
Evaluate Tide, Psalm, PHPStan, etc #54

Open
iandunn opened this issue Apr 27, 2021 · 8 comments
Labels
question Further information is requested

Comments

@iandunn
Member

iandunn commented Apr 27, 2021

Writing custom sniffs for PHPCS seems relatively difficult, and there are some modern tools like Tide, Psalm and PHPStan.

Would sniff development be easier in those? Maybe for some things like security, but not others? If it is better, it may not be worth migrating existing sniffs, but it could be a good option for future sniffs.

xref https://make.wordpress.org/meta/2021/04/27/automatically-catching-bugs-in-plugins/#comment-9144, https://make.wordpress.org/meta/2021/04/27/automatically-catching-bugs-in-plugins/#comment-9150

@iandunn iandunn added the question Further information is requested label Apr 27, 2021
@iandunn iandunn added this to the 1: Create Plugin Standard milestone Apr 27, 2021
@iandunn
Member Author

iandunn commented Apr 27, 2021

Even if we don't use them for custom sniffs, they may be useful for other things, like detecting code that's likely to produce a run-time fatal.

@iandunn iandunn changed the title Evaluate Psalm, PHPStan, etc Evaluate Tide, Psalm, PHPStan, etc Apr 27, 2021
@iandunn
Member Author

iandunn commented Apr 28, 2021

Also PHP-Parallel-Lint and php -l (although the latter is already in use by an SVN pre-commit hook, IIRC).

@iandunn
Member Author

iandunn commented May 26, 2021

https://github.com/phan/phan has a similar philosophy to this project, but doesn't seem to have any security-focused stuff.

https://github.com/webarx-security/wpbullet is specific to WP and security, but doesn't look active since the initial release.

@iandunn
Member Author

iandunn commented May 26, 2021

I got Psalm roughly working in the psalm branch, and it catches some things, but not as many as I expected. Unless I've got it set up wrong, it's not catching anything in our sample .inc files, or WPCS'.

Security analysis is a secondary concern for them, so we may be better off w/ a security-focused tool like sonarqube ?

There's no WP integration, though, and it could be a lot of work to create one (hi @dingo-d!). If we did though, the underlying SAST seems like it might be the most sophisticated and well-supported out there.

There may be other folks in the community who'd also benefit, and we might be able to share the workload. Core could also benefit (cc @whyisjake). They acquired RIPS last year, who've contributed a lot to WP security in the past. They also ran CodeRisk (now offline), which had some very similar functionality to what we're trying to build here.

@iandunn
Member Author

iandunn commented May 27, 2021

https://github.com/exakat/php-static-analysis-tools lists a ton of tools

@iandunn
Member Author

iandunn commented May 28, 2021

I played around w/ sonarqube in the sonarqube branch. It feels more promising than Psalm, but I also wasn't able to get it to detect a lot of things it should.

It might be that we'd have to write an extension (in Java) for it to understand that, e.g., add_action( 'foo', 'bar' ) results in bar() being executed.
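To illustrate the gap described in the comment above, here is an added toy analysis (not code from this project or from SonarQube) run over a constructed WordPress plugin snippet: a naive call graph sees every hook callback as an unreferenced function, while a hook-aware pass that resolves `add_action`/`add_filter` string callbacks treats them as entry points. It only handles string-literal callbacks; array and closure callbacks, which a real extension would also need to model, are out of scope here.

```python
import re

# Constructed sample plugin code, not taken from the thread or any real plugin.
SAMPLE_PHP = r"""<?php
add_action( 'init', 'myplugin_init' );
add_filter( 'the_content', 'myplugin_filter_content', 10, 1 );
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );
function myplugin_init() { myplugin_helper(); }
function myplugin_helper() {}
function myplugin_filter_content( $content ) { return $content; }
function myplugin_handle_save() {}
function myplugin_unused() {}
"""

# add_action( 'hook', 'callback' ... ) / add_filter( ... ) with string-literal callbacks.
HOOK_RE = re.compile(
    r"\badd_(?:action|filter)\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]"
)
FUNC_DEF_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")
CALL_RE = re.compile(r"\b(\w+)\s*\(")


def hook_callbacks(src):
    """Map each hook name to the function registered for it by string name."""
    return {hook: cb for hook, cb in HOOK_RE.findall(src)}


def defined_functions(src):
    return set(FUNC_DEF_RE.findall(src))


def direct_calls(src):
    """Names invoked with call syntax; definitions are masked so they don't count."""
    masked = FUNC_DEF_RE.sub("function __def__(", src)
    return set(CALL_RE.findall(masked)) - {"__def__"}


def unreferenced_naive(src):
    """What a hook-unaware call graph reports as never called."""
    return defined_functions(src) - direct_calls(src)


def unreferenced_hook_aware(src):
    """Same report once WP hook registrations are treated as call sites."""
    return unreferenced_naive(src) - set(hook_callbacks(src).values())


if __name__ == "__main__":
    print("hooks:", hook_callbacks(SAMPLE_PHP))
    print("naive unreferenced:", sorted(unreferenced_naive(SAMPLE_PHP)))
    print("hook-aware unreferenced:", sorted(unreferenced_hook_aware(SAMPLE_PHP)))
```

The three hook callbacks that the naive pass dismisses as dead code are exactly the request-reachable entry points a security analysis must start from.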

@dingo-d
Member

dingo-d commented May 28, 2021

I had tons of duplications on the text-domain strings, which you just cannot replace with a variable or a constant.

SQ would benefit from a WP ruleset, but I never got the time to play around with it (and I don't know java 😂)
