I spent a portion of the day today exploring static code analyzers at work. Our primary language is PHP. Last night I spent some time searching (not exhaustively, but I did invest some time) for analysis programs. I found RATS (here) and Yasca (here). Both are multi-language scanners; I did not find one specifically for PHP. Also, RATS is geared towards security rather than general bugs.
I downloaded Yasca (version 1.2) last night, and RATS over the course of the day today. I installed both on my Macbook Pro and attacked one of the apps I am currently testing.
And immediately I'm hit with one of my Mac frustrations: since OS X is not Windows and it's not Linux, it's not always targeted for development by the open source projects. Neither of these projects is really targeted towards OS X. I got them both to run; I got real results from both of them. But I had to tweak and mess with them. I wanted a scanner for a development project, NOT another development project.
So I cranked up the Windows VMware VM and voila, Yasca works without complaint or question. Except... well, they released 1.3 since I downloaded 1.2. Ok, here we go with the downloads again. And... well... it doesn't seem to recognize the switch statement, or is that a dependency? Yes, that's a dependency: PHPLint is spitting out some messages that aren't quite right. Ok, muck around with that and... ARRGGH.
At this point I ran RATS. It found a couple of security complaints. That's it. It was fast, but it didn't do what I wanted. And again, to be fair, it wasn't DESIGNED to do what I was actually looking for....
For the sake of clarity, I'm not knocking either of these products. I'm sure that after investing a little more time in the installations and configurations, both would provide me with solid, useful information. RATS found legitimate security issues. Yet Another Static Code Analyzer has an extensible framework that handles multiple plug-ins and languages and appears very flexible. Yasca also reported on several best-practices issues in our code that deserve closer inspection.
My issue is that, for such a widely deployed language, there appear to be very few products to inspect PHP code. After a couple of hours of repeated and occasionally recursive frustration, I dropped back to PHPXref, a cross-referencing documentation application for PHP. It creates a fairly detailed report of the source code, methods in classes, linked source code, etc.
I'm starting to look forward to my eventual migration to Java/Groovy for some of the bigger applications we need to do.