The document discusses various static analysis tools for PHP code including PHP_CodeSniffer, PHPDepend, PHPMD, phploc, phpcpd, vld, Bytekit, Padawan, and Phantm. It explains how each tool works at different levels like lexical analysis, syntactic analysis, and bytecode level. The document also presents tools for continuous integration and reporting of analysis results like phpUnderControl, Arbit, and plugins for Sonar to integrate static analysis of PHP code.
I explore various questions pertaining to a medley of topics. Initially the talk focuses on some undocumented fun to be had with identifiers. Attention next shifts to PHP’s comma operator and considers whether it even merits that designation. The main topic, which follows, derives from an example of some very questionable PHP logic. To avoid making a hasty, superficial judgment will entail discovering the hidden story behind PHP’s truth values. Particularly fascinating is the influence of other languages on their development and meaning. This segment also peers into PHP’s internal workings in a friendly fashion for non-C programmers. Novices as well as senior developers are all welcome; there’s plenty of code for everyone! Come learn about what surprises await you.
Vladimir Romanov - How to write code that is easy to read and change? What should you do when you see a piece of code written years ago which is hard to understand? In my experience, this boils down to 4 principles that I would like to share along with some examples in Apex
Applying Compiler Techniques to Iterate At Blazing SpeedPascal-Louis Perez
In this session, we will present real life applications of compiler techniques helping kaChing achieve ultra confidence and power its incredible 5 minutes commit-to-production cycle [1]. We'll talk about idempotency analysis [2], dependency detection, on the fly optimisations, automatic memoization [3], type unification [4] and more! This talk is not suitable for the faint-hearted... If you want to dive deep, learn about advanced JVM topics, devoure bytecode and see first hand applications of theoretical computer science, join us.
[1] http://eng.kaching.com/2010/05/deployment-infrastructure-for.html
[2] http://en.wikipedia.org/wiki/Idempotence
[3] http://en.wikipedia.org/wiki/Memoization
[4] http://eng.kaching.com/2009/10/unifying-type-parameters-in-java.html
This is a small note on the results of checking the OpenSSL project with the PVS-Studio analyzer. I analyzed the openssl-0.9.8-stable-SNAP-20121208 version.
Ejemplo de integración de un analizador léxico (lexer) y un analizador sintáctico (parser) implementados en JLex y CUP. Fuente: http://www.cis.uab.edu/courses/cs602/
Machine learning in php php con polandDamien Seguy
Machine learning is teaching the computer how to learn by itself. It is far easier to be done, especially when you have small data set and a good level of expertise in your field. Classifying objects, predicting who will buy, spotting comments in code is achieved with grassy algorithms like neural networks, genetic algorithms or ant herding. PHP is in good position to make use of such teachings, and take advantages of related technologies like fann. By the end of the session, you'll know where you want to try it.
I explore various questions pertaining to a medley of topics. Initially the talk focuses on some undocumented fun to be had with identifiers. Attention next shifts to PHP’s comma operator and considers whether it even merits that designation. The main topic, which follows, derives from an example of some very questionable PHP logic. To avoid making a hasty, superficial judgment will entail discovering the hidden story behind PHP’s truth values. Particularly fascinating is the influence of other languages on their development and meaning. This segment also peers into PHP’s internal workings in a friendly fashion for non-C programmers. Novices as well as senior developers are all welcome; there’s plenty of code for everyone! Come learn about what surprises await you.
Vladimir Romanov - How to write code that is easy to read and change? What should you do when you see a piece of code written years ago which is hard to understand? In my experience, this boils down to 4 principles that I would like to share along with some examples in Apex
Applying Compiler Techniques to Iterate At Blazing SpeedPascal-Louis Perez
In this session, we will present real life applications of compiler techniques helping kaChing achieve ultra confidence and power its incredible 5 minutes commit-to-production cycle [1]. We'll talk about idempotency analysis [2], dependency detection, on the fly optimisations, automatic memoization [3], type unification [4] and more! This talk is not suitable for the faint-hearted... If you want to dive deep, learn about advanced JVM topics, devoure bytecode and see first hand applications of theoretical computer science, join us.
[1] http://eng.kaching.com/2010/05/deployment-infrastructure-for.html
[2] http://en.wikipedia.org/wiki/Idempotence
[3] http://en.wikipedia.org/wiki/Memoization
[4] http://eng.kaching.com/2009/10/unifying-type-parameters-in-java.html
This is a small note on the results of checking the OpenSSL project with the PVS-Studio analyzer. I analyzed the openssl-0.9.8-stable-SNAP-20121208 version.
