Page tree
Skip to end of metadata
Go to start of metadata

Although this extension is officially supported by CAST, please note that it has been developed within the technical constraints of the CAST Universal Analyzer technology and to some extent adapted to meet specific customer needs. Therefore the extension may not address all of the coding techniques and patterns that exist for the target technology and may not produce the same level of analysis and precision regarding e.g. quality measurement and/or function point counts that are typically produced by other CAST AIP analyzers.

What's new?

PHP 2.0.0 - funcrel

Bug fixing

See PHP 2.0 - Release Notes.

Extension name

The extension is now known as the PHP Analyzer and will appear as so in CAST Extend, CAST Extension Downloader and CAST Server Manager.

New third-party code "sniffer" package

A new third-party code "sniffer" package called "phpcs-security-audit" is now shipped with this release of the extension. This package integrates with the existing "Pear" sniffer shipped with previous releases of the extension. This package is used to generate results for certain security related rule. There is no impact to end users.

Removed rules

The following Rules have been removed in an effort to provide improved and more targeted results. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as not Active and not Detached. They will be completely ignored in any new snapshot:

Rule nameIDReason
Avoid Empty Class definition1007032This rule was incorrectly applied to PHP classes instead of CSS
Avoid Classes with High Cyclomatic Complexity (PHP)1007018A better representation of method/function level complexity is provided by "Avoid Methods and Functions with High Cyclomatic Complexity (PHP)". To gauge the complexity of the class and related problems you can refer to "Avoid classes exceeding number of weighted methods (PHP)".

Disabled rules

The following Rules have been disabled. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as Active and Detached. They will be completely ignored in any new snapshot:

Rule nameIDReason
Avoid having properties with __get and no __set (PHP)1007166__get and __set can be used separately and some situations warrant that they should be. Therefore, this rule has been disabled. You can enable it to get violations where both __get and __set do not exist.

New rules

The following Rules have been added in this release of the extension:

Rule nameIDCategory

CWE-79: Avoid use of raw user input that can expose XSS vulnerability (PHP)

1007244Security

CWE-98: Avoid use of user input that can expose Stream Injection vulnerability (PHP)

1007246Security

CWE-311: Use sufficient SSL\TLS context (PHP)

1007248Security

CWE-624: Avoid preg_replace with /e option (PHP)

1007250Security

CWE-661: Avoid filesystem function calls without sanitizing user input (PHP)

1007252Security
Avoid files that declare both symbols and execute logic with side effects (PHP)1007254Standard

Changed parent Technical Criterion

The following rules have been moved to a new parent Technical Criterion:

Rule nameIDPrevious parent TCNew parent TC
CWE-624: Avoid using eval expressions (PHP)1007156Programming Practices - Structuredness - 61024Secure Coding - Input Validation - 66062

PHP 2.0.0 - beta 1

Support for installation on Oracle Server

Currently this extension is not supported for installation on Oracle Server, but this will be supported in the next release of the extension.

Support for Backfired Function Points

The extension now supports Backfired Function Point counting.

Quality Rule renaming

All the Quality Rules below have been renamed and have also had their documentation updated for all fields (description, rationale, remediation, remediation sample, sample etc):

