We (Chapter Three) had an internal discussion a few months back looking at the questions we cover in manual audits and flagging which ones might be candidates for good automated checks.

Sharing here in case anyone else has some motivation to pick these up before we do.

  • number of custom code lines / num of custom modules
  • unused modules check
  • auto check if patch has been applied
  • Patch for hacked to detect pressflow + pantheon and other stable forks
  • static code analysis plugin?
  • do template files contain logic static analysis
  • number of contributors check for repo
  • drupal tests plugin
  • admin theme in use
  • total number of roles / with user count per role
  • percentage of total permissions assigned to each role
  • best practice folder structure
  • check for use of often problematic hooks

Comments

fluxsauce:

Hey, fantastic! Thank you very much for the suggestions. Some of these can be knocked out pretty quickly, others will take a bit of thought. I can take pull requests on https://github.com/fluxsauce/site_audit as well if you'd like.

shivanshuag:

Some of the checks listed here are very ambiguous and it would be helpful if you could provide some more info on them -
1. auto check if patch has been applied - patch has been applied on a module or core?
2. static code analysis plugin
3. do template files contain logic static analysis - what is logic static analysis?
4. number of contributors check for repo - which repo?
5. drupal tests plugin - what is the plugin supposed to do?

fluxsauce:

Hi shivanshuag,

Let's break each apart.

auto check if patch has been applied - patch has been applied on a module or core?

This is basically a duplicate of a Hacked! check, so integrating with Hacked would take care of it.

static code analysis plugin

do template files contain logic static analysis - what is logic static analysis?

The question is "Do template files contain logic?" The methodology is static analysis. Templates really shouldn't contain anything other than simple boolean, if/else/for logic. Maybe while. The goal is to find business logic mixed in with presentation logic, so SQL queries, drupal_get/set_message and other goofy stuff like that.

number of contributors check for repo - which repo?

This is assuming the site in question is under version control of some sort. For git, it's something like git log --format='%aN' | sort -u

drupal tests plugin - what is the plugin supposed to do?

See https://www.drupal.org/simpletest

Does that help clarify? Thanks for your interest in this, especially for Google Summer of Code!
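As an added illustration of the "Do template files contain logic?" check discussed above (this is example code written for this page, not part of site_audit or of any Drupal project): it extracts the PHP segments of a .tpl.php file, blanks out comments and string literals, and reports every function-style call that is not on a presentation-layer allow list, with calls such as db_query or drupal_set_message rated as errors. The allow list, the business-logic list and the sample template are constructed assumptions, not an official rule set.

```python
import re

# Allow list: calls that belong in a .tpl.php presentation layer (constructed, not exhaustive).
PRESENTATION_OK = {
    "if", "elseif", "else", "endif", "for", "endfor", "foreach", "endforeach", "while",
    "endwhile", "print", "echo", "isset", "empty", "count", "array", "t", "check_plain",
    "render", "hide", "show", "format_date", "l", "url", "theme", "implode",
}
# Calls that mean business logic has leaked into the template (constructed, not exhaustive).
BUSINESS_LOGIC = {
    "db_query", "db_select", "db_insert", "db_update", "db_delete", "drupal_set_message",
    "drupal_get_messages", "node_load", "user_load", "module_invoke", "module_invoke_all",
    "variable_get", "variable_set", "drupal_http_request", "drupal_goto",
}
PHP_BLOCK = re.compile(r"<\?(?:php)?(.*?)(?:\?>|\Z)", re.S)
# Comments and string literals get blanked so a query text or a commented-out call is not flagged.
COMMENT_OR_STRING = re.compile(
    r"/\*.*?\*/|//[^\n]*|#[^\n]*|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
# A plain function-style call; the lookbehind skips $var(), ->method() and Class::method().
CALL = re.compile(r"(?<![\w$>:])([A-Za-z_]\w*)\s*\(")

def find_template_logic(source):
    """Return (line, callee, severity) for each call in the template's PHP that is not on the allow list."""
    findings = []
    for block in PHP_BLOCK.finditer(source):
        code = block.group(1)
        lines_before = source.count("\n", 0, block.start(1))
        # Replace comments/strings with same-length spaces, keeping newlines so line numbers stay right.
        code = COMMENT_OR_STRING.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), code)
        for call in CALL.finditer(code):
            name = call.group(1)
            if name not in PRESENTATION_OK:
                line = lines_before + code.count("\n", 0, call.start()) + 1
                findings.append((line, name, "error" if name in BUSINESS_LOGIC else "warning"))
    return findings

# Constructed sample template with logic deliberately mixed into the markup.
SAMPLE_TEMPLATE = """<?php
// Constructed sample node.tpl.php for the demo, not a file from any real site.
$result = db_query("SELECT nid FROM {node} WHERE status = 1");
drupal_set_message(t('Rendered node'));  // side effect inside a template
?>
<div class="<?php print $classes; ?>">
  <?php if ($title): ?><h2><?php print check_plain($title); ?></h2><?php endif; ?>
  <?php foreach ($items as $item): ?>
    <p><?php print render($item); ?></p>
  <?php endforeach; ?>
  <?php print my_custom_helper($node); ?>
</div>
"""
```

Running find_template_logic(SAMPLE_TEMPLATE) reports the db_query and drupal_set_message calls on lines 3 and 4 as errors and the unknown my_custom_helper() on line 11 as a warning, while the if/foreach/print/check_plain/render markup passes cleanly.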

shivanshuag:

Hi,
Most of it is clearer now. Just a few more things:

1. All the tools you listed in the static code analysis plugin are to be run and the results reported by site audit?

2. Is the drupal tests plugin supposed to run the tests of all the modules and report the results (fail/pass)?

Thanks a lot for your help.

fluxsauce:

All the tools you listed in the static code analysis plugin are to be run and the results reported by site audit?

Potentially? Sure! Some already do.

Is the drupal tests plugin supposed to run the tests of all the modules and report the results (fail/pass)?

Good question! This is kind of a brainstorm. I'd say the modules, not of Drupal itself. Even a list of modules that have tests available would be a great start.