Generate call-graph for a PHP web application-Part 1

Reddevil
Feb 22, 2021

Today I want to go through implementing a static analysis that generates the call-graph for a PHP web application. I created a repository for our little project and pushed all the source code related to it. To generate a call-graph, we first need information about the functions and methods defined in the web application under analysis. In this post, I want to implement this part from scratch using the php-parser library in Go.

The php-parser library parses the given PHP files and returns an abstract syntax tree. An abstract syntax tree (AST) is a tree representation of the source code under analysis. We need to iterate over the nodes of the AST, look for function and method definitions, and record their information. First, let's start by writing the main function of our static analysis (SA). I will explain each section of the main function.

The main function of our static analysis

The main function of the SA takes the path to the PHP project as an argument. From line 3 to 15, we iterate over all the files that exist in the project path, check for all the possible files that can have PHP code in them, and add them to the list of files that need to be analyzed.

In line 24, we run the analysis on each of the files that we recorded in the previous section. The end of our main function prints out all the defined functions and methods in their respective files.

The next function to look at is method_def_analysis, which is responsible for instantiating the parser from the php-parser library, parsing each file, and passing the AST to our static analysis.
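The file-discovery step of the main function described above can be sketched as follows. This is an added example, not the code from the original post or its repository: the names `collectPHPFiles`, `hasPHPTag` and `phpExts`, the extension list, and the open-tag sniffing of files with other extensions are assumptions, chosen so that PHP embedded in templates is not silently left out of the call-graph.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// phpExts is an assumed extension list (not from the original post); extend it per project.
var phpExts = map[string]bool{".php": true, ".phtml": true, ".inc": true, ".module": true}

// hasPHPTag reports whether the first 4 KiB of a file contain a PHP open tag.
// It over-approximates on purpose: a stray match only costs one extra parse.
func hasPHPTag(path string) bool {
	f, err := os.Open(path)
	if err != nil {
		return false
	}
	defer f.Close()
	buf := make([]byte, 4096)
	n, _ := io.ReadFull(f, buf) // a short read is fine; n is still valid
	return bytes.Contains(buf[:n], []byte("<?php")) || bytes.Contains(buf[:n], []byte("<?="))
}

// collectPHPFiles walks root and returns every regular file worth handing to the parser.
func collectPHPFiles(root string) ([]string, error) {
	var files []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		// Propagate walk errors; skip directories and symlinks (err is nil for those).
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		if phpExts[strings.ToLower(filepath.Ext(path))] || hasPHPTag(path) {
			files = append(files, path)
		}
		return nil
	})
	return files, err
}

func main() {
	if len(os.Args) == 2 {
		fmt.Println(collectPHPFiles(os.Args[1]))
	}
}
```

A file missed here never reaches the parser, so every function it defines is absent from the resulting call-graph; erring toward parsing too many files is the safer default.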

In method_def_analysis, lines 3 to 6 instantiate the parser and parse the given PHP file. Next, we point to the root node of the AST and invoke our analysis, which is called defvisit, on the root node; it iterates over the nodes of the AST.

To implement our analysis, we need to implement a function called EnterNode, which will be invoked whenever the analysis encounters a new node while iterating over the AST of the PHP file.

In this analysis, we only want to record the names of the functions and methods defined in the given PHP application. As a result, in this function, we implement a set of switch-case statements and check whether the encountered node is a function (“stmt.Function”) or a method (“stmt.ClassMethod”). When we encounter a function or a method, we record its name in the respective array. After finishing the analysis, the main function dumps the content of the arrays into two files.

The source-code for this analysis is available here:
