Exakat 2.1.8 Review

Exakat 2.1.8 shines with the last warmth of summer. It is now time to start down the resolute road to PHP 8.0 and its surprise incompatibilities, or to update PHP code stubs with the upcoming attributes. During the trip, we'll stop to observe the new SARIF format, the standard for static analysis tools in PHP and everywhere else.

Enjoy the Exakat 2.1.8 Review.

Attributes support in Exakat stubs

Attributes are coming to PHP 8.0. They are a way to add metadata to coding structures, such as classes, interfaces, traits or functions. They will replace the structured PHPdoc that we have grown familiar with.

Since the final vote on the #[Attribute] syntax, PHP 8.0 attributes look like this:

// The attribute sits on the line before the declaration it annotates
#[Attribute]
class Foo {
    public string $bar;

    public function __construct(string $bar) {
        $this->bar = $bar;
    }
}

We'll see progressive adoption of attributes, as tools adapt to this new way of conveying configuration in the code. IDEs are among those tools, and we'll need new stubs to document the frameworks accurately.

Exakat provides two ways to create stubs. Stubs and StubsJson both extract all information concerning a code source, and build either a stubs.php file with all the needed PHP code, or a stubs.json file with the same information, stored in JSON format.

Indeed, internally, Exakat uses the JSON version to build the PHP version. JSON will also be used soon to provide stubs during Exakat audits, with better performance and more flexibility. We shall detail that point in an upcoming version. Some of the work in progress is already available on exakat/stubs.

New report: SARIF

Exakat 2.1.8 offers a new report, called SARIF. Static Analysis Results Interchange Format (SARIF) Version 2.0 is a standard for static analysis results.

Based on JSON, it provides a way to describe the issues that were detected during the audit: not only the precise location (file and line number), but also documentation, description, severity level and a unique identifier.

This standard is machine-oriented, and aims at reducing the gap between the formats used by every SCA tool. This is true in the PHP world, where each tool, like Psalm, Phan, noverify, etc., returns a different format. Exakat alone provides more than 30 different formats, including human-readable ones.

Using the SARIF format means that a generation of visualisation tools will appear: the SARIF viewers. Now that issues have been standardised, it is possible to collect multiple sources, display them in one GUI, and provide complementary analysis by leveraging multiple points of view on the code. Anyone looking for a project idea should take a shot at this.

If you know a SARIF viewer, let us know.

Until the phpMySarif of them all appears, we can already use the SARIF web component from Microsoft, and GitHub code scanning. Exakat's SARIF report is compatible with both of them, so it can be used with either.
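To show what consuming such a report involves, here is an added example (not Exakat's code, nor its actual output) that flattens a constructed SARIF 2.1.0 log into findings with rule id, severity, file, line and help URI, then builds a severity histogram; the tool name, rule ids, help URIs and file paths are placeholders.

```python
import json
from collections import Counter

# Constructed minimal SARIF log (not Exakat's real output; rule ids, paths and
# URIs are placeholders) carrying the pieces named above: rule documentation,
# severity level, unique rule id and file/line location.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",  # the OASIS-approved revision, as consumed by GitHub code scanning
    "runs": [{
        "tool": {"driver": {"name": "example-sca", "rules": [
            {"id": "Example/RuleA", "helpUri": "https://example.invalid/RuleA",
             "defaultConfiguration": {"level": "warning"}},
            {"id": "Example/RuleB", "helpUri": "https://example.invalid/RuleB",
             "defaultConfiguration": {"level": "error"}}]}},
        "results": [
            {"ruleId": "Example/RuleA", "level": "note",  # explicit level overrides the default
             "message": {"text": "first finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Foo.php"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "Example/RuleB",  # no level: inherit the rule's default
             "message": {"text": "second finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/Bar.php"},
                                                 "region": {"startLine": 40}}}]}]}]})


def parse_sarif(text):
    """Flatten a SARIF log into one dict per (result, location) pair."""
    findings = []
    for run in json.loads(text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            rule = by_id.get(res.get("ruleId"), {})
            # Explicit level wins; else the rule's default; else "warning" (SARIF default).
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            for loc in res.get("locations", [{}]):
                phys = loc.get("physicalLocation", {})
                findings.append({
                    "rule": res.get("ruleId"), "level": level,
                    "file": phys.get("artifactLocation", {}).get("uri"),
                    "line": phys.get("region", {}).get("startLine"),
                    "message": res.get("message", {}).get("text", ""),
                    "help": rule.get("helpUri")})
    return findings


def count_by_level(findings):
    """Severity histogram, e.g. to fail a CI gate when any 'error' remains."""
    return dict(Counter(f["level"] for f in findings))
```

The same walk works on any tool's SARIF output, which is the point of the format: one consumer for Exakat, Psalm or Phan results alike.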

Preparing for PHP 8.0

PHP 8.0 Beta 4 is out, so it is time to get ready for migration. Now that the feature freeze is past (since July, mind you), behavior changes and deprecations are being surveyed.

Exakat is already hard at work collecting those incompatibilities, which will prevent current code from migrating without changes. Although those roadblocks are not numerous, some are significant. More importantly, they can be caught now, as we speak. The list includes:

To run a quick check, use the following commands (Exakat installation, just in case).

php exakat.phar init -p myProject -R projectUrl
php exakat.phar project -p myProject 
php exakat.phar report -p myProject --format Text -T CompatibilityPHP80

The result will be displayed on the standard output, unless you pass the -f <filename> option, which saves it to a file called filename in the projects/myProject/ directory.

If you’re not already there, you may also try Compatibility74 or Compatibility73, for example.

The Weekly Audits: 2020, Week #41

Exakat includes a 'weekly' report: this report is built with a selection of five analyses. This means a short audit report, with few issues to review. That is not a lot to read, and not a lot to review in your code. Everyone in the PHP community can focus on one of the classic coding problems and fix it. Talk about the weekly audit around you: you'll find programmers facing the same challenges.

To obtain the ‘weekly’ audit, run an audit, and request the ‘Weekly’ report.

# Init the project (skip when it is already done)    
php exakat.phar init -p <yourproject> -R https://github.com/Seldaek/monolog.git -git 

# Run the project (skip when it is already done)    
php exakat.phar project -p <yourproject> 

# Export the weekly project (every Monday)    
php exakat.phar report -p <yourproject> -format Weekly 

# Open projects/<yourproject>/weekly/index.html in your browser    

Every week, you can find here 5 new analyses to review in your code. In fact, when your code is clean, you can also take a quick look at the upcoming analyses.

Weekly recommendations for PHP code review: 2020, week 2020-41

Happy PHP Code Reviews

All 407 analyzers are presented in the docs, including the truculent Invalid Pack Format. It spots invalid format strings in pack() calls. It's a rare bug, but PHP won't check the format for validity until execution, so it is worth checking beforehand.

You can check all of the Exakat reports at the gallery: exakat gallery.

Download Exakat on exakat.io, install it with Docker, upgrade it with 'exakat.phar upgrade -u' and like us on GitHub.