How to perform static code analysis in php? [closed]
-
22-08-2019 - |
Question
Is there an static analysis tool for PHP source files? The binary itself can check for syntax errors, but I'm looking for something that does more, like:
- unused variable assignments
- arrays that are assigned into without being initialized first
- and possibly code style warnings
- ...
Solution
Run php in lint-mode from the command line to validate syntax without execution:
php -l FILENAME
Higher-level static analyzers include:
- php-sat - Requires http://strategoxt.org/
- PHP_Depend
- PHP_CodeSniffer
- PHP Mess Detector
- PHPStan
- PHP-CS-Fixer
- phan
Lower-level analyzers include:
- PHP_Parser
- token_get_all (primitive function)
Runtime analyzers, which are more useful for some things due to PHPs dynamic nature, include:
- Xdebug has code coverage and function traces.
- My PHP Tracer Tool uses a combined static/dynamic approach, building on Xdebug's function traces.
The documentation libraries phpdoc and doxygen perform a kind of code analysis. Doxygen, for example, can be configured to render nice inheritance graphs with graphviz.
Another option is xhprof, which is similar to xdebug, but lighter, making it suitable for production servers. The tool includes a PHP-based interface.
OTHER TIPS
Unitialized variables check. Link 1 and 2 already seem to do this just fine, though.
I can't say I have used any of these intensively, though :)
For completeness -- also check phpCallGraph.
PHP Mess Detector is awesome and fast.
I have tried using $php -l and couple other tools. However the best one in my experience (YMMV, of course) is scheck of pfff toolset. I heard about pfff on Quora (http://www.quora.com/Is-there-a-good-PHP-lint-static-analysis-tool)
You can compile and install it. There are no nice packages (on my mint Debian, I had to install libpcre3-dev, ocaml, libcairo-dev, libgtk-3-dev and libgimp2.0-dev dependencies first) but it should be worth an intsall.
The results are reported like
rjha@mint ~ $ ~/sw/pfff/scheck ~/code/github/sc/
login-now.php:7:4: CHECK: Unused Local variable $title
go-automatic.php:14:77: CHECK: Use of undeclared variable $goUrl.
See Semantic Designs' CloneDR, a "clone detection" tool that finds copy/paste/edited code. It will find exact and near miss code fragments, in spite of whitespace, comments and even variable renamings. A sample detection report for PHP can be found at the wesite. (I'm the author).
The NetBeans IDE checks for syntax errors, unusued variables and such. It's not automated, but works fine for small or medium projects.
There a new tool called nWire for PHP. It is a code exploration plugin for Eclipse PDT and Zend Studio 7.x. It enables real-time code analysis for PHP and provides the following tools:
- Code visualization - interactive graphical representation of components and associations.
- Code navigation - unique navigation view shows all the associations and works with you while you write or read code.
- Quick search - search as you type for methods, fields, file, etc.
PHP PMD (project mess detector) and PHP CPD (copy paste detector) as the former part of PHPUnit
There is RIPS - A static source code analyser for vulnerabilities in PHP scripts. Sources of RIPS available at SourceForge.
From the RIPS site:
RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by userinput (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
There is absolutely new tool for static code analysis called PHP Analyzer.
Among many types of static analysis it also provides basic auto-fixing functionality, see documentation.
UPDATE: PHP-Analyzer is now deprecated project but you still can access it on legacy branch
You may want to try compiling with Facebook's hiphop.
It does a static analysis on the entire project, and may be what you're looking for.