Previous Quality Rule nameNew Quality Rule nameID
Avoid Script Functions with High Fan-In (PHP)Avoid JavaScript Functions with High Fan-In (PHP)1007008
Avoid Script Functions with High Fan-Out (PHP)Avoid JavaScript Functions with High Fan-Out (PHP)1007010
Avoid Methods and Functions with High Cyclomatic Complexity (PHP)Avoid artifacts with High Cyclomatic Complexity (PHP)1007016
Avoid unreferenced Script Functions (PHP)Avoid unreferenced JavaScript Functions (PHP)1007054
Avoid unused parameters (PHP)Avoid artifacts with unused parameters (PHP)1007058
Avoid undocumented Methods or Functions (PHP)Avoid undocumented artifacts (PHP)1007098
Avoid Methods and Functions with a very low comment/code ratio (PHP)Avoid artifacts with a very low comment/code ratio (PHP)1007100
Avoid undocumented Script Functions (PHP)Avoid undocumented JavaScript Functions (PHP)1007110
Avoid Script Functions with a very low comment/code ratio (PHP)Avoid JavaScript Functions with a very low comment/code ratio (PHP)1007112
Avoid Sections With Queries on more than 4 Tables (PHP)Avoid artifacts with sql statements referring more than 4 Tables (PHP)1007118
Avoid Sections with Group By (PHP)Avoid artifacts with Group By sql statement (PHP)1007120
Avoid Functions throwing exceptions and not having a @Throws tag (PHP)Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP)1007124
Avoid classes exceeding maximum length (PHP)Avoid classes with excessive lines of code (PHP)1007126
Avoid methods having too many parameters (PHP)Avoid artifacts with excessive number of parameters (PHP)1007128
Avoid Methods exceeding maximum length (PHP)Avoid Artifacts with excessive lines of code (PHP)1007130
Avoid classes with too many fields (PHP)Avoid classes with excessive number of fields (PHP)1007132
Avoid classes with too many methods (PHP)Avoid classes with excessive number of methods (PHP)1007134
Avoid classes having a number of public methods and attributes exceeds maximum (PHP)Avoid classes having with excessive number of public methods and fields (PHP)1007136
Avoid having unused variables (PHP)Avoid unused local variables (PHP)1007138
Avoid classes exceeding number of weighted methods (PHP)Avoid classes with excessive number of weighted methods (PHP)1007144
Avoid unconditional "if" and "elseif" statements (PHP)Avoid unconditional "if" and "else if\elseif" statements (PHP)1007146
Avoid useless overriding Methods (PHP)Avoid methods and constructor overridden only with parent artifact call (PHP)1007148

Avoid functions having the optional parameters before the others (PHP)

Avoid artifacts with optional parameters before required parameters (PHP)1007164
Avoid having functions with no return (PHP)Avoid using function or method return value that do not have return (PHP)1007168
Avoid having call function return ignored (PHP)Avoid function return value ignored (PHP)1007170
Avoid having constructors with a return value (PHP)Avoid having constructors with return value (PHP)1007172
Avoid using short tags like "<?=$name> (PHP)Avoid using PHP short tags (PHP)1007192
Avoid Select * queries in PHP Section (PHP)Avoid artifacts with "select *" Sql statement (PHP)1007220

Avoid artifacts with variables passed by reference when calling a function (PHP)

Avoid having variables passed by reference when calling a function (PHP)1007232

Quality Rule merging

The following Quality Rules have been merged, i.e. the functionality of two Quality Ruless has been merged into one because the only difference was the violating object types. The Quality Rule listed in the column Removed Quality Rule / ID is the Quality Rule that is no longer available:

Previous Quality Rule name / IDNew Quality Rule name / IDRemoved Quality Rule / ID
Avoid php methods and php functions directly accessing database tables (PHP) / 1007002Avoid artifacts directly accessing database tables (PHP) / 1007002Avoid php sections directly access database tables (PHP) / 1007000
Use lowercase for control structures in Methods and Functions (PHP) / 1007086Use lowercase for control structures (PHP) / 1007086Use lowercase for control structures in Sections (PHP) / 1007084

Quality Rule scope changes

The following Quality Rules have had their scope changed and now flag violations for all expected object types:

Quality Rule nameID
Avoid Methods and Functions with High Fan-In (PHP)1007004
Avoid Methods and Functions with High Fan-Out (PHP)1007006
Avoid JavaScript Functions with High Fan-In (PHP)1007008
Avoid JavaScript Functions with High Fan-Out (PHP)1007010
Avoid artifacts with sql statements referring more than 4 Tables (PHP)1007118
Avoid artifacts with Group By sql statement (PHP)1007120
Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP)1007124
Avoid artifacts with excessive number of parameters (PHP)1007128
Avoid Artifacts with excessive lines of code (PHP)1007130
Avoid artifacts with "select *" Sql statement (PHP)1007220
Avoid having variables passed by reference when calling a function (PHP)1007232

PHP 2.0.0 - alpha

Change of scope for some Quality Rules

In order to report more granular violations, the following Quality Rules now give violations for the nearest type containing violations. Previously, all of them were reporting only phpSections as violating objects. This will result in an increase in total violations for these Quality Rules when upgrading to PHP 2.0.0 and generating a new snapshot on unchanged source code. You can also find out more in PHP 2.0 - Release Notes.

