Analysis of-quality-of-pkgs-in-packagist-univ-20171024

© 2017 Rogue Wave Software, Inc. All Rights Reserved. 1
An Analysis of the
Quality of Libraries
in the Packagist
Universe
Clark Everetts
Sr. Professional Services Consultant
24 October 2017

Slides, Joind.in, and Stuff
• Rate & comment: https://joind.in/talk/377ec
• Slides: https://www.slideshare.net/clarkphp
• Tweets: #zendcon2017
• Twitter: @clarkphp

INTRODUCTION/
BACKGROUND

As you know, Composer is…
• Knows what packages your application or library
depends upon
• Obtains those packages, and all of their
dependencies, and installs appropriate versions of
them into your project (and local cache)
• When requested, checks for updates compatible
with your project, and downloads them into your
project (and local cache)
• Allows you to pin multiple applications/libraries to
the same or different versions of the packages they
use.
Composer makes it
easier to manage
application
dependencies.
… a per-project
PHP dependency
manager

Packagist.org Repository
Package Archivist
Just a Composer (“type”) Repository…
• … but it is the primary repository for open source packages
• Best Practice for Open Source Projects: register it at packagist.org
• Searchable / Browsable
• Less work for people to find and use your package.
• Many, many, many packages available. There is duplication
in functionality and – I suspect - a wide range of quality.

https://packagist.org/

Questions of interest to me
• Composer & Packagist are GREAT!
• Easy to consume 3rd party libraries
• Easy to publish libraries
How to find libraries that are
• Reliable
• Well-built
• Tested
• Secure
How many projects available via Packagist?

Why so important?
Your Project Project == Application == Library
DEPENDENCIES,
PACKAGES,
LIBRARIES
needs
A, B, C, D
A B C D
needs E
E F
needs E
You are responsible for the
application, and for the
choice in which
dependencies you use.
HG
needs G, H

No, really! Consumer-only. Why important?
Higher quality libraries are
• Easier to understand
• Easier to maintain
• Easier to test
• Get updated sooner
• Bugfixes
• New features
• Don’t break as easily or as often
• Greater interest/participation from dev team and users
*Campbell County Kentucky Public Library

SECURITY

Security – Known Vulnerabilities

"conflict": {
"adodb/adodb-php": "<5.20.6",
"amphp/artax": ">=2,<2.0.6|<1.0.6",
"aws/aws-sdk-php": ">=3,<3.2.1",
"bugsnag/bugsnag-laravel": ">=2,<2.0.2",
"cakephp/cakephp": ">=3,<3.0.15|>=2,<2.4.99|>=2.5,<2.5.99|>=2.6,<2.6.12|>=1.3,<1.3.18|>=2.7,<2.7.6|>=3.1,<3.1.4",
"cart2quote/module-quotation": ">=4.1.6,<=4.4.5|>=5,<5.4.4",
"cartalyst/sentry": "<2.1",
"codeigniter/framework": "<=3.0.6",
"composer/composer": "<=1.0.0-alpha11",
"contao-components/mediaelement": ">=2.14.2,<2.21.1",
"contao/core": ">=2,<3.5.28",
"contao/core-bundle": ">=4,<4.4.1",
"doctrine/annotations": ">=1,<1.2.7",
"doctrine/cache": ">=1,<1.3.2|>=1.4,<1.4.2",
"doctrine/common": ">=2,<2.4.3|>=2.5,<2.5.1",
"doctrine/dbal": ">=2,<2.0.8|>=2.1,<2.1.2",
"doctrine/doctrine-bundle": "<1.5.2",
"doctrine/doctrine-module": "<=0.7.1",
"doctrine/mongodb-odm": ">=1,<1.0.2",
"doctrine/mongodb-odm-bundle": ">=2,<3.0.1",
"doctrine/orm": ">=2,<2.4.8|>=2.5,<2.5.1",
"dompdf/dompdf": ">=0.6,<0.6.2",
"drupal/core": ">=8,<8.3.7",
"drupal/drupal": ">=8,<8.3.7", etc., etc.
Avoiding packages with known vulnerabilities

Security – The Unknown Vulnerabilities
• OWASP Discussion on Source Code Analysis Tools
– https://www.owasp.org/index.php/Source_Code_Analysis_Tools
• Static Application Security Testing
– Security flaws are currently better than the tools
– IDEs, catch potential vulnerable code during development
• Strengths
– Scalability
– Reliable for buffer overflow, SQL injection
• Weaknesses
– Configuration affects security
– False positives
– Many flaws not amenable to automatic discovery
• Authentication/Access Control
• Poor use of crypto

