#1574 - Update Composr CQC

By Chris Graham
Added 20th Feb 2014, 9:36 AM
36 views

Identifier	#1574
Issue type	Feature request or suggestion
Title	Update Composr CQC
Status	Closed (rejected)
Handling member	Chris Graham
Addon	General / Uncategorised
Description	Update the CQC to whatever the oldest security-supported version of PHP is. PHP 5.3 at the time of current writing. Make that our maintenance policy, we check against the oldest version that any webhost will legitimately have installed. Re-track Composr's minimum requirements explicitly against this moving target, rather than a minimum PHP version. Release the CQC as an independent project on github. Make sure we can check out into our main Composr repository easily, perhaps via git submodules: http://git-scm.com/book/en/Git-Tools-Submodules Tidy up the CQC API, so we have a clear way of defining rules (probably a simple .ini file) and allowing CLE parameters to choose the ruleset and make changes to that ruleset. Properly document the code annotation support (TODO's, marking files as not checked, and defining extra functions/classes that files assume are defined). Competing tools: - PHP_CodeSniffer - PHPMD - PhpStorm reporting - Zend Studio reporting - CodeLobster reporting - Compiler reports: - HHVM - Roadsend - Phalanger The CQC is different to these tools because: 1) it is not designed to be opinionated. It is expected you'll be able to maintain yourself at zero errors with it, so it shouldn't normally show unused variables etc which sometimes are there legitimately. 2) it does static type analysis 3) it has a particular focus on helping avoid security holes, with extra scanning options to show where to test 4) it does a full PHP parse. It does not rely on PHP's inbuilt tokenisation or do regexp matching, which most other tools do. Interesting potential integrations and frontends: - NetBeans plugin http://plugins.netbeans.org/plugin/42434/phpcsmd - Composer - Continuous Integration, e.g. Jenkins - Supported SimpleTest tests (like we use in Composr's test set) - Command line mode (we have this currently) - Java frontend (we have this currently) Realistically we're not going to have time for any of that (except maintaining our Java frontend and Command line mode), but maybe separate tracking issues for them.
Steps to reproduce
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 26th Nov 2014, 7:46 PM

Let's just put weight behind PhpStorm, which is really good. They're our partner now. The CQC can be for our basic internal compliance, for our own stricter set of rules, and we can forget about making it good for the wider public, because PhpStorm already do this extremely well.