CAST AIP Technologies
Page tree

Versions Compared

Old Version 25

changes.mady.by.user James Hurrell

Saved on

compared with

New Version Current

changes.mady.by.user James Hurrell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

CAST AIP(tick)An installation of any compatible release of CAST AIP (see table above).-
PHP / PHP Code Sniffer / PHPMD(tick)

The extension requires the installation of three third party items:

  • PHP
  • PHP Code Sniffer
  • PHPMD

These items are provided with the extension, however, they must be installed manually as described below.

-
Java JRE(tick)The extension requires a Java JRE to be installed on the machine: only Java JRE 1.7 is currently supported. This is used by the pre-processor. See Source code preprocessing.

Note that these prerequisites are only applicable in the following circumstances:

  • If you are using version  1.2.0 of the PHP extension AND CAST AIP  8.2.0

Therefore, if you are using CAST AIP  8.2.1 and PHP 3.0, you don't need to set a JAVA_HOME and you do not need to install a JRE. The extension will automatically use the JRE provided with CAST AIP.


JAVA_HOME environment variable(tick)

The extension requires that a JAVA_HOME system environment variable is also present on the machine, pointing to the Java JRE installation folder:


...

Info
Note that the CAST Management Studio will use the LISA folder to analyze the preprocessed files (see CAST Management Studio help for more information about this folder).

Short tags

PHP short tags <? and <?= in the delivered source code cannot be handled as is, therefor the analyzer will automatically convert them to <?php tags with an added comment, for example: <?=$string?> will be transformed into <?php /*php short tag*/echo $string>.

Deliver the source code

Using the CAST Delivery Manager Tool:

  • create a new Version
  • create a new Package for your source code using the Files on your file system option and choose the location of your source code:

Click to enlarge

Image Added

  • Run the Package action.
  • Before delivering the source code, check the packaging results.

Analysis configuration and execution

Refer to Analysis Configuration and Execution for more information.

Logging mechanism

Analysis log files

Analysis logs are stored in the default locations used by the CAST Management Studio.

PHP Preprocessor

PHP Preprocessor log files (the preprocessor is launched automatically during an analysis) are stored in the following locations:

CAST AIP releaseLocationLog file name
8.2.x

%PROGRAMDATA%\CAST\CAST\Extensions\<extension_name>\Configuration\Languages\PHP\prepro

Info
Note that the above location is the default, however, if you have modified the CAST_PLUGINS_ROOT_PATH variable in the CastGlobalSettings.ini file, this location may be different.


com.castsoftware.php.prepro_<ExtensionVersion>_<YYYYMMDDHHMMSS>.log
8.3.xDefault location is set to %PROGRAMDATA%\CAST\CAST\Logs\<unique_application_id>\, but this location can be configured at will in the CAST Management Studio Preferences.

PHP CodeSniffer

PHP CodeSniffer log files (the CodeSniffer is launched automatically during an analysis) are stored in the following locations:

CAST AIP releaseLocationLog file name
8.2.x

%PROGRAMDATA%\CAST\CAST\Extensions\<extension_name>\Configuration\Languages\PHP\plugin

Info
Note that the above location is the default, however, if you have modified the CAST_PLUGINS_ROOT_PATH variable in the CastGlobalSettings.ini file, this location may be different.


com.castsoftware.php.plugin_<ExtensionVersion>_<YYYYMMDDHHMMSS>.log
8.3.xDefault location is set to %PROGRAMDATA%\CAST\CAST\Logs\<unique_application_id>\, but this location can be configured at will in the CAST Management Studio Preferences.

Errors and Warnings

The PHP configuration included in the extension uses external plugins. During the analysis, the Universal Analyzer or the plugin can throw errors or warnings. The table below list the most significant errors/warnings and lists a suggested remediation action:

ToolError or WarningAction
Analyzer & Code SnifferUA Plugin : No property (......) found in meta model for php...No action required. The analyzer is telling you that not all the properties are considered to be injected into the Analysis Service.

What results can you expect?

