Extension ID
com.castsoftware.php.security
What's new?
See Psalm Security Rules - 1.0 - Release Notes for more information.
Description
This extension provides a dedicated set of quality rules designed to check your PHP source code for user input security defects or violations. These quality rules are based on the user input security checks provided by the open source static analysis tool Psalm (see https://psalm.dev/) and are in addition to the PHP quality rules provided by the PHP Analyzer. The PHP Analyzer is a required dependency: the Psalm Security Rules extension runs its quality rules against the results of the PHP Analyzer analysis.
The following Psalm user input security checks are supported by this extension:
- https://psalm.dev/docs/running_psalm/issues/TaintedCallable/
- https://psalm.dev/docs/running_psalm/issues/TaintedCookie/
- https://psalm.dev/docs/running_psalm/issues/TaintedEval/
- https://psalm.dev/docs/running_psalm/issues/TaintedFile/
- https://psalm.dev/docs/running_psalm/issues/TaintedHeader/
- https://psalm.dev/docs/running_psalm/issues/TaintedInclude/
- https://psalm.dev/docs/running_psalm/issues/TaintedLdap/
- https://psalm.dev/docs/running_psalm/issues/TaintedShell/
- https://psalm.dev/docs/running_psalm/issues/TaintedSql/
- https://psalm.dev/docs/running_psalm/issues/TaintedSSRF/
- https://psalm.dev/docs/running_psalm/issues/TaintedTextWithQuotes/
- https://psalm.dev/docs/running_psalm/issues/TaintedUnserialize/
A detailed explanation of the security checks provided by Psalm can be found at https://psalm.dev/docs/security_analysis/, which includes a dedicated section about avoiding false positives.
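To make concrete what one of the listed checks (TaintedSql) reports, the following is an added illustration, not code from the CAST extension or from the Psalm documentation. It assumes Psalm's documented behaviour that superglobals such as $_GET are taint sources, that PDO::query() is a SQL sink, and that the @psalm-taint-escape annotation declares a sanitizer; the users table and the PDO connection are constructed for the example.

```php
<?php
// Added illustration (not part of the CAST extension or Psalm's own docs).
// Assumed Psalm behaviour: $_GET is a taint source, PDO::query() is a SQL sink.
// Run with: vendor/bin/psalm --taint-analysis

// Reported as TaintedSql: request input is concatenated into the query text
// and reaches the sink unchanged.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Not reported: the value is bound as a parameter, so the query text that
// reaches the sink is a constant string.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Psalm's false-positive mechanism from the "avoiding false positives" section:
// a function annotated with @psalm-taint-escape sql removes the "sql" taint
// from its return value. Only annotate code that genuinely constrains the
// value; here an allow-list, because column names cannot be bound as params.
/**
 * @psalm-taint-escape sql
 */
function allowListedSortColumn(string $column): string
{
    $allowed = ['id', 'email', 'created_at'];
    return in_array($column, $allowed, true) ? $column : 'id';
}

// Not reported: the interpolated value comes from the declared sanitizer.
function listUsersSorted(PDO $pdo, string $column): array
{
    $col = allowListedSortColumn($column);
    return $pdo->query("SELECT id, email FROM users ORDER BY {$col}")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed entry point so every flow starts at a real taint source.
// The users table is assumed to exist in the constructed connection.
$pdo = new PDO('sqlite::memory:');
findUserUnsafe($pdo, $_GET['name'] ?? '');   // TaintedSql reported on this path
findUserSafe($pdo, $_GET['name'] ?? '');
listUsersSorted($pdo, $_GET['sort'] ?? 'id');
```

Within the CAST extension, the TaintedSql finding on the first path is what gets attached as a violation to the PHP Analyzer object for findUserUnsafe.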
In what situation should you install this extension?
If you are analyzing PHP source code and would like to check this code for user input security violations and view the results in the CAST Engineering Dashboard, you should install this extension.
Function Point, Quality and Sizing support
- Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
- Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points (transactions) | |
---|---|
Quality and Sizing | |
AIP Core compatibility
AIP Core release | Supported |
---|---|
8.3.x | |
Supported DBMS servers used for AIP Core schemas
This extension is compatible with the following DBMS servers used to host AIP Core schemas:
AIP Core release | CSS/PostgreSQL |
---|---|
All supported releases | |
Dependencies with other extensions
Some CAST extensions require the presence of other CAST extensions in order to function correctly. The Psalm Security Rules extension requires that the following other CAST extensions are also installed:
- PHP Analyzer (in order to get the objects to attach violations to)
- PHP Runtime (in order to have a PHP executable available to launch Psalm)
Download and installation instructions
The extension will not be automatically downloaded and installed in CAST Console. If you need to use it, you should manually install the extension using the Application - Extensions interface: