.. include:: ../../Includes.txt .. _extension-scanner: ================= Extension scanner ================= Introduction ------------ The extension scanner which has been introduced with TYPO3 core version 9 as part of the system management (formerly "install tool") provides an interactive interface to scan extension code for usage of TYPO3 core API which has been removed or deprecated. .. figure:: Images/ExtensionScanner.png :alt: Scan Extension Files in core 9.0 backend The Extension scanner in 9.0 The module can be a great help for extension developers and site maintainers when upgrading to new core versions. It can point out code places within extensions that need attention. However, the detection approach - based on static code analysis - is limited by concept: false positives/negatives are impossible to avoid. This document has been written to explain the design goals of the scanner, to point out what it can and can't do. The document should help extension and project developers to get the best out of the tool, and it should help core developers to add core patches which use the scanner. This module has been featured on the TYPO3 youtube channel: .. only:: html .. youtube:: UdIYDZgBrQU Goals and non goals ------------------- * Help extension authors quickly find code in extensions that may need attention when upgrading to newer core versions. * Extend the existing RST documentation files which are shown in the ``Upgrade Analysis`` section with additional information giving extension authors and site developers hints if they are affected by a specific change. * It is not a design goal to scan for every TYPO3 core API change. * It should later be possible to scan different languages - not only PHP - TypoScript or Fluid could be examples. * Core developers should be able to easily register and maintain matchers for new deprecations or breaking patches. * Implementation within the TYPO3 core backend has been primary goal. While it might be possible, integration into IDEs like PhpStorm has not been a design goal. Also, matcher configuration is bound to the core version, e.g. tests concerning v9 are not intended to be executed on v8. * Some of RST files that document a breaking change or deprecated API can be used to scan extensions. If those find no matches, the RST documentation files are tagged with a "no match" label telling integrators and project developers that they do not need to concern themselves with that particular change. * The extension scanner is not meant to be used on core extensions - it is not a core development helper. Limits ------ The extension scanner is based on `static code analysis `__. "Understanding and analyzing" code flow from within code itself (dynamic code analysis) is not performed. This means the scanner is basically not much more clever than a simple string search paired with some additional analysis to reduce false positives/negatives. Let's explain this by example. Suppose a static method was deprecated: .. code-block:: php [ 'numberOfMandatoryArguments' => 0, 'maximumNumberOfArguments' => 1, 'restFiles' => [ 'Deprecation-12345-DeprecateSomeMethod.rst', ], ], The array key is the class name plus method name, :php:`numberOfMandatoryArguments` is the number of arguments that must be passed to the method, :php:`maximumNumberOfArguments` is the maximum number of arguments the method accepts. The :php:`restFiles` array contains file names of :php:`.rst` file(s) that explain details of the deprecation. Now let's look at a theoretical class of an extension that uses this deprecated method: .. code-block:: php someMethod(); // No match: The method is called with too many arguments SomeUtility::someMethod('foo', 'bar'); // No match: A different method is called SomeUtility::someOtherMethod(); } } The first three method calls are classified as strong matches: the full class name is used and the method name matches including the argument restrictions. The fourth call :php:`$foo::someMethod();` is classified as a weak match and is a false positive: Class :php:`SomeOtherUtility` is called instead of :php:`SomeUtility`. The sixth method call :php:`SomeUtility::someMethod('foo', 'bar')` does not match because the method is called with two arguments instead of one argument. The "too many arguments" restriction is a measure to suppress false positives: If a method with the same name exists which accepts a different number of arguments, valid calls to the other method may be reported as false positives depending on the number of arguments used in the call. As you can see, depending on given extension code, the scanner may find false positives and it may not find matches if for instance the number of arguments is not within a specified range. The example above looks for static method calls, which are relatively reliable to match. For dynamic :php:`->` method call, a strong match on the class name is almost never achieved, which means almost all matches for such cases will be weak matches. Additionally, an extension may already have a version check around a function call to run one function on one core version and a different one on another core version. The extension scanner does not understand these constructs and would still show the deprecated call as a match, even if it was wrapped in a core version check. Extension authors ----------------- Even though the extension scanner can be a great help to quickly see which places of an extension may need attention when upgrading to a newer core version, the following points should be considered: * It should not be a goal to always have a green output of the extension scanner, especially if the extension scanner shows a false positive. * A green output when scanning an extension does *not* imply that the extension actually works with that core version: Some deprecations or breaking changes are not scanned (for example those causing too many false positives) and the scanner does not support all script/markup languages. * The breaking change / deprecation RST files shipped with a core version are still relevant and should be read. * If the extension scanner shows one or more false positives the extension author has the following options: * Ignore the false positive * Suppress a single match with an inline comment: .. code-block:: php // @extensionScannerIgnoreLine $foo->someFalsePositiveMatch('foo'); * Suppress all matches in an entire file with a comment. This is especially useful for dedicated classes which act as proxies for core API: .. code-block:: php `__. This library creates an `abstract syntax tree `__ from any given compilable PHP file. It comes with a traverser for recursive iteration over the tree that implements a visitor pattern, own visitors can be added. A single "matcher" is a visitor added to the traverser. A default visitor resolves all shortened namespaced class usages to their fully qualified name, which is a great help for our matchers. This basically means: The whole AST is traversed exactly once for each PHP file and all matchers are called for each node. Matches can then decide if they match a configured deprecation or breaking scenario. All matchers are covered by unit tests and a fixture that shows what exactly is matched. Studying the fixture can be a good way to understand the matcher. Matchers are systematically named: for method calls there is a usually one variant for dynamic and one for static calls. If for example a static method changed its argument signature by removing an argument then the according matcher class is :php:`TYPO3\CMS\Install\ExtensionScanner\Php\MethodArgumentDroppedStaticMatcher`. Single matcher configurations are pretty obvious, new ones should be added at the end. When adding matcher configurations it should be verified the match it is not already covered by some other matcher (possibly in another RST file).