Objects

PHP Objects

IconMetamodel Name

Image Added

PHP Array

Image Added

PHP Class

Image Added

PHP Class Constant

Image Added

PHP Constructor

Image Added

PHP Define

Image Added

PHP Function

Image Added

PHP Interface

Image Added

PHP Member

Image Added

PHP Method

Image Added

PHP Section

Image Added

Script Function

Image Added

Script Section

Symfony Framework objects

IconMetamodel Name

Image Added

PHP Symfony Controller

Image Added

PHP Symfony Controller Class

Image Added

PHP Symfony Route

Image Added

PHP Symfony Service

In CAST Enlighten, all Symfony objects will appear under their respective folders as shown below :

Image Added

PHP Symfony Controller Class

  • Supported scenario: If the Class name ends with Controller, we will create PHP Symfony Controller Class objects
  • Links:
    • PHP Symfony Controller Class --- Refer Link ---> PHP Class
  • Limitations: Alternate syntax where you can give the class name that does not have suffix "Controller" is not supported

PHP Symfony Controller 

  • Supported scenario: If the method or function ends with suffix "Action", then PHP Symfony Controller Object will be created
  • Links:
    • PHP Symfony Controller --- Refer Link ---> PHP Symfony Route
    • PHP Symfony Controller --- Refer Link ---> PHP Method\Function

PHP Symfony Route

  • Supported scenario:
    • If a route has been declared in the yml file, a route object will be created
    • If a route has been declared in PHP file an annotation route object will be created as follows:
      • Default naming convention for route annotation when declared without name above class "<classname>_Class_Annotation_<number>"
      • Default naming convention for route annotation when declared without name above method "<methodname>_Method_Annotation_<number>"
  • Links:
    • PHP Symfony Route --- Call Link ---> PHP Symfony Controller

PHP Symfony Service

  • Supported scenario: If a service has been declared in the yml configuration files, PHP Symfony Service Object will be created
  • Links:
    • PHP Symfony Service --- Call Link ---> PHP Method
    • PHP Symfony Service --- Call Link ---> PHP Property
    • PHP Symfony Service --- Call Link ---> PHP Class constructor
  • Limitation: Inheritance is not supported while determining property setter or constructor injection - they need to be defined in the same class which is being referred to in the service

Structural Rules

The following structural rules are provided:

3.0.6-funcrelhttps://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.6-funcrel
3.0.5-funcrelhttps://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.5-funcrel
3.0.4-funcrelhttps://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.4-funcrel
3.0.3-funcrel https://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.3-funcrel
3.0.2-funcrelhttps://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.2-funcrel
3.0.1-funcrelhttps://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.1-funcrel
3.0.0-funcrelhttps://technologies.castsoftware.com/rules?sec=srs_php&ref=||3.0.0-funcrel

You can also find a global list here:

https://technologies.castsoftware.com/rules?sec=t_1017000&ref=||

Limitations

Expand

LISA path length limited to 256 characters

If the LISA (Large Intermediate Storage Area) path for a specific file exceeds 256 characters, violation calculation for this file will fail with message "<filepath> does not exist". This warning will appear in com.castsoftware.plugin*.log file. This is a limitation of PHP itself and not the PHP extenation. To remediate this issue reduce path to the LISA folder where possible.

Due to a limitation in the Universal Analyzer (the "engine" used for PHP analyses), links will be created from any name to any matching name. At a minimum the following rule may be impacted and give erroneous results:

1007004Avoid Methods and Functions with High Fan-In (PHP)
1007006Avoid Methods and Functions with High Fan-Out (PHP)
1007008Avoid JavaScript Functions with High Fan-In (PHP)
1007010Avoid JavaScript Functions with High Fan-Out (PHP)
1007168Avoid using function or method return value that do not have return (PHP)
1007170Avoid function return value ignored (PHP)

Analysis of XML and XSL files contained in the PHP application

The analysis of XML and XSL files contained in the PHP application is not supported. Any links between these files and any other file in the application will not be detected. This will impact the results of all the Quality Rules using these files.

Analysis of very big PHP applications

Very big PHP applications might need to be divided and analyzed in multiple small analyses instead of one analysis for the entire application.  

Support of JavaScript source code

The PHP extension does not support JavaScript and as such, any JavaScript source code located in .PHP or JavaScript  files will not be analyzed. CAST recommends using the HTML5 and JavaScript extension to analyze JavaScript files in the source code.

Support of PHTML files

PHTML files are supported with some limitations. If the files contain calls to functions or methods defined in other files and these other files are not specifically included, then these links will be lost.

Support of UNICODE

Unicode is supported in the current version of PHP Language Pack

Links between PHP and database objects

Calls to database objects from PHP are not typed (for example Us (Use Select), Ui (Use Insert)) - instead all calls are recorded as U links.

If a php class has members declared on the same line, only the first member will be detected. For example:

Code Block
languagephp
class Test {

public $first, $second, $third;

}

After analysis only object for "first" will be created.

