phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks.
It currently has core PHP rules as well as Drupal 7 specific rules. The next planned CMS/framework is Symfony 2, which is also relevant to Moodle.
As a bonus set of rules, the tool also checks for CVE issues and security advisories related to the CMS/framework, so you can use it to track the versions of components during static code analysis.
The main reasons this project is an extension of PHP_CodeSniffer are easy integration into continuous integration systems and the ability to find security bugs that are not detected with object oriented analysis (as in RIPS or PHPMD).
phpcs-security-audit is backed by Floe design + technologies and written by Jonathan Marcil.
- Install: https://moodle.org/plugins/local_codechecker
- Git clone the GitHub project above (phpcs-security-audit)
- Follow project’s README install instructions, and also…
- Copy https://github.com/FloeDesignTechnologies/phpcs-security-audit/tree/master/Security/Sniffs/BadFunctions folder into your Moodle local/codechecker/moodle/Sniffs
- Copy https://github.com/FloeDesignTechnologies/phpcs-security-audit/tree/master/Security/Sniffs/CVE folder into your Moodle local/codechecker/moodle/Sniffs
Working in a group of developers on a large open source project like Moodle, there are times when I need to dig in and find who made a specific change to the code and, most importantly, WHY? Getting the developer’s name can help me get in contact with him/her to figure out why that piece of code was introduced. And if he/she is not available, I can infer the issue id from the commit and use the development tracking system (Moodle uses Atlassian’s Jira – the Tracker) to find out why it was introduced.
Laziness above all… I tried the GUI tools first:
- phpStorm (138.379) – When viewing a source code file, I can click on Git – Show History and get all the git commit logs of that specific file. I can press Ctrl-D and compare each one with the current version. But there is no string search for a specific change in a specific file 🙁 and no easy way to find out what commit introduced a specific line of code (as far as I know). No way to git blame 🙁 (edit: after posting this, I found out that phpStorm can, amazingly, do it: Can Git show history for selected lines?)
- gitk – Using the search tool, setting it to “Find commit: adding/removing string:” and clicking the “down arrow” while viewing the code in patch mode, I can see the list of changes, BUT I have to read through a lot of code in each commit to find the line I am looking for. Not easy 🙁
- git gui blame [file] – which was nice, but no searching, and it only got me as far as the last committer. Same as what I got from the github.com blame view for that file.
Next, the internet…
Lucky me, help came from the open source Moodle developer community. Tim Hunt, a long-time, respected UK Open University developer in the Moodle community, started throwing pearls of digested wisdom at me, which helped me figure out which commit was responsible for the specific piece of code (a string) I was looking for and when it was initially introduced into the code. Here are those pearls:
One pearl was to blame the file as of the parent (^) of the last commit that touched the line, so that the most recent edit does not hide the earlier author, and grep for the string:
git blame last-commit-hash^ path/filename | grep "string"
Looking at the results, I found the one that seemed relevant and ran:
git show "commit-hash"
Another pearl was:
git log -S 'string' path/filename
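The three pearls above, run end to end on a constructed throwaway repository so the difference between blaming at HEAD, blaming at the parent of the last commit that touched the line, and `git log -S` is visible. This is an added example, not code from the original post or from Moodle; the file lib.php, the commit messages and the MDL-00000 issue id are placeholders made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the git archaeology "pearls"
# exercised on a constructed throwaway repository. File contents, commit
# messages and the MDL-00000 issue id are made-up placeholders.
set -e

# Build a constructed repo: "needle_helper" is introduced in the second commit,
# then the third commit edits that same line (adds a parameter) so that a plain
# blame at HEAD points at the editor, not at the author who introduced it.
make_demo_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q .
        git config user.name "Demo Author"
        git config user.email "demo@example.invalid"
        git config commit.gpgsign false
        printf '<?php\nfunction a() {}\n' > lib.php
        git add lib.php
        git commit -q -m "Initial lib"
        printf '<?php\nfunction a() {}\nfunction needle_helper() {}\n' > lib.php
        git commit -q -am "MDL-00000: add needle_helper"
        printf '<?php\nfunction a() {}\nfunction needle_helper($x) {}\n' > lib.php
        git commit -q -am "Add a parameter to needle_helper"
    )
    echo "$dir"
}

# Pearl 1 + 2: blame the file as of $rev, grep for the string, take the hash of
# the commit that last touched the matching line, then "git show" it (-s and
# --format=%s keep only the subject line). Call with HEAD first, then with
# "<that-hash>^" to step behind the most recent edit of the line.
blame_subject() {
    repo=$1; rev=$2; needle=$3; path=$4
    hash=$(git -C "$repo" blame -l "$rev" -- "$path" | grep -- "$needle" \
           | cut -d' ' -f1 | sed 's/^\^//')   # strip a boundary-commit marker if present
    git -C "$repo" show -s --format=%s "$hash"
}

# Pearl 3: git log -S lists commits that changed the NUMBER of occurrences of
# the string in the file, so a commit that merely rewrites the line is skipped.
# Output is newest first; the last entry is the commit that introduced it.
find_introducing_subject() {
    repo=$1; needle=$2; path=$3
    git -C "$repo" log -S "$needle" --format=%s -- "$path" | tail -n 1
}

# Walk the chain exactly as in the post: HEAD, then last-commit-hash^, then -S.
demo() {
    repo=$(make_demo_repo)
    echo "blame at HEAD      : $(blame_subject "$repo" HEAD needle_helper lib.php)"
    last=$(git -C "$repo" blame -l HEAD -- lib.php | grep -- needle_helper | cut -d' ' -f1)
    echo "blame at last^     : $(blame_subject "$repo" "${last}^" needle_helper lib.php)"
    echo "git log -S (oldest): $(find_introducing_subject "$repo" needle_helper lib.php)"
    rm -rf "$repo"
}

demo
```

Blaming at HEAD reports "Add a parameter to needle_helper" (the cosmetic edit), blaming at that commit's parent reports "MDL-00000: add needle_helper", and `git log -S` reports only the introducing commit because the later edit did not change how many times the string occurs in the file.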
So, thank you Tim Hunt, and I hope this is useful for anyone else doing archaeological digging into open source projects using git.
The recording of our May 29th webinar with Maarten Balliauw and Mikhail Vink, PhpStorm Best Practices – The Perfect Workflow for PHP Developers, is now available on YouTube and JetBrains.tv.
In this webinar, we look at the most important everyday actions in PhpStorm IDE. Learn how to navigate between files, classes or other elements in our project, and see how we can use code autocompletion, PHPDoc, intentions and live templates to make our life as developers easier.
Published at Webinar Recording: PhpStorm Best Practices – The Perfect Workflow for PHP Developers | JetBrains PhpStorm Blog.
And also an update from JetBrains, the company that develops my favourite IDE, phpStorm, on the topic of “Using GitHub without leaving PhpStorm”