Static Code Analysis PHP[tek] 2023
1. Reducing Bugs With Static Code Analysis
Scott Keck-Warren
php[tek] 2023
@scottKeckWarren@phpc.social
@scottKeckWarren@twitter.com
4. How We Fixed Bugs (Don’t Do This)
1. Duplicate the bug
2. Fix it
3. Open SFTP connection to production
4. Manually edit the file
5. Cross our fingers nothing broke
24. What is Static Code Analysis?
Two Ways to Analyze Code
1. Dynamic Code Analysis
2. Static Code Analysis
25. What is Static Code Analysis?
Dynamic Code Analysis
• Run code (manually or automatically)
• Manual: slow and expensive
• Automated: slow to create but infinitely repeatable
26. What is Static Code Analysis?
Static Code Analysis
• Analyze our source code without actually executing it
• Slow onboarding (maybe) on brownfield applications
• Infinitely repeatable
• Can be faster than dynamic tests
27. What is Static Code Analysis?
What specifically can we do with Static Code Analysis?
• Find errors
• Adhere to standards
• Automatically refactor our code
28. What is Static Code Analysis?
• Team size is not a limiting factor to using SCA
• Compute can be
36. Feedback Loops: Worst Case
• Change is made
• Change is pushed to production
• Problem found a month later
• Problem is completely divorced from original change
• Leads to confusion
• What caused this?
[Diagram: a Process with Input(s) and Output(s); the outputs feed back into the inputs]
37. Feedback Loops: Okay Case
• Change is made on own branch
• Change is heavily tested on testing server
• Problem found during testing
• Problem solved quickly because change is still fresh in our mind
38. Feedback Loops: Better Case
• Change is made on own branch
• Change is heavily tested locally
• Problem found before code leaves our computer
• Problem solved quicker but still delayed
39. Feedback Loops: Best Case
• Change is made on a file
• Changes are tested as we type/save
• Problem found immediately
• Problem solved immediately
40. Where Do We Run Static Code Analysis?
[Diagram: three tiers, from the bottom up: Okay, Better, Best]
41. Where Do We Run Static Code Analysis?
[Diagram: the bottom (Okay) tier is the Test Server; Better and Best sit above it]
43. Test Server
• Goal: give us a secure base
• All tools run
• All files
• Slow
44. Test Server
• Lots of options for this
• Quickly talk about GitHub Actions
• Quick to set up
• “Infinitely” scalable
45. Test Server
• Two ways to set up
• One Job For All Tools
• Tools Run In Series
• Multiple Jobs/Actions For Each Tool
• Tools Run in Parallel
112. RequireStrictTypes
Fatal error: Uncaught TypeError: add(): Argument #1 ($a) must be of type int, float given, called in /home/user/scripts/code.php on line 9 and defined in /home/user/scripts/code.php:5
Note: add QR code to slides/resources
Note: QR code/link brings you to resources about this talk and slides
Hello Developers,
Story time
Want to tell you about some of the trauma I had inflicted on me
Hopefully prevent you from having the same
First job as a professional developer
Small SaaS
3 developers
No source control to speak of
Bugs in productions were fixed like this
Go through steps <click for each>
Last part was important because we would occasionally find <next slide>
Chrome with white screen
Sometimes 1 page some times the whole site
Generally results in angry person on phone (get picture of this)
Asking “what happened?”
SSH into the server to check error logs
Miscopied our results
Add example code with undefined function
Copied changes to one file but not another
Other things
Happened at least once a week
sometimes multiple times a day
Graphic: Change -> Production directly
So close together there's barely any space between them
Need to add some space <click>
Change -> ? -> Production
Then what do we fill the space with?
Change -> Checks -> Production
Better yet we’ll use two different types of checks
Better still will use several different checks of each type
Let’s talk about one of the major types today … <click>
static code analysis
Specifically:
How we can reduce bugs with SCA
For those of you who haven’t met me my name is …
Professional PHP Developer for 15 years
// team lead/CTO role for 10 of those 15
Currently Director of Technology at WeCare Connect
Survey solutions to improve employee and resident retention at skilled nursing facilities
Use PHP for our backend
Also …
Create Educational Videos on PHPArchitect YouTube
Discuss topics helpful for PHP developers
Found at youtube.com/c/phparch
If you want more content like this session follow me on social media and subscribe to our channel
I’m a huge fan of both
See my other talk on how to get more DCA
Lots of things we’ll do with static code analysis
Read list
<bp1>
Currently have a team of 1 using it (me)
Have had teams of 8 using it
<bp2>
In the past we have run into situations where our team has been waiting for their tests to run
So easy today to spin up containers that it's no longer a problem
<slide>
But Before we talk about that we need to talk about …
<slide>
Start with a process
Could be anything writing a class, sending an email, checking your email
Process has one or more inputs
Process happens and we get one or more outputs
In a feedback loop the outputs become part of the input loop
Developers are driven by feedback loops: make a change, find a problem, fix the problem, repeat
Want these to be short -> We can affect the length
Let’s give some examples
First case is “Worst Case”
In this <read slide>
I’m lucky if I remember what I did be
Note lack of testing
Next option okay case <read slide>
Less of a difference between change and problem being found
Next best case <read slide>
I like to call this an immediate feedback cycle
Provides feedback immediately so we can resolve problems immediately
This is the ultimate goal for static code analysis
Using these feedback levels to build three tiers of static code analysis
<click for each piece>
At the bottom…<click>
is running the SCA tools using a test server
<Read slide>
Slow is fine here: my day job takes 30 minutes to run all static and dynamic analysis
Fine with that because I'm not watching
Whole talk on working with GitHub actions you’re not seeing because it’s happening right now
Have video php arch channel on how to setup
Graph from before showing us change to production
I like 1 action with a lot of small steps in four stages
1 dynamic stage where I run automated tests
3 static stages
Quick and easy checks first, so we fail fast in the first stages
Slow checks in the final stages
Saves some money, and items failing in an earlier stage generally cause failures in later stages anyway
Return to our chart
See what’s next
Two ways to do this
First <slide>
Inside our .git directory then hooks
Session on this if you’re interested; we’re doing the quick-quick version
-> Default commit message (prepare-commit-msg)
-> before we push (pre-push)
-> before commit is created (pre-commit)
This is normally how we create commit
Pre-commit adds a conditional check
Is this good yes or no -> no we can’t create the commit
Might be wondering how ..
1. `git diff` -> Runs the git diff command which shows us changes in our repository
2. `--diff-filter=AM` -> filters out files to only show us modifications and additions
3. `--name-only` -> returns just the name of the file and not the contents
4. `--cached` -> returns changes that have been staged for the next commit and not every changed file
5. `app tests` -> limit our results to files in the app and tests directories
6. `| grep '\.php$'` -> Limit our results to just `.php` files (escape the dot: an unescaped `.` matches any character, so `grep ".php$"` would also accept a file named `foophp`)
Example graphic at command line
Example graphic in VScode
Example output in VScode
Still can be bypassed (`git commit --no-verify` skips the hook entirely)
Which is why we keep the secure base at the test server
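The hook itself, as an added example rather than the talk's own script: the same selection as the slide's git diff pipeline, wrapped in a PHP script so the whole hook lives in the language the team already writes. It assumes the repository layout from the slide (app/ and tests/ directories), that git and php are on PATH, and PHP 8 or later. One refinement over linting the working-tree file: it lints the staged blob (git show :path), because after a partial `git add -p` the staged content is what will be committed, and that is what should be checked.

```php
#!/usr/bin/env php
<?php
// .git/hooks/pre-commit (make it executable with chmod +x).
// Added example: lint only the staged, added-or-modified .php files under
// app/ and tests/, and refuse the commit if any of them fail php -l.
declare(strict_types=1);

// Same selection as the slide's pipeline:
//   git diff --cached --name-only --diff-filter=AM app tests | grep '\.php$'
exec('git diff --cached --name-only --diff-filter=AM -- app tests', $staged, $gitStatus);
if ($gitStatus !== 0) {
    fwrite(STDERR, "pre-commit: git diff failed, refusing to commit\n");
    exit(1);
}
$phpFiles = array_filter($staged, static fn (string $path): bool => str_ends_with($path, '.php'));

$failures = 0;
foreach ($phpFiles as $path) {
    // Lint the *staged* content (":path" names the blob in the index), not
    // the working-tree file: after `git add -p` the two can differ, and only
    // the staged version is being committed. php -l reads from stdin when no
    // file is given; 2>&1 captures the parse error text as well.
    $command = sprintf('git show %s | php -l 2>&1', escapeshellarg(':' . $path));
    $output = [];
    exec($command, $output, $lintStatus);
    if ($lintStatus !== 0) {
        $failures++;
        fwrite(STDERR, $path . ":\n  " . implode("\n  ", $output) . "\n");
    }
}

if ($failures > 0) {
    fwrite(STDERR, sprintf("pre-commit: %d file(s) failed php -l; commit aborted\n", $failures));
    exit(1); // any non-zero exit makes git refuse to create the commit
}
exit(0);
```

Save it as .git/hooks/pre-commit. Because hooks live under .git they are not versioned and `git commit --no-verify` skips them, so this is a convenience for the developer, not a control; the test server runs the same lint over every file regardless.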
VS Code example of syntax error: Missing “use” statement
Not native but with error lens plugin
Love these which is why I need to restart VScode so frequently
Here’s where it get good
Too many PHP SCA tools to review them all here
Show graphic of git repo with list of SCA tools
https://github.com/exakat/php-static-analysis-tools
https://analysis-tools.dev/tag/php
Bug Reduction -> things that might break code
Rule Validation -> things that don’t meet our standards
Code Analysis -> What’s code like
Focus on first two here
Third one is something I do weekly to see our code health but not automatically in 3-tiers
Free
Easy to use
Everything is command line based so it runs at pre-commit and test server
The most important SCA tool
Linting answers the most important question about our code: does it even parse?
PHP has a built-in linting mode (php -l)
It checks 1 file at a time, which is why it's “slow”
To cover many files we have to run it through additional tools (a loop, xargs, or a wrapper)
Also only finds one problem at a time
So error in city and last name
Only show error in city
Fix and repeat to find second
Graphics here
Like to make this my first check
If it fails others will fail as well
Another basic check
“free”
Pushing these to production causes weird output
Can and does break site
Don’t want that
Where in graphic
Teams are comprised of people with lots of life experience and traumas
That affects how they type each character
Having a coding standard makes code easier to read
Without a coding standard can have chaos
How do we fix this?
Better how do we fix this automatically
PHP_CodeSniffer library allows us to define a standard, enforce it, and fix it
PHP_CodeSniffer library has two command line scripts
phpcs (PHP CodeSniffer): reports violations of the standard
phpcbf (PHP Code Beautifier and Fixer): fixes the violations it knows how to fix
We need tell php_codesniffer what rules to use
<slide>
I like third option
PSR12 as a base
PSR family of standards is used by a lot of frameworks so it’s helpful
The ruleset file (phpcs.xml) is created at the root of the project, where phpcs picks it up automatically
If we run phpcbf on code this is what we get
Better right or at least consistent
<Read slide>
Let’s take a slight detour for another example
Function that adds two numbers
Use it to add 1.25 and 2.75
Does anyone know what the output of this is?
That seems like a bug to me what about you?
This is due to something that PHP does called type juggling
Because it's a dynamic language it automatically converts types
We wanted ints so it gave us ints
Mostly great but sometimes weird bugs
<click> have our two numbers
<click> We specified int parameters to our function, so PHP said “I’m going to make these integers”
<click> PHP converts the numbers to integers and in this case strips out the fractions
<click> 3
December 2015: PHP 7 added declare(strict_types=1), which prevents this kind of bug
7 years ago
If we run our code again
<next slide>
We get a TypeError
I constantly forget to add strict_types to my code
Need a little help
PHP_Codesniffer provides that
Doesn’t work by magic: we also need to make sure parameter types are declared
No support out of the box for this
To do that we need to look for more rules (or sniffs, as CodeSniffer calls them)
<Read slide>
Next require parameter types hints
Without parameter types strict types doesn’t help us completely
Return and property types help us avoid these kinds of mistakes too (and they help other tools)
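The add() example from the slides, reconstructed as an added example (not the talk's own slide code: only the function signature and the 1.25 + 2.75 call come from the speaker notes, the rest is an assumption made for the demonstration). It shows the silent truncation to 3 and the TypeError side by side, and with it the caveat the notes hint at: strict_types is decided by the file that makes the call, not the file that defines the function, so a strict function can still be called sloppily from a file that forgot the declare.

```php
<?php
declare(strict_types=1);

// Added example, not the slide's own code. The add() function and the
// 1.25 + 2.75 call are reconstructed from the speaker notes.
function add(int $a, int $b): int
{
    return $a + $b;
}

// strict_types applies to calls MADE FROM this file. To show weak mode as
// well, the same call is made from a second, generated file that has no
// declare, which is exactly the situation when one file in a project
// forgets the line (the reason the talk enforces it with a sniff).

// 1. Weak mode: PHP juggles the floats to int, 1.25 and 2.75 become 1 and
//    2, and the result is 3 instead of 4. (PHP 8.1+ additionally emits a
//    deprecation notice for the lossy float-to-int coercion, but still
//    returns 3.)
$weakCaller = tempnam(sys_get_temp_dir(), 'weak'); // assumption: writable temp dir
file_put_contents($weakCaller, '<?php return add(1.25, 2.75);');
$weakResult = include $weakCaller;
unlink($weakCaller);
printf("weak mode:   add(1.25, 2.75) = %d\n", $weakResult);

// 2. Strict mode: this file declares strict_types=1, so the same call is
//    refused with a TypeError instead of silently returning 3.
try {
    $strictResult = add(1.25, 2.75);
    printf("strict mode: add(1.25, 2.75) = %d\n", $strictResult); // never reached
} catch (TypeError $e) {
    printf("strict mode: %s\n", $e->getMessage());
}
```

The TypeError message is the one on the RequireStrictTypes slide. Note that the weak-mode caller never fails at runtime, which is why the check has to be static: a sniff that requires the declare in every file, plus parameter types on every function, closes the gap before the code runs.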
Let’s review where we’re at
Still have a space need to discuss and that’s
Help us find fatal errors due to changes in our code or mistakes
Have a very basic user class
Somewhere in my code I need the ID
Running the first time on a brownfield application
Potentially lots of “problems”
Run with --generate-baseline (PHPStan's flag): the baseline file records every existing report so that only new ones fail the run
Only need to worry about changes, but the baseline also hides any real bugs already in the code, so review it and shrink it over time
Have a pipeline now
This works and works because we
Graphic
At least for some of us
Took weeks
Might still have projects running on 7.4 because can’t justify upgrade
Took FOREVER
Full of potential errors because shortcuts were made
Didn’t even get to implement the new features in 8.0 like Constructor Property Promotion
Upgrade to 8.1 took less time but still a while
8.2 might take just a bit because we haven’t done it yet
Lots of manual work
Rector
List of rules and sets of rules can be found on their website
LevelSetList::UP_TO_PHP_80 is amazing because it will upgrade our code to 8.0 when possible
Ready to go to 8.1? <click>
Ready to go to 8.1? Just change it
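A rector.php that uses the set the slide names, as an added example (not the talk's own file). It assumes the app/ and tests/ directories from the earlier hook pipeline and the Rector configuration API current at the time of the talk (RectorConfig with paths() and sets()).

```php
<?php
// rector.php at the project root. Added example showing the LevelSetList
// the slide names; the paths are assumptions for the demonstration.
declare(strict_types=1);

use Rector\Config\RectorConfig;
use Rector\Set\ValueObject\LevelSetList;

return static function (RectorConfig $rectorConfig): void {
    // Only rewrite our own code, never vendor/.
    $rectorConfig->paths([
        __DIR__ . '/app',
        __DIR__ . '/tests',
    ]);

    // UP_TO_PHP_80 bundles every level set from 7.1 up to 8.0, so features
    // like constructor property promotion get applied where they fit.
    // Ready to go to 8.1? Change this one constant to LevelSetList::UP_TO_PHP_81.
    $rectorConfig->sets([
        LevelSetList::UP_TO_PHP_80,
    ]);
};
```

`vendor/bin/rector process --dry-run` prints the diff without writing anything; drop `--dry-run` to apply it. Level sets rewrite code mechanically, so the result still goes through the same test server pipeline as any other change before it ships.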
Keep your feedback loop SHORT
Immediately if possible