Static code analysis tools
To celebrate the reawakening of the dev forum, I thought I'd air something I've been pondering and experimenting with for a while.
What is our feeling about static analysis tools as part of the developer workflow?
We already install PHP Code Sniffer and PHP Mess Detector as part of the dev dependencies in composer, but afaik it's not much in use.
I have tried to create a coding standard for PHPCS that aligns fairly closely with the current coding conventions in the core project. Essentially just turning off a lot of the checks from the "Generic" standard, and making some tweaks.
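As an added illustration of that approach (a hypothetical ruleset I'm sketching here, not the standard from the post), this is what a PHPCS ruleset that starts from "Generic" and switches checks off looks like. The paths, the assumption that the project indents with spaces, and the list of excluded sniffs are placeholders; the sniff and property names are real PHP_CodeSniffer ones.

```xml
<?xml version="1.0"?>
<!-- Hypothetical PHPCS ruleset (example only, not the project's own standard).
     Starts from the full Generic standard, removes the sniffs that clash with the
     project's existing conventions, then tightens a few security-relevant checks. -->
<ruleset name="ProjectStandard">
    <description>Generic standard trimmed to the project's existing conventions.</description>

    <!-- Assumed layout: scan src/ and tests/, never third-party code in vendor/. -->
    <file>src</file>
    <file>tests</file>
    <exclude-pattern>*/vendor/*</exclude-pattern>
    <arg name="extensions" value="php"/>
    <arg name="colors"/>
    <!-- s = print the sniff name next to each message, p = show progress -->
    <arg value="sp"/>

    <rule ref="Generic">
        <!-- Generic ships mutually contradictory sniffs; keep exactly one of each pair.
             Assumption: the project indents with spaces and ends files with a newline. -->
        <exclude name="Generic.WhiteSpace.DisallowSpaceIndent"/>
        <exclude name="Generic.Files.EndFileNoNewline"/>
        <exclude name="Generic.Arrays.DisallowShortArraySyntax"/>
        <!-- Checks that conflict with the existing conventions (assumed). -->
        <exclude name="Generic.Files.LowercasedFilename"/>
        <exclude name="Generic.Commenting.Todo"/>
    </rule>

    <!-- Tweak: warn above 120 columns, never error on length alone. -->
    <rule ref="Generic.Files.LineLength">
        <properties>
            <property name="lineLimit" value="120"/>
            <property name="absoluteLineLimit" value="0"/>
        </properties>
    </rule>

    <!-- Flag functions that regularly turn into bugs or vulnerabilities so that
         every use gets a deliberate review; value is the suggested alternative. -->
    <rule ref="Generic.PHP.ForbiddenFunctions">
        <properties>
            <property name="forbiddenFunctions" type="array">
                <element key="unserialize" value="json_decode"/>
                <element key="extract" value="null"/>
                <element key="create_function" value="null"/>
            </property>
        </properties>
    </rule>
    <!-- The @ operator hides errors that should be handled or logged. -->
    <rule ref="Generic.PHP.NoSilencedErrors"/>
</ruleset>
```

Save it as `phpcs.xml` in the project root and `vendor/bin/phpcs` will pick it up without a `--standard` argument; `phpcs -e --standard=Generic` lists every sniff in Generic so you can decide what else to exclude.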
While it is a bit noisy, I think it for the most part gives useful feedback.
I have set up my editor to pick up both the PHPCS config and PHPMD when it's present, so it will show notifications from both of these directly in the file when saving. I've found this useful to catch mostly petty mistakes, and style issues.
PHPCS and PHPMD are mostly about style and conventions, but will also catch simple mistakes. They will sometimes give incorrect advice though, as they pretty much only analyse the current file without importing dependencies and includes.
I've also experimented a bit with Psalm, which is a much more comprehensive tool focusing on actual coding mistakes and potential vulnerabilities. It analyses the entire code base, so creating the initial analysis can take quite some time. Once that is done however, it's quite responsive.
Psalm also includes a language server for PHP, so it's a great addition for jumping directly to definitions of functions, variables, classes etc from their call site, or simply hovering their definition where they are used.
I've also done some brief experiments with PHPStan, which also seems like a fairly comprehensive static analyser able to find actual bugs and potential vulnerabilities in the code. It's also very actively maintained.
In my first trials it found a lot of issues in the code, so my personal take is that it may be too picky for us at this time. (It may be possible to configure it to be less strict, though.)
Personally I think these tools are helpful, and can help us emerge towards a consistent coding style, and help uncover bugs early in development.
What do the rest of you think?
Tags: static analysis, phpcs, psalm, phpmd, phpstan