Limitations specific to rules

Avoid artifacts having recursive calls

"Avoid artifacts having recursive calls" (7388 - a standard CAST rule) - in some cases, a false positive may be detected: a call to a parent function can be detected as a recursive call

Info
Note that an equivalent rule specific to the PHP extension (Avoid artifacts having recursive calls (PHP) - 1007242) was added in PHP 1.2.0. This replacement rule now produces accurate results and the results of 7388 should be ignored.

Avoid using break or continue statements in loops with high cyclomatic complexity

"Avoid using break or continue statements in loops with high cyclomatic complexity" (1007176) - if the break statement is located in JavaScript functions, no violations will be detected. JavaScript source code located in .PHP or JavaScript files is not analyzed (see limitation listed above).

Avoid unreferenced PHP Files

The rule "Avoid unreferenced PHP Files" (1007052) will return a false positive violation when a PHP file is referenced only from other technologies, for example from only within html/javascript source code.

License agreements

The PHP extension uses several third-party tools. The Licence Agreements for these tools are listed below:

Expand

PHP_CodeSniffer

More information about this tool is available here: http://pear.php.net/package/PHP_CodeSniffer

Version

CAST ships version 2.5.0 of the PHP_CodeSniffer.

License

The licence agreement for the PHP_CodeSniffer tool is available here:

and is detailed below:

Copyright (c) 2012, Squiz Pty Ltd (ABN 77 084 670 600)
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Squiz Pty Ltd nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Anchor
QR
QR
Quality Rules calculated by the PHP_CodeSniffer tool

Rule nameID

Avoid artifacts using "for" loops which can be simplified to a "while" loop (PHP)

1007022

Avoid incrementer jumbling in loops (PHP)

1007024

Use identical type operator rather than "equal" operator (PHP)

1007026

Use increment/decrement operators where possible (PHP)

1007028

Avoid using empty statement (PHP)

1007030

Avoid empty class definition (PHP)

1007032

Avoid classes having excessive number of derived classes(PHP)

1007036

Avoid classes having excessive number of dependencies (PHP)

1007038

Avoid Classes with High Depth of Inheritance Tree (PHP)

1007046

Avoid unnecessary final modifiers inside final Classes (PHP)

1007056

Avoid unused parameters (PHP)

1007058

Avoid Class name not matching parent file name (PHP)

1007080

Use lowercase for control structures in Sections (PHP)

1007084

Use lowercase for control structures in Methods and Functions (PHP)

1007086

Avoid having variable with too short name (PHP)

1007088

Avoid having variable with too long name (PHP)

1007090

Avoid "elseif" statements (PHP)

1007096

Avoid Functions throwing exceptions and not having a @Throws tag (PHP)

1007124

Avoid classes exceeding maximum length (PHP)

1007126

Avoid methods having too many parameters (PHP)

1007128

Avoid Methods exceeding maximum length (PHP)

1007130

Avoid classes with too many fields (PHP)

1007132

Avoid classes with too many methods (PHP)

1007134

Avoid classes having a number of public methods and attributes exceeds maximum (PHP)

1007136

Avoid having unused variables (PHP)

1007138

Avoid unused private fields (PHP)

1007140

Avoid unused private methods (PHP)

1007142

Avoid classes exceeding number of weighted methods (PHP)

1007144

Avoid unconditional "if" and "elseif" statements (PHP)

1007146

Avoid useless overriding Methods (PHP)

1007148

Avoid unassigned default values in Functions (PHP)

1007150

Avoid having variables without naming conventions (PHP)

1007212

Avoid having For-loops that use a function call in the test expression (PHP)

1007226

Avoid control structures without proper spacing before and after open\close braces - PSR2 (PHP)

1007228

Avoid Having control structures without proper switch case declarations (PSR2) (PHP)

1007230

Avoid having variables passed by reference when calling a function (PHP)

1007232

Avoid having inline control statements (PHP)

1007234

Avoid having Class Methods or Constructor without scope modifiers - Symfony STD (PHP)

1007236

Avoid having multiple classes defined in a single file - Symfony STD (PHP)

1007238

Avoid artifacts having object instantiation without parenthesis - Symfony STD (PHP)

1007240

CWE-311: Use sufficient SSL\TLS context (PHP)

1007248

Avoid files that declare both symbols and execute logic with side effects (PHP)1007254

Rules using the PHP_CodeSniffer framework but implemented by CAST

Rule nameID
Avoid using embedded CSS in Web Pages (PHP)1007012
Avoid empty style definition (PHP)1007034
Avoid artifacts with Object Instantiation in loops (PHP)1007116

CWE-624: Avoid using eval expressions (PHP)

1007156

Avoid artifacts using exit and die expressions (PHP)