Ejemplo de integración de un analizador léxico (lexer) y un analizador sintáctico (parser) implementados en JLex y CUP. Fuente: http://www.cis.uab.edu/courses/cs602/
Machine learning in php php con polandDamien Seguy
Machine learning is teaching the computer how to learn by itself. It is far easier to be done, especially when you have small data set and a good level of expertise in your field. Classifying objects, predicting who will buy, spotting comments in code is achieved with grassy algorithms like neural networks, genetic algorithms or ant herding. PHP is in good position to make use of such teachings, and take advantages of related technologies like fann. By the end of the session, you'll know where you want to try it.
Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.
"Even bad code can function. But if code isn't clean, it can bring a development organization to its knees. Every year, countless hours and significant resources are lost because of poorly written code. But it doesn't have to be that way." In this knolx session, a few important topics for having clean code are covered. Basically the following topics - Meaningful name, Functions, Comments and Classes.
Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
Describe the C#.Net major features. This slide includes C# 5.0, C# 6.0 and C# 7.0. C#.net evolution part 1, that is published previously included the C# 1.0, C# 2.0, C# 3.0 and C# 4.0.
Sometimes you see code that is perfectly OK according to the definition of the language, but which is flawed because it breaks too many established idioms and conventions. On the other hand, a solid piece of code is something that looks like it is written by an experienced person who cares about professionalism in programming.
A presentation at Norwegian Developer Conference 2010
Everyone must migrate to PHP 7, take advantage of exceptional performances, cut half their hardware and enjoy the best of PHP ever. This workshop is for everyone that is still stuck with PHP 5, and wants to review his million LOC project before jumping to PHP 7.
When migrating, we need to check old code and target only the interesting issues. This session will connect the backward incompatibilities and new features to actual location in the code, relying on static analysis to process quickly large code base. Based on the accumulated experience of the tools and our own, we'll review the issues, diagnose criticality, select the best fixes and prioritize the tasks. All tools are Open Source, and ready to be integrated into your project life.
Steer and/or sink the supertanker by Andrew RendellValtech UK
Andrew Rendell's (Principal Consultant from Valtech) presentation on: "Steer and or sink the supertanker"!
This presentation was held at the SPA conference on the 14th June 2011.
A case study into the pros and cons of over three years experience of continuous source code analysis followed by an interactive session using the real tool on real source code.
Andrew discusses what continuous inspection is and why directing software development can feel like trying to steer a super tanker.
Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.
"Even bad code can function. But if code isn't clean, it can bring a development organization to its knees. Every year, countless hours and significant resources are lost because of poorly written code. But it doesn't have to be that way." In this knolx session, a few important topics for having clean code are covered. Basically the following topics - Meaningful name, Functions, Comments and Classes.
Let's turn the table. Suppose your goal is to deliberately create buggy programs in C and C++ with serious security vulnerabilities that can be "easily" exploited. Then you need to know about things like stack smashing, shellcode, arc injection, return-oriented programming. You also need to know about annoying protection mechanisms such as address space layout randomization, stack canaries, data execution prevention, and more. These slides will teach you the basics of how to deliberately write insecure programs in C and C++.
A PDF version of the slides can be downloaded from my homepage: http://olvemaudal.com/talks
Here is a video recording of me presenting these slides at NDC 2014: http://vimeo.com/channels/ndc2014/97505677
Enjoy!
Describe the C#.Net major features. This slide includes C# 5.0, C# 6.0 and C# 7.0. C#.net evolution part 1, that is published previously included the C# 1.0, C# 2.0, C# 3.0 and C# 4.0.
Sometimes you see code that is perfectly OK according to the definition of the language, but which is flawed because it breaks too many established idioms and conventions. On the other hand, a solid piece of code is something that looks like it is written by an experienced person who cares about professionalism in programming.
A presentation at Norwegian Developer Conference 2010
Everyone must migrate to PHP 7, take advantage of exceptional performances, cut half their hardware and enjoy the best of PHP ever. This workshop is for everyone that is still stuck with PHP 5, and wants to review his million LOC project before jumping to PHP 7.
When migrating, we need to check old code and target only the interesting issues. This session will connect the backward incompatibilities and new features to actual location in the code, relying on static analysis to process quickly large code base. Based on the accumulated experience of the tools and our own, we'll review the issues, diagnose criticality, select the best fixes and prioritize the tasks. All tools are Open Source, and ready to be integrated into your project life.
Steer and/or sink the supertanker by Andrew RendellValtech UK
Andrew Rendell's (Principal Consultant from Valtech) presentation on: "Steer and or sink the supertanker"!
This presentation was held at the SPA conference on the 14th June 2011.
