Modern Static Code Analysis in PHP

Modern Static Code Analysis in PHP 25 Feb 2016, Mannheim @kalessil


Introducing myself

• The author of Php Inspections (EA Extended)
  o A plugin for PhpStorm adding strong code semantics analysis
• A contributor to Symfony 1.5 and Symfony 2
  o With SCA focus, of course
• A contributor to PHP CS Fixer
  o SCA and contributed fixers
• Background is expert-level PHP/Java in the enterprise


PHP

• I love the community and hate the language itself (and not only me)
• Infrastructure around PHP is great (Composer, ZF, Symfony, Yii, hosting, etc.)
• PHP has a low entry level for new developers (hits code quality)
• PHP has 2 really important characteristics (they hit the apps' life-cycle)
  o It’s fast to get to market when you develop apps in PHP
  o It’s painful to maintain the applications that survive


Modern software

• Getting more complex with each year
  o Increases maintenance costs and complexity
  o Requires more intelligent tools
• Continuous Integration and Delivery
  o Increases costs of failures at delivery phase
  o Raises additional stability requirements for development processes
• Agile development processes
  o Affect code quality and introduce unfinished code/features
  o Require more intelligent tools


Peer2Peer review still works


But…


Really!


Let’s dig deeper…

• Code style (formatting, naming, spaghetti code)
  o Can be covered by existing (“old”) tools, so easily solvable
• Lack of API knowledge
  o Remember the low entry level of PHP
  o You have to educate people (or tools can do it right during development)
• Obviously inefficient code constructs
  o Remember the low entry level of PHP
  o Remember Agile processes
  o You have to reject this (or tools can do it right during development)
• Lack of team experience
  o That’s team work (but tools can still educate during development)


So how to simplify own life?


Or let machines work for us


Generations of SCA tools

• 1st generation
  o Eclipse and other first IDEs
  o PHP CodeSniffer
• 2nd generation
  o JetBrains IDEs + SCA plugins
  o SensioLabs Insight, Scrutinizer, SonarQube
  o Exakat, PHP CS Fixer
• 3rd generation
  o We’ll see them soon: expert systems specialized in code defects
  o SCA tools based on PHP 7 real PSI tree (currently present in JB IDEs)


Semantic Analyzers

• Php Inspections (EA Extended)
  o Targeting transition of 2nd and 3rd generation tools
  o Expert-level code reviews
  o “In-stream” analysis, when developers are not disturbed
  o Productivity booster (automated code adjustments)
  o CI usage available
  o Requires no configuration at start, just install the plugin
• Exakat
  o Targeting transition of 2nd and 3rd generation tools
  o CI/local usage available
  o Expert-level code reviews


Code Style

• Php CodeSniffer (a 1st generation tool)
  o CI/local usage available
  o Reports code style violations
  o Customizable and extendable
• PHP CS Fixer (a 2nd generation tool)
  o CI/local usage available
  o Fixes code style violations
  o Customizable and extendable


SaaS alternatives

SensioLabs Insight
• Framework/CMS centric
• Good technical debt estimation
• 2nd generation tool

Scrutinizer
• Plays nicely with Open Source
• A little bit noisy
• Based on 1st generation tools (“old” tools)


In between:

• Based on 1st generation tools
  o But “Sonar way” rules exist
  o Only reports issues
  o Requires initial configuration, or not really usable
• IDE integration
• Multi-language projects supported
  o But unfortunately not all
• Integrated metrics and code style presets


Live demonstration


Thank you!