Using PHPStan with Laravel App
PHPStan
Muhammad Shehata
SWE @robustastudio
What is Code Analysis
Static Analysis Jargons
How to Use It
Final Thoughts
What Does PHPStan Bring?
Resources
What is Code Analysis
Code analysis is the process of testing and evaluating a program, either statically or dynamically.
Static Analysis
Static code analysis is a method of evaluating a program by examining its source code before execution. It is done by analyzing a body of code against a set of coding rules.
Dynamic Analysis
Dynamic analysis is the process of testing and evaluating a program while the software is running. It addresses the diagnosis and correction of bugs, memory issues, and crashes of a program during its execution.
Static Analysis Jargons
Measurements
Naming. Variable and method names: are they too short or too long? Do they follow a naming convention such as camel case?
Type Hinting. Some tools can suggest a name consistent with the return type. For example, a getFoo() method that returns a boolean is better named isFoo().
Lines of Code. Measures the lines of code in your class or method against a maximum value, in addition to the number of a method's parameters or a class's number of public methods and properties.
Code Structure I
Commented Code. No commented-out blocks of code: as long as you are using a version control system, you can remove unused code and, if needed, it's recoverable.
Return Statements. How many return statements do you have throughout your method? Many return statements make the method difficult to understand.
Return Types. Makes sure that the return type matches the expected one. Having many possible return types confuses the analyzers.
Code Structure II
Dedicated Exceptions. Throw dedicated exceptions instead of generic run-time exceptions, so that client code can catch them specifically.
No Static Calls. Avoid static calls in your code and use dependency injection instead. Factory methods are the only exception.
DRY. Checks for code duplication, either repeated literal values or whole blocks of code.
Complexity
Having a lot of control structures in one method, AKA the pyramid of doom. Possible fixes include:
• Early return statements
• Merging nested if statements, in combination with helper functions that make the condition readable.
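The Code Structure II and Complexity points above, worked through as an added example (not code from the slides or from PHPStan): a shipping check written first as a pyramid of doom that throws generic RuntimeException and calls a static gateway, then refactored with a dedicated exception, constructor injection, early returns and a helper whose name says what the merged condition means. The Customer, Order and gateway classes are constructed for this example and assume PHP 8.0+ (constructor property promotion).

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: the "before" and "after" of the
// Code Structure II and Complexity rules. All classes here are constructed.

final class Customer
{
    public function __construct(private bool $verified, private string $country) {}
    public function isVerified(): bool { return $this->verified; }
    public function country(): string { return $this->country; }
}

final class Order
{
    public function __construct(private ?Customer $customer, private float $total, private bool $paid) {}
    public function customer(): ?Customer { return $this->customer; }
    public function total(): float { return $this->total; }
    public function isPaid(): bool { return $this->paid; }
}

final class LegacyGateway
{
    public static function supports(string $country): bool { return $country === 'EG'; }
}

// Before: five nested ifs, a static call, and RuntimeException for every failure,
// so callers cannot tell a rejected business rule from an unexpected runtime error.
final class ShipperBefore
{
    public function ship(Order $order): string
    {
        if ($order->customer() !== null) {
            if ($order->customer()->isVerified()) {
                if ($order->isPaid()) {
                    if ($order->total() < 10000.0) {
                        if (LegacyGateway::supports($order->customer()->country())) {
                            return 'shipped';
                        }
                        throw new RuntimeException('unsupported country');
                    }
                    throw new RuntimeException('needs manual review');
                }
                throw new RuntimeException('unpaid');
            }
            throw new RuntimeException('unverified');
        }
        throw new RuntimeException('no customer');
    }
}

// After: a dedicated exception, an injected gateway, early returns, and a
// helper that merges the nested conditions under a readable name.
final class ShippingNotAllowed extends DomainException {}

interface ShippingGateway
{
    public function supports(string $country): bool;
}

final class Shipper
{
    public function __construct(private ShippingGateway $gateway) {}

    public function ship(Order $order): string
    {
        $customer = $order->customer();
        if ($customer === null) {
            throw new ShippingNotAllowed('no customer');
        }
        if (!$this->isShippable($order, $customer)) {
            throw new ShippingNotAllowed('order does not qualify for shipping');
        }
        return 'shipped';
    }

    private function isShippable(Order $order, Customer $customer): bool
    {
        return $customer->isVerified()
            && $order->isPaid()
            && $order->total() < 10000.0
            && $this->gateway->supports($customer->country());
    }
}

// Usage: the dedicated exception lets client code catch exactly this rule.
$gateway = new class implements ShippingGateway {
    public function supports(string $country): bool { return $country === 'EG'; }
};
$shipper = new Shipper($gateway);
echo $shipper->ship(new Order(new Customer(true, 'EG'), 99.0, true)), PHP_EOL;
try {
    $shipper->ship(new Order(new Customer(false, 'EG'), 99.0, true));
} catch (ShippingNotAllowed $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The refactored Shipper also reads better to PHPStan itself: the nullable customer is narrowed once into a local variable, so later calls on it are never made on a possibly-null value.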
Security Issues
Cipher Algorithms. Use cryptographic systems resistant to cryptanalysis, which are not vulnerable to well-known attacks such as brute force.
Cookies. Always create sensitive cookies with the "secure" flag so they are not sent over an unencrypted HTTP request.
Dynamic Execution. Some APIs allow the execution of dynamic code by providing it as strings at runtime. Most of the time their use is frowned upon, as they also increase the risk of injected code.
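The three security checks above as an added example (not code from the slides or from PHPStan): for each one, the weak form an analyzer flags sits beside the form that passes. The function names and sample inputs are constructed; the code assumes PHP 7.4+ for arrow functions and the setcookie() options array.

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: weak vs. fixed forms of the three
// "Security Issues" checks. Function names and inputs are constructed.

// 1. Cipher algorithms: a fast, unsalted digest vs. a brute-force-resistant hash.
function hashPasswordWeak(string $password): string
{
    return md5($password); // flagged: fast and unsalted, trivially brute-forced
}

function hashPasswordStrong(string $password): string
{
    // bcrypt via password_hash(): salted and deliberately slow
    return password_hash($password, PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

// 2. Cookies: a session cookie with no flags vs. Secure + HttpOnly + SameSite.
function setSessionCookieWeak(string $token): bool
{
    return setcookie('session', $token); // flagged: also sent over plain HTTP
}

function setSessionCookieSecure(string $token): bool
{
    return setcookie('session', $token, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
}

// 3. Dynamic execution: eval() on a runtime string vs. an allow-list dispatch.
function applyWeak(string $op, int $a, int $b): int
{
    // flagged: whatever arrives in $op becomes code
    return eval("return $a $op $b;");
}

function applySafe(string $op, int $a, int $b): int
{
    // Only the operations named in this table can ever run.
    $allowed = [
        'add' => fn (int $x, int $y): int => $x + $y,
        'sub' => fn (int $x, int $y): int => $x - $y,
        'mul' => fn (int $x, int $y): int => $x * $y,
    ];
    if (!isset($allowed[$op])) {
        throw new InvalidArgumentException("Unknown operation: $op");
    }
    return $allowed[$op]($a, $b);
}

// Usage with constructed input; cookies are set before anything is echoed.
$hash = hashPasswordStrong('correct horse battery staple');
setSessionCookieSecure(bin2hex(random_bytes(16)));
echo verifyPassword('correct horse battery staple', $hash) ? 'password ok' : 'password rejected', PHP_EOL;
echo applySafe('add', 2, 3), PHP_EOL;
```

The weak functions are defined only to show what gets flagged; the usage section never calls them.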
What Does PHPStan Bring?
PHPStan moves PHP closer to compiled languages in the sense that the correctness of each line of the code can be checked before you run the actual line.
(PHPStan repository README.md)
Errors detected in a Laravel app that has been analyzed with SonarQube since day one, by PHPStan rule level:
Level 0: 2 errors
Level 1: 157 errors
Level 2: 191 errors
Level 3: 203 errors
Level 4: 212 errors
Level 5: 226 errors
Level 6: 351 errors
Level 7: 378 errors
Level 8: 429 errors
Level 9: 516 errors
Rule Levels
Level 0: Basic Checks. Unknown classes, unknown functions, unknown methods called on $this, wrong number of arguments passed to those methods and functions, always-undefined variables.
Level 1: $this Unknowns. Possibly undefined variables, unknown magic methods and properties on classes with __call and __get.
Level 2: Methods. Unknown methods checked on all expressions (not just $this), validating PHPDocs.
Rule Levels II
Level 3: Types. Return types, types assigned to properties.
Level 4: Dead Code. Basic dead code checking: always-false instanceof and other type checks, dead else branches, unreachable code after return, etc.
Level 5: Arguments. Checking types of arguments passed to methods and functions.
Rule Levels III
Level 6: Type Hints. Reports missing type hints.
Level 7: Union Types. Reports partially wrong union types: if you call a method that only exists on some types in a union type, level 7 starts to report that.
Level 8: Nullable Types. Reports calling methods and accessing properties on nullable types.
Rule Levels IV
Level 9: Mixed Type. Be strict about the mixed type: the only allowed operation you can do with it is to pass it to another mixed.
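The rule levels above, illustrated by an added example (not code from the slides or from PHPStan): one service class whose first methods each contain a finding that a particular level starts to report (they are defined but never called), followed by the forms written to pass at level 9. User, UserRepository and InMemoryUsers are constructed for this example and assume PHP 8.0+ (union types, mixed, constructor promotion).

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: findings per PHPStan level, then the
// fixed forms. All classes here are constructed.

final class User
{
    public function __construct(private string $email) {}
    public function getEmail(): string { return $this->email; }
}

interface UserRepository
{
    public function find(int $id): ?User;

    /** @return User|array<string, string> a user, or field => error message */
    public function findOrErrors(int $id): User|array;
}

final class UserService
{
    public function __construct(private UserRepository $users) {}

    // Level 0: wrong number of arguments, and an always-undefined variable.
    public function levelZero(): string
    {
        $this->users->find(1, 'extra');
        return $nome;
    }

    // Level 7: getEmail() exists on User but not on the array member of the union.
    public function levelSeven(int $id): string
    {
        return $this->users->findOrErrors($id)->getEmail();
    }

    // Level 8: find() returns ?User, so getEmail() may be called on null.
    public function levelEight(int $id): string
    {
        return $this->users->find($id)->getEmail();
    }

    // Level 9: offset access on mixed, and mixed returned where string is declared.
    public function levelNine(mixed $payload): string
    {
        return $payload['email'];
    }

    // Fixed: narrow the nullable before using it.
    public function emailOf(int $id): string
    {
        $user = $this->users->find($id);
        if ($user === null) {
            throw new RuntimeException("user $id not found");
        }
        return $user->getEmail();
    }

    // Fixed: handle each member of the union explicitly.
    public function emailOrErrors(int $id): string
    {
        $result = $this->users->findOrErrors($id);
        if (is_array($result)) {
            return implode('; ', $result);
        }
        return $result->getEmail();
    }

    // Fixed: prove what the mixed value is before treating it as a string.
    public function emailFromPayload(mixed $payload): string
    {
        $email = is_array($payload) ? ($payload['email'] ?? null) : null;
        if (!is_string($email)) {
            throw new InvalidArgumentException('payload must carry a string email');
        }
        return $email;
    }
}

final class InMemoryUsers implements UserRepository
{
    /** @var array<int, User> */
    private array $users = [];

    public function __construct() { $this->users[1] = new User('admin@example.test'); }

    public function find(int $id): ?User { return $this->users[$id] ?? null; }

    public function findOrErrors(int $id): User|array
    {
        return $this->users[$id] ?? ['id' => "no user with id $id"];
    }
}

$service = new UserService(new InMemoryUsers());
echo $service->emailOf(1), PHP_EOL;
echo $service->emailOrErrors(2), PHP_EOL;
echo $service->emailFromPayload(['email' => 'ops@example.test']), PHP_EOL;
```

Running PHPStan over this file at increasing levels shows the findings appearing in the order the slides describe; the three fixed methods are what the same logic looks like once each finding is addressed rather than suppressed.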
How to Use It?
Installation
Configuration File
PHPStan uses a configuration file, phpstan.neon or phpstan.neon.dist, that allows you to:
- Define the paths that will be analyzed.
- Set the rule level.
- Exclude paths.
- Include PHPStan extensions.
- Ignore errors.
- Define the maximum number of parallel processes.
Config Reference
Ignoring Errors: Inline
Ignoring Errors: Config
PHPDocs
PHPDocs are an essential part of what makes PHPStan robust. PHP in its most recent versions introduced native type hints, but that still leaves a lot of room for PHPDocs to augment the information.
Properties and Inline Variables. PHPDocs can be written above class properties to denote their type, or at a variable assignment as a last resort.
Magic Properties. For custom __get/__set method logic, a @property PHPDoc tag can be placed above the class. It can also define read/write access.
Magic Methods. For custom __call method logic, a @method PHPDoc tag can be placed above the class.
PHPDocs Reference
Combining PHPDoc types with native type hints
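The PHPDoc forms described above (property and inline @var, @property with read/write access, @method, and a PHPDoc type narrowing a native hint), together with the inline error suppression from the "Ignoring Errors: Inline" slide, as one added example (not code from the slides or from PHPStan). The Config class and its magic methods are constructed for this example and assume PHP 8.0+ (union types).

```php
<?php
declare(strict_types=1);

// Added example, not from the slides: PHPDoc annotations PHPStan reads on top
// of native type hints. The Config class is constructed for this example.

/**
 * @property-read string $name      resolved through __get, read-only
 * @property int $retries           resolved through __get and __set
 * @method string greeting(string $salutation)  resolved through __call
 */
final class Config
{
    /** @var array<string, int|string> property PHPDoc narrows the native array */
    private array $values = ['name' => 'api', 'retries' => 3];

    /** @var list<string> */
    private array $readOnly = ['name'];

    public function __get(string $key): int|string
    {
        if (!array_key_exists($key, $this->values)) {
            throw new OutOfBoundsException("Unknown setting: $key");
        }
        return $this->values[$key];
    }

    public function __set(string $key, $value): void
    {
        if (in_array($key, $this->readOnly, true)) {
            throw new LogicException("Setting $key is read-only");
        }
        $this->values[$key] = $value;
    }

    /** @param list<mixed> $args */
    public function __call(string $method, array $args): string
    {
        if ($method === 'greeting' && isset($args[0]) && is_string($args[0])) {
            return $args[0] . ', ' . $this->values['name'];
        }
        throw new BadMethodCallException("Unknown method: $method");
    }

    /**
     * The native hint only says array; the PHPDoc tells PHPStan the shape.
     *
     * @return array<string, int|string>
     */
    public function all(): array
    {
        return $this->values;
    }
}

$config = new Config();

/** @var int $retries inline PHPDoc: the last resort when inference is not enough */
$retries = $config->retries;

echo $config->greeting('Hello'), ' with ', $retries, ' retries', PHP_EOL;

foreach ($config->all() as $setting => $value) {
    echo $setting, ' = ', $value, PHP_EOL;
}

// PHPStan reports a write to a @property-read property; the next-line ignore
// silences that single report without hiding anything else in the file.
try {
    // @phpstan-ignore-next-line
    $config->name = 'other';
} catch (LogicException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Without the @property and @method tags, level 1 would report the magic accesses as unknown; with them, PHPStan checks the types it is told about, which is why the final write to $name is caught statically as well as at runtime.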
The Baseline
Introducing PHPStan to the CI pipeline, increasing the strictness level or upgrading to a newer version can be overwhelming.
PHPStan allows you to declare the currently reported list of errors as "the baseline" and stop reporting them in subsequent runs. It lets you focus on violations only in new and changed code.
Generating the Baseline
If you want to export the current list of errors and use it as the baseline, run PHPStan with the --generate-baseline option. It generates the list of errors with the number of occurrences per file and saves it as phpstan-baseline.neon.
Adding PHPStan to CI Pipeline
Adding PHPStan to the CI pipeline and running it regularly on merge requests and main branches will increase our code quality, in addition to helping in code review.
Final Thoughts
• PHPStan and code analysis in general are not a substitute for testing.
• PHP is moving in the direction of being more predictable and relying less on magic.
Resources
Helpful Links about PHPStan and Other Tools
• PHPStan configuration reference
• PHPDocs usage with PHPStan
• PHPStan extensions library
• List of analysis tools for different languages
Thank You