Version 2.6.8
2024-05-02 – Fang Xuanling
+ Updated analysis : Undefined Enum Case now handles class constant relays
- Report
- Ambassador : upgraded manual rendering
- Analysis
Version 2.6.7
2024-03-21 – Zhang Gongjin
+ New analysis : new rule for Deprecated attribute (analysis)
- Analysis
Version 2.6.6
2024-03-14 – Gao Shilian
+ New analysis : report usage of strpos() < 1 (possible bug)
- Report
- Ambassador : fixed documentation display of PHP scripts
- CallGraph : displays the call graph in dot format
- Analysis
- Tokenizer
- Made property inside a string with a Name, not an Identifier
- Mark variable in append as modified
Version 2.6.5
2024-01-31 – Cheng Yaojin
+ New analysis : dump all combined method calls
- Architecture
- Cobbler
- Report
- Analysis
- Tokenizer
- Fixed display of ?-> inside strings
- Refactored Goto labels with a common atom between goto and labels
- Fixed minor errors with SEQUENCE (via NEXT)
–
+ New analysis: report literal passed by reference
- Architecture
- Moved assert configuration to ini_set and php.ini
- Added a set of token values for Debian 12 and 8.3
- Void is now a single atom in the graph (speed up, less resources)
- Speed up Load with less arrays, more classes
- Analysis
- Tokenizer
- Added CALLED link to new calls
- Fixed edge cases with match and readonly
Version 2.6.3
2023-12-14 – Ma Sanbao
+ Updated analysis : Too Many Variables in Method
- Analysis
- Tokenizer
- Fixed bug with short assignment left operand not being marked as read as well as written
- Added fullnspath to Staticclass atom
- Added support for THROWN, CALLED, YIELDED links in methods
Version 2.6.2
2023-11-21 – Duan Zhixian
- Analysis
- New analysis : Casting Method Favorite
- Updated analysis : Ellipsis detection improved
- New analysis : report arrays that are used for append and direct index access at the same time
- New analysis : report get_class() and get_parent_class() without arguments
- Updated analysis : Literal inventory now reports float, array() and heredocs
- New analysis : report usage of advanced static variable initialisation
- New analysis : cannot be readonly
- New analysis : report triplet stats from the internal graph
- New analysis : report static variables outside a method
- Updated analysis : Missing types are now covering class constants too
- New analysis : report usage of Deprecated features (CITE, functions, parameters…)
- Updated analysis : Could Be Typed * now supports class constants
- New analysis : add support for #[Override] before PHP 8.3
- New analysis : report variables that use their type as name
Version 2.6.1
2023-10-19 – Liu Hongji
- Cobbler
- New Cobbler : Logical to In_array() conversion
- Analysis
- Updated analysis : Use same types for comparisons was refactored
- Updated analysis : Add Zero skips ?? and ?: when it is used to create default values
- Updated analysis : Implode() args order was refactored with type support
- New analysis : report multiline expressions
- New analysis : report usage of typed constants
- Updated analysis : sprintf() argument counts is improved
- Updated analysis : double instruction skips try, while, do while.
- Updated analysis : useless instruction refactored clone expressions
- Updated analysis : array Append in a list() call
- Updated analysis : written only variables now take into account isset() too
- Updated analysis : recursive functions don’t report recursion via property or method call()
- Updated analysis : Shell favorite
Version 2.6.0
2023-10-04 – Xue Rengui
- Architecture
- Refactored generation of VCS
- Cobbler
- New cobbler : rename namespace
- New cobbler : rename function
- New cobbler : rename constant
- New cobbler : rename class
- New cobbler : rename interface
- New cobbler : rename enums
- New cobbler : rename trait
- New cobbler : rename method
- New cobbler : rename class constant
- New cobbler : rename property
- Report
- Added Classes dependencies table to Ambassador
- Added Classes dependencies counts table to Ambassador
- Added Classes dependent counts table to Ambassador
- Added Namespaces to Exception tree
- Added list of repeated class names
- New report : Naming, that checks spelling
- Analysis
- Updated analysis : Useless Null Coalesce now omits stdclass
- New analysis : report rewritten final class constant
- New analysis : report uselessly rewritten class constant
- Updated analysis : Fixed detection of use for functions and constants
- Removed analysis : Removed ‘Mark callable’
- Updated analysis : Fixed detection of calls to __construct
- Updated analysis : Avoid Boolean as Argument sped up
- Updated analysis : Property Could Be Local sped up
- New analysis : Report blind variable used beyond their foreach() loop
- Updated analysis : Could Use Try has more exceptions sources
- New analysis : Report recalled conditions
- Updated analysis : Upgraded Classes dependencies list with attributes, New initializers and instanceof
- New analysis : Report incompatible property definition between trait and class
- Updated analysis : Deep definition now includes define() calls and enums
- Updated analysis : Collection of File dependencies now include interfaces
- Updated analysis : Fixed bug in Could Be Spaceship
- Updated analysis : Upgraded ‘unthrown exception’ to handle variables
- New analysis : report usage of self:: on
- New analysis : report usage of DNF
- Updated analysis : readonly usage covers classes and anonymous classes
- New analysis : report usage of FTN as standalone type
- New analysis : Collect usage of throw and their method
- New analysis : Collect literals used in comparisons
- New analysis : Suggest using array_combine()
- New analysis : Report comparisons with distinct scalar types
- New analysis : reports null being used as array’s index
- New analysis : collect all named things in the source code
- Updated analysis : isComponent also supports enum and declare
- New analysis : report useless Try clauses
- New analysis : report converted exceptions
- New analysis : report methods that are no more than a single if
- New analysis : suggest to ditch default before assigning it
- Updated analysis : Unset or Cast was refactored with less raw() calls
- Updated analysis : PPP declaration style
- New analysis : collect the number of injections in a constructor
- New analysis : collect the property usage level for each class
- New analysis : collect structures, instead of in dump
- New analysis : collect catch, to complete results with throw collect
- Updated analysis : report usage of standalone True, False, Null.
- New analysis : report identical cases in match and switch
- New analysis : report usage of constants in traits
- New analysis : preference between short and formal comparison
- New analysis : report yield that can be turned into a yield from
- New analysis : report usage of enum cases in static constant expressions
- New analysis : report modification of readonly properties in __clone()
- New analysis : report usage of internal classes with class_alias()
- New analysis : report usage PHP 8.3 new dynamic
- New analysis : static variables may be initialized with arbitrary expression in PHP 8.3
- New analysis : report when an interface’s class constant visibility is not public when in the class
- Updated analysis : upgraded pre-calculate used variable in closure
- Updated analysis : Insufficient typehint (extended coverage)
- New analysis : Report final trait method that are overwritten
- Tokenizer
- Added support for typed constants
- Checked support for readonly anonymous classes
- Fixed LINK in DNF types
- Added support for attributes in enum, trait, interface and enumcase
Version 2.5.2
2023-02-04 – Wang Gui
- Report
- New report : Format for SonarQube
- Analysis
- New analysis : report array literal, used by index.
- New analysis : Cannot use empty strings with explode()
- New analysis : Report max() and min() applied on empty arrays.
- Updated analysis : Unused methods now skips internal use
- Updated analysis : Date formats are collected only on Datetime and Datetimeimmutable
- New analysis : strpos() used to convert integer to their ascii value
- New analysis : report double checks in the code
- New analysis : skip empty arrays in array_merge()
- New analysis : ellipsis is slower than array_merge()
- Updated analysis : variable type is detected with cast too.
