So we've got so many people trying to do some automated code review, right? Yeah, yeah, you have no time to do code reviews; you expect something else to do it. Have you ever tried to do a code review with an elephant? No? They're very mean. They're very mean, but there are so many of them actually. That's why I started working on static analysis. So we're happy to see that there are so many people here tonight.

We're going to spend the hour trying to review code without actually reading it, giving that to PHP itself and having it give us a number of insights on what's in the code. So there will be two main parts. In the first one I'm going to give you a number of theoretical details on how a static analyzer works. Maybe not all of them, because I know there are several authors of static analyzers here. I think we can count you as one, maybe? Yeah, somewhat. There's Andre, there's... several of you do some, so I really have to watch my language tonight. Pardon my French. And then in the second part, after I'm done boring you with the theoretical details, we'll dive into actual practical applications and what it can do for you. I actually have a list of 68 of them, and we have 60 minutes, right? That's going to be fast.

So for those of you who don't know me, I'm actually the official travel agent of the oldest elePHPant over there. Yeah, we bring it a bit everywhere, not exactly this one but another one of the thousands. Besides that I also do static analysis as a CTO every day, so that's exactly where my experience is coming from and what I'm going to explain to you tonight.

Besides doing the audit itself, you have probably found yourself, unless you're a CTO, in the position where you're coding, you know, a brand-new technology, and then you have this specific line of code, maybe one of the thousand lines of code you have in the script, and you start asking yourself a number of questions before you move to the next one, right? Is it a good line of code?
Is it fast? Hey, come back. Is it fast? Is it compatible? Because, well, after fast, usually... is it compatible? Is it secure also, because that's usually a business requirement? And you're still on the same line, right, asking more and more questions that keep coming up. Why not use a framework? Why is it stuck? Should I use that? And suddenly you have all those questions, because this is a number of recommendations you can remember from various authors, various experts, maybe other languages, and you don't know when to stop. Okay, so you end up with a final question, and then you want to have a review. You want to have someone look at that code and say: oh yeah, good idea; not a good idea; discuss it.

So if you go to conferences, PHP is doing the job, and most of the time you've learned things like this: there are three steps. What you actually call PHP code is a text file. Initially it's just a bunch of bytes together that makes sense to PHP, hopefully also for you, but that's the way it works. Then Derick comes and he just turns that into opcodes, yeah, with these little hands, and then we send that to the Zend engine, which actually executes that. Those are the three usual steps, and they are not exactly the ones we are interested in.

In between we have something that looks like static analysis but is not: coding conventions. This is the moment where you decide that you want to put spaces around your equal operator because it looks better. That is completely useless for the Zend engine in the end. It doesn't care about that, doesn't care about comments, doesn't care how beautiful your code is, because it's just text and it will do something from the code, not from your text. Okay, so we're not going to talk about that: PHPDoc, comments, white space, not for us.
We want things that will be executed. Now this three-layer cake is something common in other languages, because they start from the same origin as us: the text. Okay, it looks a little bit different, but it's there, from the same origin. They do have compilation, you know, they call GCC or javac or whatever you call it. Maybe it's kind of hidden, but it's there, and then they have some intermediate code that can run. In PHP we don't have that... actually it's there, but it's kind of hidden.

So static analysis will actually have to be set up as a side branch, because the result of the static analysis will probably be a report, whatever shape it has, and we are going to feed that back to us so we can go back to the code, fix it, and ultimately make the code better. Okay, so it's kind of a different branch we have.

And the thing is, initially PHP is already doing a part of this static analysis. Okay, who's using linting? Oh good, that will be fast. So when we moved from PHP 5 to PHP 7 we got that code and suddenly it went wrong. Why? Two defaults. Yes, yeah, that's too easy for you; you'll answer that later. There are two defaults. Until PHP 7 it was actually code that could work: the second default was just completely removed, completely ignored, and the first one was the one that was found and executed. Kind of simple here.

So linting is already a good static analyzer. If you're on PHP 5 and you want to keep using PHP 5, don't do that, but if you really want to, you can run PHP 7 just in linting mode and get a lot more details about the way you could behave on PHP 5, and just fixing that will do two things at the same time: prepare your code for PHP 7 and make your PHP 5 code better. So that's a good start.

But that's very easy actually; PHP is not doing a lot of the job here, right? There's another set of problems that look the same, where PHP should also be telling us what's wrong and what should not be there. How many cases do we have here?
Depending on y, of course. How many different cases do we have here? Zero? One? Five? Two? Zero? Twelve? Just one. All of them are the same. All of them are the same actually: x is compared with the double equal, and besides that, after the case, well, most of the time we just put a constant or a literal, but you could actually have anything that's an expression that will return you a result. So the first one is the integer, easy. The second one would be called something like a static expression, almost; so it's something that could be prepared at compile time. The third one is a string, but since the string contains an integer, if you actually do the conversion it will be converted, okay, really converted, and of course depending on y it will also be compared the same. So all of them are the same, but PHP does not mention anything about that. You lint it and it says okay. Yeah, we can try that.

Why is it? Why does it understand that there are two defaults and suddenly those break, but all those cases are the same and it just says nothing? The problem is that this has to be resolved at execution time. Okay, people could actually do some work, because some of the literals here could be resolved at compilation time, but in doubt it just leaves that on the side. It doesn't do anything. This is where static analysis will start working. This is where it says: I can resolve a number of those situations and report that at least half of them are the same and they should be removed.

So how does static analysis work in general, if you want to avoid regex, which means that you're treating your text file just as another text file? You want to go up a little, take a little distance and include more meaning, more semantics, into the reading, and for that you need to first take the files and process them with the tokenizer. So who among you has been using the tokenizer? Okay, you've done it.
That's another problem. Okay, so I'm going to rephrase the question: who among you has been using PHP? And I still see a number of people who are too shy to raise their hand.

The tokenizer is the first part whenever you execute something in PHP. The tokenizer takes the file, then breaks that into tokens, and then pushes the tokens to another part of PHP that runs it. Okay, but those tokens are exactly the words that PHP can understand. If you ever learned any Chinese, you will have quickly learned that there is no space: every word is right next to the other, there's no delimitation between words. You have to learn how to read the words and say, okay, this makes sense; oh, if I add one, does it still make sense? So you backtrack: that's one word, next word. Here it's the same: the tokenizer will do the job of finding this is the space, this is a comment, this is a string, this is a parenthesis.

How does that look? It looks like a huge array filled with lots of cabalistic numbers. This very simple piece of code, which was even shortened to really fit, leads you to this number of tokens. It's just an array, all flattened, with other arrays or simple literals, so you can find here the define is around there, then there is 382, which is actually a white space, depending on the PHP version you have, the parenthesis, you have another literal, you have the comma... that's everything PHP is going to give you from the tokenizer.

The first thing you learn when doing that is you can get rid of the first third of all the tokens. One third of the tokens are completely useless: as I said, comments, doc comments and spaces. All of that can be gotten rid of because no one cares about it. The second third you can get rid of... actually it's not us that are going to get rid of it, but it's everything that is a delimiter. Okay, parentheses in general are useful for the tokenizer to understand where is what.
But in the end we don't care about them, because in the end we're going to turn this long list, long log of tokens into an abstract syntax tree. So I'm going to just call that AST because it's difficult to pronounce. Please. Thank you. It's an abstract syntax tree, AST.

The previous file, or this one, is one that you can guess actually just by reading: you have at the top the file, the file has one script, which includes code, or call it a number of sequences, including one use, two different classes and two or three calls. Okay, so the previous tokens have now been reordered and reorganized; every element is in its place. The variable may be a part of a function, it may be an argument or not, it may be a literal; everything has its own place, and we just have one third of the tokens. That's excellent, because at that point we do not have to follow and read the code one line after the other, which is what you do as a human, but we have blocks. All the functions make one block: there is the big block of the function, the sequence, and the arguments and the name; we have everything defined. The classes are gathering constants, properties and functions, all together at one place.

So all the definitions are in place, which means that we can start working on things a little more complex, like this one. Here you have one class that's defined, instantiated, and you have a call on it. Okay, very simple, nothing really wizardry. You can see from the AST, well, the order of the elements is there, but the important part is that with the class, the tool can actually link the instantiation to its definition. So now we have a way to move from the next-to-last line to the definition and go on again and find other elements inside the class. That's one way.
We don't have to read the thing one line after the other. We can start, go to the definition, find something else, come back, or maybe go somewhere else. The only thing we're starting to miss at that point, besides the definition, is the order in which it's executed, because basically the elements you have here are not in the same order as the ones you have here. It's probably in the information, but the AST kind of loses this information. So we have to start thinking, on top of the AST, about control flow.

Control flow is a diagram that will take care of the order, the sequence order of execution. Here is another example. Again, pardon my French: the slides are in French at that moment, so you're probably going to learn something. Here is a very little script. There is a source, that's there, and then there is an if. The if has two branches, which means that you should not navigate both of them at the same time. That's exactly what you want from an if, right? If there is a condition met, then you do something; otherwise you go on with the else if it's there. The AST will probably look like that, and the other diagram we want would be a control flow graph that looks like that. Slightly different from the previous one, right? This time we want to know the order in which everything is executed. The first one is a common path, it's always done, so it's right after the initial `<?php`. The second one is the condition itself, so at that point we know we have branching, and then we have the two branches, one on each side, which will ultimately merge.
Well, here at the exit, because it's a very simple example, but they will merge and maybe go on with something else. That's another way to navigate the information, right? Initially we had the definitions; now we have a way to navigate just the way PHP is going to execute the information. Okay, it may branch depending on the situation and the state. That's a state machine: branch on one side or the other, and that would be the same for every part of the code, and it's completely independent from the definitions we've seen earlier. Moving from one flow diagram to the other is completely arbitrary.

And actually, before we start going to other tools, I would like to introduce you to another one, what I found defined as a program dependency graph, but that's again the same script you have here. That's applying the dependencies on the data. So it's not the sequence anymore that's important; it's how you need other statements to be executed before you reach this one. So take a look at the first one: the first one is unconditional because, well, you have nothing. Okay, source is something that exists, which we can check easily; there's a function called that, it returns something, so feeding x is okay. Now if we move along the script, of course if we want to execute the if and the condition, then we only have to execute the previous one, so I'll say that this sequence is always valid. When we want to move inside the else, then we have two dependencies: we need x to exist, so it has to depend on the first source, and it also needs that x meets a special condition to reach that point.
Yeah, of course we need to follow the control flow, but we also have to meet a special condition, which is that x is smaller than 10, which also means that probably x can be, you know, identified as an integer. And then we can go on. Between that, for example, if y does not exist here on the else, we can understand that the two branches are unbalanced. Anything that uses y after the if could then rely on going through one of the branches that has not set a y, and that would be a problem. I'm not sure I'm clear, but so here the dependency is a list of things that the data has to have prepared before reaching that point, and that includes the conditions.

So in the end we have three different ways to navigate inside the code. One thing you learn from static analysis is to keep constantly moving from one paradigm to the other. The first one you have here is: well, we want x, we want the source; where is the source? What does it do? Does it really bring us an integer? Then we use the AST. The AST will tell us where in the code the source is. It may not look like that; maybe I have a use statement before that sends that into a namespace that we haven't heard about, but the AST will tell us that. Then we get the value; it goes there. Which of the paths will be followed and which sequence will be executed? That's from the program dependency graph and the flow graph.

Yes, yes, it also depends. Yes, it also depends. Yeah, right, you're right, it's missing. It's the contrary; yeah, it's the other condition. You're right, it's missing the link, that's this link. This link should also be there; I missed it. It should actually be the contrary, right? So this x, I don't see it.
This one here depends directly on the condition; the other one here depends on the negation of the condition because it's the else. This is the missing link here in the schema.

So in the end we can actually consider PHP as a database. PHP code is a data set. Now it's kind of the contrary of what we usually have: usually we have the data set and we have the query language, like SQL or Gremlin, and we want the data to query it, right? Here we have the data set but no way to query it. We don't know how to query that, right? We can execute it; PHP will make sense of that, run it, do something. But how can we go inside and collect the information we want? Okay, so we need the tools to do that, and they have different approaches.

So I have a list of, well, I currently have 68 of them. I checked the slide this morning, which made me discover another three of them, so thank you for the conference; that's an upgrade. And I'm not going to show you all of them, but I would like to show you a number of them broken down in five categories, and there are others, there are lots of other categories and hopefully you can even imagine yours: migration tools, code quality, security, metrics and inventories. That should cover a number of elements.

Okay, so how come migration tools are interested in static analysis? What happens when you want to move from PHP 5 to PHP 7? Well, there's only one source: you go in the manual and the manual tells you, okay, these classes disappeared, those are new; these functions disappeared, those are new, and those have changed their behavior. So getting rid of something is usually easy: you know what you're losing, right? So it was there, it's not anymore, so if it appears in the code then you have to remove it. Changing behavior is a lot more difficult. And how many pages of documentation do you have at the moment to migrate from 5 to 7? Shall we try the guess again? 12 pages?
7? That's a good guess; that means that I don't want to see PHP 100. So there's a huge list of them, right? It would probably be easy to talk about one or two of them now, but there's a long list. There are different situations and sometimes it's very difficult to actually track them in the code. For example, disappearing classes, okay, that's an easy one. Disappearing directives? Oh, how can you track a disappearing directive? You cannot track it directly in the code unless the code itself is dependent on it, like charset. Therefore charset: we changed that; it appeared in PHP 5.5. This one actually has an impact now on htmlentities and htmlspecialchars and another one, there's the decode table. So sometimes it's kind of difficult, and there static analysis can collect, can capitalize all those different elements, all those different sources, and make that into one element in one place.

So at least the first two static analyzers I heard of were completely specific to moving from 5 to 7, and probably just 7 because they were never updated since: php7mar, php7cc. For those of you who said yes when I asked about staying on PHP 5, you can use those. Otherwise, the one I work on, for example, will give you reports like that. Remember, we're talking about static analysis, so there's no fear in using PHP 7.2, even though 7.2 is not yet there, right? I kind of have to change the name if suddenly they decide to move from 7.2 to 8, I guess; that's worth it, right? There's already a number of things, there are probably like 12, no, less than that, six different RFCs that were voted, so we already have a number of things that are available for PHP 7.2, and even though we don't compile it we can check for them.

So there's of course a number of things: there are removed directives, there are new functions, new functions that appear, there are extensions that disappear.
There are things we cannot test currently, okay, so it's also written there, and there are things that are already wrong, so we should actually take a look at that and prepare the code for PHP 7.2. Okay, so this is just the overall report on the migration itself. There are more details: each time you have the name of the file, the line and the problem that's linked to it.

Others: code quality tools. So besides migration, besides knowing what to do between one version and another, there's code quality, so things that are evergreen. Okay, you try to use a property but the property is not defined. Well, that's usually the problem. It doesn't really hurt the code, right, because PHP will still run with it, but for example if you create a standard object, stdClass, and create the properties on it, that will actually be slower than making an array and then casting the whole of it into an object at the end. Little things like that. So probably if you do not create a class and define the properties in it, you're going to have a little, you know, performance loss. It's really tedious to review the code all the time for missing definitions of properties or things like that, so probably a tool is going to do that a lot better than you, for you, and especially it's not going to get bored at testing all the code all the time. So there are several of them. I chose especially PHPStan because we have the author here, so it's nice if you have extra questions.
You can also go and meet him. Phan was started by Rasmus, so it's interesting because it raised the attention on static analysis. It's still being worked on every day, probably from Etsy, so they're using that over there, and it's open source. All the tools here are open source; some come from Vimeo, I think, so that's another company that's open-sourcing their own tool.

Here is a result from PHPStan. I had to adapt their presentation because it doesn't fit nicely, and I also removed the redundant ones, but again you see the file name, you get the line, and each time you have an explanation that says, okay, this is what I found that is wrong. A collection of them: there is a class that is not found, possibly because of a misconfiguration, or the autoloader couldn't find the class, or maybe it's in Composer. There are missing functions also. What is always interesting there, oh, missing variables. So undefined variable: probably one of those variables that's being used before it's actually initialized and gets a value. Again, it doesn't always hurt, but if you know what they are you go to that line, fix it and then save it. That's done; good enough.

So some more: security tools. Of course you can have some others that are specific to security, and where the previous ones, the code quality ones, usually rely heavily on the AST because of definitions, security tools usually rely on checking where the value goes and when it is filtered. Here you have a few of them. RIPS has actually been running for a long, long time. I mentioned the 0.5 because it's the last version they have that's available as open source. Now
it's a SaaS, probably the same guys, just with an upgraded infrastructure. Okay, I don't know if the 0.5 works anymore on 7, to be true, but at least you can take out the code, and they work heavily on that, because this kind of schema allows them to look for the link between a sink, so a place where the security may have trouble, and the origin, which is usually the incoming variables. Okay, and in between sometimes the path is not easy, that's one thing, and there are lots of conditions. So in the end they can tell you: okay, from here this goes into the main SQL query, okay, and there are those conditions; when you can meet all those conditions, then you have a vulnerability. That's an interesting result.

PHPCS is working directly on the code. See, it actually looks a lot like PHPStan, same result, except here the order is more like one line, one result. You have the name of the file, you have the line, the explanation, which may actually be longer, more documentation, and you have an extract of the code that is being used. Okay, so for example in the middle we have "avoid the use of exit because it leads to injection", and apparently the whole file is displayed. No, there's no exit mentioned. Hmm, okay. On the last one, "header should not be done with concatenation". Sorry for that, the concatenation is on the other side, trust me on that. Okay, so let's say the first one mentions the usage of $_REQUEST anywhere, and yes, generally speaking you don't want to leave any $_REQUEST anywhere.

Metrics. I don't always consider metrics as static analysis, because they will give broader results, telling you, okay, cyclomatic complexity is way too high, so please take a look there, but they will not point to an exact line, so it's broader.
It's still kind of interesting, and here is a bunch of them. The PhpMetrics one has been around and it's especially pretty nice; it's nice looking, it fits very well in reports whenever you have to do one of them. There is the number of lines of code on one side and the cyclomatic complexity here, so the way the dots are scattered is always very interesting. Okay, here there is obviously one major class that reached 385, a bunch of them that are intermediate, and a lot of them that are really small and very simple. This is characteristic of a framework approach. Okay, so obviously there are the senior guys who built four or five big classes that suddenly explode in terms of complexity because they are always extended into components, and the components are done by people who are not the senior ones, but they have to know the classes, extend the main one and call APIs on it. So suddenly you have this huge class which cannot be broken down, for monolith approach problems, and all the others are smaller. So you can also see that on the other side: you see this ring of green and simple classes, which are the ones done by the juniors, and obviously the one in the middle is the class of the framework approach. That's kind of interesting to see; it's kind of visual. Of course there are other classes all around.

And another one that can be done by PhpMetrics, which is more static analysis, is this. They actually collected all the methods and they make a link between the method and the calling one. Obviously this does not fit in a session here, and I should be moving my mouse over every link so I could see which one is linked, but the general presentation is actually interesting to analyze. You should take a look at that. There are a few of them that are obviously concentrating a lot of calls. Again, that's the same code.
So we understand that what we've seen with cyclomatic complexity appears here again: some of the wide range of components are calling only the same classes, and those are the ones we should review. At least we know how to navigate and which part of the code we should take a look at.

Actually pretty quick. So inventories will be the last section, and inventories are something that I really enjoy; it's always spectacular to do one of them. Basically you take a part of the code, for example you list all the literals and you see how often they appear, and suddenly you take a look at the values and understand why some special value appears. If you look at PHP code that makes usage of 3600, what's that? Yeah, well, not only, but yeah, most of the time it's something like that. So does it have to be hardcoded, or could it be put in a constant so it makes sense in the code? Because otherwise all the numbers don't always make sense. Suddenly there is, what was the last one I've seen, 1812? 1813? That appears all over the code. What is that? 1812, 1813: that was apparently a port on the RADIUS server. Anyone using that? I learned that too. But all the others... it makes sense, like 389, that's a port I know, so okay, I let it go; I think it's the LDAP one. And at some point so many of these magic numbers were appearing across the code because they decided to hardcode some of the ports. Okay, so that's interesting to see, to have the literals just taken out of context and see how often they are there. You probably don't want to review any 0 or 1 because they appear in too many situations, but otherwise the ones that are kind of weird and appear several times,
they're interesting. Before we move on, the second one here: error messages. Make a selection of all the error messages that are being used in exit, just extract them like that, as if it were an exception, and list them, and try to see what that does. Anyone knows phpIPAM? This is the application that was... no, no. Can you tell me what they do, from the error messages there? Just reading the error messages. This is when something is wrong: they stop, they make an exit or die and they say something. Okay, we've got something: the file is not writable. Is that something you expect your user to find if something doesn't work on the application? No, you expect at least, well, either it has to be sent to headers so that a maintenance page can be displayed, or not something like that just, you know, written and stopped. The other thing I find interesting is there's no way we can understand what's happening there. There's no LDAP; so apparently this is doing something with LDAP. There are security reasons for something. There's an admin system. But just reviewing those error messages could be interesting, give you an idea of how the application behaves. If there are none of them because there's no die, that's also good. Okay, otherwise there should be something that's more interesting.

So what could be interesting with that: doing spelling, like collect all the variables and check the spelling. Believe me, you're going to get some work, and not only for the foreigners who do not speak English. I think the HTTP "referer" was something interesting. The names of the classes are also a good list.

So everyone knows the magic number syndrome. It's what I mentioned earlier: when you use a number that actually has some special value, but it's scattered everywhere. You suddenly see something like 20.6.
Okay, that's French VAT, but you have to know that. If you don't know that, then it's just like, why is this number everywhere? And why is it actually scattered all across the place? Shouldn't it be centered, so when we decide to change it from one value to a new value, which is probably going to change, then maybe we have written a constant so it can be changed.

The other thing from inventories is that we could, you know, scan the code and extract information to give to someone else, like all the compilation directives. So for example you read the code and you find all the functions that are being called. Okay, given the list from PHP.net, you can find all the extensions being used in this application. Okay, so this is again phpIPAM. Obviously from the function names you know which extensions are used, so from the extensions that are used you know the ones that are used and the ones that are not used, and you can decide and offer a list of compilation switches to optimize the PHP compilation. Right, so from the code, you read it, you have the exact line to compile PHP and avoid compiling too many extensions. What do we do usually? We just apt-get and get the standard PHP from someone who decided how it should be done, and then we end up having LDAP because, okay, it was kind of default, and if we have a security problem then someone can exploit the LDAP extension to go somewhere else. Okay, so maybe it's interesting to have this list automatically extracted and provided to the DevOps; they will decide if they want to compile something specific and update it whenever we need a new extension, or they just, you know, want to optimize it for performance. But we don't have to do it; we just have to write the code and static analysis will provide us the information.

The other one that's always very useful is the PHP directive checklist. How
many times do you have the system admin come and say: yeah, your application is running, which of the directives are important to use? Like, I don't know, why do I have MySQL, so I compile it, and I have, I don't know... Well, that's all, nothing special, no, no, it's okay. And then you come back and say: yeah, it's not working, the upload is not working. Yeah, but you didn't tell me to activate the upload. Why? Because there's no list done; you have to think about it and review the whole code. And here a static analyst can review the code: oh, at that point you're moving an uploaded file, so that means you depend on uploading, so I can suggest to you that some uploading has to be done and you have to change like three directives. So you can provide the whole list to the system admin, and that's automated.

Other usages. I'll be done with those five different themes, but they are all new usages for static analysis that are always interesting. For example, a dependency graph. Do we have to deal with dependencies anymore in PHP? There's autoload, right? No, it's solving a part of the problem. There are still people doing includes, so maybe there is a list of inclusions and a hierarchy of inclusions. Besides that, you have static expressions: you know, when you do a constant and you can mix it with other constants, then suddenly this file depends on another constant being defined before we reach the file. So dependencies, there are several of them, and the machine can find all of them. Namespace graph, that's what you see, kind of blurry, at the bottom. I'll get another one; I'll finish with this. Deptrac is another static analysis tool that will allow you to check that there aren't any dependencies that should not happen.
So let's say you have MVC, model-view-controller, and you want to avoid the model calling the controller directly, or the controller calling the database directly. So you will set up a rule saying: okay, I do not accept any call to this class from the controller directory. You have to do it yourself: you have to explain explicitly which relations you do not want to see, and then the machine will take a look at all the classes and say: oh yeah, at that point you're calling this other method, meaning you have a coupling between those classes that is interesting to remove in terms of dependencies.

Taint analysis. It's a bit like for security: it follows the different usages of a variable. If it starts with a GET, for example $_GET, it will just taint all the variables that are using or depending on the GET, and this way you can see which part of your code is being tainted by, you know, dirty values, or values that have to be filtered before being used.

The final one here, okay. So we said namespace graph, for example. The long bar that you've seen is actually the Composer namespace, so all the Composer classes are now in one track. Every time there is a namespace that acts like a folder, then you have one shade of colour. Okay, so the deepest namespaces are over there, and you can see that most of the classes inside Composer stay within their own namespace, like their own folder. So here you have like five or six different classes; they all extend each other inside the namespace.
So that's a kind of consistent set of classes. On the other hand, when you look here on the side, you can see that there are two different and separate namespaces, and at some point there is an extension between at least two of them; the other one is on the side. So apparently the namespaces and the classes are well grouped by usage, except for a few of them. Maybe it could be interesting to start looking at those and see why they were either split into different namespaces or put together, or not, because you don't care; that's also a possibility.

So finally, 68. You probably have ideas for more, so you can do your own. You can ask James if you want to do more. The best initially would be to compile yourself the AST extension. So there is an internal AST in PHP 7, but we do not access it; we use it, but we don't access it, just like we use tokens. It's actually a very easy compilation, so just get it, download it and compile it, and you have access to that. That will do the heavy work of building the AST, and believe me, it takes time. It's better in PHP 7, but it really takes time. So the AST is probably the best; at least you start with all those definitions, and from there you can probably build the control graph and the dependency graph and the program control graph if you need them. Anyway, if you're still on PHP 5, there is a parser that emulates the behaviour of the PHP 7 AST in PHP 5, so you don't need to move to PHP 7. It's probably going to be a lot better for you to do that, but you can still rely on that. Some of the parsers I have mentioned earlier are using PHP-Parser, so that's a good project. BetterReflection also. Does PHP still rely on that? No, okay, I thought so. Okay, it's a native one, so you see, he did his own.

In spite of that, if you really have no tools or you have no time, the good old regex still works. Okay, I used to be campaigning against it.
That's a bad idea, but I actually find myself doing it a lot. Any time you have a keyword search in your code, don't break a sweat, no time for static analysis; just grep, find, that will be sufficient. On the other hand, if you're trying to look for, I don't know, static calls to methods, and you only rely on the double colon, yeah, go and use a static analyzer, because regex is not going to work. Okay, whatever.

So you can also fork an existing tool. In my experience, at the moment, except maybe using BetterReflection, it's kind of difficult to go inside the tools, but maybe they have already laid the groundwork for you. So if you take a look, that can be a good source of information.

So to write that, we have a number of tools. Do you need ideas? Here are a number of ideas, things that have not been done, at least I'm not aware of them, so I can give that to you if you're interested, or if you know about them, I'm interested in that. The thing that surprises me is that we are starting to do some static analysis for PHP, and besides maybe Symfony, I know no other framework that actually provides static analysis, and that's actually very useful. You have users; when you provide them with a manual, they have to read the manual, understand it and use it. If you have a set of good recommendations, best practices, things like that, you could actually rely on static analysis to review beginners' code or customers' code and say: okay, I can review that, I give you an audit of the code and say, there and there you should do that the other way; the way we recommend is this way. Take a look at the WordPress documentation. I actually have to say it's there; they are recommendations, it's just scattered all across the documentation. They usually recommend that you should not use other globals than the ones they provide, and that you should not modify them.
Okay, that kind of thing can be technically checked. We can look in the code and say: oh yeah, at that point you have made some modification that should not be done. That's going to help in terms of consistency across your users and in terms of efficiency. So any time you have modules or partners providing some code and sending it to a marketplace, you can review that before it gets published. That's an interesting one. So if you're editing a framework, I'm interested to talk with you about that. But in general: class diagram extractors, if you really want to have UML from the code that exists, could be interesting.

What's that? Oh yeah, 40% of every code is basically static. That's actually from reading so much code: you realise that most of the code itself, less than half of the code we write, is static. Let me think about that. Imagine that you have a property that holds the number of versions. Okay, this is not going to change during the execution, but since it's an array, and you're not aware that PHP 7 accepts arrays as constants, then you probably push that into a property. Now it looks like you have dynamic code, right? Because you're manipulating a property that should be changing, but this property is never accessed for modification. It's really a constant. It doesn't look like a constant, but that still makes a large part of the code all the same, because any loop there is on this array will actually just read something that is never changed. So it's actually a constant, and the whole of it is a constant.
It looks like some macro we would do in C, and we would probably make the code look very different if we understood which of those constants are really constant and then have them look like constants. Anyway, that's not done yet.

Coding references also. That may be in-house, or that may be something you take from outside. There are lots of people who try to say: okay, if you want to be a good programmer, do like this, do like that, do like this. And if we put two of them in the same room, that's going to be an endless war, right? I would put that in argument. But usually I think it's important that every team has its own list of them. Okay, currently in Exakat I have around 300 different analyses. Don't try to trust them all at the same time; that's too much. Choose at least 10 of them. And I don't have all of them; I have a to-do list of 2009, so I'm completely far away from the end. So just select 10 of them that are important, that may be specific to your application or your team and the way you work. You don't want to hear about globals? Okay, make it one rule and statically enforce it. You don't need to review that yourself. Just run the test; one line appears, you git blame and we talk about it. That's all. You don't need to do 300 tests at the same time.

So, to finish: please never code alone again, because with that kind of tool you're actually inviting experts into your own programming. Okay, even on a side project, you want to review the code and not be the only one checking it; then a static analyzer will give you feedback and then you can deal with it. And believe me, when you write a static analyzer yourself, you learn how to be humble. How many times do I look at a site and say: oh hey, this is too bad, this should not be done like that. Try: ever seen that? You know, people write a try block and they say: do something; catch; okay, do something. They really want to try. So you look at that.
It's like: oh, that's stupid. But then you check your own corner and realise: oh, I'm doing the same. So let's fix that first, and then we publish. So if you're working, even alone or in a team, it could be interesting to not be the only one; you can import experience from outside and have some feedback on your code even without asking, and even doing that in your own cubicle and not sharing it. So if you feel like you're ashamed of it, no one will know. No one will know.

Other thing: you can prepare for the future with that. Okay, as I mentioned, for example, we can prepare for PHP 7.2. We don't know what goes in, we don't know when, but we already have a number of things that we can prepare now. So static analysis for that is interesting: you don't have to wait for the version to be ready, just prepare for the future. Otherwise, well, you will learn. Maybe select one rule of the numerous rules that are available, fix them all, and when you're done, then consider it a fixed rule, a statically fixed rule, and then move on, learn something else. Don't try to learn all of them at the same time, because that's not going to work. And that will be it.

Audience: How often do you run, do you analyze your code? Like, automating it with a commit hook, or is it something you're doing manually?

That's a good one. I would say two different experiences. For example, PHPStan is going to run on my code in a few minutes, so I can do that any time I want. My own code will run in 20 minutes on my whole code, so I don't do that all the time.
Okay, the other thing I know is that even with a long report and a number of broken-down sections, I can usually keep the report viable for a whole week, meaning I run it on Monday; by Friday, I will end up with a number of problems with the lines, but the insights, the fact that I should take a look at part of that part of the code, are still valid. So I don't need more than that. Okay, so the different tools will be available for a git hook: if you want to run something very fast, like PHP lint, yeah, please do that on the git hook, that's a good thing. There are other tools that will not fit, because it means that you have to understand the code a lot more; it will run for a much longer time. So I would say there are tools, yeah, depending on what you want to find, there are different tools.

Well, okay, I guess it's social time now. Thank you.
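The two inventories the talk describes, the extension list derived from the function names a file calls and the directive checklist handed to the system administrator, as an added example in PHP. This is not the speaker's code and not Exakat's; it uses PHP's own tokenizer (token_get_all) and the running interpreter's extension tables (get_loaded_extensions, get_extension_funcs), so whatever it cannot resolve is, by construction, something this PHP build cannot serve. The sample file it scans is constructed here, and the function-to-directive table (DIRECTIVE_HINTS) is an assumption made for illustration.

```php
<?php
// Added example, not from the talk or from Exakat: an extension inventory and
// a php.ini directive checklist built from the free functions a file calls.
declare(strict_types=1);

// Constructed sample input standing in for one application file.
const SAMPLE_SOURCE = <<<'PHP'
<?php
$conn = ldap_connect("ldap://localhost");
$rows = json_decode(file_get_contents("data.json"), true);
if (!move_uploaded_file($_FILES["doc"]["tmp_name"], "/tmp/doc")) {
    die("Upload failed: the target directory is not writable");
}
$digest = hash("sha256", $rows["payload"]);
Report::render($digest);   // static call: not a free function
$obj->ldap_connect();      // method call: not the ldap extension
PHP;

// Assumed mapping (illustration only): directives the admin must set for what the code uses.
const DIRECTIVE_HINTS = [
    'move_uploaded_file' => 'file_uploads=On; review upload_max_filesize, post_max_size, upload_tmp_dir',
    'mail'               => 'sendmail_path (or SMTP/smtp_port on Windows)',
];

/** Index of the nearest token that is not whitespace or a comment, walking in direction $dir, or null. */
function next_significant(array $tokens, int $i, int $dir): ?int
{
    $ignore = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    for ($j = $i + $dir; $j >= 0 && $j < count($tokens); $j += $dir) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], $ignore, true)) {
            return $j;
        }
    }
    return null;
}

/** Free-function calls in $code: a T_STRING followed by "(" that is not a method, static call, declaration or constructor. */
function called_functions(string $code): array
{
    $tokens = token_get_all($code);
    $skipAfter = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW];
    $found = [];
    foreach ($tokens as $i => $t) {
        if (!is_array($t) || $t[0] !== T_STRING) {
            continue;
        }
        $next = next_significant($tokens, $i, +1);
        $prev = next_significant($tokens, $i, -1);
        if ($next === null || $tokens[$next] !== '(') {
            continue;                      // a constant, a class name, true/false/null ...
        }
        if ($prev !== null && is_array($tokens[$prev]) && in_array($tokens[$prev][0], $skipAfter, true)) {
            continue;                      // ->name(  ::name(  function name(  new Name(
        }
        $found[strtolower($t[1])] = true;  // die()/exit() are T_EXIT and never land here
    }
    return array_keys($found);
}

/** Group the called functions by the loaded extension that defines them; the rest is unresolved. */
function extension_inventory(array $functions): array
{
    $owner = [];
    foreach (get_loaded_extensions() as $ext) {
        foreach ((array) get_extension_funcs($ext) as $f) {
            $owner[strtolower($f)] = strtolower($ext);
        }
    }
    $byExt = [];
    $unresolved = [];
    foreach ($functions as $f) {
        if (isset($owner[$f])) {
            $byExt[$owner[$f]][] = $f;
        } else {
            $unresolved[] = $f;            // user-defined, or an extension this build lacks
        }
    }
    ksort($byExt);
    return ['extensions' => $byExt, 'unresolved' => $unresolved];
}

/** The list handed to the system administrator: build options and directives implied by the code. */
function directive_checklist(array $calls, array $inventory): array
{
    $hints = [];
    foreach ($calls as $f) {
        if (isset(DIRECTIVE_HINTS[$f])) {
            $hints[] = "$f: " . DIRECTIVE_HINTS[$f];
        }
    }
    foreach (array_keys($inventory['extensions']) as $ext) {
        if (!in_array($ext, ['core', 'standard'], true)) {
            $hints[] = "extension=$ext must be compiled in or loaded";
        }
    }
    foreach ($inventory['unresolved'] as $f) {
        $hints[] = "$f is not provided by this PHP build: missing extension, or user code";
    }
    return $hints;
}

$calls     = called_functions(SAMPLE_SOURCE);
$inventory = extension_inventory($calls);
foreach ($inventory['extensions'] as $ext => $fns) {
    printf("%-10s %s\n", $ext, implode(', ', $fns));
}
foreach (directive_checklist($calls, $inventory) as $hint) {
    echo "- $hint\n";
}
```

Run it with `php inventory.php` on a build without the ldap extension and `ldap_connect` lands in the unresolved list, which is the warning you want before the deploy rather than after; on a build that has it, `ldap` shows up as an extension the application really needs, and nothing else needs to be compiled in. The scanner only sees calls spelled out as bare names: `\ldap_connect()` is one token of type T_NAME_FULLY_QUALIFIED on PHP 8 and is not handled here, and dynamic calls such as `$fn()` or `call_user_func('ldap_connect')` are invisible to any static inventory, regex or tokenizer alike.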