Exakat 1.4.4 review

Exakat 1.4.4 review

Exakat 1.4.4 review

This week’s version includes a lot of under-the-hood work. We have worked on eliminating several internal analysis, such as ‘Used Classes’, which provides the basis for ‘Unused Classes’ : Unused classes are classes that are not used (sic), and used classes comes in a surprising number of situations : new, ::, use, etc. Those elimination lead to better performances : less work to do, less database storage and fewer dependencies. Besides that, we added support for ext/seaslog extension, revamped the PHP directive report for disable\_functions and disable\_classes and passed the 3000 Unit Test limit. Exakat 1.4.4 review, and that’s the way it is.

Report disable_functions/disable_classes

Exakat reports a comprehensive list of the important PHP directives that should be set in php.ini. By auditing the code, exakat detects all the used features, and extracts from them the list of directives that have an impact.

disable\_functions and disable\_classes are slightly different for that : they list PHP native functions and classes that should be removed and not made available. Usually, if you want to avoid including some PHP features, because you don’t use them, then you simply ignore them at compile time.

Yet, there is also a classic situation : instead of compiling PHP yourself, you rely on a standard binary, whether provided by your OS distribution, or vetted by your company. At that point, compilation is done, and the binary should be used as is, without modification.

At that point, you end up with a binary that supports several databases and PHP sockets, while your code has no use of them. In fact, in case a vulnerability is exploited, this is going to extend the possibilities of the intruder by giving it more capabilities.

This is where disable\_functions and disable\_classes have their usage : they hold a list of PHP native functions that are barred from being used. Even if compiled, they won’t be authorized.

As a security measure, it is a good idea to exclude those functions and classes. Here is a list of PHP functions and classes that you can consider.

  • exec
  • passthru
  • shell_exec
  • system
  • proc_open
  • proc_nice
  • proc_terminate
  • procgetstatus
  • proc_close
  • popen
  • pclose
  • curl_exec
  • curlmultiexec
  • show_source
  • symlink
  • fsockopen
  • pfsockopen
  • socket_connect
  • socketcreatelisten
  • socketcreatepair
  • socket_create
  • symlink
  • mail
  • apachechildterminate
  • apachegetmodules
  • apachegetversion
  • apache_getenv
  • apache_note
  • apache_setenv
  • pcntl_alarm
  • pcntl_errno
  • pcntl_exec
  • pcntl_fork
  • pcntlgetlast_error
  • pcntl_getpriority
  • pcntl_setpriority
  • pcntlsignaldispatch
  • pcntl_signal
  • pcntl_sigprocmask
  • pcntl_sigtimedwait
  • pcntl_sigwaitinfo
  • pcntl_strerror
  • pcntl_wait
  • pcntl_waitpid
  • pcntl_wexitstatus
  • pcntl_wifexited
  • pcntl_wifsignaled
  • pcntl_wifstopped
  • pcntl_wstopsig
  • pcntl_wtermsig
  • dl
  • leak
  • posix_kill
  • posix_mkfifo
  • posix_setpgid
  • posix_setsid
  • posix_setuid

Classes

  • phar

Note that eval is not in this list, although it would probably be one of the first to be there. eval is not a PHP function, but a language construct : it can’t be disabled with a directive.

As a performance measure, the longer the lists, the slower is PHP. Check the actual impact on your performances, and ideally, compile PHP with a smaller set of features : less code, less vulnerabilities.

Passing 3000 Unit Tests

Exakat’s analysis has now more than passing 3000 Unit Tests. Those unit tests are added whenever a new analysis is build, just like documentation.

So, the minimum test is 1, and the maximum is 22 : this is for Useless Instructions, which tends to have quite a lot of variations and special cases. The average number of tests is 2.26.

 

There are also 11469 assertions : each test covers more than one situation. Sometimes, multiple situations may be collected in one test, without disturbing each other. Others, they must be split, leading to more tests. Just like for tests, more assertions, the better.

What we want, what we don’t want

Unit tests for analysis have two sides : they always include what we are expecting from the analysis, and also, what we are not expecting. In fact, that second element could be rephrased as : ‘what we want not to avoid’.

Each test is actually built with a subtle mix of patterns that we want to find in code, and patterns of what we want to avoid. You can always recommend merging two str_replace() into one, when they work on the same variable, but what to do with those str_replace() are three or four ? We shall only report the first, and not the intermediate one. All those situations are better mentioned than not.

As usual, the list of wanted is a lot shorter than the list of unwanted : after all, we can list a very long list of elements that should not be reported by the analysis. As a rule of thumb, a short list of unwanted it generated at writing time, and this list is augmented with anything a test find when it fails. Usually, after two or three iterations, the unwanted list stabilize and get quiets.

Older analysis, more UT

One interesting point is that older analyses have more tests. As one analysis get older, more situations are identified, and they end up as tests : that way, any refactoring will keep being warned that those are important to remember. This is not a rigorous rule : some analyses are simple enough to require one UT, and be stable for ages. But, generally speaking, older means more UT, means more experience and know-how.

Following the number of tests

Anytime the full set of UT is run, a CSV file collect the current number of tests being run. That gives some general view of the number of tests, and its evolution. We like to go with the motto : more tests, the better. Those are important to build trust with the engine.

Support new extension : seaslog

Seaslog is ‘An effective,fast,stable log extension for PHP’, by Chitao.Gao. It is PSR-3 compliant, and focuses on performances.

Happy PHP code reviews

All the 357 analyzers are presented in the docs, including the worried Should Use Coalesce: PHP 7 introduced the ?? Operator, which replaces longer structures to set default values when a variable is not set.

It is a routine code modernisation, which affects 54% of PHP projects. Don’t use yesterday features, and adopt it now!

You can check all of the exakat reports at the gallery: exakat gallery.

Download Exakat on exakat.io, install it with Docker, upgrade it with ‘exakat.phar upgrade -u’ and like us on github.