Code auditing

Exakat 1.9.4 Review

Posted on by dams

Exakat 1.9.4 review

Exakat 1.9.4 has a new harvest of new code reviews to make PHP code better and better : rules for PHP 7.4, whose Compatibility PHP 7.4 ruleset now has 21 rules; rules for backward compatibility; inventory of structures nesting and dimensions for arrays; rules for ?? and . precedence. We also introduced a new report, ‘Stubs’. 

There are two motives for reading the Exakat 1.9.4 review; one, that you enjoy it; the other, that you can boast about it.

Quick Run for PHP 7.4 Compatibility

By default, Exakat runs all necessary rules for generating the Ambassador report. And, sometimes, Exakat must run only for one special aspect, such as migration to PHP 7.4. 

There are two places to configure the expected reports : command line and config.ini

  • command line: when invoking exakat with the project command, you may use the -format option to request any special report. It is possible to use the option multiple times, to produce several reports.
php exakat.phar project -p exakat -format Migration74
  • config.ini: in the projects/<name>/config.ini file, add the project_reports[] line, with the name of the report. Repeat the process for each report. With this configuration, there is no need to use the -format option in command line
;projects/<name>/config.ini
project_reports[] = 'Migration74';

In command line : php exakat.phar project -p exakat

Since Ambassador is the largest report available, running one single audit with a smaller report is faster. Yet, Ambassador also comes with the ability to produce other reports, even when the audit is finished; for smaller reports, this is not always the case.

The documentation has the full list of reports

Coalesce and Concatenation precedence

Coalesce was introduced in PHP 7.0, with the operator ??. It will also be upgraded to an assignment operator in PHP 7.4, with ??=

Coalesce is a way to provide a default value, when a variable is not set. For example, here, $a is created with the value of $b, and if $b is not available (read null), 

<pre class="wp-block-syntaxhighlighter-code">
&lt;?php

$a = $b ?? 'b';

?>
</pre>

This is a very convenient way to ensure a variable always have a valid value. 

Problems happen with the same expression is used in combination with concatenation. Such as this ; 

<pre class="wp-block-syntaxhighlighter-code">
&lt;?php

$a = 'a' . $b ?? 'b' . 'c';

?>
</pre>

There are two fallacies here : the first is that $b is used by the coalesce operator. In fact, since concatenation has a higher precedence, 'a' . $b is actually used. And this is never NULL, because of the literal string. So, the second part of the operator is never used, and this is mostly a strange @ operator (?? hides errors while it checks the variable).

The second part of the coalesce is also a fallacy here : it is not 'b', but 'b' . 'c'. Again, concatenation has precedence, and the second argument of the coalesce is actually 'bc', even if it is build with a concatenation. To check it, just try the following code : 

<pre class="wp-block-syntaxhighlighter-code">
&lt;?php

$a = $b ?? 'b' . 'c' . 'd' . 'e' . 'f';

?>
</pre>

This will assign $b or 'bcde' to $a, and nothing else.

In doubt, use parenthesis to ensure that the expected order in the expression is the right one. Or avoid combining concatenation and coalesce operators : it will be longer to write, but safer.

How Deep Is Your Code?

Object Calisthenics recommends no more than one level of indentation. No nested if then, or nested loops. I meet companies which are enforcing a strict level of 2 maximum. Others differs, and set the bar at 4 or 5. 

So, how deep is your code ? Exakat 1.9.4 introduces two features to track them : first, Max Level Of Nesting, which spots methods, functions, closures or arrowfunctions (coming with PHP 7.4), with more than 4 levels of nesting. All structures that introduce a new sequence are noted : if..then, for, foreach, do..while, while, switch. And a closure is always distinct of its parent method.

The acceptable level of nesting may be configured by using the maxLevel parameter.

4 levels are quite large, and will only catch the worst offenders. Just like for the number of arguments, it is the natural limit where most coders will start wondering if it is reasonable. You may very well decide to use a lower level, as a coding convention.

If you’re still wondering how deep is your code, you’ll get a panoramic view of it with the Ambassador report (Exakat’s default report) : in the section ‘Audit logs’, a new section was added with indentation levels. It shows the repartition of code lines, by levels. 

This will help decide what level of nesting is reasonable for your application. 

The Weekly Audits: 2019, Week #37

Exakat includes a ‘weekly’ report: this report is built with a selection of five analyses. This means a short audit report, with few issues to review. This is not a lot to read them, and review them in your code. Everyone in the PHP community can focus on one of the classic coding problems and fix it. Talk about the weekly audit around you: you’ll find programmers facing the same challenges.

To obtain the ‘weekly’ audit, run an audit, and request the ‘Weekly’ report.

# Init the project (skip when it is already done)    
php exakat.phar init -p <yourproject> -R https://github.com/Seldaek/monolog.git -git 

# Run the project (skip when it is already done)    
php exakat.phar project -p <yourproject> 

# Export the weekly project (every Monday)    
php exakat.phar report -p <yourproject> -format Weekly 

# Open projects/<yourproject>/weekly/index.html in your browser

Every week, you can find here 5 new analysis to review in your code. In fact, when your code is clean, you can also take a quick look at the upcoming analysis. 

Weekly recommendations for PHP code review : 2019, week 2019-37

  • Multiply By One : Multiplying by 1 is a fancy type cast.
  • Implicit Global : Global variables, that are used in local scope with global keyword, but are not declared as global in the global scope.
  • Could Use Try : Some commands may raise exceptions.
  • Unresolved Use : The following use instructions cannot be resolved to a class or a namespace.
  • Identical Conditions : These logical expressions contain members that are identical.

Happy PHP Code Reviews 

All the 374 analyzers are presented in the docs, including the ordinary Multiply By One: Multiplying by 1 is a fancy type cast.

This is an unusual bug, with more than 17% of chance to appear. 

You can check all of the Exakat reports at the gallery: exakat gallery.

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on github.