Quality RuleID
Avoid using empty statement (PHP)1007030
Avoid method invocation in a loop termination expression (PHP)1007050
Avoid having variable with a too short name (PHP)1007088
Avoid having variable with a too long name (PHP)1007090
Avoid unnecessary string concatenations (PHP)1007114
Avoid unused variables (PHP)1007138
Avoid using goto statement (PHP)1007154
Avoid variables without naming convention (PHP)1007212
Avoid having control structures without proper spacing in the open and close brace - PSR2 (PHP)1007228
Avoid Having control structures without proper switch case declarations (PSR2) (PHP)1007230
Avoid having variables passed by reference when calling a function (PHP)1007232
Avoid having inline control statements (PHP)1007234
Avoid having object not instantiated using parenthesis - Symfony STD (PHP)1007240

Quality Rule renaming

The following Quality Rules have been renamed in PHP 2.0.x:

Previous Quality Rule nameNew Quality Rule nameID
Avoid Sections directly access to database tablesAvoid php sections directly access database tables1007000
Avoid Methods and Functions directly access to database tablesAvoid php methods and php functions directly accessing database tables1007002
Avoid FOR loops which can be simplified to a WHILE loopAvoid artifacts using "for" loops which can be simplified to a "while" loop1007022
Use identical type operators rather than EQUAL operatorsUse identical type operator rather than "equal" operator1007026
Use Increment/decrement operators where possibleUse increment/decrement operators where possible1007028
Avoid classes having too many childrenAvoid classes having excessive number of derived classes1007036
Avoid classes having too many dependenciesAvoid classes having excessive number of dependencies1007038
Avoid having Classes implementing too many InterfacesAvoid Classes implementing excessive number of Interfaces1007042
Avoid classes with a high depth of inheritance treeAvoid Classes with High Depth of Inheritance Tree1007046
Avoid large interfaces-too many methodsAvoid interfaces with excessive number of Methods1007048
Avoid method invocation in a loop termination expressionAvoid method invocation in loop termination expression1007050
Avoid unused Function parametersAvoid unused parameters1007058
Avoid artifacts not checking the ending comments on Methods and FunctionsAvoid method and functions without comments denoting scope end1007070
Avoid having Files without a naming conventionAvoid files with names not following naming convention1007072
A class name should start with a upper case letterA class name should start with an upper case letter1007078
Avoid Classes not having the same name as the fileAvoid Class name not matching parent file name1007080
Avoid uppercase keywords for control structures in SectionsUse lowercase for control structures in Sections1007084
Avoid uppercase keywords for control structures in Functions and MethodsUse lowercase for control structures in Methods and Functions1007086
Avoid having variable with a too short nameAvoid having variable with too short name1007088
Avoid having variable with a too long nameAvoid having variable with too long name1007090
Avoid ELSEIF statements. ELSE and IF should be separateAvoid "elseif" statements1007096
Avoid Sections with string concatenationsAvoid unnecessary string concatenations1007114
Avoid Methods with Object Instantiation in loopsAvoid artifacts with Object Instantiation in loops1007116
Avoid using break statement in FOR loopsAvoid using break or continue statements in loops with high cyclomatic complexity1007176
Avoid using include_onceUse file inclusion based on API suitability1007180
Avoid using count function inside a for loopAvoid using size functions inside loops1007184
Avoid copying needless the variablesAvoid direct access to superglobals1007202
Avoid using $row[xxx]Avoid fetching database rows as array and accessing using subscript1007218
Avoid having control structures without proper spacing in the open and close brace - PSR2Avoid control structures without proper spacing before and after open\close braces - PSR21007228
Avoid having class methods without scope modifiers - Symfony STDAvoid having Class Methods or Constructor without scope modifiers - Symfony STD1007236
Avoid having object not instantiated using parenthesis - Symfony STDAvoid artifacts having object instantiation without parenthesis - Symfony STD1007240

Disabled Quality Rules

The following Quality Rules have been disabled in PHP 2.0.x. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as Active and Detached. They will be completely ignored in any new snapshot:

Previous Quality Rule nameID
Avoid artifacts not checking the ending comments on Methods and Functions (PHP)1007070
Avoid using time() to get the system time (PHP)1007210

Quality Rule removal

The following Quality Rules have been removed from PHP 2.0.x in an effort to provide improved and more targeted results. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as not Active and not Detached. They will be completely ignored in any new snapshot:

Quality Rule

ID

Reason

Avoid classes having too many parents (PHP)1007040The results of "Avoid Classes with a High Depth of Inheritance Tree (PHP)" include results of this QR which you can use instead.
Avoid using variable without testing them for initialisation (PHP)1007160The results of "Use identical type operator rather than "equal" operator (PHP)" include results of this QR which you can use.
Avoid having lonely variables (PHP)1007162This QR does not apply to PHP 5.x.
Avoid functions having the optional parameters before the others (PHP)1007164Duplicate of "Avoid unassigned default values in Functions (PHP)"
Avoid having the assignment to "$this" (PHP)1007174PHP 5.x does not support assignment to $this.
Avoid using print (PHP)1007178In PHP 5.x, there is very little, if any, difference in performance.
Avoid using double quote for long strings without variables (PHP)1007182In PHP 5.x, there is very little, if any, difference in performance.
Avoid using regular expressions (PHP)1007188This QR will be replaced.
Avoid using period for echo function (PHP)1007196In PHP 5.x, there is very little, if any, difference in performance.
Avoid using arrays as parameters of str functions (PHP)1007214This QR is not applicable to PHP 5.x.
Avoid having For-loops that use a function call in the test expression (PHP)1007226The results of "Avoid method invocation in a loop termination expression (PHP)" include results of this QR which you can use instead.
Avoid having variables passed by reference when calling a function (PHP)1007232This QR does not apply to PHP 5.x.

Log file naming convention

The names used for the PHP Preprocessor and PHP CodeSniffer log files have been changed. See PHP 2.0 - Analysis Configuration for more information.

Bug fixes

See PHP 2.0 - Release Notes.

Changes in results post upgrade

Below is a list of changes made to the Quality Model/analyzer in the current release of the PHP extension that are known to cause impacts to results:

PHP 2.0.0 - funcrel

Changed parent Technical Criterion

As mentioned in Changed parent Technical Criterion above, rule Avoid using eval expressions (PHP) - 1007156 has been moved from the "Programming Practices - Structuredness - 61024" Technical Criterion to the "Secure Coding - Input Validation - 66062" Technical Criterion. Therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Technical Crieria involved will change.

Removed/disabled Rules

Several Rules have been removed/disabled from PHP 2.0.x , therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Quality Rules that have been removed/disabled will no longer be visible.

PHP 2.0.0 - beta 1

Merging/removal of Quality Rules

Several Quality Rules have been merged and others removed from PHP 2.0.x (see Quality Rule merging above), therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Quality Rules that have been removed (as listed in Quality Rule removal) will no longer be visible.

Quality Rule scope changes

Multiple Quality Rules have had their "scope" changed and now flag violations for all expected object types. The fixes will impact results when upgrading to PHP 2.0.0 and generating a new snapshot on the same source code. See Quality Rule scope changes for a list of the impacted Quality Rules.

Quality Rule bug fixing

Multiple Quality Rules contained bugs that caused false violations. The fixes will impact results when upgrading to PHP 2.0.0 and generating a new snapshot on the same source code. The following Quality Rules are impacted:

Quality RuleIDNotes
Avoid JavaScript Functions with High Fan-In (PHP)1007008 
Avoid Script Functions with High Fan-Out (PHP)1007010 

Avoid artifacts with sql statements referring more than 4 Tables (PHP)

1007118 
Avoid artifacts with Group By sql statement (PHP)1007120 

Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP)

1007124 
Avoid artifacts with "select *" Sql statement (PHP)1007220 
All SQL related Quality Rules (for example Avoid artifacts with Group By sql statement (PHP) etc.)-

Previously, comment identifiers in PHP were not handled correctly and as such, false violations were reported. For example the following code would have falsely violated the Quality Rule "Avoid artifacts with Group By sql statement (PHP) - 1007120" even though the GroupBy statement was commented out:

Select columnA, count(*)
From SomeTable
/* Group By ColumnA */

This bug has now been fixed and the following identifiers are now handled correctly:

  • /*...*/
  • --
  • #

PHP 2.0.0 - alpha

Removal/disabling of multiple Quality Rules

Multiple Quality Rules have been removed/disabled from PHP 2.0.x (see Quality Rule removal above), therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Quality Rules listed in Quality Rule removal and in Disabled Quality Rules will no longer be visible.

