Add optional cpg-language-php module with a minimal PHP frontend

[Copilot]

• Inspect latest CI/build status and failing logs context
• Reproduce current PHP frontend baseline build/tests before changes
• Fix review suggestions in PHP frontend dependency/version configuration
• Fix review suggestions in PHP foreach handling and nullable return type parsing
• Run targeted PHP frontend tests/build validation
• Run final validation checks and reply on PR comment

[codecov]

Codecov Report

❌ Patch coverage is 37.48459% with 507 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.16%. Comparing base (bd8fc20) to head (54e6ec0).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...hofer/aisec/cpg/frontends/php/ExpressionHandler.kt	26.56%	176 Missing and 59 partials ⚠️
...nhofer/aisec/cpg/frontends/php/StatementHandler.kt	39.60%	93 Missing and 29 partials ⚠️
...ofer/aisec/cpg/frontends/php/DeclarationHandler.kt	50.35%	42 Missing and 27 partials ⚠️
...aunhofer/aisec/cpg/frontends/php/PhpLexerBase.java	11.66%	46 Missing and 7 partials ⚠️
...e/fraunhofer/aisec/cpg/frontends/php/PHPHandler.kt	12.50%	14 Missing ⚠️
...fer/aisec/cpg/frontends/php/PHPLanguageFrontend.kt	74.41%	5 Missing and 6 partials ⚠️
.../aisec/cpg/frontends/php/CaseChangingCharStream.kt	84.61%	1 Missing and 1 partial ⚠️
.../main/kotlin/de/fraunhofer/aisec/codyze/Project.kt	0.00%	1 Missing ⚠️

Additional details and impacted files

Files with missing lines	Coverage Δ
.../fraunhofer/aisec/codyze/console/ConsoleService.kt	45.94% <100.00%> (+0.36%)	⬆️
.../main/kotlin/de/fraunhofer/aisec/codyze/dsl/Dsl.kt	94.40% <100.00%> (+0.03%)	⬆️
.../fraunhofer/aisec/cpg/frontends/php/PHPLanguage.kt	100.00% <100.00%> (ø)
.../kotlin/de/fraunhofer/aisec/cpg/mcp/SetupConfig.kt	71.15% <100.00%> (+0.56%)	⬆️
...n/de/fraunhofer/aisec/cpg_vis_neo4j/Application.kt	38.97% <100.00%> (+0.45%)	⬆️
.../main/kotlin/de/fraunhofer/aisec/codyze/Project.kt	50.34% <0.00%> (-0.35%)	⬇️
.../aisec/cpg/frontends/php/CaseChangingCharStream.kt	84.61% <84.61%> (ø)
...fer/aisec/cpg/frontends/php/PHPLanguageFrontend.kt	74.41% <74.41%> (ø)
...e/fraunhofer/aisec/cpg/frontends/php/PHPHandler.kt	12.50% <12.50%> (ø)
...aunhofer/aisec/cpg/frontends/php/PhpLexerBase.java	11.66% <11.66%> (ø)
... and 3 more

... and 2 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[oxisto]

@copilot please check why tests are failing

[Copilot]

@copilot please check why tests are failing

I checked the failing CI run and reproduced it: the failure is dependency resolution in :codyze-compliance:integrationTest when all frontends are enabled. cpg-language-jvm strictly requires org.antlr:antlr4-runtime:4.9.3, while cpg-language-php brings org.antlr:antlr4-runtime:4.13.2 (via antlr4), so Gradle cannot resolve one version for the shared runtime classpath. Reference commit: b8038e9.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• archive.eclipse.org
  • Triggering command: /usr/lib/jvm/temurin-21-jdk-amd64/bin/java /usr/lib/jvm/temurin-21-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED -XX:MaxMetaspaceSize=384m -XX:+HeapDumpOnOutOfMemoryError -Xms256m -Xmx512m -Dfile.encoding=UTF-8 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[oxisto]

@copilot can we try to add some more test for the patch coverage? please keep it "themed", e.g. functions, classes, etc. don't add "patch coverage tests"

[Copilot]

@copilot can we try to add some more test for the patch coverage? please keep it "themed", e.g. functions, classes, etc. don't add "patch coverage tests"

Added themed test coverage for functions/classes in commit 17f545e.

Specifically, I extended the existing PHP fixtures and assertions with:

• a new multiply function case in functions.php
• a new Gauge class with constructor/read methods in classes.php
• matching assertions in PHPLanguageFrontendTest

These run successfully with ./gradlew -PenablePHPFrontend=true :cpg-language-php:test --tests de.fraunhofer.aisec.cpg.frontends.php.PHPLanguageFrontendTest.

[Copilot]

Pull request overview

This PR introduces an optional PHP language frontend (cpg-language-php) and wires it into the existing “optional frontend” enablement mechanism so that PHP support can be included on demand without affecting default builds.

Changes:

• Adds the new :cpg-language-php module with an ANTLR-based minimal PHP 8 frontend plus basic unit tests and fixtures.
• Extends the frontend enablement toggles (enablePHPFrontend) and hooks PHP language registration into downstream entrypoints (Codyze, MCP, Neo4j app, console service).
• Updates documentation to list PHP as an experimental language and updates the Codyze Console webapp README to use pnpm commands.