- New analysis : follow unvalidated data in $_SESSION
- Updated analysis : updated in_array() to also report short arrays
- Updated analysis : closure2string skips when other arguments are necessary
- Updated analysis : condition is always true is upgraded with more work on is_a() and class type
- Updated analysis : htmlspecialchars() changed behavior in 8.1
- Updated analysis : always false does a better job at comparing types
- Updated analysis : upgraded analysis with types
- New analysis : new functions in PHP 8.3
- New analysis : suggestion for str_ends_with()
- New analysis : suggestion for str_starts_with()
- Updated analysis : dirname with 3rd arg is suggested when using ‘$path/../’ strings
- New analysis : collect the number of arguments per PHP native calls
- New analysis : report if/then when a variable is assigned in one branch, but not in the other
- New analysis : report mono or multi bytes favorite
- New analysis : count the number of arguments to PHP native calls
- Updated analysis : Null on boolean now takes into account types
- Updated analysis : upgraded Make One Call analysis to spot calls within same expression
- Updated analysis : incompatible type with incoming now covers call with superglobals
- Updated analysis : fixed bug when calculating DEFINITION for superglobals
- New analysis : report different constructors
- New analysis : report usage of short ternary operator
- New analysis : report when finalizing the call before the closure is better
- New analysis : report object cast to int or float
- New analysis : report variables initialized before an if condition with reinitialisation
- New analysis : report incompatible constructors
- New analysis : Report sidelined methods from a trait
- New analysis : Report misused Generators
- New analysis : Substr() for partitions in a loop
- New analysis : suggest caching local calls to reduce processing
- New analysis : report list of PHP 8.3 new classes
- Tokenizer
- Added support for readonly + final/abstract class
- Fixed DEFINITION for static in new
- Fixed DEFINITION for global variable definitions
- Upgraded support for variable types with PDFF
- Adapted support for undefined Identifier between PHP 7 and 8
Version 2.5.1
2023-01-19 – Wang Gui
- Architecture
- Extracted Called* to external class
- Introduced parallel loading for nodes and properties (links are WIP)
- Analysis
- New analysis : suggest omitting empty arrays before array_merge()
- Updated analysis : more calls are collected
- Updated analysis : Strict comparison with boolean covers array_search and array_keys
- New analysis : report useless methods
- Updated analysis : Add Zero also covers syntax like +$a
- New analysis : report weak tests on array, without checks on index
- New analysis : report multiple types in switch (PHP 8 compatibility)
- New analysis : could be a readonly class
- Updated analysis : Comparison strings to int include in_array() and co
- New analysis : report class invasions
- New analysis : report property invasions
- New analysis : collect all setlocale() calls
- Updated analysis : Collected calls includes __construct()
- Updated analysis : Collected calls includes __clone()
- New analysis : report usage of ++ on strings
- New analysis : report usage of deprecated mb_string encodings
- Tokenizer
- Fixed edge cases with readonly/namespace as method name
- Fixed handling of static keyword with rare combinations
Version 2.5.0
2023-01-05 – Wang Gui
- Architecture
- Cobbler
- Report
- Analysis
- Refactored analysis : WrongTypeWithCall skips variables without a type
- Refactored analysis : BailoutEarly skips blocks with one element only
- Refactored analysis : NonStaticMethodsCalledStatic extended to Stubs
- New analysis : ambiguous types for variables
- Refactored analysis : Unpreprocessed skips static::class
- Refactored analysis : Undefined constant skips class constants with variables
- New analysis : report exception that can’t be chained
- Refactored analysis : ShellExec preferences
- Refactored analysis : CreateMagicProperty was extended
- New analysis : report possible ::class usage
- New analysis : report wrong order of argument with variadic
- New analysis : report wrong encoding usage with mbstring
- Refactored analysis : Sped up ‘could be abstract method’
- Refactored analysis : Undefined Interfaces differentiate classes and interfaces
- New analysis : Ternary and Coalesce Operators order
- Refactored analysis : Set Parent DEFINITION also adds DEFINITION for CPM
- Refactored analysis : NativeClassTypeCompatibility upgraded fully to stub support
- New analysis : Report useless assignation of promoted properties
- Refactored analysis : Parameter name checking works with methods
- Refactored analysis : Classes/CouldUseClassOperator is extended to all CITE
- Refactored analysis : Classes/UndefinedConstants skips situations where the class is a variable of unknown type
- Refactored analysis : Infinite recursion also detects coalesce
- New analysis : Report methods / property confusions
- New analysis : Suggest using __NAMESPACE__, instead of hardcoded string
- Refactored analysis : Indirect injection is extended with ?? ?: and ? :
- New analysis : Report too many chained calls one in the other
- Refactored analysis : ‘This is for classes’ is extended to traits and enums
- Refactored analysis : ‘Unsupported types with operator’ is now using Stubs files
- New analysis : Report wrong typed with incoming values
- Refactored analysis : ‘Queries in loops’ is now extended to methods and one functioncall down.
- Refactored analysis : Identical Variables in Foreach now searches inside the source
- New analysis : Empty Loops
- New analysis : Report arrays that are too much extracted
- New analysis : Report methods where variables are not needed (only unique usage)
- New analysis : Report possible emission of TypeError
- Refactored analysis : Cant Throw now skips Interfaces
- Refactored analysis : fixed false positive with Always False
- Refactored analysis : Constant Invalid names do not confuse the constant and its value
- Refactored analysis : Undefined Variable in Catch, now skips variables also created in the catch clause
- Refactored analysis : Implicit conversion to int : skip float returned values
- Refactored analysis : Closure could be static now checks for internal definitions of enums or anonymous class
- Refactored analysis : Dont Collect void is extended to unspecified return types
- Refactored analysis : useless coalesce
- Refactored analysis : Indirect Injections
- Refactored analysis : Useless Reference now checks PHP, ext and stubs
- New analysis : Suggest to throw exceptions with json_*code()
- Refactored analysis : Scalar are not arrays cleaned
- Refactored analysis : No net for xml now enforces class too
- Refactored analysis : Static for classes now omits static variables
- Refactored analysis : Incompatibility signature now omits __construct
- Refactored analysis : Unreachable code
- New analysis : collect all calls from methods to methods
- New analysis : set fullnspath to method calls
- New analysis : report variables with an initial capital S (readability)
- New analysis : type dodging in parameter with union type
- Tokenizer
- Fixed bug related to readonly position
- Fixed bug where define was not correctly set with fullnspath
- Fixed priorities for print and yield
- Added support for DNF in the engine
- Added definition with static calls, within a class
- Added support for methods and properties with static calls to parent::
- Refactored handling of scope with $this and self/static
- Created a Precedence class for each version
- Refactored calculations for currentMethods in external class
- Migrating from Method to readsStubs (WIP)
- Handled edge cases in Yield (yield yield)
- Removed link between bool and int values when loading (edge case of numeric strings)
- Cleaned Load of GlobalVars array
Version 2.4.9
2022-09-07 – Wang Gui
- Analysis
- Refactored analysis : Uses Default now supports PDFF and functions
- Refactored analysis : Using PDFF with ext/seaslog and ext/memcache
- Removed analysis : ext/wikidiff2, ext/wincache, ext/iis, ext/libevent, ext/mhash, ext/parsekit, ext/kdm5
- New analysis : date() versus DateTime preferences.
- New analysis : identify unused public methods
- Refactored analysis : Detecting wrong visibility with implemented methods was sped up
- Removed analysis : Interface/ConcreteVisibility, double with Classes/ImplementedMethodsArePublic
- New analysis : identify potential abstract methods
- Refactored analysis : Upgraded ‘Wrong Type With Call’ to use the known variable types
- Refactored analysis : No Parent now takes traits into account.
- Refactored analysis : Should Have Destructor : removed some false positives, refactored documentation.
- Refactored analysis : No Parent now also checks for traits
- Refactored analysis : Uses default argument skips Virtualproperties
- New analysis : Complete/SolveTraitConstants adds support for constants in traits (PHP 8.2)
- Refactored analysis : Complete/SetParentDefinition was trimmed of 2 useless queries
- Refactored analysis : PPP declaration style
- Refactored analysis : Is Global Constant (removed usage of .ini)
- Refactored analysis : Overwritten* are simplified for speed up and deduplication
- Refactored analysis : UndefinedClasses speed up
- Refactored analysis : Should Preprocess now adds Heredocs and skips variables inside strings
- Refactored analysis : Should use Ternary now skips elsif
- Refactored analysis : ext/fann now use pdff
- Tokenizer
- Added support for PHP keywords in namespace names.
Version 2.4.8
2022-08-24 – Xue Rengui
- Architecture
- Cobbler
- Report
- Analysis
- Refactored analysis : strange names now covers types too.
