozog - Codesushi
 
Software Carpentry for the Geophysical Sciences
Software Carpentry for the Geophysical SciencesSoftware Carpentry for the Geophysical Sciences
Software Carpentry for the Geophysical Sciences
 
More about PHP
More about PHPMore about PHP
More about PHP
 
Open Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdfOpen Source Security and ChatGPT-Published.pdf
Open Source Security and ChatGPT-Published.pdf
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 

More from Damien Seguy

Strong typing @ php leeds
Strong typing @ php leedsStrong typing @ php leeds
Strong typing @ php leedsDamien Seguy
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationDamien Seguy
 
Qui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeQui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeDamien Seguy
 
Analyse statique et applications
Analyse statique et applicationsAnalyse statique et applications
Analyse statique et applicationsDamien Seguy
 
Top 10 pieges php afup limoges
Top 10 pieges php afup limogesTop 10 pieges php afup limoges
Top 10 pieges php afup limogesDamien Seguy
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Damien Seguy
 
Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Damien Seguy
 
Top 10 php classic traps confoo
Top 10 php classic traps confooTop 10 php classic traps confoo
Top 10 php classic traps confooDamien Seguy
 
Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Damien Seguy
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbiaDamien Seguy
 
Top 10 php classic traps
Top 10 php classic trapsTop 10 php classic traps
Top 10 php classic trapsDamien Seguy
 
Top 10 chausse trappes
Top 10 chausse trappesTop 10 chausse trappes
Top 10 chausse trappesDamien Seguy
 
Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018Damien Seguy
 
Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018Damien Seguy
 
Everything new with PHP 7.3
Everything new with PHP 7.3Everything new with PHP 7.3
Everything new with PHP 7.3Damien Seguy
 
Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)Damien Seguy
 
Tout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCTout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCDamien Seguy
 
Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018Damien Seguy
 
Code review for busy people
Code review for busy peopleCode review for busy people
Code review for busy peopleDamien Seguy
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonightDamien Seguy
 

More from Damien Seguy (20)

Strong typing @ php leeds
Strong typing @ php leedsStrong typing @ php leeds
Strong typing @ php leeds
 
Strong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisationStrong typing : adoption, adaptation and organisation
Strong typing : adoption, adaptation and organisation
 
Qui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le codeQui a laissé son mot de passe dans le code
Qui a laissé son mot de passe dans le code
 
Analyse statique et applications
Analyse statique et applicationsAnalyse statique et applications
Analyse statique et applications
 
Top 10 pieges php afup limoges
Top 10 pieges php afup limogesTop 10 pieges php afup limoges
Top 10 pieges php afup limoges
 
Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020Top 10 php classic traps DPC 2020
Top 10 php classic traps DPC 2020
 
Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)Meilleur du typage fort (AFUP Day, 2020)
Meilleur du typage fort (AFUP Day, 2020)
 
Top 10 php classic traps confoo
Top 10 php classic traps confooTop 10 php classic traps confoo
Top 10 php classic traps confoo
 
Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4Tout pour se préparer à PHP 7.4
Tout pour se préparer à PHP 7.4
 
Top 10 php classic traps php serbia
Top 10 php classic traps php serbiaTop 10 php classic traps php serbia
Top 10 php classic traps php serbia
 
Top 10 php classic traps
Top 10 php classic trapsTop 10 php classic traps
Top 10 php classic traps
 
Top 10 chausse trappes
Top 10 chausse trappesTop 10 chausse trappes
Top 10 chausse trappes
 
Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018Understanding static analysis php amsterdam 2018
Understanding static analysis php amsterdam 2018
 
Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018Review unknown code with static analysis php ce 2018
Review unknown code with static analysis php ce 2018
 
Everything new with PHP 7.3
Everything new with PHP 7.3Everything new with PHP 7.3
Everything new with PHP 7.3
 
Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)Php 7.3 et ses RFC (AFUP Toulouse)
Php 7.3 et ses RFC (AFUP Toulouse)
 
Tout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFCTout sur PHP 7.3 et ses RFC
Tout sur PHP 7.3 et ses RFC
 
Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018Review unknown code with static analysis php ipc 2018
Review unknown code with static analysis php ipc 2018
 
Code review for busy people
Code review for busy peopleCode review for busy people
Code review for busy people
 
Static analysis saved my code tonight
Static analysis saved my code tonightStatic analysis saved my code tonight
Static analysis saved my code tonight
 

