Published 17/02/2022 at 11:29pm

Static Analysis - Boring Name, Powerful Game

We can use some tools to fix our code; poorly formatted code, find code which is overly complex, check for duplicate code etc. This is really powerful, it will make code easier to understand and easier to maintain. Let's give our code the respect it deserves.

What is Static Analysis?

Analysis of software that is performed without executing the program or programs. This means that you take the source code, run tests and analysis on it and the analysis tool knows how to interpret the code.

Some examples you may already know

Having much experience with PHP I'll talk you through PHP examples.

  • phpmd (PHP Mess Detector)
  • phpcs (PHP Code Sniffer)
  • RIPS (Security Analysis)
  • PHAN (Many things)

How do I use them

  1. Choose the codebase
  2. Run the analysis tool
  3. Review the output
  4. Fix or patch it (some tools will do it for you)

Concentrating on Phan

As I write this article phan requires a version of PHP 7.1+

  • "Phan attempts to prove incorrectness rather than correctness"
  • It appears to have a lot of crossover with phpmd
  • Highlights some potential security problems
  • Highlights potentially misinterpreted statements
  • In the past was really helpful PHP 7/PHP 5 Backwards Compatibility although hopefully you don't need this now

Setting it Up

Installing system requirements

There are many ways to install it. This is a really easy setup but others such as composer are just as easy.

https://github.com/phan/phan/wiki/Getting-Started

I'm going to use guide through the brew method. Brew is a package manager - if you don’t have it then you can download it using the link below

https://brew.sh/

Then run these commands. Replace your PHP version as appropriate. e.g. PHP 7.2 would be php72

brew update
brew install php74 php74-ast phan
brew -h

A little note, incase you wondered what you were installing, ast stands for abstract syntax tree (i.e. the structure of the code) and is an intermediary structure in the compilation process.

Getting a list of files

Phan needs a list of files so let’s get all of the file which have PHP in them

grep -R -l "<?php" * > filelist.txt
sed -n "/vendor/\!p" filelist.txt > filelist_excluding_vendor.txt

Run PHAN

phan -f filelist_excluding_vendor.txt -o iaptus_phan_output.csv -b -p -m csv
  • -f = file list
  • -o = output file name
  • -b = backward compatibility checks
  • -p = progress bar
  • -m = output mode (I’ve chosen csv so I can import into a database and interrogate more easily but there are plenty more depending on the output you’d prefer)

Make Sense Of The Output

Further manipulation may be required in order to put the output in to a more queryable format. Consider grouping the same problem so that you can fix all of the same type rather than one by one. It make more sense to do it file by file if you want to limit the impact of the area of the system.

Fix Stuff

  • Once you found and fixed one, use the same method to fix the rest
  • Run the tool again to validate that problem has gone

Note: Use an IDE to fix the issues for you (e.g. PHPStorm has an option "Run inspection by name") which will work for some of the inspections. Have a play and see what it can do.

Recap & Taking it further

  • Run, review, fix, repeat
  • Strongly consider grouping the report output to work through the problems highlighted in a more efficient way
  • IDEs can do your work for you and if not it’ll at least find all occurrences
  • Install IDE extensions for phpmd and phpcs to highlight issues in the file you’re working on
  • Consider adding checks to your CI suite to avoid problems in the first place or to enforce a standard

Thanks and I hope you found it useful.

© Louis Rickman 2025