Security – Some Tools for PHP
• RIPS
– http://sourceforge.net/projects/rips-scanner/
• phpcs-security-audit
– PHP_CodeSniffer sniffs for core PHP and Drupal 7
– https://github.com/FloeDesignTechnologies/phpcs-security-audit
• VisualCodeGrepper (VCG)
– C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for
comments indicative of insecure code
– http://sourceforge.net/projects/visualcodegrepp/
• (Plug for KlocWork from Rogue Wave, for C, C++, Java, C#)
– https://www.roguewave.com/capabilities/static-code-analysis

OTHER TOOLS

Some static analysis tools for PHP
• PHPLOC – size metrics, complexity, dependencies, structure
– https://github.com/sebastianbergmann/phploc
• Copy/Paste Detector – finds duplicated code (exact dups)
– https://github.com/sebastianbergmann/phpcpd
• PHP Depend -
– https://pdepend.org/
• PHP Mess Detector
– https://phpmd.org/
• Phan
– https://github.com/phan/phan
• Exakat
– https://www.exakat.io/
• PHPMetrics
– http://www.phpmetrics.org/

WHAT MEAN QUALI-TAY?

What do we mean by “quality”?
Concepts/words
• Reliable, well-built, tested, secure
What “observables” indicate higher quality?
Quantifiable vs. Non- Quantifiable
Download totals indicate popularity, but download trend would be more indicative.
Download totals also show developers trying out a package, not necessarily continued
usage.
Stars or Likes or ratings

Identifying a quality package
• Does it do what we think it does/expect it do to, and at what level of confidence?
• How many defects are known to exist, or have existed, in it?
– Relative to size of the package codebase (defect density)?
• How many defects are known to have been corrected, and at what level of
confidence?
• What is the rate of defect discovery? Of defect removal?
• What are the densities of various severity levels of defects?

Context!
Critical Programming errors can lead to catastrophic outages or performance
degradations that make a system unusable. Such programming errors at the system
level are 90% of production issues.
Such errors at the unit level, though far more numerous, are less than 10% of
production issues.

A SIMPLE ONE-STOP
ANALYSIS SCRIPT

A PHP script to run some QA tools
$ cat analyse-codebase.php
<?php
// analyse-codebase.php
// Runs several PHP static analysis tools; assumes *.phar names
// This could be done with a shell/batch script, instead of php.
// If running under Windows, use paths like 'C:desiredpathtofile'
// If running under *nix, use paths like '/desired/path/to/file'
// If PHP binary is not in your command path, you need to specify path to it.
// const PHP_EXE = '/the/path/to/your/PHP/executable';
const PHP_EXE = 'php';
// the location where the QA tools reside (anywhere you like)
// const QATOOLS = '/a/folder/containing/this/analyse-codebase.php/script';
const QATOOLS = 'C:Usersclark.ePHP-QA-Tools’;

PHP QA tools script: setup continued
// the directory (folder) ENCLOSING the code you wish to analyze
// const CODEBASE_ROOT = '/path/to/parent/of/your/source/code/appname';
const CODEBASE_ROOT = 'C:Usersclark.escratchpadqasamples';
// where to write the analyses OUTPUT files
const OUTPUT_DIR = 'C:Usersclark.escratchpadqa';
// used to give a name to the output files
$appName = 'samples';
// this is a folder containing the code to analyze.
// It is APPENDED to CODEBASE_ROOT, allowing for analysis of
// a particular folder within CODEBASE_ROOT), if needed.
$codebaseLocation = '';

PHP QA tools script: setup continued
// list of subfolders to exclude from counting (can be empty, but you often
should exclude some folders)
// PLEASE check this list and edit accordingly, BEFORE running the script.
// Note, for PHPLOC, any directory in the tree with a name in this array is
ignored, not just the top-level dirs.
$excludeDirs = [
'cache',
'config',
'documents',
'logs',
'public',
'sql_source',
'third_party',
'test',
'vendor',
'views',
];

PHP QA tools script: calling the tools
// becomes part of the output file names
$timestamp = date('YmdHis');
$targetPhpVersion = '7.1';
print phpLoc($appName, $timestamp, $excludeDirs, $codebaseLocation) . PHP_EOL;
print copyPasteDetector($appName, $timestamp, $excludeDirs, $codebaseLocation)
. PHP_EOL;
print pDepend($appName, $timestamp, $excludeDirs, $codebaseLocation) .
PHP_EOL;
print messDetector($appName, $timestamp, $excludeDirs, $codebaseLocation) .
PHP_EOL;
//print phpCompatibility($appName, $timestamp, $excludeDirs,
$codebaseLocation, $targetPhpVersion) . PHP_EOL;

PHP QA tools script: Lines of Code
function phpLoc($appName, $timestamp, $excludeDirs, $codebaseLocation)
{
$tool = 'phploc';
$options = '--log-xml=' . OUTPUT_DIR . "/$appName-$tool-$timestamp.xml"
. ' --log-csv=' . OUTPUT_DIR . "/$appName-$tool-$timestamp.csv"
. ' --exclude ' . implode(' --exclude ', $excludeDirs);
$output = shell_exec('php ' . QATOOLS . "/$tool.phar $options "
. CODEBASE_ROOT . "/$codebaseLocation"
. ' > ' . OUTPUT_DIR . "/$appName-$tool-$timestamp.out");
return $output;
}

PHP QA tools script: Copy/Paste Detector
function copyPasteDetector($appName, $timestamp, $excludeDirs,
$codebaseLocation)
{
$tool = 'phpcpd';
$options = '--log-pmd=' . OUTPUT_DIR . "/$appName-$tool-$timestamp.xml"
. ' --no-ansi'
. ' --no-interaction'
. ' --exclude ' . implode(' --exclude ', $excludeDirs);
return $output;
}

PHP QA tools script: PHP Depend
function pDepend($appName, $timestamp, $excludeDirs, $codebaseLocation)
{
$tool = 'pdepend';
$options = '--dependency-xml=' . OUTPUT_DIR . "/$appName-$tool-$timestamp-
dependencies.xml"
. ' --jdepend-chart=' . OUTPUT_DIR . "/$appName-$tool-$timestamp.svg"
. ' --jdepend-xml=' . OUTPUT_DIR . "/$appName-$tool-$timestamp.xml"
. ' --overview-pyramid=' . OUTPUT_DIR . "/$appName-$tool-$timestamp-
overview-pyramid.svg"
. ' --summary-xml=' . OUTPUT_DIR . "/$appName-$tool-$timestamp-
summary.xml"
. ' --coderank-mode=inheritance'
// how is this used? . ' --coverage-report=' . OUTPUT_DIR . "$appName-
$tool-$timestamp-coverage.xml"
. ' --ignore=' . implode(',', $excludeDirs);

PHP QA tools script: PHP Depend
return $output;
}

PHP QA tools script: PHP Mess Detector
function messDetector($appName, $timestamp, $excludeDirs, $codebaseLocation)
{
$tool = 'phpmd';
$ruleSets = ['cleancode', 'codesize', 'controversial', 'design', 'naming',
'unusedcode'];
foreach ($ruleSets as $ruleSet) {
$options = "text $ruleSet --reportfile "
. OUTPUT_DIR . "/$appName-$tool-$timestamp-$ruleSet.out"
. ' --exclude ' . implode(',', $excludeDirs);
// --strict: also report those nodes with a @SuppressWarnings annotation
shell_exec('php ' . QATOOLS . "/$tool.phar " . CODEBASE_ROOT .
"/$codebaseLocation $options");
print $ruleSet . PHP_EOL;
}
}

Other Resources
• PHP The Right Way - http://www.phptherightway.com/
• OWASP Tools -
https://www.owasp.org/index.php/Source_Code_Analysis_Tools
• Survive the Deep End: PHP Security (2013, but relevant) -
http://phpsecurity.readthedocs.io/en/latest/
• SonarQube – “Water Leak” approach to code quality
– https://www.sonarqube.org/

So, who is this guy?
Clark Everetts, ZCE
• Rogue Wave Software (acquired Zend October 2015)
• PHP since 2005
• Professional Services Consultant
– Architecture and Performance Audits
– PHP, Zend Framework Training
– Application Development, Best Practices, etc.
– IBM i
• clark.everetts@roguewave.com @clarkphp +ClarkEveretts

THANK-YOU
clark.everetts@roguewave.com
@clarkphp
+ClarkEveretts
Tweet: #zendcon2017
Rate, comment, get slides
https://joind.in/talk/377ec
Your feedback is invaluable!

Analysis of-quality-of-pkgs-in-packagist-univ-20171024

More Related Content

What's hot (20)

Similar to Analysis of-quality-of-pkgs-in-packagist-univ-20171024 (20)

Recently uploaded (20)

Analysis of-quality-of-pkgs-in-packagist-univ-20171024