- Removed analysis : ext/proctitle, Composer/IsComposerName, ext/cyrus
- Removed analysis : Composer/IsComposerInterface,
- Refactored analysis : VariableTypehint now skips self-transforming variables in default
- Refactored analysis : ErrorMessages now also tracks trigger_error()
- New analysis : ext/teds, ext/scrypt, ext/geospatial
- Refactored analysis with pdff : ext/crypto, ext/ev, ext/enchant
- Refactored analysis : refactored ‘could use short assignation’
- Removed analysis : ext/ereg, ext/async
- Refactored analysis : undefined class constants are also looked in the children classes
- Refactored analysis : vendor/symfony and vendor/phalcon
- Refactored analysis : Unused Methods now handles foreach() with new()
- New analysis : vendor/feast framework
- Checked unit tests : 4480 / 4450 test pass (99.3% pass)
- Tokenizer
- Fixed detection of constant in ternary/coalesce
- Finish adding types
Version 2.4.7
2022-08-03 – Xu Jingzong
- Architecture
- Cobbler
- New cobbler : remove brackets to single-instruction commands
- Report
- New inventory : IP
- Analysis
- Refactored analysis : Could Use Array_sum()
- Refactored analysis : Wrong Attribute with properties
- Refactored analysis : implode Args order now support types
- Refactored analysis : fopen mode does accept rw
- Refactored analysis : references on objects (full refactor)
- New analysis : finding empty arrays with comparisons
- New analysis : using strict with in_array or not
- New analysis : no default for referenced parameter
- New analysis : No clone constant before PHP 8.1
- New analysis : Complete enum cases with definition to value and name
- Refactored analysis : better handling of clone in Variable Typehint
- Refactored analysis : cleaned some false positives with Undefined Properties
- Refactored analysis : Unresolved use now uses stubs; upgrade in function/const coverage
- Removed analysis : ext/recode, ext/runkit, ext/ming
- Refactored analysis : Better coverage for 1 + []
- Refactored analysis : Difference preference has gremlin upgraded
- New analysis : Ext/random (PHP 8.2)
- New analysis : IP inventory
- Refactored analysis : JsonSerialize and ReturnTypeWillChange cover new methods
- Tokenizer
- Added support for -> out of Enum cases (with name and value)
- Added new classes from PHP 8.2
- Fixed missing fullnspath for attributes with absolute path
- Added all attributes to properties
Version 2.4.6
2022-07-20 – Li Yuanji
- Architecture
- Skip loading of WS property when only doing an audit (speed up loading)
- Finished move to Gremlin 3.6
- Cobbler
- New cobbler : adds brackets to single-instruction commands
- Report
- Ambassador : refactored trait matrix
- Analysis
- Refactored analysis : Wrong Type Hint with First Class Callable
- New analysis : PHP 8.2 new functions
- Refactored analysis : Useless Cast takes advantages of const types
- Tokenizer
- Typed all internal atoms
- Added types to internal loading engine
Version 2.4.5
2022-07-07 – Li Yuanji
- Architecture
- Docs : fixed presentation for cobblers
- Cobbler
- New cobbler : remove abstract option
- Report
- Analysis
- Refactored analysis : No Pss Outside Class also checks for static closures
- New analysis : Report errors in sprintf() formats
- New analysis : Report methods and properties with the same name in a class
- New analysis : Report invalid chars in date scanning formats
- Refactored analysis : Useless Coalesce applied to PHP native methods
- New analysis : Report Abstract Private methods in traits (php 8.0-)
- Refactored analysis : Dynamic New now also works on parenthesis
- New analysis : Report Utf8_encode() and utf8_decode() deprecation
- Refactored analysis : Create Default Values checks on self-transforming variables
- Refactored analysis : Missing Typehint skips constructor and destructor
- Refactored analysis : Useless constructor skip one that has other constructor calling it
- New analysis : Some Magic methods have compulsory return types
- Refactored analysis : Overwritten const is extended to classes without constants (but in their parent or interfaces)
- Refactored analysis : Nested ternaries now checks assignations, New parameter to set the min depth
- Refactored analysis : Instantiating Abstract now uses PDFF
- Refactored analysis : $this may be OK in closures (they can be rebound later)
- Refactored analysis : Adding ‘Void’ returntype when possible
- Refactored analysis : Don’t Collect Void was upgraded with methods returning nothing.
- Refactored analysis : Identical Expressions, now checks = and omits short assignations
- New analysis : If Then Return Favorite
- Refactored analysis : Useless Casting checks % distinctly
- Refactored analysis : Add Zero skips variables more often
- New analysis : Could Be Resource
- New analysis : DateTime Immutable is not immutable
- Tokenizer
- Fixed namespace’s names detection for older PHP versions
- Fixed Functioncall detection inside a new operator.
Version 2.4.4
2022-06-23 – Li Jiancheng
- Architecture
- Upgraded to Gremlin 3.6.0 (tinkergraph)
- Prepared engine to work with GSneo4j 3.6.0
- Cobbler
- New cobbler : turn ${a} into {$a} for PHP 8.2 compatibility
- Refactored cobbler : Adds null type to nullable parameters
- Report
- Analysis
- Refactored analysis : Non nullable setter skip properties set in constructor
- Removed analysis : ext/ffmpeg, ext/fdf, ext/xcache, ext/yis, ext/cairo
- Refactored analysis : ext/rdkafka, ext/zookeeper now uses PDFF
- Refactored analysis : Should Preprocess, now include local constant strings
- Refactored analysis : Undefined Interface, now not reporting extra Types
- New analysis : retyped reference, when a parameter with a type, eventually get a new type
- Refactored analysis : Static methods called from object, modernization
- Refactored analysis : New Analyzers, omits local defaults values
- Refactored analysis : Access Protected now takes into account PDFF
- Refactored analysis : Null type detection includes null default value for parameters.
- New analysis : Report type error for default values
- Refactored analysis : ‘ds’, ‘ssh2’ were upgraded to PDFF
- Checked unit tests : 4373 / 4349 test pass (99.5% pass)
- New analysis : Ice framework
- New analysis : taint
- Tokenizer
- Fixed ‘constant’ bug with functioncall on a nsname
- Upgraded Typehint detection to handle clone() calls
- Upgraded Typehint inference for properties and variables
Version 2.4.3
2022-06-02 – Emperor Gaozu of Tang
- Architecture
- Doctor failed to copy the tinkergraph configuration files
- Removed old connector GSneo4j/Tinkergraph
- Refactored starting/emptying of gremlin database
- Testing on PHP 8.2
- Cobbler
- Added suggestions when the -P is not found
- New cobbler : add Final to classes
- New cobbler : removes Final from classes
- Upgraded cobbler : removes Readonly from classes
- Report
- Ambassador, Emissary, Diplomat : removed link to the source code.
- Ambassador, Emissary, Diplomat : fixed link to online documentation
- Analysis
- Fixed analysis : Undefined Classes and Trait were affected by the recent Complete/Returntyping
- Refactored analysis : ‘Variables Used Once’ not omit inherited parameters.
- Refactored analysis : ‘Functions without return’ not skip methods with Never and methods that throw in the main sequence.
- New analysis : ‘Parent is not Static’, but rather self
- Refactored analysis : ‘Use This’
- Refactored analysis : ‘Extension/Extxhprof’ to PDFF
- Refactored analysis : Removing usage of methods, moving to PDFF
- New analysis : ‘No magic method for Enums’
- Refactored analysis : ‘Multiple Identical Keys’ now also processes automated index
- New analysis : ‘Modifying Readonly’ (WIP)
- Refactored analysis : ‘Could use short assignation’ skips usage of ??
- New analysis : ‘Readonly Can only be assigned in defining class’
- Refactored analysis : ‘Runkit7’ was upgraded to PDFF
- Refactored analysis : ‘Gnupg’ was upgraded to PDFF
- Refactored analysis : ‘xdiff’ was upgraded to PDFF
- Refactored analysis : ‘event’ was upgraded to PDFF
- New analysis : ext/stomp, ext/csv
- New analysis : Suggestion making the default assignation in property definition
- Refactored analysis : ‘Redefined private properties’ now covers PDFF too
- Refactored analysis : ‘Failing Substr Comparison’ now accepts != <>
- Refactored analysis : ‘Insufficient typehint’ extended with class constants
- Refactored analysis : ‘Unused constant’ takes advantage of hierarchy
- Refactored analysis : ‘Useless Abstract’ extended to include single extended classes
- Refactored analysis : ‘Mismatched Default Value’ now omits parameters without default value
- New analysis : method is identity
- New analysis : report overloaded existing names in use, from PDFF
- New analysis : collect incoming date inventory
- New analysis : collect vendor’s API usage
- New analysis : report Array addition usage
- Checked unit tests : 4373 / 4349 test pass (99.5% pass)
- Tokenizer
- Added support for PHP 8.2 readonly classes
- Fixed bug that made VariableTypehint automatically isPHP
Version 2.4.2
2022-05-18 – Li Chunfeng
- Analysis
- Refactored analysis : ‘Raised access Level’ now supports PDFF files
- Refactored analysis : ‘Cant Extends Final’ also Works with anonymous classes
- New analysis : Report ‘Lowered access levels’
- Refactored analysis : ‘Final methods’ extended to traits
- Refactored analysis : ‘Overwritten Methods’ fixed bug with Traits
- New analysis : ‘Cant extends Final Methods’
- Refactored analysis : ‘Cant extends Final Constants’ with PDFF support
- New analysis : ‘Extension Excimer’
- New analysis : ‘Report implicit float to int conversions’
- Refactored analysis : ‘Is always false’ is extended to typed properties
- New analysis : ‘Report inequalities with different types’
- New analysis : Report traits used once
- Refactored analysis : ‘Is Not Implements’ now supports PDFF; support for trait added.