Quality Rule bug fixing

Multiple Quality Rules have been debugged, fixed and improved in PHP 2.0.x (see PHP 2.0 - Release Notes). The fixes will impact results when upgrading to PHP 2.0.0 and generating a new snapshot on unchanged source code. The impacts fall into three main categories:

  • True violations that were previously missing may now be detected.
  • No violations at all. Violations may now be detected.
  • Incorrect/insufficient object types considered for violations. Increase in violations.

You can find out more in PHP 2.0 - Release Notes.

Changes to the analyzer

Avoid Undocumented <artifact> (PHP)

In previous releases of the PHP extension, the analyzer would routinely add comment lines to source code as part of the violation detection process. This had an undesirable side effect in that previously uncommented source code which had been commented by the analyzer was from then on considered to include comment lines and did not trigger a violation of the various Quality Rules entitled "Avoid Undocumented <artifact> (PHP)" (where <artifact> is classes, functions, methods and sections). The action of adding comments to source code during the analysis has now been stopped and therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, there may be an increased number of violations for these Quality Rules where uncommented artifacts are detected. These violations are now correct.

Abstract and Final Methods/Constructors

In previous releases of the PHP extension, the analyzer would not create specific objects for abstract or final methods/constructions. This bug has now been fixed (abstract or final methods/constructions are now created) and therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, any Quality Rule that includes methods and/or constructors in its scope may return an increased number of violations if any newly detected abstract/final methods/constructors qualifies.

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
(transactions)
Quality and Sizing
(tick)(tick)

Prerequisites to using the extension

PrerequisitesDescriptionNotes
Java JREThe extension requires a Java JRE to be installed on the machine: only Java JRE 1.7 is currently supported. This is used by the pre-processor. See PHP 2.0 - Release Notes.

Note that these prerequisites are only applicable in the following circumstances:

  • If you are using version  1.2.0 of the PHP extension AND CAST AIP  8.2.0

Therefore, if you are using CAST AIP  8.2.1, you don't need to set a JAVA_HOME. The PHP extension will use the JRE provided with CAST AIP and located in the installation folder.

 

JAVA_HOME environment variable

The extension requires that a JAVA_HOME system environment variable is also present on the machine, pointing to the Java JRE installation folder:


PHP / PHP Code Sniffer / PHPMD

The extension requires the installation of three third party items:

  • PHP
  • PHP Code Sniffer
  • PHPMD

These items are provided with the extension, however, they must be installed manually as described in PHP 2.0 - Release Notes.

N/A

CAST AIP compatibility

CAST recommends that you always install the latest release of an extension.

CAST AIP versionSupported?
8.3.x(tick)
8.2.x(tick)
8.1.x(tick)
8.0.x(tick)
7.3.4(tick)

Supported DBMS servers

DBMSSupported?
CSS(tick)
Oracle(tick)
Microsoft SQL Server(error)

Supported Versions of PHP

This version of the PHP extension provides partial support for the following PHP versions:

  • 5.x

Licence Agreements

The PHP extension uses several third-party tools. The Licence Agreements for these tools are listed below:

PHP_CodeSniffer

More information about this tool is available here: http://pear.php.net/package/PHP_CodeSniffer

Version

CAST ships version 2.5.0 of the PHP_CodeSniffer.

License

The licence agreement for the PHP_CodeSniffer tool is available here:

and is detailed below:

Copyright (c) 2012, Squiz Pty Ltd (ABN 77 084 670 600)
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Squiz Pty Ltd nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Quality Rules calculated by the PHP_CodeSniffer tool

Rule nameID

Avoid artifacts using "for" loops which can be simplified to a "while" loop (PHP)

1007022

Avoid incrementer jumbling in loops (PHP)

1007024

Use identical type operator rather than "equal" operator (PHP)

1007026

Use increment/decrement operators where possible (PHP)

1007028

Avoid using empty statement (PHP)

1007030

Avoid empty class definition (PHP)

1007032

Avoid classes having excessive number of derived classes(PHP)

1007036

Avoid classes having excessive number of dependencies (PHP)

1007038

Avoid Classes with High Depth of Inheritance Tree (PHP)

1007046

Avoid unnecessary final modifiers inside final Classes (PHP)

1007056

Avoid unused parameters (PHP)

1007058

Avoid Class name not matching parent file name (PHP)

1007080

Use lowercase for control structures in Sections (PHP)

1007084

Use lowercase for control structures in Methods and Functions (PHP)

1007086

Avoid having variable with too short name (PHP)

