- What's new?
- Changes in results post upgrade
- Function Point, Quality and Sizing support
- Prerequisites to using the extension
- CAST AIP compatibility
- Supported DBMS servers
- Supported Versions of PHP
- Licence Agreements
- Documentation of PHP Quality Rules and Metrics
What's new?
PHP 2.0.0 - funcrel
Bug fixing
Extension name
The extension is now known as the PHP Analyzer and will appear as so in CAST Extend, CAST Extension Downloader and CAST Server Manager.
New third-party code "sniffer" package
A new third-party code "sniffer" package called "phpcs-security-audit" is now shipped with this release of the extension. It integrates with the existing "Pear" (PHP_CodeSniffer) sniffer shipped with previous releases and is used to generate results for certain security-related rules (see New rules below). There is no impact to end users.
Removed rules
The following Rules have been removed in an effort to provide improved and more targeted results. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as not Active and not Detached. They will be completely ignored in any new snapshot:
Rule name | ID | Reason |
---|---|---|
Avoid Empty Class definition | 1007032 | This rule was incorrectly applied to PHP classes instead of CSS |
Avoid Classes with High Cyclomatic Complexity (PHP) | 1007018 | A better representation of method/function level complexity is provided by "Avoid Methods and Functions with High Cyclomatic Complexity (PHP)". To gauge the complexity of the class and related problems you can refer to "Avoid classes exceeding number of weighted methods (PHP)". |
Disabled rules
The following Rules have been disabled. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as Active and Detached. They will be completely ignored in any new snapshot:
Rule name | ID | Reason |
---|---|---|
Avoid having properties with __get and no __set (PHP) | 1007166 | __get and __set can legitimately be used separately, and some situations warrant it (for example read-only computed properties). Therefore, this rule has been disabled. You can re-enable it to obtain violations for classes that define __get without a matching __set. |
New rules
The following Rules have been added in this release of the extension:
Rule name | ID | Category |
---|---|---|
CWE-79: Avoid use of raw user input that can expose XSS vulnerability (PHP) | 1007244 | Security |
CWE-98: Avoid use of user input that can expose Stream Injection vulnerability (PHP) | 1007246 | Security |
CWE-311: Use sufficient SSL\TLS context (PHP) | 1007248 | Security |
CWE-624: Avoid preg_replace with /e option (PHP) | 1007250 | Security |
CWE-661: Avoid filesystem function calls without sanitizing user input (PHP) | 1007252 | Security |
Avoid files that declare both symbols and execute logic with side effects (PHP) | 1007254 | Standard |
Changed parent Technical Criterion
The following rules have been moved to a new parent Technical Criterion:
Rule name | ID | Previous parent TC | New parent TC |
---|---|---|---|
CWE-624: Avoid using eval expressions (PHP) | 1007156 | Programming Practices - Structuredness - 61024 | Secure Coding - Input Validation - 66062 |
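The code patterns that the five new security rules and the relocated eval rule target, shown as an added example rather than code from the extension or from phpcs-security-audit. Each vulnerable form is paired with a hardened one; the syntax is kept PHP 5.x compatible because that is the version range the extension supports, and the URL, CA bundle path, upload directory and function names are assumed values chosen for the illustration.

```php
<?php
// Added example: code patterns the new security rules target, each beside a hardened form.
// Names, URL and paths are illustrative; syntax is kept PHP 5.x compatible.

// CWE-79 (1007244): user input written straight into HTML.
function greetVulnerable() {
    echo '<p>Hello ' . $_GET['name'] . '</p>';                 // flagged: raw superglobal in output
}
function greetHardened() {
    $name = isset($_GET['name']) ? $_GET['name'] : '';
    echo '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';   // escaped for HTML
}

// CWE-98 (1007246): user input chooses the file or stream passed to include/require.
function pageVulnerable() {
    include $_GET['page'] . '.php';                            // flagged: attacker picks the path or a php://, data:// stream
}
function pageHardened() {
    $pages = array('home' => 'home.php', 'about' => 'about.php');   // allow-list of known files
    $key = isset($_GET['page']) ? $_GET['page'] : 'home';
    if (!isset($pages[$key])) {
        header('HTTP/1.1 404 Not Found');
        return;
    }
    include __DIR__ . '/pages/' . $pages[$key];
}

// CWE-311 (1007248): stream context that switches off certificate verification.
function fetchVulnerable() {
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => false,                           // flagged: any certificate is accepted
        'verify_peer_name' => false,
    )));
    return file_get_contents('https://api.example.test/', false, $ctx);
}
function fetchHardened() {
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => '/etc/ssl/certs/ca-certificates.crt',   // assumed CA bundle location
        'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,    // constant available from PHP 5.6
    )));
    return file_get_contents('https://api.example.test/', false, $ctx);
}

// CWE-624 (1007250): the /e modifier evaluates the replacement as PHP code (removed in PHP 7).
function upperVulnerable($input) {
    return preg_replace('/(\w+)/e', 'strtoupper("\\1")', $input);     // flagged: "\1" is attacker text inside eval'd code
}
function upperHardened($input) {
    return preg_replace_callback('/(\w+)/', function ($m) { return strtoupper($m[1]); }, $input);
}

// CWE-661 (1007252): filesystem call on an unsanitised user-supplied name.
function readVulnerable() {
    return file_get_contents('/var/app/uploads/' . $_GET['file']);  // flagged: ../ traversal
}
function readHardened() {
    $base = realpath('/var/app/uploads');                              // assumed upload directory
    $name = isset($_GET['file']) ? basename($_GET['file']) : '';
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($name === '' || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('file is not inside the upload directory');
    }
    return file_get_contents($path);
}

// 1007156, now under Secure Coding - Input Validation: eval on request data.
function limitVulnerable() {
    eval('$limit = ' . $_POST['limit'] . ';');                         // flagged: arbitrary code execution
    return $limit;
}
function limitHardened() {
    $limit = filter_input(INPUT_POST, 'limit', FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 100)));
    return ($limit === false || $limit === null) ? 10 : $limit;         // validated integer with a typed default
}
```

The hardened forms show the remediation direction (output encoding, allow-listing, verified TLS, a callback instead of /e, path canonicalisation with a containment check, typed validation instead of eval); whether a given construct is actually flagged follows each rule's own detection logic as documented in the extension's CHM, not this example.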
PHP 2.0.0 - beta 1
Support for installation on Oracle Server
Currently this extension is not supported for installation on Oracle Server, but this will be supported in the next release of the extension.
Support for Backfired Function Points
The extension now supports Backfired Function Point counting.
Quality Rule renaming
All the Quality Rules below have been renamed and have also had their documentation updated for all fields (description, rationale, remediation, remediation sample, sample etc):
Previous Quality Rule name | New Quality Rule name | ID |
---|---|---|
Avoid Script Functions with High Fan-In (PHP) | Avoid JavaScript Functions with High Fan-In (PHP) | 1007008 |
Avoid Script Functions with High Fan-Out (PHP) | Avoid JavaScript Functions with High Fan-Out (PHP) | 1007010 |
Avoid Methods and Functions with High Cyclomatic Complexity (PHP) | Avoid artifacts with High Cyclomatic Complexity (PHP) | 1007016 |
Avoid unreferenced Script Functions (PHP) | Avoid unreferenced JavaScript Functions (PHP) | 1007054 |
Avoid unused parameters (PHP) | Avoid artifacts with unused parameters (PHP) | 1007058 |
Avoid undocumented Methods or Functions (PHP) | Avoid undocumented artifacts (PHP) | 1007098 |
Avoid Methods and Functions with a very low comment/code ratio (PHP) | Avoid artifacts with a very low comment/code ratio (PHP) | 1007100 |
Avoid undocumented Script Functions (PHP) | Avoid undocumented JavaScript Functions (PHP) | 1007110 |
Avoid Script Functions with a very low comment/code ratio (PHP) | Avoid JavaScript Functions with a very low comment/code ratio (PHP) | 1007112 |
Avoid Sections With Queries on more than 4 Tables (PHP) | Avoid artifacts with sql statements referring more than 4 Tables (PHP) | 1007118 |
Avoid Sections with Group By (PHP) | Avoid artifacts with Group By sql statement (PHP) | 1007120 |
Avoid Functions throwing exceptions and not having a @Throws tag (PHP) | Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP) | 1007124 |
Avoid classes exceeding maximum length (PHP) | Avoid classes with excessive lines of code (PHP) | 1007126 |
Avoid methods having too many parameters (PHP) | Avoid artifacts with excessive number of parameters (PHP) | 1007128 |
Avoid Methods exceeding maximum length (PHP) | Avoid Artifacts with excessive lines of code (PHP) | 1007130 |
Avoid classes with too many fields (PHP) | Avoid classes with excessive number of fields (PHP) | 1007132 |
Avoid classes with too many methods (PHP) | Avoid classes with excessive number of methods (PHP) | 1007134 |
Avoid classes having a number of public methods and attributes exceeds maximum (PHP) | Avoid classes having with excessive number of public methods and fields (PHP) | 1007136 |
Avoid having unused variables (PHP) | Avoid unused local variables (PHP) | 1007138 |
Avoid classes exceeding number of weighted methods (PHP) | Avoid classes with excessive number of weighted methods (PHP) | 1007144 |
Avoid unconditional "if" and "elseif" statements (PHP) | Avoid unconditional "if" and "else if\elseif" statements (PHP) | 1007146 |
Avoid useless overriding Methods (PHP) | Avoid methods and constructor overridden only with parent artifact call (PHP) | 1007148 |
Avoid functions having the optional parameters before the others (PHP) | Avoid artifacts with optional parameters before required parameters (PHP) | 1007164 |
Avoid having functions with no return (PHP) | Avoid using function or method return value that do not have return (PHP) | 1007168 |
Avoid having call function return ignored (PHP) | Avoid function return value ignored (PHP) | 1007170 |
Avoid having constructors with a return value (PHP) | Avoid having constructors with return value (PHP) | 1007172 |
Avoid using short tags like "<?=$name> (PHP) | Avoid using PHP short tags (PHP) | 1007192 |
Avoid Select * queries in PHP Section (PHP) | Avoid artifacts with "select *" Sql statement (PHP) | 1007220 |
Avoid artifacts with variables passed by reference when calling a function (PHP) | Avoid having variables passed by reference when calling a function (PHP) | 1007232 |
Quality Rule merging
The following Quality Rules have been merged, i.e. the functionality of two Quality Rules has been merged into one because the only difference was the violating object types. The Quality Rule listed in the column Removed Quality Rule / ID is the Quality Rule that is no longer available:
Previous Quality Rule name / ID | New Quality Rule name / ID | Removed Quality Rule / ID |
---|---|---|
Avoid php methods and php functions directly accessing database tables (PHP) / 1007002 | Avoid artifacts directly accessing database tables (PHP) / 1007002 | Avoid php sections directly access database tables (PHP) / 1007000 |
Use lowercase for control structures in Methods and Functions (PHP) / 1007086 | Use lowercase for control structures (PHP) / 1007086 | Use lowercase for control structures in Sections (PHP) / 1007084 |
Quality Rule scope changes
The following Quality Rules have had their scope changed and now flag violations for all expected object types:
Quality Rule name | ID |
---|---|
Avoid Methods and Functions with High Fan-In (PHP) | 1007004 |
Avoid Methods and Functions with High Fan-Out (PHP) | 1007006 |
Avoid JavaScript Functions with High Fan-In (PHP) | 1007008 |
Avoid JavaScript Functions with High Fan-Out (PHP) | 1007010 |
Avoid artifacts with sql statements referring more than 4 Tables (PHP) | 1007118 |
Avoid artifacts with Group By sql statement (PHP) | 1007120 |
Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP) | 1007124 |
Avoid artifacts with excessive number of parameters (PHP) | 1007128 |
Avoid Artifacts with excessive lines of code (PHP) | 1007130 |
Avoid artifacts with "select *" Sql statement (PHP) | 1007220 |
Avoid having variables passed by reference when calling a function (PHP) | 1007232 |
PHP 2.0.0 - alpha
Change of scope for some Quality Rules
In order to report more granular violations, the following Quality Rules now give violations for the nearest type containing violations. Previously, all of them were reporting only phpSections as violating objects. This will result in an increase in total violations for these Quality Rules when upgrading to PHP 2.0.0 and generating a new snapshot on unchanged source code. You can also find out more in PHP 2.0 - Bug Fix List.
Quality Rule | ID |
---|---|
Avoid using empty statement (PHP) | 1007030 |
Avoid method invocation in a loop termination expression (PHP) | 1007050 |
Avoid having variable with a too short name (PHP) | 1007088 |
Avoid having variable with a too long name (PHP) | 1007090 |
Avoid unnecessary string concatenations (PHP) | 1007114 |
Avoid unused variables (PHP) | 1007138 |
Avoid using goto statement (PHP) | 1007154 |
Avoid variables without naming convention (PHP) | 1007212 |
Avoid having control structures without proper spacing in the open and close brace - PSR2 (PHP) | 1007228 |
Avoid Having control structures without proper switch case declarations (PSR2) (PHP) | 1007230 |
Avoid having variables passed by reference when calling a function (PHP) | 1007232 |
Avoid having inline control statements (PHP) | 1007234 |
Avoid having object not instantiated using parenthesis - Symfony STD (PHP) | 1007240 |
Quality Rule renaming
The following Quality Rules have been renamed in PHP 2.0.x:
Previous Quality Rule name | New Quality Rule name | ID |
---|---|---|
Avoid Sections directly access to database tables | Avoid php sections directly access database tables | 1007000 |
Avoid Methods and Functions directly access to database tables | Avoid php methods and php functions directly accessing database tables | 1007002 |
Avoid FOR loops which can be simplified to a WHILE loop | Avoid artifacts using "for" loops which can be simplified to a "while" loop | 1007022 |
Use identical type operators rather than EQUAL operators | Use identical type operator rather than "equal" operator | 1007026 |
Use Increment/decrement operators where possible | Use increment/decrement operators where possible | 1007028 |
Avoid classes having too many children | Avoid classes having excessive number of derived classes | 1007036 |
Avoid classes having too many dependencies | Avoid classes having excessive number of dependencies | 1007038 |
Avoid having Classes implementing too many Interfaces | Avoid Classes implementing excessive number of Interfaces | 1007042 |
Avoid classes with a high depth of inheritance tree | Avoid Classes with High Depth of Inheritance Tree | 1007046 |
Avoid large interfaces-too many methods | Avoid interfaces with excessive number of Methods | 1007048 |
Avoid method invocation in a loop termination expression | Avoid method invocation in loop termination expression | 1007050 |
Avoid unused Function parameters | Avoid unused parameters | 1007058 |
Avoid artifacts not checking the ending comments on Methods and Functions | Avoid method and functions without comments denoting scope end | 1007070 |
Avoid having Files without a naming convention | Avoid files with names not following naming convention | 1007072 |
A class name should start with a upper case letter | A class name should start with an upper case letter | 1007078 |
Avoid Classes not having the same name as the file | Avoid Class name not matching parent file name | 1007080 |
Avoid uppercase keywords for control structures in Sections | Use lowercase for control structures in Sections | 1007084 |
Avoid uppercase keywords for control structures in Functions and Methods | Use lowercase for control structures in Methods and Functions | 1007086 |
Avoid having variable with a too short name | Avoid having variable with too short name | 1007088 |
Avoid having variable with a too long name | Avoid having variable with too long name | 1007090 |
Avoid ELSEIF statements. ELSE and IF should be separate | Avoid "elseif" statements | 1007096 |
Avoid Sections with string concatenations | Avoid unnecessary string concatenations | 1007114 |
Avoid Methods with Object Instantiation in loops | Avoid artifacts with Object Instantiation in loops | 1007116 |
Avoid using break statement in FOR loops | Avoid using break or continue statements in loops with high cyclomatic complexity | 1007176 |
Avoid using include_once | Use file inclusion based on API suitability | 1007180 |
Avoid using count function inside a for loop | Avoid using size functions inside loops | 1007184 |
Avoid copying needless the variables | Avoid direct access to superglobals | 1007202 |
Avoid using $row[xxx] | Avoid fetching database rows as array and accessing using subscript | 1007218 |
Avoid having control structures without proper spacing in the open and close brace - PSR2 | Avoid control structures without proper spacing before and after open\close braces - PSR2 | 1007228 |
Avoid having class methods without scope modifiers - Symfony STD | Avoid having Class Methods or Constructor without scope modifiers - Symfony STD | 1007236 |
Avoid having object not instantiated using parenthesis - Symfony STD | Avoid artifacts having object instantiation without parenthesis - Symfony STD | 1007240 |
Disabled Quality Rules
The following Quality Rules have been disabled in PHP 2.0.x. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as Active and Detached. They will be completely ignored in any new snapshot:
Previous Quality Rule name | ID |
---|---|
Avoid artifacts not checking the ending comments on Methods and Functions (PHP) | 1007070 |
Avoid using time() to get the system time (PHP) | 1007210 |
Quality Rule removal
The following Quality Rules have been removed from PHP 2.0.x in an effort to provide improved and more targeted results. Note that these Quality Rules will still be available in the Assessment Model (in case they are involved in existing snapshots), and will be flagged as not Active and not Detached. They will be completely ignored in any new snapshot:
Quality Rule | ID | Reason |
---|---|---|
Avoid classes having too many parents (PHP) | 1007040 | The results of "Avoid Classes with a High Depth of Inheritance Tree (PHP)" include results of this QR which you can use instead. |
Avoid using variable without testing them for initialisation (PHP) | 1007160 | The results of "Use identical type operator rather than "equal" operator (PHP)" include results of this QR which you can use. |
Avoid having lonely variables (PHP) | 1007162 | This QR does not apply to PHP 5.x. |
Avoid functions having the optional parameters before the others (PHP) | 1007164 | Duplicate of "Avoid unassigned default values in Functions (PHP)" |
Avoid having the assignment to "$this" (PHP) | 1007174 | PHP 5.x does not support assignment to $this. |
Avoid using print (PHP) | 1007178 | In PHP 5.x, there is very little, if any, difference in performance. |
Avoid using double quote for long strings without variables (PHP) | 1007182 | In PHP 5.x, there is very little, if any, difference in performance. |
Avoid using regular expressions (PHP) | 1007188 | This QR will be replaced. |
Avoid using period for echo function (PHP) | 1007196 | In PHP 5.x, there is very little, if any, difference in performance. |
Avoid using arrays as parameters of str functions (PHP) | 1007214 | This QR is not applicable to PHP 5.x. |
Avoid having For-loops that use a function call in the test expression (PHP) | 1007226 | The results of "Avoid method invocation in a loop termination expression (PHP)" include results of this QR which you can use instead. |
Avoid having variables passed by reference when calling a function (PHP) | 1007232 | This QR does not apply to PHP 5.x. |
Log file naming convention
The names used for the PHP Preprocessor and PHP CodeSniffer log files have been changed. See PHP 2.0 - Analysis Configuration for more information.
Bug fixes
Changes in results post upgrade
Below is a list of changes made to the Quality Model/analyzer in the current release of the PHP extension that are known to cause impacts to results:
PHP 2.0.0 - funcrel
Changed parent Technical Criterion
As mentioned in Changed parent Technical Criterion above, rule Avoid using eval expressions (PHP) - 1007156 has been moved from the "Programming Practices - Structuredness - 61024" Technical Criterion to the "Secure Coding - Input Validation - 66062" Technical Criterion. Therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the two Technical Criteria involved will change.
Removed/disabled Rules
Several Rules have been removed or disabled in PHP 2.0.x, therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Quality Rules that have been removed or disabled will no longer be visible.
PHP 2.0.0 - beta 1
Merging/removal of Quality Rules
Several Quality Rules have been merged and others removed from PHP 2.0.x (see Quality Rule merging above), therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Quality Rules that have been removed (as listed in Quality Rule removal) will no longer be visible.
Quality Rule scope changes
Multiple Quality Rules have had their "scope" changed and now flag violations for all expected object types. The fixes will impact results when upgrading to PHP 2.0.0 and generating a new snapshot on the same source code. See Quality Rule scope changes for a list of the impacted Quality Rules.
Quality Rule bug fixing
Multiple Quality Rules contained bugs that caused false violations. The fixes will impact results when upgrading to PHP 2.0.0 and generating a new snapshot on the same source code. The following Quality Rules are impacted:
Quality Rule | ID | Notes |
---|---|---|
Avoid JavaScript Functions with High Fan-In (PHP) | 1007008 | |
Avoid JavaScript Functions with High Fan-Out (PHP) | 1007010 | |
Avoid artifacts with sql statements referring more than 4 Tables (PHP) | 1007118 | |
Avoid artifacts with Group By sql statement (PHP) | 1007120 | |
Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP) | 1007124 | |
Avoid artifacts with "select *" Sql statement (PHP) | 1007220 | |
All SQL related Quality Rules (for example Avoid artifacts with Group By sql statement (PHP)) | - | Previously, comment identifiers in SQL statements were not handled correctly and as such, false violations were reported. For example the following statement would have falsely violated the Quality Rule "Avoid artifacts with Group By sql statement (PHP) - 1007120" even though the Group By clause is commented out: `Select columnA, count(*) From SomeTable /* Group By ColumnA */`. This bug has now been fixed and the following identifiers are now handled correctly: |
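A small SQL comment stripper, added here as an illustration and not the analyzer's own code, shows what correct comment handling has to do for the SQL-related rules: a Group By inside a comment must be ignored, while one that follows a closed comment or contains comment characters inside a string literal must still be found. The set of comment forms handled (/* */, -- and #), the string-literal handling and the GROUP BY pattern are assumptions made for the example; the inputs are constructed.

```php
<?php
// Added example, not the analyzer's code: strip SQL comments before looking for GROUP BY,
// so that a commented-out clause does not count as a violation of 1007120.
// Comment forms handled (assumed): block comments /* ... */, line comments -- ... and # ...
// Single-quoted string literals are copied verbatim, so "--" inside a literal is not a comment.
function stripSqlComments($sql) {
    $out = '';
    $len = strlen($sql);
    $i = 0;
    while ($i < $len) {
        $c = $sql[$i];
        if ($c === "'") {                                   // string literal: copy up to the closing quote
            $end = $i + 1;
            while ($end < $len) {
                if ($sql[$end] === "'" && $end + 1 < $len && $sql[$end + 1] === "'") { $end += 2; continue; } // escaped ''
                if ($sql[$end] === "'") { break; }
                $end++;
            }
            $out .= substr($sql, $i, $end - $i + 1);
            $i = $end + 1;
        } elseif ($c === '/' && $i + 1 < $len && $sql[$i + 1] === '*') {   // block comment
            $close = strpos($sql, '*/', $i + 2);
            $i = ($close === false) ? $len : $close + 2;
            $out .= ' ';                                    // keep tokens on either side separated
        } elseif (($c === '-' && $i + 1 < $len && $sql[$i + 1] === '-') || $c === '#') {   // line comment
            $nl = strpos($sql, "\n", $i);
            $i = ($nl === false) ? $len : $nl;              // the newline itself is kept
        } else {
            $out .= $c;
            $i++;
        }
    }
    return $out;
}

function hasGroupBy($sql) {
    return preg_match('/\bGROUP\s+BY\b/i', stripSqlComments($sql)) === 1;
}

// Constructed inputs: the release note's example plus line-comment and string-literal cases.
$cases = array(
    'Select columnA, count(*) From SomeTable /* Group By ColumnA */'               => false,
    "Select columnA, count(*) From SomeTable -- Group By ColumnA\n"                 => false,
    "Select columnA, count(*) From SomeTable # Group By ColumnA\n"                  => false,
    "Select columnA, count(*) From SomeTable Where note = '-- x' Group By columnA"  => true,
    "Select columnA, count(*) From SomeTable /* tmp */ Group By columnA"            => true,
);
foreach ($cases as $sql => $expected) {
    $got = hasGroupBy($sql);
    printf("%s  %s\n", $got === $expected ? 'ok  ' : 'FAIL', trim($sql));
}
```

Run it with `php` on the command line: every line should print `ok`. The same five statements, placed in PHP source and analysed, are a quick fixture for confirming that a post-upgrade snapshot no longer reports the commented-out cases against 1007120.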
PHP 2.0.0 - alpha
Removal/disabling of multiple Quality Rules
Multiple Quality Rules have been removed/disabled from PHP 2.0.x (see Quality Rule removal above), therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, results for the Quality Rules listed in Quality Rule removal and in Disabled Quality Rules will no longer be visible.
Quality Rule bug fixing
Multiple Quality Rules have been debugged, fixed and improved in PHP 2.0.x (see PHP 2.0 - Bug Fix List). The fixes will impact results when upgrading to PHP 2.0.0 and generating a new snapshot on unchanged source code. The impacts fall into three main categories:
- True violations that were previously missed may now be detected.
- Quality Rules that previously produced no violations at all may now produce violations.
- Quality Rules that previously considered incorrect or too few object types now consider all expected object types, which increases the number of violations.
You can find out more in PHP 2.0 - Bug Fix List.
Changes to the analyzer
Avoid Undocumented <artifact> (PHP)
In previous releases of the PHP extension, the analyzer would routinely add comment lines to source code as part of the violation detection process. This had an undesirable side effect: previously uncommented source code that had been commented by the analyzer was from then on considered to include comment lines and therefore did not trigger a violation of the various Quality Rules entitled "Avoid Undocumented <artifact> (PHP)" (where <artifact> is classes, functions, methods and sections). The analyzer no longer adds comments to source code during the analysis, and therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, there may be an increased number of violations for these Quality Rules where uncommented artifacts are detected. These violations are now correct.
Abstract and Final Methods/Constructors
In previous releases of the PHP extension, the analyzer would not create specific objects for abstract or final methods/constructors. This bug has now been fixed (abstract or final methods/constructors are now created) and therefore after an upgrade to PHP 2.0.0 and the generation of a post upgrade snapshot on the same source code, any Quality Rule that includes methods and/or constructors in its scope may return an increased number of violations if any newly detected abstract/final methods/constructors qualify.
Function Point, Quality and Sizing support
- Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
- Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points (transactions) | Quality and Sizing |
---|---|
Prerequisites to using the extension
Prerequisite | Description | Notes |
---|---|---|
Java JRE | Only required with CAST AIP releases that do not ship their own JRE (CAST AIP < 8.2.1). If you are using CAST AIP ≥ 8.2.1, the PHP extension uses the JRE provided with CAST AIP and located in the installation folder, and nothing needs to be installed. | |
JAVA_HOME environment variable | Same condition as the Java JRE: must point to a JRE when CAST AIP < 8.2.1; with CAST AIP ≥ 8.2.1 you don't need to set a JAVA_HOME. | |
PHP / PHP Code Sniffer / PHPMD | The extension requires the installation of three third-party items: PHP, PHP_CodeSniffer and PHPMD. These items are provided with the extension, however, they must be installed manually as described in PHP 2.0 - Analysis Configuration. | N/A |
CAST AIP compatibility
CAST recommends that you always install the latest release of an extension.
CAST AIP version | Supported? |
---|---|
8.3.x | |
8.2.x | |
8.1.x | |
8.0.x | |
≥ 7.3.4 |
Supported DBMS servers
DBMS | Supported? |
---|---|
CSS | |
Oracle | |
Microsoft SQL Server |
Supported Versions of PHP
This version of the PHP extension provides partial support for the following PHP versions:
- 5.x
Licence Agreements
The PHP extension uses several third-party tools. The Licence Agreements for these tools are listed below:
PHP_CodeSniffer
More information about this tool is available here: http://pear.php.net/package/PHP_CodeSniffer
Version
CAST ships version 2.5.0 of the PHP_CodeSniffer.
License
The licence agreement for the PHP_CodeSniffer tool is available here:
and is detailed below:
Copyright (c) 2012, Squiz Pty Ltd (ABN 77 084 670 600)
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Squiz Pty Ltd nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Quality Rules calculated by the PHP_CodeSniffer tool
Rule name | ID |
---|---|
Avoid artifacts using "for" loops which can be simplified to a "while" loop (PHP) | 1007022 |
Avoid incrementer jumbling in loops (PHP) | 1007024 |
Use identical type operator rather than "equal" operator (PHP) | 1007026 |
Use increment/decrement operators where possible (PHP) | 1007028 |
Avoid using empty statement (PHP) | 1007030 |
Avoid empty class definition (PHP) | 1007032 |
Avoid classes having excessive number of derived classes (PHP) | 1007036 |
Avoid classes having excessive number of dependencies (PHP) | 1007038 |
Avoid Classes with High Depth of Inheritance Tree (PHP) | 1007046 |
Avoid unnecessary final modifiers inside final Classes (PHP) | 1007056 |
Avoid artifacts with unused parameters (PHP) | 1007058 |
Avoid Class name not matching parent file name (PHP) | 1007080 |
Use lowercase for control structures in Sections (PHP) | 1007084 |
Use lowercase for control structures (PHP) | 1007086 |
Avoid having variable with too short name (PHP) | 1007088 |
Avoid having variable with too long name (PHP) | 1007090 |
Avoid "elseif" statements (PHP) | 1007096 |
Avoid artifacts throwing exceptions without @Throws tag in doc comments (PHP) | 1007124 |
Avoid classes with excessive lines of code (PHP) | 1007126 |
Avoid artifacts with excessive number of parameters (PHP) | 1007128 |
Avoid Artifacts with excessive lines of code (PHP) | 1007130 |
Avoid classes with excessive number of fields (PHP) | 1007132 |
Avoid classes with excessive number of methods (PHP) | 1007134 |
Avoid classes having with excessive number of public methods and fields (PHP) | 1007136 |
Avoid unused local variables (PHP) | 1007138 |
Avoid unused private fields (PHP) | 1007140 |
Avoid unused private methods (PHP) | 1007142 |
Avoid classes with excessive number of weighted methods (PHP) | 1007144 |
Avoid unconditional "if" and "else if\elseif" statements (PHP) | 1007146 |
Avoid methods and constructor overridden only with parent artifact call (PHP) | 1007148 |
Avoid unassigned default values in Functions (PHP) | 1007150 |
Avoid having variables without naming conventions (PHP) | 1007212 |
Avoid having For-loops that use a function call in the test expression (PHP) | 1007226 |
Avoid control structures without proper spacing before and after open\close braces - PSR2 (PHP) | 1007228 |
Avoid Having control structures without proper switch case declarations (PSR2) (PHP) | 1007230 |
Avoid having variables passed by reference when calling a function (PHP) | 1007232 |
Avoid having inline control statements (PHP) | 1007234 |
Avoid having Class Methods or Constructor without scope modifiers - Symfony STD (PHP) | 1007236 |
Avoid having multiple classes defined in a single file - Symfony STD (PHP) | 1007238 |
Avoid artifacts having object instantiation without parenthesis - Symfony STD (PHP) | 1007240 |
CWE-311: Use sufficient SSL\TLS context (PHP) | 1007248 |
Avoid files that declare both symbols and execute logic with side effects (PHP) | 1007254 |
Rules using the PHP_CodeSniffer framework but implemented by CAST
Rule name | ID |
---|---|
Avoid using embedded CSS in Web Pages (PHP) | 1007012 |
Avoid empty style definition (PHP) | 1007034 |
Avoid artifacts with Object Instantiation in loops (PHP) | 1007116 |
CWE-624: Avoid using eval expressions (PHP) | 1007156 |
Avoid artifacts using exit and die expressions (PHP) | 1007158 |
Avoid using variable without testing them for initialisation (PHP) | 1007160 |
Avoid having constructors with return value (PHP) | 1007172 |
Avoid using break or continue statements in loops with high cyclomatic complexity (PHP) | 1007176 |
Avoid using size functions inside loops (PHP) | 1007184 |
Avoid direct access to superglobals (PHP) | 1007202 |
Avoid fetching database rows as array and accessing using subscript (PHP) | 1007218 |
Avoid artifacts with Group By sql statement (PHP) | 1007120 |
Avoid artifacts with "select *" Sql statement (PHP) | 1007220 |
Avoid artifacts with sql statements referring more than 4 Tables (PHP) | 1007118 |
phpcs-security-audit
This package integrates with the existing "Pear" code sniffer. This package is used to generate results for certain security related rules. More information about this package is available here: https://github.com/FloeDesignTechnologies/phpcs-security-audit.
The licence agreement for this tool is available here:
Rules calculated by the phpcs-security-audit tool
Rule name | ID |
---|---|
CWE-79: Avoid use of raw user input that can expose XSS vulnerability (PHP) | 1007244 |
CWE-98: Avoid use of user input that can expose Stream Injection vulnerability (PHP) | 1007246 |
CWE-624: Avoid preg_replace with /e option (PHP) | 1007250 |
CWE-661: Avoid filesystem function calls without sanitizing user input (PHP) | 1007252 |
PHPMD
More information about this tool is available here: http://phpmd.org/
The licence agreement for the PHPMD tool is detailed below:
Copyright (c) 2009-2011, Manuel Pichler <mapi@phpmd.org>.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
PHP Depend
More information about this tool is available here: http://pdepend.org/
The licence agreement for the PHP Depend tool is available in the file "LICENSE.txt" delivered in the source folder of the tool and is detailed below:
Copyright (c) 2008-2012, Manuel Pichler <mapi@pdepend.org>.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Documentation of PHP Quality Rules and Metrics
Documentation of all CAST Metrics and Quality Rules specific to the PHP extension is delivered via a compiled HTML Help file (CHM). Once the CHM has been downloaded, right-click the CHM file in Windows Explorer and choose Properties > Unblock. Windows marks files downloaded from the internet as blocked and will otherwise refuse to render the CHM's topics; unblocking it makes the CHM readable on your own PC.