(Added) Addition of Psalm Static Analysis (#25)

* Add Psalm and its PHPUnit plugin with corresponding test scripts

Added "vimeo/psalm" and "psalm/plugin-phpunit" as dependencies in composer.json. Corresponding test scripts "@test:psalm" and "test:psalm" have also been added to the scripts and scripts-description sections respectively. This update is part of an effort to improve code quality and error detection.

* Replace Phan with Vimeo Psalm and Psalm plugin PHPUnit in localTest.sh

The local testing script now uses Vimeo's Psalm for static analysis instead of Phan. Additionally, the Psalm PHPUnit plugin is also incorporated for more comprehensive testing and static analysis of the PHPUnit tests.

* Enable Psalm static analysis in GitHub workflow

Uncommented the section in the workflow file that runs static analysis with Psalm. This action is triggered once the Phan static analysis is successful. This modification allows for a more comprehensive code review process.

* Add new psalm.xml configuration file

The new psalm.xml file includes specific configurations for error level, schema location, unused baseline entry, unused code, and taint analysis. It also provides settings for project files, plugins, and handling of specific code issues.

* Suppress psalm warnings in Trace.php

We have added `@psalm-suppress PossiblyUnusedMethod` annotations in multiple function definitions within Trace.php. This is to disregard psalm warnings for methods which might seem unused but are actually necessary for the codebase.

* Add ForbiddenCode handler in Psalm configuration

The ForbiddenCode handler has been introduced to the Psalm configuration to enforce a project-wide prohibition of certain dangerous functions like eval(). This is aimed at enhancing the application's security and preventing accidental use of such potentially harmful functions.

* Update Psalm configuration for PossiblyUnusedMethod

The commit introduces a suppression rule in the Psalm configuration (psalm.xml) for the PossiblyUnusedMethod warning. This change eliminates the need for individual method-level suppression annotations in the code, leading to cleaner code and centralized management of suppression rules.

.github/workflows/php.yml

@@ -117,12 +117,12 @@ jobs:
         if: steps.phpstan.outcome == 'success'
         run: composer test:phan
 
-#       # This step runs static analysis with Psalm.
-#       - name: Run static analysis with psalm
-#         id: psalm
-#         if: steps.phan.outcome == 'success'
-#         run: composer test:psalm
-#
+      # This step runs static analysis with Psalm.
+      - name: Run static analysis with psalm
+        id: psalm
+        if: steps.phan.outcome == 'success'
+        run: composer test:psalm
+
 #       # This step runs Rector for code quality.
 #       - name: Run rector for code quality
 #         id: rector

composer.json

@@ -59,7 +59,9 @@
     "phpstan/phpstan": "^1.10",
     "phpstan/phpstan-phpunit": "^1.3",
     "phpunit/php-code-coverage": "^10|^11",
-    "phpunit/phpunit": "^10|^11"
+    "phpunit/phpunit": "^10|^11",
+    "psalm/plugin-phpunit": ">=0.18.4",
+    "vimeo/psalm": ">=5.22.2"
   },
   "scripts": {
     "post-update-cmd": [
@@ -74,7 +76,8 @@
       "@test:phpmd",
       "@test:infection",
       "@test:phpstan",
-      "@test:phan"
+      "@test:phan",
+      "@test:psalm"
     ],
     "test:code-style": "pint --test",
     "test:infection": "infection --min-msi=100 --min-covered-msi=100 --threads=4 --show-mutations --only-covered --formatter=progress",
@@ -83,6 +86,7 @@
     "test:phpmd": "phpmd src,tests text phpmd.xml",
     "test:phpstan": "php -d memory_limit=-1 ./vendor/bin/phpstan analyse --no-progress --no-interaction",
     "test:phpunit": "phpunit --no-coverage --no-logging",
+    "test:psalm": "psalm --no-cache --no-progress --show-info=false",
     "test:vulnerabilities-check": "php -d memory_limit=-1 ./vendor/bin/security-checker security:check"
   },
   "scripts-descriptions": {
@@ -93,6 +97,7 @@
     "test:phpmd": "Detect bugs and suboptimal code with PHP Mess Detector.",
     "test:phpstan": "Conduct PHPStan static analysis for identifying code quality issues.",
     "test:phpunit": "Execute PHPUnit tests to verify code functionality.",
+    "test:psalm": "Run Psalm to find errors and improve code quality.",
     "test:vulnerabilities-check": "Scan dependencies for known security vulnerabilities."
   }
 }

localTest.sh

@@ -23,7 +23,8 @@ for version in {81..83}; do
     rm -f composer.lock && \
     $DOCKER_CMD composer install && \
     $DOCKER_CMD composer update --with-all-dependencies && \
-    $DOCKER_CMD composer require --dev --with-all-dependencies "phan/phan":">=5.4.3"
+    $DOCKER_CMD composer require --dev --with-all-dependencies "vimeo/psalm":">=5.22.2" && \
+    $DOCKER_CMD composer require --dev --with-all-dependencies "psalm/plugin-phpunit":">=0.18.4"
 
     # Check for errors immediately after Composer commands
     if [ $? -ne 0 ]; then

psalm.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0"?>
+<psalm
+        errorLevel="1"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns="https://getpsalm.org/schema/config"
+        xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
+        findUnusedBaselineEntry="true"
+        findUnusedCode="true"
+        taintAnalysis="true"
+>
+    <projectFiles>
+        <directory name="src"/>
+        <directory name="tests"/>
+        <ignoreFiles>
+            <directory name="vendor"/>
+        </ignoreFiles>
+    </projectFiles>
+    <plugins>
+        <pluginClass class="Psalm\PhpUnitPlugin\Plugin"/>
+    </plugins>
+    <issueHandlers>
+        <MissingParamType errorLevel="error"/>
+        <UnusedClass>
+            <errorLevel type="suppress">
+                <directory name="tests"/>
+            </errorLevel>
+        </UnusedClass>
+        <ForbiddenCode errorLevel="error"/>
+        <PossiblyUnusedMethod>
+            <errorLevel type="suppress">
+                <directory name="src"/>
+            </errorLevel>
+        </PossiblyUnusedMethod>
+    </issueHandlers>
+</psalm>