docs: SAST complexity refactors can drop uncovered branches #65
Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Code Review
This pull request adds a new section to the static analysis tools documentation, warning about the risks of silently dropping branches during SAST maintainability refactors. The feedback suggests refining the advice on diffing control-flow branches to focus on tracing logical paths rather than counting return statements, as reducing return statements is often the goal of such refactors.
Summary
Adds one learning from a cross-session retrospective (2026-06-27) to `references/static-analysis-tools.md`: SAST maintainability/complexity findings — SonarCloud `S3776` (cognitive complexity) and `S1142` (too many returns) — whose fix extracts or reorders methods are behavior-risky. An extraction can silently drop a branch (e.g. a fallback-to-default path on an empty/invalid response). The key insight: PHP-CS-Fixer, PHPStan, and a passing unit suite will not catch a dropped branch if that path isn't unit-covered — in a real 2026-06-27 cleanup only a human code reviewer did.
Guidance added
return/else/early-exit preserved?).
Placement
New section appended to the existing SAST reference `skills/php-modernization/references/static-analysis-tools.md`, which is already linked from `SKILL.md` (Reference routing → "Static analysis"). Matches the file's existing narrative "hazard" style with a seen-in-practice anecdote. `SKILL.md` is untouched (no bloat, stays under its ~500-word ceiling).
Version decision
No version bump. This is a references-only addition to an already-linked file; `SKILL.md`, `plugin.json`, and `composer.json` are unchanged, so the `check-version-parity` hook stays green (all three remain at 1.19.1).
Validation
Local `pre-commit` run on the changed file:
- `markdownlint-cli2`: passed
- `validate-skill` (all files): passed
- `check-version-parity`: passed
- trailing-whitespace / end-of-file / merge-conflict / large-file checks: passed

Commit is signed (ED25519) with Signed-off-by.
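The hazard the PR documents, as an added PHP example that is not part of the PR or of the skill's reference files. It shows a method flagged for too many returns and nesting, a "cleaned up" single-return version that type-checks fine but loses one fallback guard, and a per-path regression check of the kind the review comment asks for (one input per control-flow path of the original, rather than counting return statements). All names (`parseTimeoutBefore`, `parseTimeoutAfter`, `extractTimeoutField`, `DEFAULT_TIMEOUT`) and the JSON inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed example: a complexity refactor that silently drops a branch.
// Function and constant names are assumptions, not code from the skill.

const DEFAULT_TIMEOUT = 30;

/** Original shape: the kind of method S1142 (too many returns) and S3776 flag. */
function parseTimeoutBefore(?string $response): int
{
    if ($response === null || $response === '') {
        return DEFAULT_TIMEOUT;            // path A: empty response
    }
    $data = json_decode($response, true);
    if (!is_array($data)) {
        return DEFAULT_TIMEOUT;            // path B: invalid JSON
    }
    if (!array_key_exists('timeout', $data)) {
        return DEFAULT_TIMEOUT;            // path C: key missing
    }
    if (!is_int($data['timeout']) || $data['timeout'] <= 0) {
        return DEFAULT_TIMEOUT;            // path D: wrong type OR non-positive value
    }
    return $data['timeout'];               // happy path
}

/** Extracted helper from the refactor. Type-correct, so PHPStan is happy. */
function extractTimeoutField(?string $response): ?int
{
    $data  = json_decode((string) $response, true);
    $value = is_array($data) ? ($data['timeout'] ?? null) : null;
    // The "<= 0" half of path D was not carried over: 0 and negatives now pass.
    return is_int($value) ? $value : null;
}

/** Refactored entry point: one return, lower cognitive complexity. */
function parseTimeoutAfter(?string $response): int
{
    return extractTimeoutField($response) ?? DEFAULT_TIMEOUT;
}

/**
 * Path-based regression check. A suite that only covers the happy path and
 * the null case passes both versions; the path-D vectors expose the dropped
 * guard. Returns the inputs on which the two versions disagree.
 *
 * @return array<string, array{before: int, after: int}>
 */
function compareBranches(): array
{
    $vectors = [                           // constructed inputs, one per path
        'A empty string' => '',
        'A null'         => null,
        'B invalid json' => '{not json',
        'C key missing'  => '{"retries": 3}',
        'D wrong type'   => '{"timeout": "10"}',
        'D zero'         => '{"timeout": 0}',
        'D negative'     => '{"timeout": -5}',
        'happy path'     => '{"timeout": 10}',
    ];

    $diffs = [];
    foreach ($vectors as $label => $input) {
        $before = parseTimeoutBefore($input);
        $after  = parseTimeoutAfter($input);
        if ($before !== $after) {
            $diffs[$label] = ['before' => $before, 'after' => $after];
        }
    }
    return $diffs;
}

foreach (compareBranches() as $label => $d) {
    printf("%-16s before=%d after=%d  <-- dropped branch\n", $label, $d['before'], $d['after']);
}
```

Run with `php example.php`: only the two path-D vectors ("D zero", "D negative") are reported, because `0` and `-5` are integers and the refactored helper keeps no non-positive guard. Neither PHP-CS-Fixer nor PHPStan has anything to say about `parseTimeoutAfter`, which is the PR's point; the defect is only visible once a test vector exists for that path, so the review question to ask of such a refactor is "does every path of the original still have a matching path here", not "how many returns are left".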