A case study into the pros and cons of over three years experience of continuous source code analysis followed by an interactive session using the real tool on real source code.
Andrew discusses what continuous inspection is and why directing software development can feel like trying to steer a super tanker.
With PHP 8.0 recently released and PHP 5.x still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 8.x, but on how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
Practical tips for dealing with projects involving legacy code. Covers investigating past projects, static analysis of existing code, and methods for changing legacy code.
Presented at PHP Benelux '10
With PHP 5.4 out and many production environments still running 5.2 (or older), it's time to paint a clear picture on why everyone should move to 5.3 and 5.4 and how to get code ready for the latest version of PHP. In this talk, we'll migrate an old piece of code using some standard and some very non-standard tools and techniques.
With PHP 7.2 recently released and PHP 5.3 and 5.4 still accounting for over 40% of all production environments, it's time to paint a clear picture on not just why everyone should move to 7.0 (or preferably 7.1), but on how to get code ready for the latest version of PHP.
Using the version compatibility checker for PHP_CodeSniffer and a few simple step-by-step instructions, upgrading old code to make it compatible with the latest PHP versions becomes actually really easy. In this talk, we'll migrate an old piece of code and get rid of the demons of the past and ready for the present and future.
Review unknown code with static analysis Zend con 2017Damien Seguy
Code quality is not just for Christmas, it is a daily part of the job. So, what do you do when you're handed with a five feet long pole a million lines of code that must be vetted? You call static analysis to the rescue. During one hour, we'll be reviewing totally unknown code: no name, no usage, not a clue. We'll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code?
"What To Expect From PHP7" by Lorna Mitchell
We have a new major release of PHP! But what does this mean for PHP developers in the Real World (TM)? This talk has everything you need to know to be the expert. Find out how the remarkable performance improvements could look on your own system, and see the shiny new features in this major release of the web's favourite scripting language. Get advice on how to upgrade your application, making use of the new features and avoiding the backwards compatibility traps. Developers and technical leaders everywhere who want to use better PHP will benefit from this session.
Review unknown code with static analysisDamien Seguy
Review unknown code with static analysis
Code quality is not just for christmas, it is a daily part of the job. So, what do you do when you’re handed with a five feet long pole a million lines of code that must be vetted ? You call static analysis to the rescue. During one hour, we’ll be reviewing totally unknown code code : no name, no usage, not a clue. We’ll apply a wide range of tools, reaching for anything that helps us understand the code and form an opinion on it. Can we break this mystery and learn how everyone else is looking at our code ?
The why and how of moving to PHP 5.4/5.5Wim Godden
With PHP 5.5 out and many production environments still running 5.2 (or older), it's time to paint a clear picture on why everyone should move to 5.4 and 5.5 and how to get code ready for the latest version of PHP. In this talk, we'll migrate an old piece of code using some standard and some very non-standard tools and techniques.
The why and how of moving to php 5.4/5.5Wim Godden
With PHP 5.5 out and many production environments still running 5.2 (or older), it's time to paint a clear picture on why everyone should move to 5.4 and 5.5 and how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
The why and how of moving to PHP 5.5/5.6Wim Godden
With PHP 5.6 out and many production environments still running 5.2 or 5.3, it's time to paint a clear picture on why everyone should move to 5.5 and 5.6 and how to get code ready for the latest version of PHP. In this talk, we'll look at some handy tools and techniques to ease the migration.
PHP / MySQL applications are compatible to all operating systems, support all the popular databases, 100% remotely configurable, perfect for web programming & provide higher performance and speed.
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
MySQL is a Relational Database Management System (RDBMS) that uses Structured Query Language (SQL).
PHP is the most popular scripting language for web development. It is free, open source and server-side (the code is executed on the server).
PHP third party tool and plug-in integration such as chat, forum, blog and search engine
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
2. Gabriele Santini
Architect/Consultant at SQLI
Contributor to PHP_CodeSniffer
So expect a special focus on this…
Sonar PHP Plugin
I have to show you!
Ex-mathematician :
love business modelling
love architectures
love quality assurance
3. Static Analysis
All you can say about your program without actually
execute the code
The rest is also interesting, let’s talk about it another time !
Examples ?
Syntax check, coding style, anti-patterns, metrics,
OO design analysis, …
What PHP does before executing the code ?