Reviewed changes

Copilot reviewed 27 out of 28 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
settings.gradle.kts	Adds enablePHPFrontend flag and conditionally includes :cpg-language-php.
build.gradle.kts	Logs PHP frontend enablement similarly to other frontends.
buildSrc/src/main/kotlin/cpg.frontend-dependency-conventions.gradle.kts	Adds conditional dependency on :cpg-language-php when enabled.
gradle.properties.example	Documents the new enablePHPFrontend toggle.
configure_frontends.sh	Adds interactive configuration prompt for the PHP frontend.
gradle/libs.versions.toml	Adds ANTLR entries to the version catalog (reviewed for consistency with the PR’s ANTLR goal).
README.md	Updates supported languages list/table to include PHP.
cpg-language-php/build.gradle.kts	New module build file with ANTLR generation + runtime deps.
cpg-language-php/src/main/antlr/PhpLexer.g4	Adds PHP lexer grammar (from grammars-v4) for code parsing.
cpg-language-php/src/main/antlr/PhpParser.g4	Adds PHP parser grammar (from grammars-v4) for code parsing.
cpg-language-php/src/main/java/.../PhpLexerBase.java	Lexer base support for mode transitions / heredoc etc.
cpg-language-php/src/main/kotlin/.../PHPLanguage.kt	Defines the PHP language model (extensions, built-in types, operators).
cpg-language-php/src/main/kotlin/.../PHPLanguageFrontend.kt	Implements parsing and TU construction for PHP sources.
cpg-language-php/src/main/kotlin/.../PHPHandler.kt	Base handler abstraction for PHP ANTLR contexts.
cpg-language-php/src/main/kotlin/.../DeclarationHandler.kt	Models PHP declarations (functions/classes/namespaces/params).
cpg-language-php/src/main/kotlin/.../ExpressionHandler.kt	Models PHP expressions (calls, literals, operators, etc.).
cpg-language-php/src/main/kotlin/.../StatementHandler.kt	Models PHP statements (blocks, loops, if, switch, try/catch, etc.).
cpg-language-php/src/main/kotlin/.../CaseChangingCharStream.kt	CharStream wrapper to support case-insensitive lexing.
cpg-language-php/src/test/kotlin/.../PHPLanguageFrontendTest.kt	Adds basic unit tests for PHP functions/classes/statements parsing.
cpg-language-php/src/test/resources/php/functions.php	Test fixture for PHP functions.
cpg-language-php/src/test/resources/php/classes.php	Test fixture for PHP namespaces/classes/methods.
cpg-language-php/src/test/resources/php/statements.php	Test fixture for representative PHP statements.
cpg-neo4j/.../Application.kt	Registers PHP as an optional language for the Neo4j visualization app.
cpg-mcp/.../SetupConfig.kt	Registers PHP as an optional language for MCP setup.
codyze-core/.../Project.kt	Registers PHP as an optional language for Codyze analysis projects.
codyze-core/.../dsl/Dsl.kt	Registers PHP as an optional language for DSL-created projects.
codyze-console/.../ConsoleService.kt	Registers PHP as an optional language for the console backend translation config.
codyze-console/src/main/webapp/README.md	Updates dev/build instructions to pnpm-based commands.

Comments suppressed due to low confidence (2)

cpg-language-php/src/main/kotlin/de/fraunhofer/aisec/cpg/frontends/php/DeclarationHandler.kt:162

• Method return types declared as :?type will lose the nullable marker because only returnTypeDecl().typeHint().text is passed into frontend.typeOf(...) (the leading ? is a separate token). If you want typeOf to treat nullable types differently (it currently checks for ?), include the QuestionMark token when constructing the type string here.

                ctx.returnTypeDecl()?.typeHint()?.let {
                    method.returnTypes = listOf(frontend.typeOf(it.text))
                }

cpg-language-php/src/main/kotlin/de/fraunhofer/aisec/cpg/frontends/php/DeclarationHandler.kt:210

• Nullable parameter types (?T $x) are not represented correctly: the nullable marker is a separate ? token in the grammar, but handleFormalParameter passes only ctx.typeHint().text to frontend.typeOf(...). This means ?T will currently be treated as T (and typeOf's contains("?") branch is never reached). Consider prepending ? when ctx.QuestionMark() is present (or explicitly modeling nullability if supported).

        val rawName = varInit?.VarName()?.text ?: ""
        val name = rawName.removePrefix("$")
        val isVariadic = ctx.children?.any { it.text == "..." } == true

        val type = ctx.typeHint()?.let { frontend.typeOf(it.text) } ?: autoType()

        val param = newParameter(name, type, variadic = isVariadic, rawNode = ctx)

[oxisto]

@copilot fix code review suggestions

[Copilot]

@copilot fix code review suggestions

Done — I fixed the review suggestions in commit 2f8caaf (plus follow-up commits on top).

Included fixes:

• ANTLR alignment: catalog entries set to 4.9.3 and PHP runtime constrained with strictly("4.9.3")
• Nullable type handling: function/method/parameter type normalization now respects nullable marker consistently
• Foreach handling: improved loop-variable modeling for key/value variants, avoided incorrect declaration creation for complex assignables, and added foreach scope handling
• Themed PHP tests extended to cover the new foreach/function/class behaviors

Validation run:

• ./gradlew -PenablePHPFrontend=true :cpg-language-php:test --tests de.fraunhofer.aisec.cpg.frontends.php.PHPLanguageFrontendTest
• all pass