Modern Static Code Analysis in PHP

Posted on 21-Jan-2017

25 Feb 2016, Mannheim. @kalessil

Introducing myself
• The author of Php Inspections (EA Extended)
  o A plugin for PhpStorm adding strong code semantics analysis
• A contributor to Symfony 1.5 and Symfony 2
  o With SCA focus, of course
• A contributor to PHP CS Fixer
  o SCA and contributed fixers
• Background: PHP/Java expert level in Enterprise


PHP
• I love the community and hate the language itself (not only me)
• Infrastructure around PHP is great (Composer, ZF, Symfony, Yii, hosting, etc.)
• PHP has a low entry level for new developers (hits code quality)
• PHP has 2 really important characteristics (hits the application life-cycle)
  o It's fast to go to market when you develop apps in PHP
  o It's painful to maintain applications that survived

Modern software
• Getting more complex with each year
  o Increases maintenance costs and complexity
  o Requires more intelligent tools
• Continuous Integration and Delivery
  o Increases the cost of failures at the delivery phase
  o Raises additional stability requirements for development processes
• Agile development processes
  o Affects code quality and introduces unfinished code/features
  o Requires more intelligent tools

Peer2Peer review still works

But…

Really!

Let's dig deeper…
• Code style (formatting, naming, spaghetti code)
  o Can be covered by existing ("old") tools, so easily solvable
• Lack of API knowledge
  o Remember the low entry level of PHP
  o You have to educate people (or tools can do it during development)
• Obviously inefficient code constructs
  o Remember the low entry level of PHP
  o Remember Agile processes
  o You have to reject this (or tools can do it during development)
• Lack of team experience
  o That's team work (but tools can still educate during development)

So how to simplify our own lives?

Or let machines work for us

Generations of SCA tools
• 1st generation
  o Eclipse and other first IDEs
  o PHP CodeSniffer
• 2nd generation
  o JetBrains IDEs + SCA plugins
  o SensioLabs Insight, Scrutinizer, SonarQube
  o Exakat, PHP CS Fixer
• 3rd generation
  o We'll see them soon: expert systems specialized in code defects
  o SCA tools based on a real PHP 7 PSI tree (currently present in JetBrains IDEs)

Semantic Analyzers
• Php Inspections (EA Extended)
  o Targeting the transition from 2nd to 3rd generation tools
  o Expert-level code reviews
  o "In-stream" analysis, so developers are not disturbed
  o Productivity booster (automated code adjustments)
  o CI usage available
  o Requires no configuration at start, just install the plugin
• Exakat
  o Targeting the transition from 2nd to 3rd generation tools
  o CI/local usage available
  o Expert-level code reviews

Code Style
• PHP CodeSniffer (a 1st generation tool)
  o CI/local usage available
  o Reports code style violations
  o Customizable and extendable
• PHP CS Fixer (a 2nd generation tool)
  o CI/local usage available
  o Fixes code style violations
  o Customizable and extendable

SaaS alternatives
SensioLabs Insight
• Framework/CMS centric
• Good technical debt estimation
• 2nd generation tool

Scrutinizer
• Plays nicely with Open Source
• A little bit noisy
• Based on 1st generation ("old") tools

In between:
• Based on 1st generation tools
  o But "Sonar way" rules exist
  o Only reports issues
  o Requires initial configuration, otherwise not really usable
• IDE integration
• Multi-language projects supported
  o But unfortunately not all
• Integrated metrics and code style presets

Live demonstration

Thank you!