- Refactored analysis : ‘Wrong name with parameter’ : added support for PDFF
- Fixed analysis : ‘Overwritten Methods’ skipped some interfaces
- Refactored analysis : ‘Fossilized methods’ was counting methods that are defined with Virtualmethod
- Refactored analysis : ‘Fix bug’ when missing fqn in New for Classes/WrongTypedPropertyInit
- New analysis : Report unknown locales.
- New analysis : ext/pkcs11
- New analysis : ext/spx
- Checked unit tests : 4314 / 4317 test pass (99% pass)
- Refactored analysis : ‘Basename suffix’ detection extended
- Tokenizer
- Fixed bug with float and power
- Fixed bug in global variable creation
- Create all possible links to static keyword
- Speed up creation of links to $GLOBALS
Version 2.4.1
2022-05-04 – Yuan Tiangang
- Architecture
- New Dump : collect all stub’s structures
- Report
- Sarif : Fixed URI (no initial /) and Exakat version
- Unused : report unused stuff in the code
- Ambassador : upgrade presentation of the Exception Treephp
- Analysis
- New analysis : Deprecated String interpolation in PHP 8.2
- Refactored analysis : Spaceship features is used for isRead property
- Refactored analysis : Skip analysis of returntypes for methods with throw/assert/trigger_error()
- New analysis : Report unused Enumeration Cases
- Refactored analysis : Can’t instantiate class now takes local class into account
- Refactored analysis : Many new examples extracted from the docs
- Refactored analysis : fixed bug with ‘Wrong Type With Call’
- Refactored analysis : Conditional structures now includes Enums too.
- New analysis : Don’t throw raw exceptions
- New analysis : Useless Coalesce operator (when there is a type available)
- New analysis : ext/yar
- Refactored analysis : ‘Wrong number of argument’ now includes methods defined in a trait in a PDFF
- Refactored analysis : moved ext/amqp to PDFF
Version 2.4.0
2022-04-20 – Yin Kaishan
- Report
- Ambassador : suggest literals to be turned into a constant, based on assignation and comparison
- Analysis
- Refactored analysis : ‘Classes/WrongCase’ reported too many arguments
- New analysis : No constructor in interfaces
- Refactored analysis : Bail Out Early also report if/then when in last position of a sequence
- Refactored analysis : Useless Casting also checks for double application of typehint/cast
- New analysis : Could Be A constant (in Dump)
- New analysis : Could Be Spaceship
- Refactored analysis : Vendors/Concrete5 is updated to Concrete5 v9.0
- New analysis : Vendors Sylius
- Refactored analysis : Vendors/Joomla is updated to Joomla 4.2.0
- Refactored analysis : Wrong Number Of Arguments supports Constructors and methods (static and normal)
Version 2.3.9
2022-04-06 – Fu Yi
- Architecture
- Changed Loading system to handle globals directly with gremlin, and without ids
- Cobbler
- New cobbler : adds ‘function array_key_exists’ to the list of use statements to speed up array_key_exists.
- Analysis
- Refactored analysis : Fixed bug with ‘each’ and namespaces in Php/Deprecated
- Refactored analysis : Next Month Trap was updated with support for datetime (Immutable)
- Refactored analysis : TimeStamp Differences now covers any seconds additions. Datetime::format(‘U’) was also added to sources.
- New analysis : Avoid using 86400 to handle days when calculating dates.
- New analysis : Do not reuse the source name in a foreach($a as $a)
- New analysis : Use constants when the function returns them
- Updated analysis : New constants for ‘Use Constants As Arguments’
- Refactored analysis : many Extensions/Ext* are moving to pdff support
- Refactored analysis : speedup Should Preprocess analysis
- Refactored analysis : Modernized Overwritten class constants
- New analysis : Report overwritten final constants from PDFF
- Refactored analysis : Moving Extensions/Ext* to PDFF
- Refactored analysis : Repeated Regex
- New analysis : Report string / integer comparison for PHP 8.0 migration
- Refactored analysis : Defined Class Constants differentiate from Enumeration cases
- New analysis : Complete functions with obvious typehints
- New analysis : Extension protobuf
- Refactored analysis : Upgraded Property analysis to use PDFF
- Refactored analysis : ‘Multiple identical keys’ now has an array size limit (15000)
- New analysis : Constant favorite : use or not?
- Refactored analysis : Upgraded ‘Unresolved classes’ with Pdff support
- Tokenizer
- Fixed isPhp/isExt/isStub detection for catch classes
Version 2.3.8
2022-03-23 – Xiao Yu
- Architecture
- Speed up gremlin queries
- Report
- Pdff : added support for hasDefault in properties and parameters
- Analysis
- New analysis : Report type of string introspection used in the code, as a favorite
- New analysis : Report functions to be of type ‘never’.
- Refactored analysis : Variables used once by context, now omits Blind variables
- Refactored analysis : Redeclared PHP functions works with PHP 8.1’s functions
- Refactored analysis : Modern Empty
- Refactored analysis : Deprecated Functions
- Refactored analysis : Removed usage of IsExtInterface in UndefinedClasses
- Refactored analysis : Suggesting static class names over objects takes into account the nature of the typehint available.
- Refactored analysis : Using PDFF with ext/gender, ext/decimal, ext/xxtea, ext/mailparse, ext/uuid.
- Refactored analysis : Using PDFF with ext/xmlreader, ext/writer, ext/mongodb, ext/gd, ext/dom
- Refactored analysis : Class Usage rule now skips Interfaces in Implements
- Removed analysis : Modules/*
- Removed analysis : Extensions/Extzbarcode
Version 2.3.7
2022-03-09 – Xiao Yu
- Architecture
- Fixed all internal step’s case
- Report
- New report : PerRule (same as PerFile, but grouped by rules)
- New report : CompatibilityPHP56 (based on Perfile, dedicated to Compatibility PHP 5.6)
- Updated report : Ambassador now lists @keywords in phpdocs (inventories)
- Updated report : Manual includes sections for namespaces, and global constants
- Analysis
- New analysis : Use variables when they are created inside a loop
- New analysis : Simplify Foreach()
- New analysis : Identical Conditions on If-elseif
- Refactored analysis : Undefined Instanceof now relies on isPhp/isExt/IsStub
- Refactored analysis : First byte only, now uses variable typehints
- Refactored analysis : Dont loop on yield
- Refactored analysis : Interfaces suggestion now accepts php/ext/stubs configuration
- Refactored analysis : Static calls to traits exclude self, parent, static
- Refactored analysis : Don’t read and write at the same time : Extended to all containers, removed edge cases
- Refactored analysis : Undefined interfaces takes Variable Typehint into account
- Refactored analysis : Incompatible Method signature
- Refactored analysis : Unfinished objects now checks called internal methods
- Refactored analysis : Better coverage for Class Constants
- Refactored analysis : Insufficient typehint skips properties without a type
- Tokenizer
- Extended support for Variable typehints
Version 2.3.6
2022-02-16 – Qin Qiong
- Architecture
- Cobbler
- Refactored cobbler : ‘SetTypehint’ checks more before adding a class typehint
- Report
- Ambassador : added the list of extended dependencies as an audit report
- Diplomat : removed 4 rules from Analyze (Classes/Redefined*)
- Analysis
- New analysis : Too Many Stringed If-then-elsif
- New analysis : Undefined Enumeration case
- New analysis : Unfinished objects
- New analysis : Class Alias usage
- New analysis : Undefined Methods
- New analysis : Suggest array_sum(), from the code
- New analysis : Missing type on any structure (method, parameter, property)
- New analysis : Spot unreachable methods
- New analysis : Public Reach lists the paths from public methods to private ones.
- New analysis : Avoid Static calls on objects when possible
- Deprecated analysis : Is Php Function
- Refactored analysis : Removed usage of IsExtFunction analysis
- Refactored analysis : ‘Could Be array’ relies on … too
- Refactored analysis : ‘No need for else’ now skips elseif
- Refactored analysis : ‘Undefined constants, functions, traits, interfaces, classes{const, static P/M}’ now leverages the stubs
- Refactored analysis : ‘Insufficient typehint’ checks for union types
- Refactored analysis : ‘Used Once Properties’ now omits classes that have dynamic properties
- Refactored analysis : ‘Unused class constants’
- Refactored analysis : ‘Reuse variable’ has a narrower focus, and takes scope into account.
- Refactored analysis : ‘Weak Type’ Extended analysis to typed containers
- Refactored analysis : Definitions stats now break down to isPHP/isStub/isExt
- Refactored analysis : Isset() calls with more complex expressions
- Bug: fixed Php/MixedKeyword in analyzer database
- Checked unit tests : 4123 / 4132 test pass (99% pass)
- Tokenizer
- Refactored Foreach variable detection
- Fixed constant detection in deep namespaces
- Restored Stubs from configuration and commandline
- Added fullnspath to static properties
- Added Complete/Is*Structure, to finish marking atoms with isPhp, isStub
- Deprecating Composer/IsComposerNsname
- Fixed bug with class_alias
- Added Not to guess list
- Fixed bug in engine with comments at the end of scripts.