1007088

Avoid having variable with too long name (PHP)

1007090

Avoid "elseif" statements (PHP)

1007096

Avoid Functions throwing exceptions and not having a @Throws tag (PHP)

1007124

Avoid classes exceeding maximum length (PHP)

1007126

Avoid methods having too many parameters (PHP)

1007128

Avoid Methods exceeding maximum length (PHP)

1007130

Avoid classes with too many fields (PHP)

1007132

Avoid classes with too many methods (PHP)

1007134

Avoid classes having a number of public methods and attributes exceeds maximum (PHP)

1007136

Avoid having unused variables (PHP)

1007138

Avoid unused private fields (PHP)

1007140

Avoid unused private methods (PHP)

1007142

Avoid classes exceeding number of weighted methods (PHP)

1007144

Avoid unconditional "if" and "elseif" statements (PHP)

1007146

Avoid useless overriding Methods (PHP)

1007148

Avoid unassigned default values in Functions (PHP)

1007150

Avoid having variables without naming conventions (PHP)

1007212

Avoid having For-loops that use a function call in the test expression (PHP)

1007226

Avoid control structures without proper spacing before and after open\close braces - PSR2 (PHP)

1007228

Avoid Having control structures without proper switch case declarations (PSR2) (PHP)

1007230

Avoid having variables passed by reference when calling a function (PHP)

1007232

Avoid having inline control statements (PHP)

1007234

Avoid having Class Methods or Constructor without scope modifiers - Symfony STD (PHP)

1007236

Avoid having multiple classes defined in a single file - Symfony STD (PHP)

1007238

Avoid artifacts having object instantiation without parenthesis - Symfony STD (PHP)

1007240

CWE-311: Use sufficient SSL\TLS context (PHP)

1007248

Avoid files that declare both symbols and execute logic with side effects (PHP)1007254

Rules using the PHP_CodeSniffer framework but implemented by CAST

Rule nameID
Avoid using embedded CSS in Web Pages (PHP)1007012
Avoid empty style definition (PHP)1007034
Avoid artifacts with Object Instantiation in loops (PHP)1007116

CWE-624: Avoid using eval expressions (PHP)

1007156

Avoid artifacts using exit and die expressions (PHP)

1007158

Avoid using variable without testing them for initialisation (PHP)

1007160
Avoid having constructors with a return value (PHP)1007172
Avoid using break or continue statements in loops with high cyclomatic complexity (PHP)1007176
Avoid using size functions inside loops (PHP)1007184
Avoid direct access to superglobals (PHP)1007202
Avoid fetching database rows as array and accessing using subscript (PHP)1007218

Avoid artifacts with Group By sql statement (PHP)

1007120
Avoid artifacts with "select *" Sql statement (PHP)1007220
Avoid artifacts with sql statements referring more than 4 Tables (PHP)1007118

phpcs-security-audit

This package integrates with the existing "Pear" code sniffer. This package is used to generate results for certain security related rules. More information about this package is available here: https://github.com/FloeDesignTechnologies/phpcs-security-audit.

The licence agreement for this tool is available here:

Rules calculated by the phpcs-security-audit tool

Rule nameID
CWE-79: Avoid use of raw user input that can expose XSS vulnerability (PHP)1007244
CWE-98: Avoid use of user input that can expose Stream Injection vulnerability (PHP)1007246
CWE-624: Avoid preg_replace with /e option (PHP)1007250
CWE-661: Avoid filesystem function calls without sanitizing user input (PHP)1007252

PHPMD

More information about this tool is available here: http://phpmd.org/

The licence agreement for the PHPMD tool is detailed below:

Copyright (c) 2009-2011, Manuel Pichler <mapi@phpmd.org>.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PHP Depend

More information about this tool is available here: http://pdepend.org/

The licence agreement for the PHP Depend tool is available in the file "LICENSE.txt" delivered in the source folder of the tool and is detailed below:

Copyright (c) 2008-2012, Manuel Pichler <mapi@pdepend.org>.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Documentation of PHP Quality Rules and Metrics

Documentation of all CAST Metrics and Quality Rules specific to the PHP extension is delivered via a compiled HTML Help file (CHM). Please ensure that once the CHM has been downloaded you right-click on the CHM file in Windows Explorer and choose Properties > Unblock. This will ensure that the CHM is readable on your own PC:


  • No labels