Exakat 1.1.5 has a few upgrades for the reports and several under-the-hood enhancements. Such updates are important, as they pave the way for more important future updates, though they are usually not visible. This week, we added a new security report based on OWASP, removed the old ‘Devoops’ report, upgraded the ‘confusing variable’ report in Ambassador, and added support for the HRtime extension. Ready? Let’s review Exakat 1.1.5.
New OWASP report
No need to introduce the OWASP top 10, which is the ultimate reference for web security. Exakat also includes security analysis, searching for injections in the code.
The security analyses are included in the default Ambassador report, and now they also have their own dedicated report. For each section of the OWASP top 10, a grade from A to F is provided.
As you can see, some sections of the report are not available: for example, A9 reports usage of libraries with known vulnerabilities. This is not a part of the analysis, and is better done with a database of PHP security advisories.
Also, we included an extra section with the analyses that we include in security, but that do not fit in another section of the top 10. Maybe we’ll see some of those analyses migrate to the top 10 in the coming years.
HRtime is a PECL extension that implements high-resolution timing in PHP. Instead of using microtime() to clock operations, HRtime offers a StopWatch class that can work down to the nanosecond.
<?php
$c = new HRTime\StopWatch;
$c->start();
/* measure this code block execution */
for ($i = 0; $i < 1024*1024; $i++);
$c->stop();
$elapsed0 = $c->getLastElapsedTime(HRTime\Unit::NANOSECOND);
?>
Removed old report
If you noticed that Exakat has shrunk by about 13 MB this week, it’s because of the removal of the old report called ‘Devoops’. That report was the initial report we built, and it was replaced in 2015 by Ambassador as the flagship report. It is now considered too old to be compatible with the current versions anymore.
Exakat has a ‘confusing variable’ analysis, that looks for variables with similar names: similar is defined in no fewer than four ways. A Levenshtein distance of 1, case-only differences, underscore-only differences and digit-only differences.
$myVariable is thus considered confusing if the following variables are also used: $myVariable01. Confusing-looking variables lead to badly assigned values, and badly implemented code.
The analysis searches for variables across the code, without grouping by context. If $db is the database link in one part of the code, why is it that the same connection is also called $_db and $DB in other parts?
In Tuleap, we can find:
- $filetype and $filetype;
- $lang and $_lang;
- $rowtrovecat and $rowtrove_cat.
Some false positives are possible here: for example, $now, $row and $low are all very close, yet probably different enough to be distinct. Semantic issues may be reported: they will be, until we include an English dictionary in Exakat.
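As an added illustration of the four similarity rules (example code written for this review, not Exakat’s own analyzer), here is a small Python detector that runs them over a constructed PHP snippet. The variable names in the snippet are made up, and the $now / $row / $low false positive from the paragraph above shows up as expected:

```python
import re
from itertools import combinations

# Constructed PHP snippet (not from the post) to run the checks over.
SAMPLE_PHP = """<?php
$db = connect();
$_db = $db;          // underscore-only difference from $db
$DB = $db;           // case-only difference from $db
$now = time();
$row = fetch($DB);   // $now / $row / $low: Levenshtein distance 1
$low = 1;
$rowtrovecat = 1;
$rowtrove_cat = 2;   // one underscore away, so two rules match
$myVariable = 0;
$myVariable01 = 1;   // digit-only difference
"""
VAR_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')

def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# The four similarity rules from the post; a pair may match more than one.
RULES = {
    'levenshtein': lambda a, b: levenshtein(a, b) == 1,
    'case': lambda a, b: a.lower() == b.lower(),
    'underscore': lambda a, b: a.replace('_', '') == b.replace('_', ''),
    'digit': lambda a, b: re.sub(r'\d', '', a) == re.sub(r'\d', '', b),
}

def extract_variables(php):
    """Every distinct variable name in the code, with no grouping by context."""
    return sorted(set(VAR_RE.findall(php)))

def confusing_pairs(names):
    """Return (a, b, [rules matched]) for every pair of names that looks alike."""
    found = []
    for a, b in combinations(names, 2):  # names are distinct, so a != b
        reasons = [rule for rule, test in RULES.items() if test(a, b)]
        if reasons:
            found.append((a, b, reasons))
    return found

for a, b, why in confusing_pairs(extract_variables(SAMPLE_PHP)):
    print(f'${a} / ${b}: {", ".join(why)}')
```

Pairs such as $_db / $db are reported by two rules at once, which is a hint that the report should deduplicate by pair rather than by rule.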
PHP minor versions upgraded to 7.2.2 and 7.1.4
Two new minor versions were introduced last week, and Exakat now includes the list of impacted functions in your code.
We also prepared for the future PHP 7.3, with a new feature: the list() expression is now able to handle references. This means that the right-hand array must be stored in a variable, and can’t be a literal. Then, the variables in the left operand are references to the corresponding values in the original array.
<?php
$a = [1, 2, 3];
[$b, &$c] = $a;
?>
Can’t wait for this version? This won’t be backward compatible, so keep it in mind for the future.
Happy PHP code reviews
Exakat 1.1.5 works harder than ever to find suspicious code that needs review and refactoring. The new analysis ‘Use Math’ aims at helping us use the right mathematical tool in the code. Too often, we can find:
<?php
$a = 3;
$a += $a; // Should be $a *= 2;
$a *= $a; // Should be $a **= 2;
?>
Do you know other math expressions that are available and underused? Send us a note on Twitter (@exakat) or on the Slack channel: we’ll be happy to discuss it.
All the 340+ analyzers are presented in the docs, including the embarrassing ‘Use random_int()’: rand(), mt_rand(), uniqid(), microtime() and countless others should be replaced with random_int(). It’s a quite common bug, rating at 40%.