
tyler36/psalm-demo


Psalm

Overview

Homepage: https://psalm.dev/

Requires:

  • PHP >= 7.4
  • Composer

Installation

  1. Install via Composer (as a dev dependency).
composer require --dev vimeo/psalm
  2. Generate the config file (psalm.xml).
./vendor/bin/psalm --init

Usage

  • To scan files
vendor/bin/psalm
  • To do a dry run of changes that can be fixed:
# Diff of fixable errors using psalter
vendor/bin/psalter --issues=all --dry-run
# Diff of fixable errors using psalm
vendor/bin/psalm --alter --issues=all --dry-run
  • To apply the fixes, drop --dry-run; --issues=all fixes every fixable issue type (pass a comma-separated list of issue names instead to limit the changes)
# Fix issues with psalter
vendor/bin/psalter --issues=all
# Fix issues with Psalm's binary
vendor/bin/psalm --alter --issues=all

Configuration

<?xml version="1.0"?>
<psalm>
    <projectFiles>
        <directory name="src" />
    </projectFiles>
</psalm>

Plugins

Plugins list: https://packagist.org/?type=psalm-plugin

Code Issues

  • There are 8 error levels (1-8), where 1 is the most strict and 8 the least strict. The level is set with the errorLevel attribute in psalm.xml.
  • The default is 2 (psalm --init may pick a different starting level based on the code it scans).

Each issue is reported at one of three levels:

  • error: Code is problematic. Psalm prints a message and returns a non-zero exit status (this is what fails a CI job).
  • info: Psalm prints a message but the exit status is unaffected.
  • suppress: Psalm ignores the code issue.
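The per-issue levels above are set in psalm.xml under issueHandlers. The following is an added example config, not the psalm.xml from this repository: it assumes a src directory, a legacy subdirectory named src/Legacy, and a baseline file named psalm-baseline.xml, and shows one issue downgraded to info globally, one suppressed only for the legacy code, and the taint issue kept as a hard error.

```xml
<?xml version="1.0"?>
<!-- Added example config (assumed layout: src/, src/Legacy/, psalm-baseline.xml). -->
<psalm
    xmlns="https://getpsalm.org/schema/config"
    errorLevel="2"
    errorBaseline="psalm-baseline.xml"
>
    <projectFiles>
        <directory name="src" />
        <ignoreFiles>
            <directory name="vendor" />
        </ignoreFiles>
    </projectFiles>

    <issueHandlers>
        <!-- info: still printed, but does not fail the run -->
        <MissingReturnType errorLevel="info" />

        <!-- suppress: ignored, but only inside the legacy directory -->
        <UndefinedMethod>
            <errorLevel type="suppress">
                <directory name="src/Legacy" />
            </errorLevel>
        </UndefinedMethod>

        <!-- error: an untrusted value reaching a SQL sink always fails the run
             (only reported when Psalm is run with taint analysis enabled) -->
        <TaintedSql errorLevel="error" />
    </issueHandlers>
</psalm>
```

Scope suppressions as narrowly as the directory or file elements allow; a global suppress for a security-relevant issue such as TaintedSql hides real findings from every future run.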

Ignoring issues

  • Add a @psalm-suppress docblock to the function or class, or directly before the offending statement.
/**
 * @psalm-suppress InvalidReturnType
 */
function toText(int $a) : string {
  return $a; // declared string, returns int
}
  • The README also uses PHPStan-style ignore markers before or on the line; Psalm's own documented form for ignoring every issue on a statement is @psalm-suppress all in the docblock before it.
/** @phpstan-ignore-next-line */
echo $foo;

echo $foo; /** @phpstan-ignore-line */

Generate a baseline

A baseline records all current code issues so Psalm only reports new ones. Commit the baseline so every developer and CI job uses the same one.

  • Generate a baseline.
vendor/bin/psalm --set-baseline=psalm-baseline.xml
  • Use baseline via CLI
vendor/bin/psalm --use-baseline=psalm-baseline.xml
  • Or set baseline via configuration file.
<?xml version="1.0"?>
<psalm
       ...
       errorBaseline="./path/to/your-baseline.xml"
>
   ...
</psalm>
  • After fixing errors, update the baseline to remove the error
vendor/bin/psalm --update-baseline

To ignore the current baseline:

vendor/bin/psalm --ignore-baseline

Security analysis

Psalm can trace untrusted data through your code and report where it reaches a sensitive sink (taint analysis).

  • Taint sources: untrusted data controlled by users ($_GET['id'], $_POST['email'] ...).
  • Taint sinks: places that must NOT receive untrusted data (HTML output, SQL queries via PDO, shell commands ...).

For example, tainted SQL (user input concatenated into a query):

<?php

class A {
    public function deleteUser(PDO $pdo) : void {
        $userId = self::getUserId();
        // TaintedSql: the $_GET value flows unescaped into the query
        $pdo->exec("delete from users where user_id = " . $userId);
    }

    public static function getUserId() : string {
        return (string) $_GET["user_id"];
    }
}

@see https://psalm.dev/docs/security_analysis/

Run analysis:

vendor/bin/psalm --taint-analysis

If you are using a baseline, disable it or record taint findings in a separate baseline file (then pass that file with --use-baseline on later taint runs, as with the normal baseline):

# Disable baseline
vendor/bin/psalm --taint-analysis --ignore-baseline
# Record the current taint findings in a separate baseline file
vendor/bin/psalm --taint-analysis --set-baseline=psalm-tainted-baseline.xml
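The example above shows only the vulnerable side. The block below is an added example, not code from this repository or from Psalm: it puts the vulnerable query next to a prepared-statement version, and shows the three docblock annotations Psalm documents for extending taint analysis (@psalm-taint-source, @psalm-taint-sink, @psalm-taint-escape) on hypothetical helpers (Transport, readMessage, rawQuery, toIntLiteral are all assumed names). Running vendor/bin/psalm --taint-analysis on it should report TaintedSql for the two lines marked as such and nothing for the hardened paths.

```php
<?php
declare(strict_types=1);

// Added example (not from tyler36/psalm-demo). PHP 7.4 compatible.

final class UserRepository
{
    /** @var PDO */
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Vulnerable: $_GET is a built-in taint source and PDO::exec() a built-in
    // sql sink, so Psalm reports TaintedSql on the exec() call.
    public function deleteUserUnsafe(): void
    {
        $userId = (string) $_GET['user_id'];
        $this->pdo->exec("DELETE FROM users WHERE user_id = " . $userId); // TaintedSql
    }

    // Hardened: the untrusted value is bound as a parameter and never becomes
    // part of the SQL text, so no taint reaches the sink.
    public function deleteUserSafe(): void
    {
        $userId = (string) $_GET['user_id'];
        $stmt = $this->pdo->prepare('DELETE FROM users WHERE user_id = :id');
        $stmt->execute([':id' => $userId]);
    }
}

// Hypothetical message transport whose payload comes from another system.
interface Transport
{
    public function read(): string;
}

/**
 * Custom taint source: Psalm has no way to know a Transport payload is
 * attacker-controlled, so the annotation tells it to track the return value
 * exactly like $_GET.
 *
 * @psalm-taint-source input
 */
function readMessage(Transport $transport): string
{
    return $transport->read();
}

/**
 * Custom taint sink: a hypothetical wrapper that interpolates $sql raw.
 * Anything tainted that reaches $sql is reported as TaintedSql.
 *
 * @psalm-taint-sink sql $sql
 */
function rawQuery(PDO $pdo, string $sql): void
{
    $pdo->exec($sql);
}

/**
 * Escape function: declares the return value safe for sql sinks. This is
 * sound here only because an int cast leaves nothing but digits and a sign;
 * annotating a function that does not actually neutralise the data silences
 * a real finding.
 *
 * @psalm-taint-escape sql
 */
function toIntLiteral(string $value): string
{
    return (string) (int) $value;
}

function demo(PDO $pdo, Transport $transport): void
{
    $tenant = readMessage($transport);

    // Source -> sink with no escape in between: reported.
    rawQuery($pdo, "SELECT * FROM accounts WHERE tenant = '" . $tenant . "'"); // TaintedSql

    // Source -> escape -> sink: not reported.
    rawQuery($pdo, "SELECT * FROM accounts WHERE tenant = " . toIntLiteral($tenant));
}
```

Treat @psalm-taint-escape the way you would treat a suppression: review each one in code review, because it is an assertion about data safety that Psalm takes on trust.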

VsCode

Extension ID: getpsalm.psalm-vscode-plugin (VS Code Marketplace). Example settings.json fragment:

  "[php]": {
    "editor.formatOnSave": true,
    "editor.defaultFormatter": "getpsalm.psalm-vscode-plugin"
  },