4. Levels of analysis
Lexical analysis
Read sources linearly searching for known patterns
Convert them to a sequence of tokens
5. Levels of analysis
Lexical analysis
Read sources linearly searching for known patterns
Convert them to a sequence of tokens
Syntactic Analysis
Parse the tokens to find their logical structure
6. Levels of analysis
Lexical analysis
Read sources linearly searching for known patterns
Convert them to a sequence of tokens
Syntactic Analysis
Parse the tokens to find their logical structure
Opcode (Bytecode) Generation
Generates an intermediary code that the Zend Engine
will be able to execute
8. Syntactic Analysis
Produces an AST
Abstract SyntaxTree
Decompose code in a tree-like form
Can be executed once a context is given
Used in compilers
12. PHP_CodeSniffer
By Greg Sherwood
PEAR library
Venerable project
Code Style
But also a lot more
Works at lexical analysis level
Heavily use the tokenizer extension
14. PHP_CodeSniffer
Sniffs
Classes that detectViolations
One or more type per class
Grouped in folders by subject:
Commenting, Formatting,WhiteSpace
Files, ControlStructures, Strings
Functions, Classes, NamingConventions
CodeAnalysis, Metrics
You can create your own!
15. PHP_CodeSniffer
Standards
Sets of Sniffs that define your coding style
Installed :
PEAR,
Generic,
Zend*,
Squiz, MySource
PHPCS
16. PHP_CodeSniffer 1.3
Rulesets XML!
<ruleset name="MyPEAR">
<description>A variation of the PEAR coding standard.</description>
<!-- Include some additional sniffs from the Generic standard -->
<rule ref="Generic.Functions.FunctionCallArgumentSpacing"/>
<message>Please review spacing in function ‘%s’</message>
</rule>
<rule ref="Generic.NamingConventions.UpperCaseConstantName"/>
<!-- Lines can be 90 chars long, but never show errors -->
<rule ref="Generic.Files.LineLength">
<properties>
<property name="lineLimit" value="90"/>
<property name="absoluteLineLimit" value="0"/>
</properties>
</rule>
<!– Not so important for us -->
<rule ref="Generic.PHP.DisallowShortOpenTag">
<severity>2</severity>
</rule>
</ruleset>
17. Inside PHP_CodeSniffer
Sniff class main methods
register()
Make the sniff a listener for the declared tokens
process($phpcsFile, $stackPtr)
Called by the file during parsing when a declared token is
found
File
Represents a parsed file
Holds the tokens structure and offers convenience
methods
19. Inside PHP_CodeSniffer
Life of a Sniff
DisallowMultipleStatementsSniff
public function register()
{
return array(T_SEMICOLON);
}
public function process($phpcsFile, $stackPtr)
{
[…]
22. Inside PHP_CodeSniffer
Life of a Sniff
DisallowMultipleStatementsSniff
public function register()
{
return array(T_SEMICOLON);
}
public function process($phpcsFile, $stackPtr)
{
$tokens = $phpcsFile->getTokens();
$previous = $phpcsFile->findPrevious(…);
if ($previous === false) {
return;
}
// Continue =>
23. Inside PHP_CodeSniffer
Life of a Sniff (2)
// Ignore multiple statements in a FOR condition.
// First some gym for nested parenthesis
[…]
if ($tokens[$owner]['code'] === T_FOR) {
return;
}
[…]
// If the previous semicolon is on the same line we add an error
// to this file
if ($tokens[$previous]['line'] === $tokens[$stackPtr]['line']) {
$error = 'Each PHP statement must be on a line by itself';
$phpcsFile->addError($error, $stackPtr);
return;
}
}//end process()
24. PHP_CodeSniffer
At SQLI we have some framework standards
Zend Framework
Based onThomasWeidner work
Symfony
In collaboration with Fabien Potencier
Waiting for a serious release after 1.3 release
25. PHP_CodeSniffer
At SQLI we have some framework standards
Zend Framework
Based onThomasWeidner work
Symfony
In collaboration with Fabien Potencier
Waiting for a serious release after 1.3 release
That’s nice, but…
Where are the standards for the other tools ?
I’ld expect a Drupal,Wordpress, Cake official standard
28. PHP_CodeSniffer
How far a standard can go in detection ?
Interestingly far for generic PHP Code
Very far if you know your tool’s structure
Imagine for example forcing PHP alternative syntax in
Symfony views…
Or checking for escaping in ZendViews !
