N°6644 - Tests: Add static analysis for PHP (#536)

tests/php-static-analysis/config/README.md

@@ -0,0 +1,29 @@
+## Disclaimer
+DON'T modify the following files without knowledge and discussing with the team:
+- base.dist.neon
+- for-package.dist.neon
+- for-module.dist.neon
+
+## Purpose of these files
+### base.dist.neon
+This configuration file contains the common parameters for all analysis, whereas it is a package, a module or something specific. Among others:
+- Rules level for analysis
+- PHP version to compare
+- Necessary files for autoloaders discovery and such
+- ...
+
+This file should not be modified for your specific needs, you should always include it and override the desired parameters. \
+See how it is done in `for-package.dist.neon` and `for-module.dist.neon` or on the documentation [here](https://phpstan.org/config-reference#multiple-files).
+
+### for-package.dist.neon
+This configuration file contains the parameters to analyse a package (iTop core, modules, third-party libs).
+
+### for-module.dist.neon
+This configuration file contains the parameters to analyse one or more modules only.
+
+## How / when can I modify these files?
+**You CAN'T!** \
+Well, unless there is a good reason and you talked about it with the team. But you should never modify them for a specific need on your local environment.
+
+- If you have a particular need for your local environment (eg. increase memory limit, change rules levels, analyse only a specific folder), check the [Configuration section](../#configuration) of the main README.md.
+- If you feel like there is need for an adjustment in the default configurations, discuss it with th team and make a PR.

tests/php-static-analysis/config/base.dist.neon

@@ -0,0 +1,32 @@
+includes:
+    - php-includes/set-php-version-from-process.php # Workaround to set PHP version to the on running the CLI
+    # for an explanation of the baseline concept, see: https://phpstan.org/user-guide/baseline
+    #baseline HERE DO NOT REMOVE FOR CI 
+
+parameters:
+    level: 0
+    #phpVersion: null                   # Explicitly commented as we rather use the detected version from the above include (`php-includes/target-php-version.php`)
+    editorUrl: 'phpstorm://open?file=%%file%%&line=%%line%%'    # Open in PHPStorm asit is Combodo's default IDE
+    bootstrapFiles:
+        - ../../../approot.inc.php
+        - ../../../bootstrap.inc.php
+
+    scanFiles:
+        # Files necessary as they contain some declarations (constants, classes, functions, ...)
+        - ../../../approot.inc.php
+        - ../../../bootstrap.inc.php
+    excludePaths:
+        analyse:
+            # For third-party libs we should analyse them in a dedicated configuration as we can't improve / clean them which would
+            # prevent us from raising the rules level as we improve / clean our codebase
+            - ../../../lib              # Irrelevant as we only want to analyze our codebase
+            - ../../../node_modules     # Irrelevant as we only want to analyze our codebase
+        analyseAndScan:
+            #- ../../../data            # Left and commented on purpose to show that we want to analyse the generated cache files
+            # Note 1: We can analyse these folders as if a PHP file requires another PHP element declared in an XML file, it won't find it. So we rely only on `env-production`
+            # Note 2: Only the options selected during the setup will be analysed correctly in `env-production`. For unselected options, we still want to ignore them during the analysis as they would only give a false sentiment of security as their XML PHP classes / snippets / etc would not be tested.
+            - ../../../data/production-modules  # Irrelevent as it will already be in `env-production` (for local run only, not useful in the CI)
+            - ../../../datamodels       # Irrelevent as it will already be in `env-production`
+            - ../../../extensions       # Irrelevent as it will already be in `env-production` (for local run only, not useful in the CI)
+            - ../../../tests            # Exclude tests for now
+            - ../../../toolkit          # Exlclude toolkit for now

tests/php-static-analysis/config/for-module.dist.neon

@@ -0,0 +1,15 @@
+includes:
+    - base.dist.neon
+
+parameters:
+    paths:
+        # We just want to analyse the module folder(s), either:
+        # - Create your own `for-module.neon` file, include this one and override this parameter (see https://phpstan.org/config-reference#multiple-files)
+        # - Pass the module folder(s) in the commande line (see https://phpstan.org/config-reference#analysed-files)
+    scanDirectories:
+        # Unlike for `for-package.dist.neon`, here we need to scan all the folders to discover symbols, but we only want to analyse the module folder.
+        # We initially thought of doing it through the `excludePaths` param. by excluding everything but the module folder, but it doesn't seem to be possible, because it uses the `fnmatch()` function.
+        # As a workaround, we list here all the folders to scan.
+        #
+        # Scan the whole project and rely on the `excludePaths` param. to filter the unnecessary
+        - ../../..

tests/php-static-analysis/config/for-package.dist.neon

@@ -0,0 +1,7 @@
+includes:
+    - base.dist.neon
+
+parameters:
+    paths:
+        # We want to analyse almost the whole project, so we do a negative selection between the `paths` and `excludePaths` (see base.dist.neon) parameters
+        - ../../../

tests/php-static-analysis/config/php-includes/set-php-version-from-process.php

@@ -0,0 +1,24 @@
+<?php
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */
+
+declare(strict_types = 1);
+
+/**
+ * This file is only here to allow setting a specific PHP version to run the analysis for without
+ * having to explicitly set it in the .neon file. This is the best way we found so far.
+ *
+ * @link https://phpstan.org/config-reference#phpversion
+ *
+ * Usage: Uses the CLI PHP version by default, which would work fine for
+ *   - The CI as the docker image has the target PHP version in both CLI and web
+ *   - The developer's IDE as PHPStorm also has a default PHP version configured which can be changed on the fly
+ */
+
+// Default PHP version to analyse is the one running in CLI
+$config = [];
+$config['parameters']['phpVersion'] = PHP_VERSION_ID;
+
+return $config;