1007158

Avoid using variable without testing them for initialisation (PHP)

1007160
Avoid having constructors with a return value (PHP)1007172
Avoid using break or continue statements in loops with high cyclomatic complexity (PHP)1007176
Avoid using size functions inside loops (PHP)1007184
Avoid direct access to superglobals (PHP)1007202
Avoid fetching database rows as array and accessing using subscript (PHP)1007218

Avoid artifacts with Group By sql statement (PHP)

1007120
Avoid artifacts with "select *" Sql statement (PHP)1007220
Avoid artifacts with sql statements referring more than 4 Tables (PHP)1007118

Anchor
phpcs-security-audit
phpcs-security-audit
phpcs-security-audit

This package integrates with the existing "Pear" code sniffer. This package is used to generate results for certain security related rules. More information about this package is available here: https://github.com/FloeDesignTechnologies/phpcs-security-audit. The licence agreement for this tool is available here: https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/LICENSE.

Rules calculated by the phpcs-security-audit tool

Rule nameID
CWE-79: Avoid use of raw user input that can expose XSS vulnerability (PHP)1007244
CWE-98: Avoid use of user input that can expose Stream Injection vulnerability (PHP)1007246
CWE-624: Avoid preg_replace with /e option (PHP)1007250
CWE-661: Avoid filesystem function calls without sanitizing user input (PHP)1007252

PHPMD

More information about this tool is available here: http://phpmd.org/. The licence agreement for the PHPMD tool is detailed below:

Copyright (c) 2009-2011, Manuel Pichler <mapi@phpmd.org>.
All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PHP Depend

More information about this tool is available here: http://pdepend.org/. The licence agreement for the PHP Depend tool is available in the file "LICENSE.txt" delivered in the source folder of the tool and is detailed below:

Copyright (c) 2008-2012, Manuel Pichler <mapi@pdepend.org>.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



Panel

On this page:

Table of Contents
maxLevel2

Target audience:

Users of the extension providing PHP support.


Info

Summary: This document provides information about the extension providing PHP support.

Extension ID

com.castsoftware.php

What's new?

Please see PHP 3.0 - Release Notes for more information.

Description

This extension provides support for applications written using the PHP language.

In what situation should you install this extension?

If your application contains source code written using PHP and you want to view these object types and their links with other objects, then you should install this extension.

Supported Versions of PHP

Info
Although this extension is officially supported by CAST, please note that it has been developed within the technical constraints of the CAST Universal Analyzer technology and to some extent adapted to meet specific customer needs. Therefore the extension may not address all of the coding techniques and patterns that exist for the target technology and may not produce the same level of analysis and precision regarding e.g. quality measurement and/or function point counts that are typically produced by other CAST AIP analyzers.

This version of the extension provides support for:

PHP versionSupported

5.x

(tick)

Function Point, Quality and Sizing support

This extension provides the following support:

  • Function Points (transactions): a green tick indicates that OMG Function Point counting and Transaction Risk Index are supported
  • Quality and Sizing: a green tick indicates that CAST can measure size and that a minimum set of Quality Rules exist
Function Points
(transactions)		(tick)
Quality and Sizing(tick)

CAST AIP compatibility

This extension is compatible with:

CAST AIP release

Supported

8.3.x

(tick)
8.2.x(tick)
8.1.x(tick)
8.0.x(tick)
≥ 7.3.4(tick)

Supported DBMS servers

DBMSSupported?
CSS(tick)
Oracle(error)
Microsoft SQL Server(error)

Prerequisites

CAST AIP(tick)An installation of any compatible release of CAST AIP (see table above).-
PHP / PHP Code Sniffer / PHPMD(tick)

The extension requires the installation of three third party items:

  • PHP
  • PHP Code Sniffer
  • PHPMD

These items are provided with the extension, however, they must be installed manually as described below.

-
Java JRE(tick)The extension requires a Java JRE to be installed on the machine: only Java JRE 1.7 is currently supported. This is used by the pre-processor. See Source code preprocessing.

Note that these prerequisites are only applicable in the following circumstances:

  • If you are using version  1.2.0 of the PHP extension AND CAST AIP  8.2.0

Therefore, if you are using CAST AIP  8.2.1 and PHP 3.0, you don't need to set a JAVA_HOME and you do not need to install a JRE. The extension will automatically use the JRE provided with CAST AIP.