29. PHP_Depend
By Manuel Pichler
Functional port of JDepend
OO design analysis
Metrics visualisation
Dependency analyzer
Works at the syntactic analysis level
30. PHP_Depend
How it works
PHP_Depend first makes an AST off your code
A « personal » one, made by PHP objects
ASTComment, ASTClosure, ASTEvalExpression, …
This is made by the Builder/Parser component
Using PHP Reflection
31. PHP_Depend
How it works (2)
Then PHP_Depend can answer questions by
« visiting » the AST
Task of Metrics Analyzers, that extend AbstractVisitor
IOC, the visitor decides what to do according to AST
Class : visitMethod, visitForStatement(), …
Analyzers can fire listeners during analyze() call
To get ongoing informations about the visit process
35. PHPMD
By Manuel Pichler
Detects rules violations
Analog to PHP_Codesniffer
Works at syntactic analysis level
Actually on the same AST
Depends on PHP_Depend
Has rulesets !
36. PHPMD
What it gives:
Code Size Rules
complexities, lengths, too many, …
Design Rules
OO, exit, eval
Naming Rules
Too short/long identifiers, old constructors, …
Unused Code Rules
Methods, members, parameters
37. phploc
By Sebastian Bergmann
Simple tool to give basic metrics
Fast, direct to the goal
Works mostly on lexical level
But use bytekit for ELOC if it can
38. phpcpd
By Sebastian Bergmann
Simple tool to detect duplicated code
Works at lexical analysis level
Use the tokenizer to minimize differences
Comments, whitespaces, …
Takes a minimum number of lines and tokens
Encodes according to this
Uses an hash table to find duplicates
39. vld
Vulcan Logic Disassembler
By Derick Rethans
Works at bytecode level
Shows generated bytecodes
Calculates possible paths (CFG)
Find unreachable code
Could be used for code coverage path metrics
42. Bytekit
By Stefan Esser (SektionEins)
Works at … bytecode level
Similar to vld
Exposes opcodes to a PHP array
bytekit_disassemble_file($filename)
Can be used directly for a custom script
44. Bytekit-cli
By Sebastian Bergmann
PHP Interface to use bytekit to spot violation rules
Initial state
Implemented rules :
Check for disallowed opcodes (example eval, exit)
Check for direct output of variables
In svn, check for unescaped ZendView
45. Padawan
By Florian Anderiasch
Focus on anti-pattern detection
alpha (?)
Works on syntactic analysis level
Based on PHC (PHP compiler)
Use an XML dump of the AST PHC generates
Makes xpath searches on it
46. Padawan
Interesting approach
Rules are fairly simple to write
Already many interesting tests :
Empty constructs (if, else, try,..), unsafe typecasts, loop
repeated calls, unused keys in foreach, …
PHC not easy to install
Risk on PHC manteinance
47. Phantm
By Etienne Kneuss
Highly experimental
Severe limitation on PHP dynamic features
False positives
Works on syntax analysis level
Based on Java tools (Jflex, CUP, Scala)
Reports violations
Non top-level declarations, call-time pass-by-ref, nontrivial
include calls, assign in conditional, …
Exploring Type FlowAnalysis
Tries to infer types and check for type safety
48. Conclusion
Use the right tool for the right job
Coding style is better analysed at the lexical level
OO design is better viewed after syntactic analyses
Unreachable code after bytecoding
Contribute !
Plenty of things still to implement
Easy to have new ideas
At least use them (you should!) and give feedback
49. Restitution
Once all this is collected what to do with it ?
At least, show it in a suitable form
At best, integrate this in your CI system
50. phpUnderControl
By Manuel Pichler
CI for PHP
Based on CruiseControl
Integrates natively various tools :
PHPUnit (+XDebug for code coverage),
PHP_CodeSniffer
PHPDocumentor
PMD via PHPUnit (now PHPMD)
54. Arbit
By Qafoo (with Manuel Pichler)
Basically a project multi-services tool
Ticketing system
Repository browser
Continuous integration
As Manuel is in it, some graphical
presentations are unique for this tool
Still alpha
58. Plugins Sonar for PHP
By me
Really by the Java guys at SQLI
Frédéric Leroy, Akram Ben Aissi, JérômeTama
Sonar is the state of the art for Open Source QA
Reporting in Java
Thought for multilanguage
Can easely integrate all PHP reportings ported from
Java tools
Junit => PHPUnit
JDepend => PHPDepend
Java PMD => PHPMD
59. Plugins Sonar for PHP
Ok, not always so easely
CheckStyle is not PHP_CodeSniffer
Formats are not identical
Multi-language doesn’t mean no work to add one
First release on May 2010
0.2 Alpha state, but workable
Easy to install : give it a try !
Last version demo : sonar-php.sqli.com
Ok, enough, here are the screenshots
66. Conclusion
Sonar really goes further
Best integrates with Hudson
Still is java…
But SonarSource really cooperates
How to interact with phpUnderControl, Arbit ?
(actually our solution – PIC PHP SQLI- is based on
phpUC + Sonar)
This needs to evolve