Version 2.3.5
2022-02-02 – Yuchi Gong
- Architecture
- ‘Complete’ ruleset will run the configured rulesets that are not already run
- Cobbler
- New cobbler : removes readonly option on properties
- New cobbler : removes useless variables
- Report
- Ambassador : added counts with the actual sizes of the classes (constants, properties, methods)
- Ambassador : Fixed display of compatibility features
- Uml : Report number of classes exported
- Analysis
- New analysis : List all external dependencies extensions
- New analysis : report recycling of foreach() sources
- New analysis : report usage of readonly
- New analysis : Suggest updating if-then to ternary operator
- New analysis : Report multiple similar calls in a row
- New analysis : Suggest using FILE_APPEND with file_put_contents()
- New analysis : Report missing visibilities
- New analysis : Identify literal that may actually be existing constants.
- Fixed analysis : Cancelled parameter shall take ??= into consideration
- Refactored analysis : ‘Cannot use static with closure’ analysis is extended to properties
- Refactored analysis : Upgraded detection of variable modified by a reference in a PHP or custom function/methodcall.
- Refactored analysis : Fixed bug with ‘This is for class’ where typehints were not correctly seen inside a class.
- Refactored analysis : ‘Insufficient typehint’ was upgraded with class constants checks
- Refactored analysis : ‘Undefined class’ skips ? as a class
- Refactored analysis : ‘Static loops’ now takes into account modifications in the conditions
- Refactored analysis : ‘Complex expressions’ omits match
- Refactored analysis : ‘Cache variable outside loop’ fixed bug with function names and new expressions
- Refactored analysis : ‘Logical mistakes’ now checks for constants on the rest of the comparison
- Refactored analysis : ‘Cant instantiate class’ now takes into account self/static
- Refactored analysis : ‘Should use self’ also reports self opportunities in new expression.
- Refactored analysis : ‘Written only’ fixed a bug with properties
- Refactored analysis : ‘No choice’ also spots ?: null and ?? null
- Refactored analysis : Written Only Variable now takes into account references in parameters
- Refactored analysis : Classes’s strange names covers methods, properties and classes.
- Refactored analysis : Caught but never thrown exceptions have an updated list of exceptions
- Refactored analysis : Unresolved Catch uses updated PHP exception/error list
- Refactored analysis : PHP 8.0 new types now covers mixed and also properties.
- Refactored analysis : PHP 8.0 union type differentiates between ?A and null|A
- Refactored analysis : CIT same names was extended to Enumeration
- Tokenizer
- Fixed boolval for multiplications
- Fixed spaceship for string and boolean values
- Added processing to isPhp/isExt/isStub to implemented names
Version 2.3.4
2022-01-19 – Yuchi Gong
- Cobbler
- New cobbler : remove unused use expression
- Added 4 directives to each rule : namespaces, ignore_dirs, include_dirs and file_extensions. They filter out some of the results.
- Report
- Composer : upgrade the list of core PHP extensions
- Analysis
- New analysis : Mark simple getters/setters in classes
- New analysis : Report unchecked divisions (int and operators)
- New analysis : report possible abstract constants in classes (which should be defined in a parent)
- New analysis : report recycled variables
- Refactored analysis : Upgraded ‘Object references’ with union and intersectional types
- Refactored analysis : Removed edge cases in ‘Don’t collect void’
- Refactored analysis : Extension detection now takes into account enums
- Refactored analysis : Upgraded AlwaysFalse with better typehinting inference
- Refactored analysis : indentation levels missed several results while reporting
- Refactored analysis : interfaces, traits and constants were missing for use expression resolution
- Refactored analysis : Undefined Interfaces now exclude better PHP or ext’s interfaces
- Refactored analysis : Never Used Parameter confused Void and first argument
- Refactored analysis : Self were reported as outside a class when in foreach()
- Refactored analysis : Clone with non-arrays now checks PHP native functions too
- Refactored analysis : Excluded powers from calculations in IsZero
- Refactored analysis : Fixed discrepancy between ‘ and ” handling of \
- Extended tests : match without default
- Tokenizer
- Fixed a bug where static keyword is processed as a simple nsname
- Fixed a bug where typehints were not marked as isPhp, isExt or isStub
- Fixed an edge case with array functions inside match() syntax
- Fixed an edge case with Closures and reference-use variable
- Fixed an edge case with static inside ternary
- Fixed yield expression scope
- Added Table for PHP 8.2 compilations checks
- Removed extra void with use expression for traits
Version 2.3.3
2022-01-05 – Xu Maogong
- Cobbler
- New Cobbler : removes attributes
- Report
- Analysis
- New analysis : suggest using ?-> when Null is a possibility
- New analysis : Report backward incompatibility with overloaded interface constants
- New analysis : Mark variables as local constants when only assigned once
- New analysis : suggest using iterable, based on array|traversable usage
- New analysis : Report usage of PHP 8.1 intersection typehints
- Refactored analysis : Hidden Nullable rule now handles intersection types
- Refactored analysis : ‘Use Nullable’ covers properties too
- Refactored analysis : ‘Could Be stringable’ is extended to trait usage
- Refactored analysis : skip static and globals when counting variable usage in methods
- Refactored analysis : PHP 8.0 Union type detection includes properties
- Added tests to Complete/Overloaded* (CPM)
- Tokenizer
- Fixed a bug with Ternary and constants
Version 2.3.2
2021-12-16 – Wei Zheng
- Cobbler
- New cobbler : removes a method
- Report
- Analysis
- New analysis : suggest ::class instead of get_class()
- New analysis : report when a class extends stdclass (for dynamic properties review)
- New analysis : Reports when checks are made on the existence of properties
- Upgraded analysis : Useless Typechecks is upgraded with union and intersectional type checks
- Upgraded analysis : Reporting invalid access to protected CPM
- Upgraded analysis : Removed Used Properties with classes with dynamic properties
- Fixed bug in PropagateConstants
- Tokenizer
- Added detection of typehints for variables
Version 2.3.1
2021-12-01 – Li Shimin
- Cobbler
- Fixed bug with Settypehint when multiple types are available
- Report
- New Pdff report : PHP Document File Format
- Analysis
- New analysis : report promoted properties
- New analysis : report deprecated PHP 8.2 callable
- New analysis : report new in initializers
- New analysis : report nested attributes
- New analysis : report direct calls to Trait methods and properties
- New analysis : report auto vivification of false (PHP 8.1)
- New analysis : report implicit float to integer conversion for arrays
- Updated analysis : Declare Static and Global early.
- Updated analysis : No Null For Native now uses typehints
- Updated analysis : refined No Static variable in method
- Tokenizer
- Fixed bug with __METHOD__ when it is called outside a method
Version 2.3.0
2021-11-18 – Wei
- Architecture
- Catchup tokens from PHP 5.6 till 7.2
- Report unknown Rulesets during reports command
- Extended ‘catalog’ command to list rules too
- Extended ‘catalog’ command to return YAML format
- Report
- Added several new analyses to the Rector report
- Added mixed and never to Appinfo report
- Upgraded Sarif report with bartlett/sarif-php-sdk
- Analysis
- New analysis : report the missing mixed returntype for jsonserialize
- New analysis : report final with constants
- New analysis : report never usage (typehint)
- New analysis : report PHP 8.1 typehint incompatibilities
- New analysis : report PHP 8.0 typehint incompatibilities
- New analysis : report PHP 8.0 named parameters
- New analysis : report First Class Callable Syntax
- New analysis : New Functions in PHP 8.1
- New analysis : Removed functions in PHP 8.1
- New analysis : Prepare ‘never’ for PHP 8.1
- New analysis : Prepare ‘mixed’ for PHP 8.0
- New analysis : detect mixed and never usage as typehints
- Upgraded analysis : Wrong Number of arguments also works with new first class callable syntax
- Upgraded analysis : Typehint stats now includes union and intersection types
- Upgraded analysis : Removed functions in PHP 8.0
Version 2.2.5
2021-11-03 – Wood star
- Analysis
- New analysis : Calling Trait Static Method directly is deprecated in PHP 8.1
- New analysis : No reference for returned void
- New analysis : No Null for PHP native methods
- Updated analysis : Wrong type for argument now covers classes, union type and intersection types.
- Updated analysis : Unused Private Methods are also detected with array($this, ‘xx’) syntax
- Checked unit tests : 3821 / 3805 test pass (99% pass)
- Cobblers
- New cobbler : remove typehints from arguments, returns and properties
Version 2.2.4
2021-10-21 – Gold star
- Dataset
- Updated PHP native dataset with missing classes and typehint.
