The audit report contains several parts: the main part is the diagnostic, and the secondary part is the appinfo. Let’s review them.

The diagnostic

The diagnostic collects all the information in the code that needs to be reviewed, and probably fixed. The diagnostic has 3 parts: the dashboard, the full list and the detailed report.

The dashboard comes first. It gives an overview of the situation, including report severities and the top 5 issues to fix.


Second come the analyzer result counts, which display all the results with their severity and number of occurrences. One may choose to review code by name, severity, count or both. A low count means that a small number of fixes will remove a report at the next run; on the other hand, high severity means that big problems will be fixed, even if it takes a long time to fix them. The choice depends on how the project is evolving.


Then, all reports that yielded results are listed in the summary. Each has a link to the documentation, the name of the file relative to the project root, and the line where it appears. The code shown is a standardized representation; it lacks the actual presentation of the source script. This is the starting point for finding the issues and fixing them.

Most of the time, one will follow such a list: understand the issue at stake (here, it is recommended not to use a function call such as strlen($search) in the loop condition; rather, pre-calculate the length of the loop in $nb = strlen($search) and then compare the loop index $i to $nb). Then, one may review all the situations, provide the adapted fix, and commit the whole.
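As an added example (not the audit tool's own code), here is a small PHP detector for the pattern flagged above, a function call evaluated in a for-loop condition, followed by the recommended rewrite; the countDots sample it scans is constructed for this illustration.

```php
<?php
// Added example (not the audit tool's code): find function calls evaluated
// in a for-loop condition, the pattern flagged above, then show the fix.
// Constructed sample of an audited script: strlen() runs on every iteration.
$sample = <<<'SRC'
<?php
function countDots(string $search): int {
    $found = 0;
    for ($i = 0; $i < strlen($search); $i++) {
        if ($search[$i] === '.') { $found++; }
    }
    return $found;
}
SRC;

// Returns "line: function" for each call found between the first and
// second ';' of a for(...) header, i.e. in its condition part.
function findCallsInForCondition(string $code): array
{
    $hits   = [];
    $tokens = token_get_all($code);
    $n      = count($tokens);
    for ($k = 0; $k < $n; $k++) {
        if (!is_array($tokens[$k]) || $tokens[$k][0] !== T_FOR) { continue; }
        $semis = 0;                                  // ';' seen in this header
        for ($j = $k + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === ';') {
                if (++$semis === 2) { break; }       // condition part is over
                continue;
            }
            // An identifier directly followed by '(' is a function call.
            if ($semis === 1 && is_array($t) && $t[0] === T_STRING
                && isset($tokens[$j + 1]) && $tokens[$j + 1] === '(') {
                $hits[] = $t[2] . ': ' . $t[1];      // e.g. "4: strlen"
            }
        }
    }
    return $hits;
}
print_r(findCallsInForCondition($sample));

// The rewrite the report recommends: compute the length once, outside the loop.
function countDotsFixed(string $search): int {
    $found = 0;
    $nb = strlen($search);
    for ($i = 0; $i < $nb; $i++) {
        if ($search[$i] === '.') { $found++; }
    }
    return $found;
}
```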


Here is another example, with all the compilation errors found in the code, covering all versions of PHP from 5.3 to 5.6.

The Appinfo()

The Appinfo part is a close relative of phpinfo(). It lists many PHP and CS features used in the application. All those points are informational, and only mention what is in the code.


This is a good starting point for getting feedback on the code: sometimes, features are used in the code when no one expected it. Why does the code use both include_once and autoload? (include() should be sufficient if autoload is outsourced.) Or how come a blogging tool makes use of the infamous eval() function? This generates questions and new clues to check in order to keep the code under control.


Last, the report holds the documentation, which is linked from the detailed reports and provides more information on why the code has been spotted and how to change it. The report is also introduced with a short presentation and details about its version and configuration.