I'm using Scrutinizer-CI's static analysis functions to provide feedback on my PHP code. Per their documentation, I have a .scrutinizer.yml file in the root of my project that seems to be successfully configuring Scrutinizer's options the way I want them to be. Almost.
One of those options is dependency_paths, which allows me to specify a path that contains a dependency. According to someone I communicated with at Scrutinizer...
"The paths listed in dependencies are different from entirely excluded paths in that we look at them to find classes or functions that they define to make the analysis of your other files more accurate. We will however not look for any issues in these files."
Unfortunately, that doesn't seem to be working for me. I'm using SAML for authentication, and therefore have a simplesamlphp folder in with my source code. (You can't just include simplesamlphp via something like composer because you have to edit some of the config files and such based on how you're using it).
The relevant part of my .scrutinizer.yml file looks like this:
    filter:
        paths:
            - application/*
    tools:
        php_analyzer:
            dependency_paths:
                - application/simplesamlphp/*
(The application folder is a root level folder in my source code).
This does seem to prevent any issues found in the simplesamlphp folder from affecting my code's score in Scrutinizer. However, Scrutinizer is still reporting thousands of issues with the code found in that simplesamlphp folder, making it hard to find the issues that are actually about the code I wrote.
Am I using the dependency_paths setting wrong? It sure seems like it isn't working the way I was told it would... leaving me rather confused.
EDIT: To give a little more information, I am able to fully exclude the simplesamlphp folder using the excluded_paths option. The challenge is to let Scrutinizer look at the classes and such in my dependencies (in order to better understand my code) but not report any issues found in the dependencies.
EDIT 2: Well, this is interesting. I experimented with several versions of (the relevant parts of) my .scrutinizer.yml file and saw the following results.
First, I had simply told Scrutinizer to fully exclude the simplesamlphp folder:
    filter:
        paths:
            - application/*
        excluded_paths:
            - application/simplesamlphp/*
    tools:
        php_analyzer:
            dependency_paths:
                - application/simplesamlphp/*
That enabled me to see the issues with my own code and fix them. At this point, my project's score on Scrutinizer is 9.54. I then stopped excluding simplesamlphp:
    filter:
        paths:
            - application/*
    tools:
        php_analyzer:
            dependency_paths:
                - application/simplesamlphp/*
This change introduced 7756 issues in Scrutinizer's analysis, but left my project's score at 9.54 (meaning that issues in simplesamlphp were being reported, but not counted against me). I then tried removing the trailing slash and asterisk from the path:
    filter:
        paths:
            - application/*
    tools:
        php_analyzer:
            dependency_paths:
                - application/simplesamlphp
This change introduced 2002 issues and fixed 3198 issues, all of them (both introduced and fixed) being in the simplesamlphp folder. I hadn't expected that kind of effect at all. This also lowered my project's score on Scrutinizer down to 7.47, meaning that issues in the simplesamlphp folder were now being counted against me. I then tried changing to the single-line array syntax for the dependency_paths:
    filter:
        paths:
            - application/*
    tools:
        php_analyzer:
            dependency_paths: [application/simplesamlphp]
This had no effect. For the sake of thoroughness I then added the trailing /* to this array syntax:
    filter:
        paths:
            - application/*
    tools:
        php_analyzer:
            dependency_paths: [application/simplesamlphp/*]
These results also surprised me. This change fixed 2002 issues and brought my score back up to 9.54. Both the fixed issues and the remaining 4519 issues were all in the simplesamlphp folder. While this seems to get me closer to the goal, it still leaves thousands of issues from the code in my dependency_paths. I'm not sure what else to try at this point, so I'll probably go back to simply excluding the simplesamlphp folder completely.