Recently uploaded

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

Code review workshop

  • 1. THE CODE REVIEW WORKSHOP Miami, FL, USA - Sunshine PHP 2019 SunshinePHP
  • 2. WHAT ARE WE DOING ? ➤ One mysterious code repository ➤ A large array of automated tools ➤ Tasks distribution ➤ You review the code ➤ with your agenda ➤ I'll introduce concepts
  • 3. QUESTIONS ➤ How old is this code? ➤ What is the organisation of this code ? ➤ How large is the size of the team ? ➤ What are the external tools used by this code ? ➤ Would you use this code ? ➤ What does this code do ? ➤ Is it secure ? ➤ Is it fast ?
  • 4. QUESTIONS (CONTINUED) ➤ Has this code already been reviewed ? ➤ What can we suggest to improve this code ? ➤ Are there obvious pattern or design choice in this code ? ➤ Are there external libraries, component, frameworks ? ➤ Is it maintenable ? ➤ Is it modern ? ➤ Is it backward compatible ?
  • 5. COLLECTING INFORMATION ➤ Learn about code ➤ Read it ➤ Read the reports ➤ Deduce and infer answers ➤ Avoid bias ➤ Validate inferences with more code reading ➤ Share your finding ➤ Your inference may be someone else's validation ➤ Suggest potential modifications
  • 6. WHAT'S IN FOR YOU ? ➤ Read code and make suggestions ➤ Test drive automated tools ➤ 10 tools are available ➤ Take them home : I'll help install if needed ➤ Learn about code smells ➤ Code modernisations ➤ The infamous dangling reference, string initialized arrays ➤ Don't be too manual… ➤ Experiment on your own
  • 8. AVAILABLE TOOLS ➤ Exakat : static analysis, inventories ➤ Phan : static analysis ➤ PHP Lint : PHP linting, by PHP itself ➤ phpcpd : copy paste detector ➤ PHPloc : Lines of code ➤ PHPmd : PHP Mess Detector ➤ phpMetrics : ➤ PHPStan : static analysis ➤ phpmnd : magic number dectector ➤ Psalm : static analysis ➤ More tools : 72 "PHP awesome static analysis list" ➤ https://github.com/exakat/php-static-analysis-tools
  • 9. SHOW ME THE CODE!!! ➤ This is an open source code ➤ It is in production, available online ➤ Our work on this repository will go to the author(s) ➤ We'll write a report ➤ This code is related to death ➤ Ping me if this subject makes you uneasy ➤ @faguo, dseguy@exakat, quick aparté
  • 10. SHOW ME THE CODE!!! ➤ This is an open source code ➤ It is in production, available online ➤ Our work on this repository will go to the author(s) ➤ We'll write a report ➤ This code is related to death ➤ Ping me if this subject makes you uneasy ➤ @faguo, dseguy@exakat, quick aparté
  • 11. SHOW ME THE CODE!!! ➤https://www.exakat.io/ sunshinephp2019/workshop.zip ➤
  • 12.
  • 13. 0 1,25 2,5 3,75 5 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 0 1 2 3 4 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 0 0,75 1,5 2,25 3 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2 0 1,75 3,5 5,25 7 5.2 5.3 5.4 5.5 5.6 7.0 7.1 7.2
  • 14. SHOW ME THE CODE!!! mkdir exakat cd exakat curl -o exakat.phar http://dist.exakat.io/index.php?file=latest curl -o apache-tinkerpop-gremlin-server-3.3.4-bin.zip http:// dist.exakat.io/apache-tinkerpop-gremlin-server-3.3.4-bin.zip unzip apache-tinkerpop-gremlin-server-3.3.4-bin.zip mv apache-tinkerpop-gremlin-server-3.3.4 tinkergraph rm -rf apache-tinkerpop-gremlin-server-3.3.4-bin.zip # Optional : install neo4j engine. cd tinkergraph ./bin/gremlin-server.sh -i org.apache.tinkerpop neo4j-gremlin 3.3.4 cd .. php exakat.phar doctor https://exakat.readthedocs.io/en/latest/Installation.html#osx-installation-with- tinkergraph-3-3-4 https://exakat.readthedocs.io/ > Installation > Quick installation
  • 15. SPEAKER ➤ Damien Seguy ➤ Exakat CTO ➤ Static analysis for PHP ➤ Elephpant retirement home