Created by user-1a1b1, last modified by James Hurrell on Jan 21, 2021
3.0.6-funcrel
Note
This release deprecates security rules (see list below) that were provided by a third-party solution which is no longer compatible with CAST AIP. See also https://doc.castsoftware.com/display/TECHNOS/PHP+3.0#PHP3.0-thirdConfigurerulesforthird-partytoolanalysisresults.
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1007258 | FALSE | DEPRECATED: Avoid cross-site scripting - Improper Neutralization of input during web page generation (PHP). |
| 1007260 | FALSE | DEPRECATED: Avoid Command Injection - Improper Neutralization of Special Elements used in an OS Command (PHP). |
| 1007262 | FALSE | DEPRECATED: Avoid file name or path controlled by raw user input (PHP). |
| 1007264 | FALSE | DEPRECATED: Avoid unrestricted file upload (PHP). |
| 1007266 | FALSE | DEPRECATED: Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command within single quotes (PHP). |
| 1007268 | FALSE | DEPRECATED: Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command without quotes (PHP). |
| 1007270 | FALSE | DEPRECATED: Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command in dynamic query (PHP). |
| 1007272 | FALSE | DEPRECATED: Avoid Session Fixation (PHP). |
| 1007274 | FALSE | DEPRECATED: Avoid Object Injection (PHP). |
| 1007276 | FALSE | DEPRECATED: Avoid Cookie Misconfiguration (path) (PHP). |
| 1007278 | FALSE | DEPRECATED: Avoid weak hash functions (PHP). |
| 1007280 | FALSE | DEPRECATED: Avoid System Information Leakage (PHP). |
| 1007282 | FALSE | DEPRECATED: Avoid Cookie Misconfiguration (secure flag) (PHP). |
| 1007284 | FALSE | DEPRECATED: Avoid Cookie Misconfiguration (httpOnly flag) (PHP). |
| 1007286 | FALSE | DEPRECATED: Avoid PHP Dangerous Feature (PHP). |
| 1007288 | FALSE | DEPRECATED: Avoid debug code in the production system (PHP). |
| 1007290 | FALSE | DEPRECATED: Avoid cross site scripting (single quoted attribute) (PHP). |
| 1007256 | FALSE | DEPRECATED: Avoid cross-site scripting - Improper Neutralization of input in script tag during web page generation (PHP). |
3.0.5-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 22973 | Space consumption is too high because CSS/PostgreSQL is shared across all applications. |
| 23935 | The count of violations is higher than the actual number of violations. |
| 23958 | The total count of violations does not match the number of violated objects displayed for PHP. |
3.0.4-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 19657 | Missing link from PHP to PHP. As a consequence of this fix, the number of links between PHP artifacts may increase. |
| 20170 | Fix for "Warning com.castsoftware.php plugin has encountered an error." |
| 20811 | Fix for "Warning com.castsoftware.php plugin has encountered an error." |
| 22268 | Fix for "Warning com.castsoftware.php plugin has encountered an error." |
| 20501 | The location of temporary files for "pdepend" has been changed to the path specified by CAST_CURRENT_USER_TEMP_PATH. Temporary files created by "pdepend" are now also cleaned up after every analysis. |
| 20614 | False violation for the rule "A file should either declare symbol or execute logic but not both." |
| 22287 | PHP 3.0.3-funcrel extension installation on the schemas is not complete. |
| 22366 | Incorrect link created between a PHP section and an SQL table. As a consequence of this fix, the number of links from PHP to SQL will reduce. |
Other Updates
| Details |
|---|
| Oracle and SQL Server support content has been removed: the folders for SQL Server and Oracle support are no longer part of the PHP installation. This has no effect on analysis results on CSS/PostgreSQL. |
| Total checks were less than violations for "Avoid direct definition of JavaScript Functions in a Web page (PHP)". |
3.0.3-funcrel
Other Updates
| Details |
|---|
| Handling of PHP short tags: because the PHP Analyzer is built on the Universal Analyzer, the PHP short tags `<?` and `<?=` cannot be handled as is, so the analyzer automatically converts them to `<?php` tags with an added comment. For example, `<?=$string?>` is transformed into `<?php /*php short tag*/echo $string?>`. |
| Missing link from PHP to SQL DB: links were missing in some cases when handling the "from" clause of an SQL statement. This has now been fixed. After upgrade, the number of links to data functions may increase. |
| PHP Section objects for the PHP short tags `<?` and `<?=` were not being created. This has now been fixed. After the extension upgrade, the number of phpSection objects will change. |
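The short-tag rewrite described above, as an added example written here for illustration (it is not the extension's own preprocessor code): a small function that performs the same substitution and, going a step further than the note, leaves `<?php` and `<?xml` processing instructions untouched so that only genuine short tags are rewritten.

```python
import re

# Marker comment inserted by the rewrite, as shown in the release note.
MARKER = "/*php short tag*/"

# First alternative: the echo short tag "<?=".
# Second alternative: a bare "<?" that is NOT followed by a letter, so that
# "<?php" and "<?xml" are left alone (assumption made by this example;
# the real preprocessor may handle these cases differently).
_SHORT_TAG = re.compile(r"<\?=|<\?(?![A-Za-z])")


def rewrite_short_tags(source: str) -> str:
    """Return `source` with PHP short open tags expanded to full tags.

    "<?=" becomes "<?php /*php short tag*/echo " and a bare "<?" becomes
    "<?php /*php short tag*/"; everything else is copied through unchanged.
    """

    def _replace(match: re.Match) -> str:
        if match.group(0) == "<?=":
            return "<?php " + MARKER + "echo "
        return "<?php " + MARKER

    return _SHORT_TAG.sub(_replace, source)


def count_short_tags(source: str) -> int:
    """Number of short tags that the rewrite would touch (a rough proxy for
    what the rule 'Avoid using PHP short tags (PHP)' would flag)."""
    return len(_SHORT_TAG.findall(source))


if __name__ == "__main__":
    # Constructed sample file mixing short tags, full tags and an XML prolog.
    sample = (
        '<?xml version="1.0"?>\n'
        "<?php $name = 'world'; ?>\n"
        "<? $greeting = 'Hello'; ?>\n"
        "<p><?=$greeting?>, <?=$name?></p>\n"
    )
    print(rewrite_short_tags(sample))
```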
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1007002 | FALSE | New weight of 6 for the rule Avoid artifacts directly accessing database tables (PHP). |
| 1007016 | FALSE | New weight of 7 for the rule Avoid artifacts with High Cyclomatic Complexity (PHP). |
| 1007026 | FALSE | New weight of 7 for the rule Use identical type operators rather than EQUAL operators (PHP). |
| 1007036 | FALSE | New weight of 7 for the rule Avoid classes having excessive number of derived classes (PHP). |
| 1007038 | FALSE | New weight of 7 for the rule Avoid classes having excessive number of dependencies (PHP). |
| 1007046 | FALSE | New weight of 7 for the rule Avoid Classes with a High Depth of Inheritance Tree (PHP). |
| 1007050 | FALSE | New weight of 7 for the rule Avoid method invocation in a loop termination expression (PHP). |
| 1007116 | FALSE | New weight of 7 for the rule Avoid Methods with Object Instantiation in loops (PHP). |
| 1007132 | FALSE | New weight of 6 for the rule Avoid classes with excessive number of fields (PHP). |
| 1007144 | FALSE | New weight of 8 for the rule Avoid classes with excessive number of weighted methods (PHP). |
| 1007146 | FALSE | New weight of 7 for the rule Avoid unconditional IF and ELSEIF statements (PHP). |
| 1007172 | FALSE | New weight of 8 for the rule Avoid having constructors with a return value (PHP). |
| 1007176 | FALSE | New weight of 7 for the rule Avoid using break statement in FOR loops (PHP). |
| 1007180 | FALSE | New weight of 8 for the rule Use file inclusion based on API suitability (PHP). |
| 1007184 | FALSE | New weight of 7 for the rule Avoid using size functions inside loops (PHP). |
| 1007190 | FALSE | New weight of 7 for the rule Avoid using relative path (PHP). |
| 1007218 | FALSE | New weight of 7 for the rule Avoid using $row[xxx] (PHP). |
| 1007220 | FALSE | New weight of 7 for the rule Avoid Select * queries in PHP Section (PHP). |
| 1007238 | FALSE | New weight of 6 for the rule Avoid having multiple classes defined in a single file - Symfony STD (PHP). |
| 1007244 | FALSE | New weight of 8 for the rule Avoid cross-site scripting - Improper Neutralization of script-related HTML tags in a web page (PHP). |
| 1007246 | FALSE | New weight of 8 for the rule Avoid Remote File Inclusion - Improper Control of Filename for Include/Require Statement in PHP Program (PHP). |
| 1007252 | FALSE | New weight of 8 for the rule Avoid filesystem function calls without sanitizing user input (PHP). |
| 1007024 | FALSE | Avoid incrementer jumbling in loops (PHP) - rule is now flagged as critical and thresholds changed. |
| 1007156 | FALSE | Avoid using eval expressions (PHP) - rule is now flagged as critical and thresholds changed. |
| 1007158 | FALSE | Avoid using exit and die expressions (PHP) - rule is now flagged as critical and thresholds changed. |
| 1007192 | FALSE | Avoid using PHP short tags (PHP) - rule is now flagged as critical, thresholds changed, and a bug has been fixed where no violations were being recorded. |
| 1007206 | FALSE | Avoid using @error suppression (PHP) - rule is now flagged as critical and thresholds changed. |
| 1007250 | FALSE | Avoid preg_replace with /e option (PHP) - rule is now flagged as critical and thresholds changed. |
| 1007168 | FALSE | DEPRECATED: Avoid using function or method return value that do not have return (PHP). |
| 1007170 | FALSE | DEPRECATED: Avoid function return value ignored (PHP). |
3.0.2-funcrel
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 17020 | PHP analysis warnings: 'unable to find end of ESQL section' and 'end of string' not found. |
| 17606 | Permanent fix for the error during Manage Delivery: "Library dmtcoediscovererphp version 1.0 is missing: null null". |
Other Updates
| Details |
|---|
| The user role "operator" was hardcoded in many COE extensions (RPG, Flex, PHP and so on). The PHP extension no longer depends on the existence of the operator user/role. |
3.0.1-funcrel
Other Updates
| Details |
|---|
| The behaviour of the PHP discoverer (embedded in the PHP extension) has been changed. If the discoverer identifies only .inc, .yml or .yaml files in the source code, no PHP project will be discovered and no corresponding Analysis Unit will be created. This fix was implemented because these file types are also used by other technologies unrelated to PHP, and in that situation a PHP project should not be discovered. After installing the new release of the extension, the impact of this fix will only be seen in the following circumstances: 1) when creating a new package in the CAST Delivery Manager Tool; 2) when repackaging an existing package and choosing the "Force extraction" or "Force scan" options. |
| The preprocessor no longer gets stuck due to insufficient handling of different line endings. As a consequence of the fix, line endings in all files processed by the PHP extension are normalized to Windows (CRLF) line endings. |
| The titles of PHP rules that included the word "CWE" have been updated and the word "CWE" removed. There is no impact on results. |
3.0.0-funcrel
Note
Rules marked with a * in the Rules table below are only triggered when third-party software results are integrated in the specified format. Please see https://doc.castsoftware.com/display/TECHNOS/PHP+3.0#PHP3.0-third.
Resolved Issues
| Customer Ticket Id | Details |
|---|---|
| 14399 | %Compliance, %successful check and Average showing a negative value on the Health Dashboard. As part of the fix, the analyzer now looks for JavaScript function definitions in PHP files whose parent is of type "ScriptSection"; in previous releases it was erroneously looking for "sourceFile" as the parent. Therefore, after upgrading to this release of the extension and generating a post-upgrade snapshot on unchanged source code, results may be impacted: new violations may be reported on new objects and existing violations may no longer be reported. |
Rules
| Rule Id | New Rule | Details |
|---|---|---|
| 1007244 | TRUE | Avoid cross-site scripting - Improper Neutralization of script-related HTML tags in a web page (PHP) |
| 1007246 | TRUE | Avoid Remote File Inclusion - Improper Control of Filename for Include/Require Statement in PHP Program (PHP) |
| 1007248 | TRUE | Use sufficient SSL\TLS context (PHP) |
| 1007250 | TRUE | Avoid preg_replace with /e option (PHP) |
| 1007252 | TRUE | Avoid filesystem function calls without sanitizing user input (PHP) |
| 1007254 | TRUE | Avoid files that declare both symbols and execute logic with side effects (PHP) |
| 1007256 | TRUE | Avoid cross-site scripting - Improper Neutralization of input in script tag during web page generation (PHP) * |
| 1007258 | TRUE | Avoid cross-site scripting - Improper Neutralization of input during web page generation (PHP) * |
| 1007260 | TRUE | Avoid Command Injection - Improper Neutralization of Special Elements used in an OS Command (PHP) * |
| 1007262 | TRUE | Avoid file name or path controlled by raw user input (PHP) * |
| 1007264 | TRUE | Avoid unrestricted file upload (PHP) * |
| 1007266 | TRUE | Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command within single quotes (PHP) * |
| 1007268 | TRUE | Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command without quotes (PHP) * |
| 1007270 | TRUE | Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command in dynamic query (PHP) * |
| 1007272 | TRUE | Avoid Session Fixation (PHP) * |
| 1007274 | TRUE | Avoid Object Injection (PHP) * |
| 1007276 | TRUE | Avoid Cookie Misconfiguration (path) (PHP) * |
| 1007278 | TRUE | Avoid weak hash functions (PHP) * |
| 1007280 | TRUE | Avoid System Information Leakage (PHP) * |
| 1007282 | TRUE | Avoid Cookie Misconfiguration (secure flag) (PHP) * |
| 1007284 | TRUE | Avoid Cookie Misconfiguration (httpOnly flag) (PHP) * |
| 1007286 | TRUE | Avoid PHP Dangerous Feature (PHP) * |
| 1007288 | TRUE | Avoid debug code in the production system (PHP) * |
| 1007290 | TRUE | Avoid cross site scripting (single quoted attribute) (PHP) * |