Automatic code audits
Rotterdam, Nederland, October 9th
010PHP
Definition
A kind of code analysis where the code is reviewed without running it. Just like we would do ourselves!
Who is speaking? 
Damien Seguy 
CTO at exakat 
Phather of the plush toy elePHPant 
Back from China 
Stepping up automated code audit services
Internals
Code -> AST -> Analyze -> Report
<?php
function x($a) {
    return $a;
}
// analyzer finding: x() is declared with one parameter but called with two
x(1, 2);
?>
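The Code -> AST -> Analyze -> Report pipeline in miniature. This is an added example, not code from the slides or from exakat: PHP's own tokenizer, token_get_all(), serves as the parsing stage (a token list stands in for the AST), the analysis records how many parameters each user-defined function declares and compares that with every call site, and the report is a list of strings, so the x(1, 2) call above gets flagged. The function names (significant, declaredArity, callSites, checkArity) and the sample input are constructed for this example; it handles plain functions only (no methods, closures, namespaces or variadics) and skips calls to functions it never saw declared.

```php
<?php
// Added example, not code from the slides or from exakat: the Code -> AST -> Analyze -> Report
// pipeline in miniature. token_get_all() is the parsing stage (a token list stands in for the
// AST), the analysis compares each user-defined function's parameter count with every call site,
// and the report is a list of strings. Assumptions: plain functions only (no methods, closures,
// namespaces or variadics); calls to functions never declared in the input are skipped.

function significant(array $tokens, $i, $step)
{
    // index of the next ($step = 1) or previous ($step = -1) token that is not whitespace or a comment
    for ($i += $step, $n = count($tokens); $i >= 0 && $i < $n; $i += $step) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), true)) return $i;
    }
    return -1;
}

function declaredArity(array $tokens)
{
    $arity = array();
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_FUNCTION) continue;
        $j = significant($tokens, $i, 1);
        if ($j < 0 || !is_array($tokens[$j]) || $tokens[$j][0] !== T_STRING) continue;   // closure: no name
        // walk the signature: one entry per parameter, set to true once a default value is seen
        $params = array();
        for ($k = $j + 1, $depth = 0; $k < $n; $k++) {
            $t = $tokens[$k];
            if ($t === '(' || $t === '[') { $depth++; continue; }
            if ($t === ')' || $t === ']') { if (--$depth === 0) break; continue; }
            if ($depth !== 1) continue;
            if (is_array($t) && $t[0] === T_VARIABLE) $params[] = false;
            elseif ($t === '=' && $params) $params[count($params) - 1] = true;
        }
        $arity[strtolower($tokens[$j][1])] = array(
            'required' => count($params) - count(array_filter($params)),   // parameters without a default
            'max'      => count($params),
        );
    }
    return $arity;
}

function callSites(array $tokens)
{
    $calls = array();
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING) continue;
        $j = significant($tokens, $i, 1);
        if ($j < 0 || $tokens[$j] !== '(') continue;          // identifier not followed by '(': not a call
        $p = significant($tokens, $i, -1);
        if ($p >= 0 && is_array($tokens[$p])
            && in_array($tokens[$p][0], array(T_FUNCTION, T_NEW, T_OBJECT_OPERATOR, T_DOUBLE_COLON), true)) {
            continue;                                          // declaration, constructor, method or static call
        }
        // arguments = commas at depth 1, plus one, unless the parentheses are empty
        $commas = 0; $nonEmpty = false;
        for ($k = $j, $depth = 0; $k < $n; $k++) {
            $u = $tokens[$k];
            if ($u === '(' || $u === '[') { $depth++; $nonEmpty = $nonEmpty || $depth > 1; continue; }
            if ($u === ')' || $u === ']') { if (--$depth === 0) break; continue; }
            if (is_array($u) && in_array($u[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), true)) continue;
            $nonEmpty = true;
            if ($depth === 1 && $u === ',') $commas++;
        }
        $calls[] = array('name' => strtolower($t[1]), 'line' => $t[2], 'argc' => $nonEmpty ? $commas + 1 : 0);
    }
    return $calls;
}

function checkArity($code)
{
    $tokens = token_get_all($code);
    $arity = declaredArity($tokens);
    $report = array();
    foreach (callSites($tokens) as $c) {
        if (!isset($arity[$c['name']])) continue;              // unknown function: nothing to compare against
        $a = $arity[$c['name']];
        if ($c['argc'] > $a['max']) {
            $report[] = sprintf('line %d: %s() called with %d arguments, declared with %d', $c['line'], $c['name'], $c['argc'], $a['max']);
        } elseif ($c['argc'] < $a['required']) {
            $report[] = sprintf('line %d: %s() called with %d arguments, needs at least %d', $c['line'], $c['name'], $c['argc'], $a['required']);
        }
    }
    return $report;
}

// constructed input: the slide's snippet plus a function with an optional parameter
$sample = <<<'PHP'
<?php
function x($a) {
    return $a;
}
function y($a, $b = 1) {
    return $a + $b;
}
x(1, 2);
y();
y(1);
PHP;

foreach (checkArity($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with `php` on the command line: the x(1, 2) call and the argument-less y() call are reported, y(1) is not. Skipping unknown functions is deliberate: a tool that guessed the arity of builtins or of code from other files would trade a clean report for noise, which is the false-positive problem every static audit has to manage.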
Found
Dead code
Undefined structures
Unused structures
Illogical expressions
Slow code
Bad practices
Unsafe code
Maintainability
Bug issues
Ancient style
Uninitialized variables
Taint propagation
<?php
switch ($this->consume()) {
    case "\x09":
    case "\x0A":
    case "\x0B":
    case "\x0B":   // analyzer finding: duplicated case label, the second one can never match
    case "\x0C":
    case "\x20":
    case "\x3C":
    case "\x26":
    case false:
        break;
    case "\x23":
        switch ($this->consume()) {
            case "\x78":
            case "\x58":
                $range = '0123456789ABCDEFabcdef';
                $hex = true;
                break;
        }
}
?>
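How the doubled case label above can be found mechanically. This is an added example, not code from the slides or from exakat: it walks the token stream from token_get_all() with a brace counter so that nested switches keep separate label sets, and reports any `case` whose label text already appeared in the same switch body. The function name duplicateCases and the sample input are constructed for this example; labels are compared as source text with whitespace and comments removed, so "\x0B" and "\x0b" (the same byte, spelled differently) would not be paired, and only brace-style switch bodies are handled, not `switch: ... endswitch;`.

```php
<?php
// Added example, not code from the slides or from exakat: report a `case` label repeated inside
// the same switch body, as with the doubled "\x0B" above. Assumptions: brace-style switch bodies
// only, and labels are compared as source text (whitespace and comments dropped), not by value.

function duplicateCases($code)
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $report = array();
    $labels = array();        // stack: one "label text => line" map per open switch body
    $bodyDepth = array();     // brace depth at which each of those bodies was opened
    $depth = 0;
    $expectBody = false;      // true between `switch` and its opening brace
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (is_array($t) && $t[0] === T_SWITCH) {
            $expectBody = true;
            continue;
        }
        // "{$x}" and "${x}" inside strings open with their own token but close with a plain '}'
        if ($t === '{' || (is_array($t) && ($t[0] === T_CURLY_OPEN || $t[0] === T_DOLLAR_OPEN_CURLY_BRACES))) {
            $depth++;
            if ($expectBody && $t === '{') {
                $labels[] = array();
                $bodyDepth[] = $depth;
                $expectBody = false;
            }
            continue;
        }
        if ($t === '}') {
            if ($bodyDepth && end($bodyDepth) === $depth) {
                array_pop($bodyDepth);
                array_pop($labels);
            }
            $depth--;
            continue;
        }
        if (!$labels || !is_array($t) || $t[0] !== T_CASE) continue;
        // the label is everything between `case` and the ':' (or ';') that ends it
        $label = '';
        for ($j = $i + 1; $j < $n; $j++) {
            $u = $tokens[$j];
            if ($u === ':' || $u === ';') break;
            if (is_array($u) && in_array($u[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), true)) continue;
            $label .= is_array($u) ? $u[1] : $u;
        }
        $top = count($labels) - 1;
        if (isset($labels[$top][$label])) {
            $report[] = sprintf('line %d: duplicate case %s, first seen on line %d', $t[2], $label, $labels[$top][$label]);
        } else {
            $labels[$top][$label] = $t[2];
        }
        $i = $j;
    }
    return $report;
}

// constructed input: the tokenizer excerpt above, shortened
$sample = <<<'PHP'
<?php
switch ($this->consume()) {
    case "\x09":
    case "\x0A":
    case "\x0B":
    case "\x0B":
    case "\x0C":
    case false:
        break;
    case "\x23":
        switch ($this->consume()) {
            case "\x78":
            case "\x58":
                $hex = true;
                break;
        }
}
PHP;

foreach (duplicateCases($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

The inner switch gets its own label map, so a "\x78" in the outer switch and a "\x78" in the inner one would not be confused. Comparing source text rather than values is the simplest thing that works on a token stream; a real analyzer working on an AST with constant folding would also catch `case 11:` against `case 0x0B:`.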
// condensed method excerpt as shown on the slide
protected function openString($end, &$out = null, $nestingOpen, $rejectStrs = null)
{
    $nestingLevel = $count = 0;
    $content = array();
    while ($this->match($patt, $m, false)) {
        $tok = $m[2];
        if ($tok == "@{" && $this->interpolation($inter)) {
            $content[] = $inter;
            continue;
        }
        if (!empty($rejectStrs) && in_array($tok, $rejectStrs)) {
            $ount = null;   // analyzer finding: typo for $count; $ount is written and never read
            break;
        }
        $content[] = $tok;
        $count += strlen($tok);
    }
    $this->eatWhiteDefault = $oldWhite;   // $oldWhite and $patt are never assigned in this excerpt
    if (count($content) == 0) return false;
    $out = array("string", "", $content);
    return true;
}
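The $ount typo above is caught by a plain read/write census of the variables of each function. This is an added example, not code from the slides or from exakat: it walks the token stream from token_get_all(), counts writes and reads per variable inside each function, and reports variables written but never read (dead stores, like $ount) and variables read but never written (uninitialised, like $patt and $oldWhite). The function name variableUsage and the sample input are constructed for this example; the check is flow-insensitive, and list(), compact()/extract(), global/static and arguments passed by reference are not modelled, so those variables come out as false positives.

```php
<?php
// Added example, not code from the slides or from exakat: a flow-insensitive read/write census
// of the local variables of each function, over the token stream from token_get_all(). Written
// but never read = dead store (the typo $ount above); read but never written = uninitialised.
// Assumptions: a variable counts as written when it is a parameter, a foreach target, or is
// directly followed by '=' or a compound operator; anything else is a read. list(),
// compact()/extract(), global/static and arguments passed by reference are not modelled.

function variableUsage($code)
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $skip = array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT);
    $readWrite = array(T_PLUS_EQUAL, T_MINUS_EQUAL, T_MUL_EQUAL, T_DIV_EQUAL, T_CONCAT_EQUAL, T_MOD_EQUAL, T_INC, T_DEC);
    $report = array();
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_FUNCTION) continue;
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && in_array($tokens[$j][0], $skip, true)) $j++;
        $name = (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) ? $tokens[$j][1] : '{closure}';
        $reads = $writes = $byRef = array();
        // signature: every parameter is a write; by-reference parameters are outputs, never "dead"
        for ($k = $j, $depth = 0; $k < $n; $k++) {
            $t = $tokens[$k];
            if ($t === '(') { $depth++; continue; }
            if ($t === ')') { if (--$depth === 0) break; continue; }
            if ($depth === 1 && is_array($t) && $t[0] === T_VARIABLE) {
                $writes[$t[1]] = $t[2];
                $prev = $tokens[$k - 1];
                if ((is_array($prev) ? $prev[1] : $prev) === '&') $byRef[$t[1]] = true;
            }
        }
        // body: from the first '{' after the signature to its matching '}'
        while ($k < $n && $tokens[$k] !== '{') $k++;
        $assigning = false;   // true between `foreach (... as` and its ')': variables there are targets
        for ($depth = 0; $k < $n; $k++) {
            $t = $tokens[$k];
            // "{$x}" and "${x}" inside strings open with their own token but close with a plain '}'
            if ($t === '{' || (is_array($t) && ($t[0] === T_CURLY_OPEN || $t[0] === T_DOLLAR_OPEN_CURLY_BRACES))) { $depth++; continue; }
            if ($t === '}') { if (--$depth === 0) break; continue; }
            if (is_array($t) && $t[0] === T_AS) { $assigning = true; continue; }
            if ($t === ')') { $assigning = false; continue; }
            // $this and the $_GET/$_POST/... superglobals are not locals
            if (!is_array($t) || $t[0] !== T_VARIABLE || $t[1] === '$this' || substr($t[1], 0, 2) === '$_') continue;
            $m = $k + 1;
            while ($m < $n && is_array($tokens[$m]) && in_array($tokens[$m][0], $skip, true)) $m++;
            $next = $m < $n ? $tokens[$m] : null;
            if ($assigning || $next === '=') {
                $writes += array($t[1] => $t[2]);                // array union keeps the first line seen
            } else {
                $reads += array($t[1] => $t[2]);                 // $a[...], $a->x, $a .= ... and $a++ all read $a first
                if (is_array($next) && in_array($next[0], $readWrite, true)) $writes += array($t[1] => $t[2]);
            }
        }
        foreach ($writes as $v => $line) {
            if (!isset($reads[$v]) && !isset($byRef[$v])) $report[] = sprintf('%s(): %s is assigned on line %d but never read', $name, $v, $line);
        }
        foreach ($reads as $v => $line) {
            if (!isset($writes[$v])) $report[] = sprintf('%s(): %s is read on line %d but never assigned', $name, $v, $line);
        }
    }
    return $report;
}

// constructed input: the openString() excerpt above, shortened and wrapped in a class
$sample = <<<'PHP'
<?php
class Parser {
    protected function openString($end, &$out = null, $rejectStrs = null)
    {
        $nestingLevel = $count = 0;
        $content = array();
        while ($this->match($patt, $m, false)) {
            $tok = $m[2];
            if (!empty($rejectStrs) && in_array($tok, $rejectStrs)) {
                $ount = null;
                break;
            }
            $content[] = $tok;
            $count += strlen($tok);
        }
        $this->eatWhiteDefault = $oldWhite;
        if (count($content) == 0) return false;
        $out = array("string", "", $content);
        return true;
    }
}
PHP;

foreach (variableUsage($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

On this input the census names $ount, $nestingLevel and $end as written but never read, and $patt, $m and $oldWhite as read but never written. Two of those are the false positives the lead-in warns about: $m is filled by reference inside match(), which a token walk cannot see, and $end only looks unused because the excerpt was shortened. $out is not reported because it is a by-reference parameter, so writing to it is the method's output, not a dead store.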
Spot bugs early
Code -> Test -> PreProd -> Production
Run it at commit; run it as an audit
Static audit vs Unit test

Static audit             Unit test
No running               Needs dedicated servers
100% of the code         Will only scan a part
Symbolic testing         Tests only provided data
Little configuration     Write scenarios
Has false positives      Has false negatives
Mostly internal          Can be handed to users
When does it help 
Help port to a new system 
Search for weak code fragments 
Audit external libraries 
Hint at refactoring
Report 
Bugs 
Useless code 
Suggestions
Bugs
<?php
if ($content = file_get_contents($file)) {
    $content = trim($content);
    $content = substr($content, -2) == '?>' ? substr($content, 0, -2) : $content;
}
// analyzer finding: $content is built up and then discarded; true is returned either way
return true;
?>
Useless code
<?php
// inside a legit class: each statement evaluates an expression and throws the result away
$this->module->xmlRequest;
$_G['setting']['debug'];
$post['usesig']
    ? ($_G['setting']['sigviewcond']
        ? (strlen($post['message']) > $_G['setting']['sigviewcond'] ? $post['signature'] : '')
        : $post['signature'])
    : '';
?>
Suggestions
<?php
// Nested ternary: should be turned into if/else structures
$operation == 'ENCODE'
    ? sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(($string . $egiskeys), 0, 16) . $string
    : base64_decode(substr($string, $key_length));
// Multiply by one is useless
SetCache($prefix, $key, $row, 60*60*1);
// Portable syntax
$bits = split('.', $string);
$y = $bits[0];
// Modern syntax: function array dereferencing (PHP 5.4+)
$y = split('.', $string)[0];
// split() itself is a POSIX regex function, deprecated since PHP 5.3 and removed in 7.0;
// explode('.', $string) is the replacement for a literal dot
?>
Where it doesn’t help 
Unit tests 
Architecture 
Old traditions that won’t change 
Semantic errors
Architecture
No framework context
Design is done before coding, of course!
A static audit reports on standards, not on norms
Old traditions
<?php
$pna = explode(')(', $pn);
// each() with list(): deprecated in PHP 7.2 and removed in 8.0; foreach ($pna as $v) does the same job
while (list($k, $v) = each($pna)) {
    $lst = explode('"', $v);
    if (isset($lst[3])) {
        $pn[$lst[1]] = $lst[3];
    } else {
        $pn[$lst[1]] = '';
    }
}
?>
10% of current applications use this instead of foreach()
Semantic errors
<?php
$babycarriage = new carriage();
$wheel1 = new Racingwheel();
$wheel2 = new Racingwheel();
$wheel3 = new Racingwheel();
$wheel4 = new Rhinoceros();
$babycarriage->installWheels($wheel1,
                             $wheel2,
                             $wheel3,
                             $wheel4);
?>
Undefined classes: carriage, Racingwheel, Rhinoceros
The audit can report that these classes are undefined; it cannot tell that a Rhinoceros is not a wheel.
Available analyzers
PHP_CodeSniffer
PHPMD
Scrutinizer CI
Fortify
SensioLabs Insight
damien.seguy@gmail.com
http://www.slideshare.net/dseguy
THE END 
http://010php.nl/ 
http://www.meetup.com/010PHP/