- Analysis
- New analysis : Report incompatible typehint with native PHP methods in PHP 8.1
- New analysis : Report Missing Attribute Attribute
- New analysis : Report full_path index in $_FILES usage
- Updated analysis : Type detection also includes return type from methods
- Cobblers
- Updated cobbler : Set typehint handles typehint from arguments
- Tokenizer
- Added more cases for Constant types
Version 2.2.3
2021-10-06 – Wu
- Architecture
- Updated INI files for PHP 8.1
- Data
- Extended PHP directives lists
- Report
- New report Migration 8.1
- Analysis
- New analysis : PHP 8.1 removed directives
- New analysis : PHP 8.1 removed constants
- New analysis : Wrong named parameter for PHP native function
- New analysis : Report duplicate named arguments
- New analysis : htmlentities (and co) default 2nd argument
- Updated analysis : Scalars are not arrays. Extended with type support.
- Tokenizer
- Support for callable strlen(…)
- Test for new syntax for octal 0o123
Version 2.2.2
2021-09-22 – Si
- Architecture
- Refactored documentation
- Report
- Added support for PHP 8.1 compatibility
- Analysis
- New analysis : Restrict $GLOBALS usage
- New analysis : No object as array’s index
- New analysis : Overreaching classes (PHP feature)
- New analysis : Report Enum usage
- Updated analysis : Typehints/* got new Unit Tests
- Updated analysis : Explode optimisation
- Tokenizer
- Reduced the number of DEFAULT creation for properties
- Added support for new PHP 8.1 syntax (Enum)
Version 2.2.1
2020-11-20 – Chen
- Architecture
- Export : WIP of exporting PHP code from graph
- New directives : rules_version_max, rules_version_min, ignore_rules and ignore_namespace
- Report
- Sarif : Fixed line number that may be null or less
- Ambassador : Fixed visibility report
- Analysis
- New analysis : check for match as a keyword
- New analysis : replace static variable by static properties
- New analysis : warn about usage of get_object_vars()
- New analysis : report global and static variables that are declared multiple times
- Updated analysis : extended Used Classes to abstract classes
- Updated analysis : wrong number of argument now supports $this()
- Updated analysis : parse_str last argument doesn’t apply anymore in PHP 8
- Updated analysis : useless argument now omits parameter with default value
- Checked unit tests : 3797 / 3800 test pass (99% pass)
- Tokenizer
- Fixed race condition with phpdocs
- Refactored static and global variables definitions (avoid double definitions)
- Fixed detection of [] inside a list()
- Fixed detection of alternative syntax for switch
- Added use property to usenamespace too (for grouping)
Version 2.2.0
2020-10-15 – Mao
- Architecture
- Extended Export command to produce PHP scripts from the graph database
- Added more typehints
- Added new command ‘onefile’
- Sped up database restart with id reset
- Updated list of functions for several extensions. Started adding methods, class constants..
- Report
- Ambassador : updated popularities
- Ambassador : added missing PHP 8.0 ruleset
- Analysis
- New analysis : report arguments and properties whose name clashes with the typehint
- New analysis : report long preparation before throw command
- New analysis : missing __isset() method
- New analysis : suggest array_keys() for array_search in loops
- New analysis : array_map() complains with values by reference
- New analysis : report final private properties
- New analysis : report misnamed constant/variable
- New analysis : check for attribute configuration (PHP 8.0)
- New analysis : suggest dropping variable in catch clause
- New analysis : report resources that should not be tested with is_resource (PHP 8.0)
- New analysis : check for named arguments and variadic
- Updated analysis : wrong number of argument now supports $this()
- Updated analysis : redefined private property uses OVERWRITE
- Updated analysis : refactored UndefinedFunctions for speed
- Updated analysis : array_map() complains with values by reference
- Updated analysis : removed false positives on properties in strings
- Updated analysis : unsupported types with operators skips cast values
- Updated analysis : cancelled parameters are also for array_map/array_walk
- Updated analysis : variable variable skips variables inside strings
- Updated analysis : removed functions are not reported when in if/then with function_exists()
- Updated analysis : wrong optional parameter fixed false positive with …
- Updated analysis : extended list of removed directives, functions and constants
- Removed analysis : RealVariables
- Checked unit tests : 3761 / 3772 test pass (99% pass)
- Tokenizer
- Added Void to empty default/case
- Bitoperation added to isRead
- Fixed list[] in a Foreach
- Fixed token T_OPEN_DOLLAR_CURLY_BRACKET
Version 2.1.9
2020-10-01 – Yin
- Architecture
- Removed old and unused commands
- Modernized usage of docker as phpexec
- New directive php_extensions to manage the list of ext
- Report
- Ambassador : removed 3 gremlins from typehint stats, added scalar types
- New Migration80 report, dedicated to PHP 8.0 migrations
- New Stubs.ini report, dedicated to exakat extensions production
- Analysis
- New analysis : report arguments which are not nullable because of constants.
- New analysis : could use stringable interface
- New analysis : suggest explode()’s third argument when applicable
- New analysis : suggest PHP 8.0 promoted properties
- New analysis : report arrays with negative index, and auto-indexing
- New analysis : report unsupported types with operators
- New analysis : report usage of track_errors directive (PHP 8.0)
- New analysis : report useless types on __get/__set
- New analysis : count the number of use expressions in a file
- New analysis : Avoid modifying typed arguments
- New analysis : Report Assumptions in the code
- New analysis : array_fill() usage with objects
- New analysis : mismatch between parameter name and type
- Updated analysis : magic methods definitions also find usage for __invoke()
- Updated analysis : noscream operator usage may have exceptions
- Updated analysis : identical methods and identical closures
- Updated data : list of exceptions and their emitters
- Tokenizer
- Upgraded detection of extensions’ structures, beyond functions
Version 2.1.8
2020-09-18 – Chou
- Architecture
- Added ‘--’ options, and kept the ‘-’ options, for migration purposes. (--format and -format are both available)
- Added support for PHP 8 attributes in dump.sqlite
- Added ‘precision’ to rule docs.
- Moved all but one data collection from Dump -collect to Dump/ analysis.
- Report
- New report : SARIF
- Typehint suggestion report : Tick classes when they are fully covered
- Weekly report : fix donuts display.
- Stubsjson : Added support for PHP attributes
- Stubs : Added support for PHP attributes
- Analysis
- New ruleset : CI-Checks
- New analysis : ‘Multiple declare(strict_types = 1)’
- New analysis : ‘No more (unset) in PHP 8’
- New analysis : Cancel methods in parent : when methods should not have been abstracted in parent class.
- New analysis : ‘$php_errormsg is removed in PHP 8’
- New analysis : ‘Mismatch Parameter Name’ checks parameter names between inherited methods for consistency
- Upgraded analysis : ‘Useless Arguments’ is accelerated
- Upgraded analysis : ‘Don’t use Void’ weeded out false positives
- Upgraded analysis : ‘Wrong type for native calls’ weeded out false positives
- Upgraded analysis : ‘Non static methods called statically’ was refactored for PHP 8.0 support
- Upgraded analysis : ‘PHP Keywords’ includes ‘match’
- Upgraded analysis : ‘Useless instruction’ reports ‘$a ?? null’ as useless.
- Upgraded analysis : ‘Uncaught exceptions’ is extended to local variables
- Upgraded analysis : ‘Foreach favorites’ also covers the keys
- Upgraded analysis : ‘Should Preprocess’ skips expressions with constants
- Upgraded analysis : ‘Compare Hashes’ has more functions covered
- Removed analysis : ‘Normal Properties’ : no need anymore.
