Exakat 0.12.1 review
Exakat 0.12.1 has been published, right back from the excellent Dutch PHP Conference. The whole event covered 4 days, including workshops, sessions, Code Night, Uncon and DPCon social meetings. Exakat received enthusiastic feedback for the ‘Reviewing unknown code with static analysis’ session! We also received suggestions from Marcus Bointon, Petra Drieskamper and Ivan Enderlin, which made it into this version!
Features popularity
In the Ambassador report, the Appinfo section lists the PHP features that are used in the code. Closures, cloning, variable constants, recursive functions, the no-scream operator @, literal unicode code points, or any of the 140 supported PHP extensions: all features are gathered in one place.
Now, thanks to Petra’s suggestion, we also report the popularity of each feature. For example, @ is used in 53% of PHP code. This feature is very common, and therefore not characteristic of any particular project. On the other hand, variable arguments are used by 17% of projects, and … in 5%.
Exakat maintains a list of 1600+ open source code repositories. They are used for testing stability and evaluating processing speed. From all those audits, we measure how often a project uses a given PHP feature.
PHPMailer review
During Code Night, I had a very constructive auditing session with Marcus Bointon: it actually led to fixes in both tools, Exakat and PHPMailer. PHPMailer is preparing its version 6.0, and it needs all the code reviews it can get.
Exakat spotted several edge case situations:
- Bail Out Early is also applicable to throw and goto;
- StrPos Comparison doesn’t apply to preg_match(): it only returns null when the regex is wrong, which doesn’t apply to hardcoded regex;
- Static Loops also applies to array variables;
- Common Alternatives should ignore control structures;
- Add Zero applies to 0, +0, -0, +-0, -+0, +-+0, 0.0, 00, 0x0, 0b0 …;
- Failed Substr Compare supports escape sequences;
- Short Assignation should not be suggested when it is already a short assignation.
This is an important part of the role of static analysis: collecting real coding situations, and including them in the analysis process. The ‘Add Zero’ rule, which tracks ‘+ 0’ situations, is typical: 0 may be expressed in an infinite number of ways in PHP once all the signed forms are included, and in a large number of ways otherwise. Now that those cases are identified, the whole analysis is ready for rougher coding styles!
Exakat 0.12 upgrade
Work on JanusGraph is progressing. The tests are being run on the Berkeley DB backend, checking the features with unit tests. We found some small discrepancies in the Gremlin queries, and some more significant ones in the way results are passed back to PHP. Nothing impossible, but small bumps on the road. We are going to start testing Exakat on Cassandra / Elasticsearch this week.
PlantUML report
Ivan Enderlin mentioned the excellent PlantUML from Laurent Laville: a Java-based tool that renders class diagrams from a simple-to-write text format. We produced the following graph from the databases of Exakat’s inventories:
Here, the example has two classes, an interface and a trait in the same dummy project. The schema shows extension and trait usage, methods and properties, with their visibility. This gives a good overview of the code, and should be included in documentation. As usual, the whole process is automated.
We’ll add support for class constants, and for dependencies (like composition and aggregation).
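The kind of diagram described above can be produced from loaded classes with PHP’s Reflection API. The following is an added example, not Exakat’s own generator: it assumes PHP 8, uses a constructed dummy project of two classes, an interface and a trait, and prints PlantUML text showing extension, interface implementation, trait usage, and members with their visibility.

```php
<?php
// Added example (not from Exakat): PlantUML class diagram via Reflection.
// Dummy project constructed for the demo: two classes, an interface, a trait.
interface Mailer { public function send(string $to): bool; }
trait Loggable {
    protected array $log = [];
    protected function log(string $msg): void { $this->log[] = $msg; }
}
class Transport {
    private string $host = 'localhost';
    public function connect(): bool { return $this->host !== ''; }
}
class SmtpMailer extends Transport implements Mailer {
    use Loggable;
    public int $port = 25;
    public function send(string $to): bool { $this->log("to $to"); return $this->connect(); }
}
function visibility(ReflectionMethod|ReflectionProperty $m): string { // UML marker
    return $m->isPrivate() ? '-' : ($m->isProtected() ? '#' : '+');
}
function plantUml(array $classNames): string {
    $out = ['@startuml'];
    $edges = [];
    foreach ($classNames as $name) {
        $r = new ReflectionClass($name);
        // PlantUML has no trait keyword: draw traits as classes with a stereotype.
        $kind = $r->isInterface() ? 'interface' : 'class';
        $out[] = "$kind $name" . ($r->isTrait() ? ' <<trait>>' : '') . ' {';
        // Members imported from a trait report the using class as declaring
        // class; collect their names so they are only shown in the trait's box.
        $fromTrait = [];
        foreach ($r->getTraits() as $t) {
            foreach (array_merge($t->getMethods(), $t->getProperties()) as $tm) $fromTrait[$tm->getName()] = true;
        }
        foreach (array_merge($r->getProperties(), $r->getMethods()) as $m) {
            if ($m->getDeclaringClass()->getName() !== $name || isset($fromTrait[$m->getName()])) continue;
            $isMethod = $m instanceof ReflectionMethod;
            $out[] = '  ' . visibility($m) . ($isMethod ? $m->getName() . '()' : '$' . $m->getName());
        }
        $out[] = '}';
        if ($parent = $r->getParentClass()) $edges[] = $parent->getName() . " <|-- $name";
        foreach ($r->getInterfaceNames() as $i) $edges[] = "$i <|.. $name";
        foreach ($r->getTraitNames() as $t) $edges[] = "$t <.. $name : use";
    }
    return implode(PHP_EOL, [...$out, ...$edges, '@enduml']);
}
echo plantUml([Mailer::class, Loggable::class, Transport::class, SmtpMailer::class]), PHP_EOL;
```

Pipe the output into the PlantUML jar to render the diagram; inherited members are deliberately left to the box of the class that declares them.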
No return from finally
Last, but not least, Exakat now reports return statements in finally. Finally is a clause of try-catch structures that runs some instructions unconditionally. Finally is applied when the try block runs fully, but also when an exception is thrown.
The trap is that finally is actually run BEFORE the exception clause, so that it has higher precedence. When finally uses return, this actually prevents the exception from being processed, and leads to forgotten exceptions.
<?php
function foo() {
    try {
        throw new \Exception();
    } catch (\Exception $e) {
        return 'Exception';
    } finally {
        return 'Finally';   // this return wins: the value returned from catch is discarded
    }
}
echo foo(); // displays only Finally
?>
The return command is not the only command to avoid here: throwing an exception in the finally has just the same effect. And, unlike other languages, PHP doesn’t accept continue or break in the finally at linting time, sparing us the same trap.
OWASP categorizes ‘Return Inside Finally Block’ as a vulnerability.
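The uncaught case is the dangerous one in practice: a return placed in finally for cleanup silently discards a pending exception. The following added example (not from the post or from PHPMailer) contrasts a resource-cleanup function with a return in finally against the corrected form, where finally only closes the handle; the function names and the php://memory handle are constructed for the demonstration.

```php
<?php
// Added example (not from the post or PHPMailer): a return in finally
// overrides both the normal return value and any pending exception.
function saveWithReturnInFinally(string $data): string {
    $fh = fopen('php://memory', 'w');
    try {
        if ($data === '') {
            throw new InvalidArgumentException('nothing to save');
        }
        fwrite($fh, $data);
        return 'saved';
    } finally {
        fclose($fh);
        return 'closed';   // always wins: hides the 'saved' result AND the exception
    }
}

// Corrected form: finally does cleanup only, so the try's return value
// and a thrown exception both reach the caller untouched.
function save(string $data): string {
    $fh = fopen('php://memory', 'w');
    try {
        if ($data === '') {
            throw new InvalidArgumentException('nothing to save');
        }
        fwrite($fh, $data);
        return 'saved';
    } finally {
        fclose($fh);       // no return, no throw here
    }
}

echo saveWithReturnInFinally('payload'), PHP_EOL;   // the 'saved' result is replaced
echo saveWithReturnInFinally(''), PHP_EOL;          // the exception is lost, caller sees success
echo save('payload'), PHP_EOL;                      // the try's result comes through
try {
    save('');
} catch (InvalidArgumentException $e) {
    echo 'caught: ', $e->getMessage(), PHP_EOL;     // the exception propagates as intended
}
```

The second call is the forgotten-exception case: the caller gets a string back and has no way to know the save failed.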
Happy PHP code reviews
Exakat 0.12.1 again includes a lot of contributions: many thanks to Ivan, Marcus and Petra for their suggestions! You may always join us at meet-ups (like 010 PHP or ZendCon), on the Slack channel, or on the GitHub page, to send us suggestions or bug reports.
All the 320+ analyzers are presented in the docs, including the simple ‘Adding Zero’, which spots code that adds 0 in its various forms to other data. When a conversion is actually intended, use an explicit (int) type cast instead.
Download Exakat on exakat.io, upgrade it with ‘exakat.phar upgrade -u’ and like us on github: https://github.com/exakat/exakat.