3 Layers of Static Code Analysis in PHP

-
Every developer should be running some form of static code analysis on their code regularly. A recent article I read about how this is done at Etsy makes for what I believe should be a minimum standard of code analysis for any team of developers work on a shared codebase. We shall assume you are committing your codebase to some form of version control on a regular basis.

The 3 layers can be summarised as:
  1. Sanity Checks
  2. Formal Checks
  3. Security Checks


Sanity and Syntax Checks


In Stage 1 we perform basically a sanity check of the code. Are there any errors, missing semi-colon's or just plain stupid things being committed to our repository and code base. This is essentially a case of running php -l against all our files being checked in or changed to make sure we catch these before they are committed and let you fix them before they are picked up by the wider team.


Formal Checks


This stage involves a more global analysis of the source code files, checking for thing such as:
  • Too many or too few arguments in a function/method call
  • Undeclared global or local variables
  • Use of return value of a function that actually returns nothing
  • Functions that have a required argument after an optional one
  • Unknown functions, methods, or base classes
  • Constants declared twice
This can be accomplished by using tools such as PHPCodeSniffer. This allows us to ensure the above are picked up, and also that our code is in compliance with our agreed coding standard. Any issues, the commit is bounced back with the opportunity to resolve before being integrated into the repository.


Security Checks


The final layer of analysis, the security checks can be more thorough and use tools to scan our code for OWASP vulnerabilities, or as Etsy do - scan the repository with Antivirus and assess for dirty URLs.

Etsy claim they use ClamAV to check for any files or bad code which might make it's way into the repo, such as MSWord or PDF files that are suspicious.  ClamAV also scans URL's and checks these against Google's Safe Browsing List to pick up on suspected Phishing or malware sites.

It is also possible to check here to ensure things like passwords aren't committed to repositories or specific naughty functions or processes are used.  This can then trigger alerts for code reviews or ping back to the developer advising to fix ASAP.


Comments

Post a Comment

Popular posts from this blog

Navigating the Jungle of Web Traffic: A Technical Team Lead's Guide to "I'm a Celebrity, Get Me Out of Here"

-
"I'm a Celebrity, Get Me Out of Here" has become a cultural phenomenon, captivating audiences worldwide with its thrilling challenges and celebrity antics. As a Technical Team Lead, preparing for the surge in traffic during the show's broadcast is akin to navigating a dense jungle of user interactions. In this article, we'll explore the strategies and considerations that technical teams can employ to ensure a seamless online experience while aligning with marketing promotions. 1. Assessing the Infrastructure: Before the chaos ensues, evaluate your web infrastructure. Ensure that servers are optimized, databases are finely tuned, and CDN (Content Delivery Network) configurations are robust. Conduct load testing to simulate peak traffic and identify potential bottlenecks. This step is crucial for preventing server crashes and maintaining site performance under increased load. 2. Scalability and Elasticity: Consider implementing auto-
Read more

TCP Handshake over IPv6

-
The internet we know today heavily relies on TCP/IP to send our information around the world at lightspeed.  With more devices than ever connected to the internet (insert link to back this up, it sounded cool), using IPv4 we're soon going to run out of addresses.  And in fact if it weren't for technologies such as NAT we'd be in a stickier situation than we already are.   In preperation of running out of IP addresses, IPv6 was mustered up around 1998 by the IETF, a 128-bit addressing convention vs the old IPv4 32-bit addressing. So that means IPv6 has been around quite a while now.  Almost 20 years, yet still IPv4 is all the rage.  Perhaps us techies have trouble letting go of what we know.   I mean why set up an AAAA record, when you only need to set up an A record right?  Why configure DNS to use   2001:4860:4860:0000:0000:0000:0000:8888 or 2001:4860:4860::8888 when you can just use 8.8.8.8 right?  Well yeah, let's save all that for another article, once I've h
Read more

The Vital Importance of Secure Wi-Fi Networks

-
In today's digitally interconnected world, Wi-Fi has become an indispensable part of our daily lives. From homes to businesses, coffee shops to airports, we rely heavily on wireless networks to stay connected. However, amidst the convenience and ease that Wi-Fi brings, security should never be taken lightly. In this blog post, we'll delve into the critical importance of using secure Wi-Fi networks and the potential risks associated with neglecting this aspect of our online lives. The Threat Landscape First and foremost, let's address the ever-looming threats that exist in the digital realm. Unsecured Wi-Fi networks are a goldmine for cybercriminals, as they provide an easy entry point to intercept sensitive data. When you connect to an open, unencrypted Wi-Fi network, your data becomes vulnerable to eavesdropping and interception. Malicious actors can capture login credentials, personal information, and even financial details, putting you at risk of identity theft, financi
Read more