- Tokenizer
- Moved isPhp attribute to Task/Load plugin
- Created isExt attribute to Task/Load plugin
Version 2.1.7
2020-09-07 – zi
- Architecture
- Refactored loading class, to keep query load at optimal size for Gremlin
- GC during load to free memory
- More typehints
- Move several collections to Dump/ ruleset
- Report
- Upgraded Typesuggestion report with report on closures and arrow functions
- Added Arrowfunctions in inventories
- Added collection of arguments and details for closures and arrowfunctions
- Analysis
- New analysis : Could Be In Parent : suggest methods that should be defined in a parent
- New analysis : Don’t pollute namespace
- New analysis : report insufficient return typehints
- Upgraded analysis : ‘Method signature must be compatible’ now PHP 8.0 compatible
- Upgraded analysis : ‘Wrong type with native function’ fixes false positives
- Upgraded analysis : ‘Same condition’ added coverage for || conditions
- Upgraded analysis : ‘Missing returntype’ extended to class typehints
- Upgraded analysis : ‘Should Use This’ also covers special functions like get_class_called()
- Upgraded analysis : ‘No concat in loop’ skips nested loops
- Upgraded analysis : ‘Always false’ covers typehint usage
- Upgraded analysis : ‘NoChoice’ doesn’t report large expressions
- Upgraded analysis : ‘Dont mix PlusPlus’ skips () and =
- Upgraded analysis : ‘Fallthrough’ doesn’t report final cases without break
- Checked unit tests : 3663 / 3630 test pass (99% pass)
- Tokenizer
- Removed ‘root’ property
- Upgraded to new Attributes #[] in detection and normalisation
- Fixed constant detection within instanceof
- Created RETURN and RETURNED for Arrowfunctions (there is no return otherwise)
- Parent method also calls children methods when those are not defined there
- Support for multiple attributes in one syntax
Version 2.1.6
2020-08-28 – Night Patrol Deity
- Architecture
- More typehints coverage
- Various speed-up
- Lighter logging with gremlin
- Fixed installation path
- Report
- Upgraded Typesuggestion report
- Upgraded Stubs and Stubsjson
- Analysis
- New analysis : report PHP 8.0 unknown parameters
- New analysis : overwritten methods with different argument counts
- New analysis : Warn of iconv and TRANSLIT for portability
- New analysis : Warn of glob and {} for portability
- Upgraded analysis : ‘Useless check’ covers new situations.
- Upgraded analysis : ‘Abstract away’ now covers new calls.
- Upgraded analysis : ‘Must return Typehint’ skips Void.
- Upgraded analysis : ‘Missing new’ with less false positives
- Checked unit tests : 3559 / 3630 test pass (98% pass)
- Tokenizer
- Support for Virtualmethod and imports from traits
- Refactored Usenamespace atom
- Fixed calculations of fullnspath for static::class
- Fixed detection of null/true/false in new()
- Added support for T_BAD_CHARACTER
Version 2.1.5
2020-08-04 – Day Patrol Deity
- Architecture
- Fixed comment size estimation by 1 for T_COMMENT
- Added more typehints to code
- Report
- Typehint suggestions : added ticks to fully typed methods
- Emissary : Extract more information from dump.sqlite, instead of datastore.sqlite
- Ambassador : Added a list of parameters, defined in the application
- Ambassador : Added a list of fossilised methods
- Stubs : Added check around PHP native functions and CIT
- StubsJson : Added property for PHP native structures
- Analysis
- New analysis : Report insufficient initialisation for array_merge() collector variable
- New analysis : Report useless triple equals
- New analysis : Don’t compare typed boolean return values
- New analysis : Report wrong type used with PHP functions
- New analysis : Suggest abstracting away some PHP native functions
- New analysis : Report try blocks that are too large
- New analysis : Report variables potentially undefined in catch clause
- New analysis : Report swapped arguments in methods overwriting
- Upgraded analysis : InvalidPackFormat speed up
- Upgraded analysis : Added parameter to Security/ShouldUsePreparedStatement to choose the preparing method
- Upgraded analysis : Added parameter to Security/HardcodedPasswords to choose the name of properties/index
- Upgraded analysis : PHP 8.0 new scalar typehint, stringable interface
- Tokenizer
- Added support for named parameters (PHP 8.0)
- Trimmed some properties from atoms
- Removed non-existent atom mentions
- Added support for Attributes (WIP)
- Added support for ?->
- Added support for new T_*_NAME tokens
Version 2.1.4
2020-07-23 – Marshal of Heavenly Blessing
- Architecture
- Added time of last commit in audit results
- Added more typehints
- Upgraded PHP native method description with typehints (WIP)
- Report
- Typehint suggestion report
- New topologies : call order,
- Ambassador : new statistics for typehint usage
- Analysis
- New analysis : Report double assignation of objects
- New analysis : Typehints/CouldBe*, which makes suggestions for typehints
- New analysis : Checks for argument type when typehint is present in custom methods
- Upgraded analysis : Too Many Finds may be configured for threshold and prefix/suffix
- Upgraded analysis : Typehints stats were extended to properties and multiple typehints
- Upgraded analysis : Global outside Loop is extended to static variable too
- Upgraded analysis : ErrorMessages also detects local variable contents
- Upgraded analysis : Speed up for NullBoolean, Interfaces IsNotImplemented, InvalidPackFormat, arrayIndex, noWeakCrypto
- Checked unit tests : 3532 / 3496 test pass (99% pass)
- Tokenizer
- Removed ‘aliased’ property in atoms
- Fixed spotting of PHP native constants, when in Define() structure
- Fixed loading of false values
- Added support for the trailing comma in closure’s use expression
- more handling of phpdocs
- Null is now reused when it is a default value, as a typehint.
- Logical was split in two : Logical and Bitoperation
- Added support for match() {} expression
- Fixed boolean calculations during Load
- Removed auto-referencing in DEFAULT calculations
Version 2.1.3
2020-07-02 – Marshal of the Heavenly Canopy
- Architecture
- Removed all usage of datastore in Reports, and only rely on dump.
- ignore_rules is now case insensitive
- Moved some of the loading to a separate gremlin call to reduce the size of node load.
- Fixed the branch option with Git calls.
- Storing trait’s use expression’s options.
- Report
- Ambassador : New inventory : PHP protocol used (php, phar, glob://…)
- Stubs and StubsJson, have been tested extensively
- Analysis
- New analysis : report double assignations of the same object ($a = $b = new C)
- New analysis : report cyclic references
- Upgraded analysis : Used Constants edge situations
- Upgraded analysis : No real comparison : extended analysis to constants
- Upgraded analysis : extended detection of dynamic method calls to call_user_func*
- Upgraded analysis : paths are detected with new functions
- Checked unit tests : 3490 / 3520 test pass (99% pass)
- Tokenizer
- More phpdoc support (from code to report)
- Added isPHP to absolute FQN notations
Version 2.1.2
2020-06-25 – Mountain Deity
- Architecture
- Removed files task from initproject.
- Added ignore_rule directive, to ignore specific rules while running a specific report
- More documentation (in particular, modifications section)
- Exakat avoids returning the same results twice (file and line)
- Sped up some analysis, and added a time limit per analysis
- Removed double linking for static variables
- Report
- New reports : Stubs and StubsJson, which produce the stubs of the audited code (PHP and JSON format) (WIP)
- New report : Typehint suggestion (WIP)
- Ambassador : offers the configuration for all the rules that spotted issues in the current audit, for reuse in other codes
- Collect the number of property per class
- Analysis
- New analysis : Report methods that are too much indented on average
- New analysis : Report possible confusion between a class and an alias
- New analysis : Report variables that are static and global at the same time
- New analysis : Report statement with long blocks
- New analysis : Report phpdoc’s deprecated methods and function calls
- Upgraded analysis : Dereferencing levels now include () and =
- Upgraded analysis : Unused Methods now skips classes that call themselves dynamically
- Upgraded analysis : No Need Get_class() was refactored
- Upgraded analysis : Avoid Optional Properties was refactored
- Upgraded analysis : Variable inconsistent Usage was extended with more reach
- Upgraded analysis : Indirect Injections was upgraded with better reach with variables
- Upgraded analysis : Direct Injections was upgraded with include
- Upgraded analysis : PHP 8.0 new scalar typehint, stringable interface
- Upgraded analysis : Mismatch Type and default now avoids undefined constants
- Upgraded analysis : Wrong Optional Parameter is upgraded for PHP 8.0
- Upgraded analysis : Indentation level was refactored
- Checked unit tests : 3480 / 3510 test pass (99% pass)
- Tokenizer
- Upgraded detection of PHP native constants, when they are in absolute notation
- Dump task stores use expressions’ options, plus minor fixes
- Added support for Attributes (PHP 8.0)
- Added support for Union types (PHP 8.0)
- AtomIs step (WITH_VARIABLE) was extended with local variables
- DEFAULT doesn’t point anymore on auto-updated values
- Extended support for phpdoc in the code
- Added support for promoted properties (PHP 8.0)
Version 2.1.1
2020-06-01 – Earth Deity
- Architecture
- Using timeLimit() to prevent Gremlin from running too deep in the rabbit hole
- Added Neo4j Graphson V3 Graph driver
- Moved ‘Dump’ rules to a specific Ruleset for easier administration
- Propagated the upgrade to PHP 8.0 union types to three more rules
- Fixed access to the list of ignored files
- Added support for explicit stub files
- Fixed multiple calls to Dump (better reentrant)
- Report
- New report : Meters, which holds measures for the audited code.