JAVA_HOME environment variable(tick)

The extension requires that a JAVA_HOME system environment variable is also present on the machine, pointing to the Java JRE installation folder:

Image Added

Download and installation instructions

Extension

Please see:

Info
  • Install an extension states that it is not necessary to perform Step 3 (Import the Assessment Model) when using the extension with CAST AIP ≥ 8.3.x, however, due to a bug in CAST AIP and the changes that have been introduced in PHP 2.0.x, you must perform this Step 3 when using the extension with CAST AIP 8.3.0 - 8.3.2.
  • This extension contains a File discoverer and you should take note of the specific instructions in the installation guide that explains how to package your source code with the CAST Delivery Manager Tool when you have an existing Version.
  • The latest release status of this extension can be seen when downloading it from the CAST Extend server.

Anchor
PHP
PHP
PHP installation

The PHP extension requires that PHP (which includes all third-party items such as Code Sniffer) is installed on the analysis machine before an analysis is run: PHP is bundled with the PHP extension (third party PHP installations are not compatible with the PHP extension and must be removed and replaced with PHP bundled with the PHP extension).

Info
  • If you have already installed a previous version of the PHP extension (for example PHP 1.0.x and legacy releases prior to PHP 1.0) on your analysis machine and already have a functioning PHP install from that extension, please ensure that you uninstall PHP before proceeding with the instructions below. To remove the PHP installation provided with the PHP extension, you simply need to delete the folder into which it was installed (by default this is usually set to C:\php).
  • Please check that you do not have an existing third party (i.e. not provided by CAST) installation of PHP on this machine (particularly if you have never installed any version of the PHP extension on your analysis machine). If a third party version already exists, please follow the PHP uninstall procedure for the install method that was used, before proceeding with the instructions below. Third party PHP installations are not compatible with the PHP extension.

The following steps describe how to install PHP to the analysis machine:

  • Go to the "TOOLS" folder - this folder is created after unpacking the extension archive file.

  • Inside the "php_sniffer_install" folder, open the file "PHPINSTALL.bat" in edit mode.

  • PHP must be installed to a folder name that does not contain white space therefore CAST highly recommends that you leave the settings as they are in PHPINSTALL.batwhich will install PHP to C:\php. If necessary you can change this by updating the PHPINSTL_DRIVE variable:
Code Block
languagetext
REM *****************************************************
REM Specify the Directory where PHP would be installed **
REM Specify the directory where PHP would be installed **
REM A directory PHP would be created inside it.        **
REM *****************************************************

set batch_path=%~dp0
set batch_drive=%batch_path:~0,2%
SET PHPINSTL_DRIVE=C:
SET PHPINSTL_DIR=%PHPINSTL_DRIVE%\php

  • Save and close the batch file "PHPINSTALL.bat"

  • Run the batch file  "PHPINSTALL.bat" - this will start the installation process. Please follow below the installation process steps:

    • When prompted: "Are your installations a system wide PEAR or a local copy ?", two choices are available: system or local. Both installation types are OK for the PHP extension, but CAST recommends the system wide installation.

    • When prompted: "Below is a suggested file layout for your new PEAR installation. To change individual locations, type the number in front of the directory.  Type 'all' to change all of them or simply press Enter to accept these locations."  The recommendation for this step is to type ENTER and therefore accept the default configuration.

  • Go to the "C:\Windows" folder and check if the "php.ini" file exists. If it does exist, add the following lines anywhere in the file. If the file does not exist, create it and then add the following lines:

Code Block
languagetext
;Increase of the memory of the Code Sniffer
memory_limit = 3072M
  • Create a System Environment Variable called"PHP_HOME" with the value of the physical folder where PHP has been installed - for example "C:\php"

  • The installation is now complete.

Info
  • The PHP installation needs to be completed once on each machine that will be used to analyze PHP.
  • If the installation is unsuccessful, the following will be displayed in the batch window:
Code Block
languagetext
"Installation unsuccessful. Few QRs will not work. Please contact CAST Support."


CAST Transaction Configuration Center (TCC) configuration

A set of PHP Entry Points for use in the CAST Transaction Configuration Center is delivered in the extension via a .TCCSetup file. 

  • with CAST AIP ≥ 8.3.x, there is nothing for you to do: these entry points will be automatically imported during the extension installation and will be available in the CAST Transaction Configuration Center.
  • with CAST AIP ≤ 8.2.x, you can manually import the file %PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.php.<version>\Configuration\TCC\Base_PHP.TCCSetup to obtain your configuration (see instructions below).

