phpcs-security-audit > Add Security ruleset to phpcs #345

mihai-stancu · 2021-02-14T02:04:09Z

Hello,

I'd like to propose the addition of a phpcs security ruleset provided by FloeDesignTechnologies here.

Approach

Since it's a phpcs ruleset it's not a standalone command so it cannot be installed via phar-download or composer-bin-plugin so I used composer-global-install which incidentally also installs squizlabs/PHP_CodeSniffer as a dependency.

Drawbacks

The package also requires dealerdirect/phpcodesniffer-composer-installer which normally would configure phpcs to recognize the new ruleset but since it does that by discovering where phpcs is installed via composer it will not discover the correct phpcs binary (from /tools). So I also executed a sh line to correcly configure phpcs.

There seem to be a lot of drawbacks to this approach. The only alternative I see would be downloading rulesets separately. Please advise.

jakzal · 2021-02-16T13:59:04Z

Since it's a phpcs ruleset it's not a standalone command so it cannot be installed via phar-download or composer-bin-plugin so I used composer-global-install which incidentally also installs squizlabs/PHP_CodeSniffer as a dependency.

Why composer-bin-plugin cannot be used?

mihai-stancu · 2021-02-16T21:18:52Z

Since it's a phpcs ruleset it's not a standalone command so it cannot be installed via phar-download or composer-bin-plugin so I used composer-global-install which incidentally also installs squizlabs/PHP_CodeSniffer as a dependency.

Why composer-bin-plugin cannot be used?

Apologies, I didn't fully understand how composer-bin-plugin worked and made some wrong assumptions. It can be done via composer-bin-plugin, I'll update the PR.

I could also change phpcs from phar-download to composer-bin-plugin so that:

they share the same namespace
phpcs only gets installed once
the dealerdirect/phpcodesniffer-composer-installer autodiscovery would work
we would not need to use the sh configuration thing

jakzal · 2021-02-16T21:20:13Z

I could also change phpcs from phar-download to composer-bin-plugin

Please, do that. Thanks!

mihai-stancu · 2021-02-16T22:17:37Z

Note: phpcs is actually already installed as a dependency of phpinsights but I think it's just using phpcs, not integrating with it.

Should the namespace I'm adding be phpcs because I'm adding phpcs + some rulesets?

mihai-stancu · 2021-02-16T22:19:01Z

I'm having a bit of trouble after running composer global bin phpcs require pheromone/phpcs-security-audit manually, it doesn't have dealerdirect/phpcodesniffer-composer-install inside the namespace although it's a dependency.

mihai-stancu · 2021-02-16T22:39:35Z

My bad, v2.0.1 doesn't actually require dealerdirect/phpcodesniffer-composer-install which is why it was never installed / triggered.

jakzal · 2021-02-17T11:13:00Z

Looks good. Ready?

jakzal · 2021-02-17T11:14:03Z

@mihai-stancu you might want to clean up your branch. Perhaps rebase?

Also, it seems that your commiter email address is not connected to your github account.

mihai-stancu · 2021-02-17T15:37:07Z

Hey,

I experimented a bit last night and was waiting for the Scrutinizer check to pass in the morning.

I'll rebase soon. 10ks.

mihai-stancu · 2021-02-17T19:36:42Z

The PR looks clean now after the rebase. All good?

jakzal · 2021-02-18T09:48:07Z

@mihai-stancu can you do one more thing for me and run bin/devkit.php update:readme and commit changes please?

mihai-stancu · 2021-02-18T10:41:03Z

I've done that, but there's a catch -- by adding the phpcodesniffer-composer-install plugin explicitly as a tool in the phpcs.json file it gets automatically added to the README.

Is there a way to specify that it shouldn't?

jakzal · 2021-02-18T11:20:38Z

That's fine. Keep it simple.

mihai-stancu · 2021-02-18T13:13:21Z

So should we let the phpcodesniffer-composer-install line appear in the README (i.e.: should I rerun the devkit and update the README)?

jakzal · 2021-02-18T13:26:30Z

Yes, please. Let's not make exceptions. We already list other "pre-installation" type of tools.

jakzal · 2021-02-18T14:55:08Z

Thank you @mihai-stancu 🍺

@mihai-stancu

**Breaking changes**: * Install larastan in a separate namespace with its own phpstan installation. Phpstan installation with larastan is available as . jakzal/toolbox#349 Updates: * psalm (4.6.0 -> 4.6.1) jakzal/toolbox#351 New tools: * phpcs-security-audit - [Finds vulnerabilities and weaknesses related to security in PHP code](https://github.com/FloeDesignTechnologies/phpcs-security-audit) jakzal/toolbox#345 (thank you @mihai-stancu) * phpcodesniffer-composer-install - [Easy installation of PHP_CodeSniffer coding standards (rulesets).](https://github.com/Dealerdirect/phpcodesniffer-composer-installer) jakzal/toolbox#345 (thank you @mihai-stancu)

jakzal approved these changes Feb 17, 2021

View reviewed changes

phpcs-security-audit > Add Security ruleset to phpcs

8d77599

jakzal merged commit b2e622a into jakzal:master Feb 18, 2021

jakzal mentioned this pull request Feb 19, 2021

Update toolbox 1.40.1 -> 1.41.0 jakzal/phpqa#284

Merged

Uh oh!

phpcs-security-audit > Add Security ruleset to phpcs #345

phpcs-security-audit > Add Security ruleset to phpcs #345

Uh oh!

Conversation

mihai-stancu commented Feb 14, 2021

Approach

Drawbacks

Uh oh!

jakzal commented Feb 16, 2021

Uh oh!

mihai-stancu commented Feb 16, 2021

Uh oh!

jakzal commented Feb 16, 2021

Uh oh!

mihai-stancu commented Feb 16, 2021

Uh oh!

mihai-stancu commented Feb 16, 2021

Uh oh!

mihai-stancu commented Feb 16, 2021

Uh oh!

jakzal commented Feb 17, 2021

Uh oh!

jakzal commented Feb 17, 2021

Uh oh!

mihai-stancu commented Feb 17, 2021

Uh oh!

mihai-stancu commented Feb 17, 2021

Uh oh!

jakzal commented Feb 18, 2021

Uh oh!

mihai-stancu commented Feb 18, 2021

Uh oh!

jakzal commented Feb 18, 2021

Uh oh!

mihai-stancu commented Feb 18, 2021

Uh oh!

jakzal commented Feb 18, 2021

Uh oh!

jakzal commented Feb 18, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants