canvural / larastan-strict-rules Goto Github PK

Seems like the package is missing a gitattributes files for not including the test folder 👍

Hire there 👋 ,

In one of our projects we use wherePivot in some cases and they appear to be flagged as "Dynamic method call"

Dynamic where method 'wherePivot' should not be used.

While wherePivot is an actual method and not a dynamic call.

I'll give it another look later but first clue would be this method

NoDynamicWhereRule wrongly identify model scopes starting with where to be a dynamic rule

Ref the suggestion to Laravel core for Addressing SQL Injection Vulnerabilities with Raw Methods.

I'm happy to create a PR, where I've created this issue to discuss the implementation.

I note that you're currently using Rules, but this one might be easier to implement with Stubs; if so, I assume new folders /src/Stubs/ and /tests/Stubs/?

Also, I might need some guidance on how you would like to conditionally include these Stubs... I've only done this bit once before, using a StubFilesExtension class to conditionally getFiles().

This is something we've been experiencing for a while, but have tended to just baseline the errors.

The issue is as mentioned to you. I've attached an example below, to demonstrate the issue:

class Account extends Model
{
    public function actions(): HasMany
    {
        return $this->hasMany(AccountAction::class);
    }

    public function hasActiveActions(): bool
    {
        // There will be a failure here, as it appears to be checking for `scopeWhereActive()` on this class, rather than on the relationship model.
        return $this->actions()->whereActive()->exists();
    }
}

class AccountAction extends Model
{
    public function scopeWhereActive(Builder $query): Builder
    {
        return $query->where('is_active', true);
    }
}

Hello Can,
awesome package! I have a suggestion for you: I don't really like when people copy-paste a class name from a package and put it in their own phpstan.neon. Because it ties the maintainer's hands - you can't change the class name, you can't add constructor arguments to it.

Instead of this:

services:
    -
        class: Vural\LarastanStrictRules\Rules\NoDynamicWhereRule
        tags:
            - phpstan.rules.rule
    -
        class: Vural\LarastanStrictRules\Rules\NoFacadeRule
        tags:
            - phpstan.rules.rule

You could provide parameters so that this is possible instead:

parameters:
    larastanStrictRules:
        noDynamicWhere: true
        noFacade: true

See how it's done with conditionalTags in phpstan-strict-rules: https://github.com/phpstan/phpstan-strict-rules/blob/5c143aa605bbf392a90630773618eeaeeac7a49b/rules.neon#L50-L52