Manual import action for CAST AIP ≤ 8.2.x

Expand

  • Locate the .TCCSetup file in the extension folder: %PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.php.<version>\Configuration\TCC\Base_PHP.TCCSetup

  • In the CAST Transaction Configuration Center, ensure you have selected the Templates node:

Image Added

  • This .TCCSetup file is to be imported into the CAST Transaction Calibration Center using either the:

    • File > Import Configuration menu option:

Image Added

    • Or right clicking on the Template node and selecting Import Configuration:

Image Added

  • The import of the "Base_PHP.TCCSetup" file will provide you with a sample Transaction Entry point in the Free Definition node under Templates:

Image Added

  • Now right click the "Standard Entry Point - PHP" item and select copy:

Image Added

  • Paste the item into the equivalent node under the Application, for example, below we have copied it into the Application Meudon:

Image Added

  • Repeat for any additional items or generic sets that have been imported from the .TCCSetup file.

Anchor
third
third
Configure rules for third-party tool analysis results

Note

This section is deprecated and is no longer available for use.

PHP ≥ 3.0.0 is shipped with a specific set of rules that can be configured to be triggered during an analysis if a set of analysis results originating from third-party tools is available. The configuration process is as follows:

Expand

Create config.xml file

Create an empty file called config.xml here:

Code Block
languagetext
%PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.php.<version>\Configuration\Languages\PHP\prepro\

Edit this file with a text editor and paste in the following content:

Code Block
languagetext
[URI_to_third-party_tool]" TOOL_PASSWORD="[password]" TOOL_USERNAME="[username]">
		<tool-scan TOOL_BASE_URI="[url_to_third-party_tool]" TOOL_PASSWORD="[password]" TOOL_USERNAME="[username]">
<!-- application one -->
			<application id="[number]" name="[application-name_GUID]">
<!-- version one -->
				<scan report-file-name="[application-name_GUID_execution-unit-ID].csv" name="[execution-unit-ID]"/>
<!-- end version one -->
			</application>
<!-- end application one -->
		</tool-scan>
    </tool-scan>
</php-analyzer-config>

Where:

<php-analyzer-config PHP_HOME="[location_of_PHP_installation_on_analysis_machine]">Location of the PHP installation on the analysis machine.

[URI_to_third-party_tool]" TOOL_PASSWORD="[password]" TOOL_USERNAME="[username]">

Details for the third-party analysis tool.

<application id="[number]"

Can be any number but should be unique in config.xml.
name="[application-name_GUID]">

Name of the Application in which the PHP analysis will be run, formed as follows:

  • application name - as defined in the CAST Management Studio
  • application ID - can be found in the LISA folder (as defined in the CAST Management Studio). For example:

Image Added

<scan report-file-name="[application-name_GUID_execution-unit-ID].csv"

Name of the .CSV file that contains the results of the third-party analysis tool, formed as follows:

  • application name - as defined in the CAST Management Studio
  • application ID (see above)
  • execution-unit-ID - can be found in the LISA folder (as defined in the CAST Management Studio). For example:

Image Added

name="[execution-unit-ID]"/>

ID of the Execution unit, see above.

For example:

Code Block
languagetext
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<php-analyzer-config PHP_HOME="C:\PHP">
   <tool-scan TOOL_BASE_URI="https://url.com" TOOL_PASSWORD="password" TOOL_USERNAME="username">
<!-- application one -->
       <application id="1" name="MEUDON_5041bf13594344ab92a3050c44dc469a">
<!-- first version -->
         <scan report-file-name="MEUDON_5041bf13594344ab92a3050c44dc469a_Scrf639b26fbf40432a83b5786aee09f34f.csv" name="Scrf639b26fbf40432a83b5786aee09f34f"/>    
<!-- second version -->
         <scan report-file-name="MEUDON_5041bf13594344ab92a3050c44dc469a_Scrf639b26fbf40432a83b5786xyz80f12b.csv" name="Scrf639b26fbf40432a83b5786xyz80f12b"/>    
       </application>   
<!-- application two -->
       <application id="2" name="SEVRES_39a97592f6c948ac9cf1912867879b93">
<!-- second version -->
         <scan report-file-name="SEVRES_39a97592f6c948ac9cf1912867879b93_Scr00cea601c6584584a25c27f2c3a4f41d.csv" name="Scr00cea601c6584584a25c27f2c3a4f41d"/>    
       </application>   
    </tool-scan>
</php-analyzer-config>

Edit template.csv file

Edit the template.csv file located here and fill in with the results of the third-party tool analysis:

Code Block
languagetext
%PROGRAMDATA%\CAST\CAST\Extensions\com.castsoftware.php.<version>\Configuration\Languages\PHP\prepro\PersistentResults

The template.csv file contains no data, just the following headings. The order of the headings in the file must be retained.

  • Issue ID
  • Name
  • Severity
  • Filename
  • Line
  • Sink
  • Source
  • Parameter
  • Depth
  • Origin
  • Markup
  • CWE
  • OWASP
  • SANS
  • Description

Finally rename the template.csv file to match the configuration defined in config.xml, for example:

Code Block
languagetext
MEUDON_5041bf13594344ab92a3050c44dc469a_Scrf639b26fbf40432a83b5786aee09f34f.csv

Rules

The next time an analysis is run, the following rules will be triggered:

Rule IdNew RuleDetails
1007256DEPRECATEDCWE-79: Avoid cross-site scripting - Improper Neutralization of input in script tag during web page generation (PHP)
1007258DEPRECATEDCWE-79: Avoid cross-site scripting - Improper Neutralization of input during web page generation (PHP)
1007260DEPRECATEDCWE-78: Avoid Command Injection - Improper Neutralization of Special Elements used in an OS Command (PHP)
1007262DEPRECATEDCWE-73: Avoid file name or path controlled by raw user input (PHP)
1007264DEPRECATEDCWE-434: Avoid unrestricted file upload (PHP)
1007266DEPRECATEDCWE-89: Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command within single quotes (PHP)
1007268DEPRECATEDCWE-89: Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command without quotes (PHP)
1007270DEPRECATEDCWE-89: Avoid SQL Injection - Improper Neutralization of Special Elements used in an SQL Command in dynamic query (PHP)
1007272DEPRECATEDCWE-384: Avoid Session Fixation (PHP)
1007274DEPRECATEDCWE-502: Avoid Object Injection (PHP)
1007276DEPRECATEDCWE-287: Avoid Cookie Misconfiguration (path) (PHP)
1007278DEPRECATEDCWE-328: Avoid weak hash functions (PHP)
1007280DEPRECATEDCWE-214: Avoid System Information Leakage (PHP)
1007282DEPRECATEDCWE-614: Avoid Cookie Misconfiguration (secure flag) (PHP)
1007284DEPRECATEDCWE-200: Avoid Cookie Misconfiguration (httpOnly flag) (PHP)
1007286DEPRECATEDCWE-242: Avoid PHP Dangerous Feature (PHP)
1007288DEPRECATEDCWE-489: Avoid debug code in the production system (PHP)
1007290DEPRECATEDCWE-79: Avoid cross site scripting (single quoted attribute) (PHP)


Prepare and deliver the source code

Once the extension is downloaded and installed, you can now package your source code and run an analysis. The process of preparing and delivering your source code is described below:

Source code preparation

  • Only files with following extensions will be analyzed *.php; *.php4; *.php5; *.php6; *.inc; *.phtml. The *.yml and *.yaml extensions are also supported for Symfony framework.
  • The analysis of XML and XSL files contained in the PHP application is not supported. 
  • The analysis of HTML and JavaScript source code is managed by the HTML and JavaScript extension / .NET analyzer, to be configured in addition to the PHP analysis.

Anchor
pre
pre
Source code preprocessing

PHP source code needs to be preprocessed so that CAST can understand it and analyze it correctly. In previous releases of the PHP extension, this preprocessing was a manual action that needed to be completed before the code was analyzed. However, in this release and all future releases, the code preprocessing is actioned automatically when an analysis is launched or a snapshot is generated (the code is preprocessed before the analysis starts). In other words you only need to package, deliver and launch an analysis/generate a snapshot for the preprocessing to be completed.

Info
Note that the CAST Management Studio will use the LISA folder to analyze the preprocessed files (see CAST Management Studio help for more information about this folder).

Deliver the source code

Using the CAST Delivery Manager Tool:

...

  • Run the Package action.
  • Before delivering the source code, check the packaging results.

Analysis configuration and execution

Refer to Analysis Configuration and Execution for more information.

Logging mechanism

Analysis log files

Analysis logs are stored in the default locations used by the CAST Management Studio.

PHP Preprocessor

PHP Preprocessor log files (the preprocessor is launched automatically during an analysis) are stored in the following locations:

CAST AIP releaseLocationLog file name
8.2.x

%PROGRAMDATA%\CAST\CAST\Extensions\<extension_name>\Configuration\Languages\PHP\prepro

Info
Note that the above location is the default, however, if you have modified the CAST_PLUGINS_ROOT_PATH variable in the CastGlobalSettings.ini file, this location may be different.


com.castsoftware.php.prepro_<ExtensionVersion>_<YYYYMMDDHHMMSS>.log
8.3.xDefault location is set to %PROGRAMDATA%\CAST\CAST\Logs\<unique_application_id>\, but this location can be configured at will in the CAST Management Studio Preferences.

