Adding more tools

[dmolineus]

I'd love to see more tools which I came across during the last months being added to phpcq:

• Security check
  We should provide a tool to check against the database of known security vulnerabilities. I prefer using
  https://github.com/sensiolabs/security-checker instead of https://github.com/Ocramius/security-advisories
  here as the last mentioned causes randomly some issues on composer update.
• PHPStan
  PHPStan focuses on finding errors in your code without actually running it. It catches whole classes of bugs even before you write tests for the code.
  https://github.com/phpstan/phpstan
• Backward Compatibility Check
  The backward compatibility check would help to detect bc breaks in userland code.
  https://github.com/Roave/BackwardCompatibilityCheck
• Composer require checker
  A CLI tool to analyze composer dependencies and verify that no unknown symbols are used in the sources of a package. This will prevent you from using "soft" dependencies that are not defined within your composer.json require section.https://github.com/maglnet/ComposerRequireChecker

We should check how we could add this tools to our chain. The last one, f.e. is not installable by composer. But I think it would inc

[discordier]

I agree, having more tools in the chain would be very nice.

However, I think we must reconsider our concept of the all-tasks repository then or the entire infrastructure, as we then would use tools not installable via composer or slowly end up in dependency hell (as we are almost already by being compatible with phpunit in all majors and the like).

We might have to pack phar binaries of all tools in the all-tasks and distribute them along then.

[dmolineus]

I fully agree that we're close to dependency hell right now. I propose to use phive to install the phars instead of shipping them with our tool. Maybe there could be an ant task to install the required phars.

[discordier]

phive is fine for me, however we need some way to distribute it automatically and install it from within the build process if not found.
So maybe we would have at least to redistribute that one with phpcq/phpcq.

[discordier]

Sorry for closing, wrong button. 😞

[dmolineus]

My Idea was to use the composer plugin of phive to provide phive integration (It provides to commands to access phive). However, after playing with it, it seems to be not ready for production yet.

1. Dependencies are not stable yet
2. The main command phive run does not work on my system

So maybe we have to redistribute it (or download it everytime).

Another thing phive doesn't handle is versions. It seems that you have to provide a specific url if you want to enforce a specific version of the tool

[discordier]

We could use the build.default.properties for specifying/overriding default version values, however the installation must be done by bundling at least phive.

[discordier]

On a side note, when we are already starting to modernize, we might try to switch to consolidation/Robo.
It appears to be more stable than phing(which we already discussed in phpcq/phpcq#2) and would also remove our dependency on ant.

[discordier]

New tool information should get added to https://github.com/phpcq/repository for version 2.0.0.

@dmolineus as you already added most mentioned above in the repo, you might want to add the missing ones and we can then close this issue?