[1.0.x] PHP Compatibility Scanner [D10]

Created on 28 June 2025, 15 days ago

## Project Description

**Project:** PHP Compatibility Scanner
**Project page:** https://www.drupal.org/project/php_scanner →
**Branch applying for:** 1.0.x

### What this project does

The PHP Compatibility Scanner module helps Drupal 10 site administrators proactively identify PHP version compatibility issues before upgrading their PHP version. This is particularly useful for sites with many custom and contributed modules that might use deprecated or removed PHP functions.

The module automatically detects the current PHP version and scans for compatibility with the next version (e.g., from PHP 8.1 to PHP 8.2). It provides a simple one-click interface for scanning contributed modules, custom modules, or both.

### How it differs from similar projects

This module is unique in the Drupal ecosystem as there are no other modules that specifically focus on PHP version compatibility scanning. While the Upgrade Status module helps with Drupal version upgrades, this module specifically addresses PHP version compatibility - a different but equally important concern for site maintenance.

### Key features

- **Automatic PHP version detection** - Detects current version and targets next available version
- **Module type selection** - Allows scanning contributed modules, custom modules, or both
- **Batch processing** - Uses Drupal's Batch API to handle large codebases without timeouts
- **Detailed reporting** - Shows file-specific issues with line numbers and descriptions
- **Industry-standard tools** - Uses PHP_CodeSniffer with PHPCompatibility rules for accurate detection
- **User-friendly interface** - Clean admin interface with modal dialogs for detailed issue viewing

### Technical implementation

The module uses established, industry-standard tools (PHP_CodeSniffer with PHPCompatibility ruleset) rather than implementing custom PHP parsing. This ensures accuracy and maintains compatibility with PHP ecosystem standards.

### Security measures implemented

- **Access control**: Requires "administer site configuration" permission for all functionality
- **Input validation**: All form inputs validated through Drupal's Form API, module names sanitized
- **Command execution security**: Shell commands use escapeshellarg() for all arguments, no user input directly in commands
- **File system access**: Limited to module directories within Drupal installation, uses FileSystemInterface::realpath() for path validation
- **Output escaping**: All dynamic output properly escaped in Twig templates, no raw HTML output
- **No elevated privileges**: External tools (PHP_CodeSniffer) run with same privileges as web server
- **State management**: Uses Drupal's State API for secure data storage, no sensitive data in plain text

### Potential security considerations addressed

The module executes shell commands to run PHP_CodeSniffer, but implements these protections:
- All command arguments are escaped using escapeshellarg()
- No user input is directly passed to shell commands
- Commands are constructed safely with validated, internal parameters only
- File system access is limited to module directories within the Drupal installation
- No file uploads or arbitrary file access outside the module scan scope

### Code quality

- Follows Drupal coding standards (validated by automated CI pipeline)
- Comprehensive unit and functional tests
- Uses dependency injection and proper service architecture
- GitLab CI pipeline for automated validation
- Proper error handling and user feedback

## Additional Information

This is my first module contribution to the Drupal community. The module addresses a real need I encountered managing multiple Drupal sites through PHP upgrades. I'm committed to maintaining this module long-term and responding promptly to security issues.

The module has been thoroughly tested and includes automated CI validation. I welcome feedback from the security review process and am prepared to make any necessary changes promptly.
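The command construction described in the summary, written out as an added example (it is not part of this application or of the module's code): the scan path is canonicalised and checked against the allowed modules root before use, and every variable argument to phpcs goes through escapeshellarg(). It assumes plain realpath() in place of Drupal's FileSystemInterface::realpath() so it runs outside Drupal, and the function and parameter names are invented.

```php
<?php
// Added example, not the php_scanner module's own code: the two controls
// the application lists for its phpcs call, path containment checked on a
// realpath()-canonicalised path (the module cites FileSystemInterface::realpath();
// plain realpath() is used so this runs outside Drupal) and escapeshellarg()
// on every variable argument. Function and parameter names are assumptions.

/**
 * Canonicalises $moduleDir and returns it only if it lies inside $modulesRoot.
 * realpath() collapses ".." segments and symlinks, so the prefix test runs on
 * the resolved path, never on the caller-supplied string.
 */
function resolveWithinRoot(string $modulesRoot, string $moduleDir): ?string {
  $root = realpath($modulesRoot);
  $target = realpath($moduleDir);
  if ($root === FALSE || $target === FALSE) {
    return NULL;
  }
  $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  return str_starts_with($target . DIRECTORY_SEPARATOR, $root) ? $target : NULL;
}

/**
 * Builds the phpcs command line. The target version comes from the running
 * interpreter rather than from a form, and is still validated with a strict
 * pattern; every variable part then passes through escapeshellarg().
 */
function buildPhpcsCommand(string $phpcsBin, string $targetDir, string $testVersion): string {
  if (!preg_match('/^\d+\.\d+$/', $testVersion)) {
    throw new InvalidArgumentException('Unexpected PHP version string.');
  }
  return implode(' ', [
    escapeshellarg($phpcsBin),
    '--standard=PHPCompatibility',
    '--runtime-set testVersion ' . escapeshellarg($testVersion),
    '--extensions=php,module,inc,install,theme',
    '--report=json',
    escapeshellarg($targetDir),
  ]);
}

// Demonstration on a constructed directory tree in the system temp dir.
$root = sys_get_temp_dir() . '/modules_' . uniqid();
mkdir("$root/contrib/foo", 0700, TRUE);
if (resolveWithinRoot("$root/contrib", "$root/contrib/../..") !== NULL) {
  throw new RuntimeException('Containment check failed: path escaped the modules root.');
}
$target = resolveWithinRoot("$root/contrib", "$root/contrib/foo");
$next = PHP_MAJOR_VERSION . '.' . (PHP_MINOR_VERSION + 1);
echo buildPhpcsCommand('vendor/bin/phpcs', $target, $next), "\n";
```

The `--report=json` output of phpcs carries file, line and message per finding, which is what a per-file report with line numbers can be built from without any further shell interaction.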

📌 Task
Status: Needs review
Component: module
Created by: 🇵🇹Portugal Fernando_Silva


Comments & Activities

  • Issue created by @Fernando_Silva
  • 🇵🇹Portugal Fernando_Silva
  • 🇮🇳India vishal.kadam Mumbai

    Thank you for applying!

    Please read Review process for security advisory coverage: What to expect → for more details and Security advisory coverage application checklist → to understand what reviewers look for. Tips for ensuring a smooth review → gives some hints for a smoother review.

    The important notes are the following.

    • If you have not done it yet, you should enable GitLab CI for the project and fix the PHP_CodeSniffer errors/warnings it reports.
    • For the time this application is open, only your commits are allowed.
    • The purpose of this application is giving you a new drupal.org role that allows you to opt projects into security advisory coverage, either projects you already created, or projects you will create. The project status will not be changed by this application; once this application is closed, you will be able to change the project status from Not covered to Opt into security advisory coverage. This is possible only 14 days after the project is created.

      Keep in mind that once the project is opted into security advisory coverage, only Security Team members may change coverage.
    • Only the person who created the application will get the permission to opt projects into security advisory coverage. No other person will get the same permission from the same application; that applies also to co-maintainers/maintainers of the project used for the application.
    • We only accept an application per user. If you change your mind about the project to use for this application, or it is necessary to use a different project for the application, please update the issue summary with the link to the correct project and the issue title with the project name and the branch to review.

    To the reviewers

    Please read How to review security advisory coverage applications →, Application workflow →, What to cover in an application review →, and Tools to use for reviews →.

    The important notes are the following.

    • It is preferable to wait for a project moderator before posting the first comment on newly created applications. Project moderators will do some preliminary checks that are necessary before any change on the project files is suggested.
    • Reviewers should show the output of a CLI tool → only once per application.
    • It may be best to have the applicant fix things before further review.

    For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues →.

  • 🇮🇳India vishal.kadam Mumbai
  • 🇮🇳India vishal.kadam Mumbai

    1. main is a wrong name for a branch. Release branch names always end with the literal .x as described in Release branches →. The only exception is for the main branch, which is actually not fully supported on drupal.org and should be avoided.

    2. FILE: php_compatibility_scanner.module

    /**
     * @file
     * PHP Compatibility Scanner module.
     */

    The usual description for a .module file is "Hook implementations for the [module name] module", where [module name] is the module name given in the .info.yml file.

  • 🇵🇹Portugal Fernando_Silva

    Thank you for the review! I've addressed the primary feedback:

    1. Branch naming: Created proper 1.0.x release branch as requested.

    2. Module file documentation: Fixed the @file comment to follow Drupal standards.

  • 🇮🇳India vishal.kadam Mumbai

    Remember to change status, when the project is ready to be reviewed. In this queue, projects are only reviewed when the status is Needs review.

  • 🇮🇳India vishal.kadam Mumbai

    Rest seems fine to me.

    Please wait for other reviewers and Project Moderator to take a look and if everything goes fine, you will get the role.

  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    Project moderators are not yet involved with this issue.
    Other reviewers need to check the project files, and report what they find should be changed, or ask questions about the project itself. This does not require just verifying the code follows the Drupal coding standards.

    For example, I could not understand why people would install this module, when they can use PHP_CodeSniffer or PHPStan, or use an existing module that checks for compatibilities between a module and Drupal 10/11. I am not sure in which way a module that uses simple regular expressions to parse PHP could correctly parse PHP code.