- Ambassador : inventory of OpenSSL ciphers
- Analysis
- New analysis : Report unused traits
- New analysis : Report chmod 777 system calls
- New analysis : Check for keylength when generated by PHP
- New analysis : Report methods with prefix/suffix and expected typehint
- New analysis : Mark classes when they dynamically call their own methods
- New analysis : Check for constants hidden in variable names ${X} != $X;
- New analysis : Throw will be an expression in PHP 8.0
- Upgraded analysis : Dangling operator now checks for loops too
- Upgraded analysis : ‘Variables used once’ now skips variable definitions
- Upgraded analysis : ‘Access Private’ takes into account dynamic classes
- Upgraded analysis : ‘Could Centralize’ now uses a custom threshold. Default is 8 usages of an expression to centralize.
- Upgraded analysis : ‘Return true/false’ checks that they are alone in the blocks
- Upgraded analysis : ‘Unreachable code’ checks on constant values before reporting the next expression
- Upgraded analysis : ‘Magic methods’ are case insensitive
- Upgraded analysis : ‘No Hardcoded passwords’ has new functions that require a password
- Upgraded analysis : ‘Unused methods’ are omitted for dynamically called methods and overwritten methods
- Upgraded analysis : Insufficient Property Typehint also works for untyped properties
- Upgraded analysis : PHP 8.0 new scalar typehint, stringable interface
- Checked unit tests : 3383 / 3444 test pass (98% pass)
- Tokenizer
- Arguments with null as default value are automatically nullable
- Intval is also an integer for logical operations
- Default Values now omits recursive assignments
- Fixed fullnspath for PHP short tags
- Added link between new command and constructor of anonymous classes.
Version 2.1.0
2020-05-13 – City God
- Architecture
- results stored in HashResults are now testable
- Moved all query methods to Query/DSL namespace, from Analyzer class
- Report
- New report : ClassReview, with focus on classes structures
- New report : Typechecks, with focus on type hint usage
- Ambassador : Added typehint stats section
- Ambassador : fixed display of class names in the class tree
- Ambassador : some missing sections have been rehabilitated
- Analysis
- New analysis : Trailing comma in signature (PHP 8.0)
- New analysis : Hidden nullable types
- New analysis : Not implemented abstract methods
- New analysis : Report confusion between variables and arguments with arrow functions
- Upgraded analysis : No literal for reference was extended
- Upgraded analysis : Add zero is extended to constants
- Upgraded analysis : This is for classes is now valid with arrow functions
- Upgraded analysis : Useless arguments also takes constants into account
- Upgraded analysis : Wrong Type With Call supports variadic arguments
- Upgraded analysis : Extension constants now support fully qualified names
- Upgraded analysis : Bad Typehint relay is compatible with union types
- Upgraded analysis : Multiple Identical Cases now handles constants too
- Checked unit tests : 3437 / 3477 test pass (99% pass)
- Tokenizer
- Restored ‘List’ atom
- Interface methods are now ‘abstract’ by default
- Added ‘array’ typehint for variadic arguments
- Distinguish between argument and local variable in fn functions
- Removed nullable property
- propagate calls now propagates closures and arrow functions
- Added support for union types (PHP 8.0)
- Check all error messages from php, not just the first ones
Version 2.0.9
2020-04-30 – Jialan
- Architecture
- Added option in TU for analysis that won’t fill the result table.
- Reduced the number of duplicate links in the graph
- Upgraded tokens for PHP 8.0.
- Analysis
- New analysis : Don’t collect void
- New analysis : Wrongly inited properties
- New analysis : Not inited properties
- Upgraded analysis : PHP 8.0 removed functions
- Upgraded analysis : Useless instructions also include global/static variables
- Upgraded analysis : Bad Relay Function now works with return types and property types
- Upgraded analysis : ‘Scalar or object properties’ are upgraded with static calls
- Removed analysis : Classes and Arrays IsRead and IsModified. Use properties now.
- Checked unit tests : 3347 / 3420 test pass (97% pass)
- Tokenizer
- Fixed edge case for xor, with intval
- Refactored multiple calculation for cast values
- Added support for links between constants and use expressions
- Linked classes with calls, when using use expression
Version 2.0.8
2020-04-20 – Ao Run
- Architecture
- Added new information in dump.sqlite, to make report autonomous
- Analysis
- Upgraded analysis : Paths are also recognized with constants, and more functions
- Upgraded analysis : Should Use single Quotes
- Checked unit tests : 3328 / 3398 test pass (97% pass)
- Tokenizer
- Fixed detection of PHP constants
Version 2.0.7
2020-04-14 – Ao Shun
- Architecture
- Adopted strict_types
- Removed ctype1 attribute
- Moved linting into separate processes
- Refactored analysis to export to dump via SQL
- Added ‘None’ ruleset to Dump task
- Report
- Ambassador : Added Constant’s order report
- None : Added support for No report
- Analysis
- Upgraded analysis : Undefined class constants
- Upgraded analysis : Undefined global constants
- Upgraded analysis : Undefined property
- Checked unit tests : 3347 / 3420 test pass (97% pass)
- Tokenizer
- Support PHP 8.0’s tokens
- Added support for multiple typehint in the engine
- Fixed edge case for boolean type casting
Version 2.0.6
2020-03-04 – Ao Qin
- Architecture
- Refactored analysis types for first UT
- Moving to PHP 7.4 by default
- Report
- Rector : added more coverage
- All : better display of typed properties
- Analysis
- New analysis : Semantic names of arguments
- New analysis : !$a == $b
- New prototype : possibles interfaces
- Upgraded analysis : Overwritten literals now skips .=
- Upgraded analysis : Scalar or object handles return type
- Checked unit tests : 3322 / 3420 test pass (97% pass)
Version 2.0.5
2019-11-25 – Ao Guang
- Architecture
- Fixed access to severity and timetofix from compiled extension
- Report
- Ambassador : Fixed links to documentation
- Analysis
- Upgraded analysis : Mismatched Type and Default now omit undefined constants
- Checked unit tests : 3366 / 3402 test pass (99% pass)
Version 2.0.4
2019-11-18 – Army Defeating Star of Heaven’s Gate
- Architecture
- Reducing Analyzer’s class method count
- Moving more collections to Dump/ and Complete/
- Report
- Rector : added more coverage
- Ambassador : Skipped analyses are now reported, not with -1
- Ambassador : Foreach favorites’ graph is displayed
- Ambassador : Visibility suggestion has full method names
- Analysis
- Upgraded analysis : Don’t Mix ++ now skips $a[$b++]
- Upgraded analysis : Type hint stats skips some return values
- Checked unit tests : 3365 / 3401 test pass (99% pass)
Version 2.0.3
2019-11-11 – Military Star of the North Pole
- Architecture
- Added check on xdebug presence (nesting limit)
- Moving more collections to Dump/
- Analysis
- New analysis : Nullable typehint requires a test on NULL
- New analysis : Typehint that requires too much
- Upgraded analysis : Printf check on arguments works with ‘.’
- Upgraded analysis : No magic for arrays skips __get()
- Upgraded analysis : Const recommended, but not when methods are used
- Upgraded analysis : Written only variables handles compact()
- Upgraded analysis : Callbacks need returns, but not for spl_autoload_register()
- Upgraded analysis : Extended analysis to Concatenation and Heredoc for Email
- Upgraded analysis : Disconnected classes handles case sensitivity
- Checked unit tests : 3371 / 3397 test pass (99% pass)
Version 2.0.2
2019-11-04 – Danyuan Star of Honesty and Chastity
- Architecture
- Adding more typehint
- Created new class to build Dot files
- Cleaned double examples
- Dump handles multiple definitions for constants, class, trait, functions.
- Report
- Added new Topology report
- Added new Type hint topology sort
- Stubs : added class constant visibility
- Analysis
- New analysis : Report argument whose name clashes with typehint
- New analysis : Report properties that are insufficiently typed
- Moved ‘Inclusions’ to Dump/
- Added steps to find original and relayed arguments
- Tokenizer
- Fixed parallelisation bug in Load
Version 2.0.1
2019-10-28 – Military Star of the North Pole
- Architecture
- Added more return type
- Centralized reading for ini or json
- Report
- Ambassador: fixed Foreach favorites
- Ambassador: added sort to number of parameter list
- Checked unit tests : 3345 / 3377 test pass (99% pass)
- Analysis
- Upgraded xmlwriter to json
Version 2.0.0
2019-10-21 – Civil Star of Mystery and Darkness
- Architecture
- Manual file/line fixes
- More simplifications in load step
- Report
- Ambassador : fixed performance display
- Ambassador : report list of shell commands
- Typehint4all : first report
- Perfile : fixed sorting
- Analysis
- New analysis : Report possible typehint for bool, int, string, array. WIP
- Upgraded analysis : common alternatives are extended to switch and elseif
- Upgraded analysis : xmlreader description includes class constants, properties and methods.
- Upgraded analysis : callback needs return, is extended to php native functions
- Checked unit tests : 3345 / 3377 test pass (99% pass)