PHP CodeSniffer

PHP CodeSniffer log files (the CodeSniffer is launched automatically during an analysis) are stored in the following locations:

CAST AIP releaseLocationLog file name
8.2.x

%PROGRAMDATA%\CAST\CAST\Extensions\<extension_name>\Configuration\Languages\PHP\plugin

Info
Note that the above location is the default, however, if you have modified the CAST_PLUGINS_ROOT_PATH variable in the CastGlobalSettings.ini file, this location may be different.


com.castsoftware.php.plugin_<ExtensionVersion>_<YYYYMMDDHHMMSS>.log
8.3.xDefault location is set to %PROGRAMDATA%\CAST\CAST\Logs\<unique_application_id>\, but this location can be configured at will in the CAST Management Studio Preferences.

Errors and Warnings

The PHP configuration included in the extension uses external plugins. During the analysis, the Universal Analyzer or the plugin can throw errors or warnings. The table below list the most significant errors/warnings and lists a suggested remediation action:

ToolError or WarningAction
Analyzer & Code SnifferUA Plugin : No property (......) found in meta model for php...No action required. The analyzer is telling you that not all the properties are considered to be injected into the Analysis Service.

What results can you expect?

Objects

PHP Objects

IconMetamodel Name

PHP Array

PHP Class

PHP Class Constant

PHP Constructor

PHP Define

PHP Function

PHP Interface

PHP Member

PHP Method

PHP Section

Script Function

Script Section

Symfony Framework objects

IconMetamodel Name

PHP Symfony Controller

PHP Symfony Controller Class

PHP Symfony Route

PHP Symfony Service

In CAST Enlighten, all Symfony objects will appear under their respective folders as shown below :

PHP Symfony Controller Class

  • Supported scenario: If the Class name ends with Controller, we will create PHP Symfony Controller Class objects
  • Links:
    • PHP Symfony Controller Class --- Refer Link ---> PHP Class
  • Limitations: Alternate syntax where you can give the class name that does not have suffix "Controller" is not supported

PHP Symfony Controller 

  • Supported scenario: If the method or function ends with suffix "Action", then PHP Symfony Controller Object will be created
  • Links:
    • PHP Symfony Controller --- Refer Link ---> PHP Symfony Route
    • PHP Symfony Controller --- Refer Link ---> PHP Method\Function

PHP Symfony Route

  • Supported scenario:
    • If a route has been declared in the yml file, a route object will be created
    • If a route has been declared in PHP file an annotation route object will be created as follows:
      • Default naming convention for route annotation when declared without name above class "<classname>_Class_Annotation_<number>"
      • Default naming convention for route annotation when declared without name above method "<methodname>_Method_Annotation_<number>"
  • Links:
    • PHP Symfony Route --- Call Link ---> PHP Symfony Controller

PHP Symfony Service

  • Supported scenario: If a service has been declared in the yml configuration files, PHP Symfony Service Object will be created
  • Links:
    • PHP Symfony Service --- Call Link ---> PHP Method
    • PHP Symfony Service --- Call Link ---> PHP Property
    • PHP Symfony Service --- Call Link ---> PHP Class constructor
  • Limitation: Inheritance is not supported while determining property setter or constructor injection - they need to be defined in the same class which is being referred to in the service

Structural Rules

The following structural rules are provided:

...

https://technologies.castsoftware.com/rules?sec=t_1017000&ref=||

Limitations

Expand

LISA path length limited to 256 characters

If the LISA (Large Intermediate Storage Area) path for a specific file exceeds 256 characters, violation calculation for this file will fail with message "<filepath> does not exist". This warning will appear in com.castsoftware.plugin*.log file. This is a limitation of PHP itself and not the PHP extenation. To remediate this issue reduce path to the LISA folder where possible.

Due to a limitation in the Universal Analyzer (the "engine" used for PHP analyses), links will be created from any name to any matching name. At a minimum the following rule may be impacted and give erroneous results:

1007004Avoid Methods and Functions with High Fan-In (PHP)
1007006Avoid Methods and Functions with High Fan-Out (PHP)
1007008Avoid JavaScript Functions with High Fan-In (PHP)
1007010Avoid JavaScript Functions with High Fan-Out (PHP)
1007168Avoid using function or method return value that do not have return (PHP)
1007170Avoid function return value ignored (PHP)

Analysis of XML and XSL files contained in the PHP application

The analysis of XML and XSL files contained in the PHP application is not supported. Any links between these files and any other file in the application will not be detected. This will impact the results of all the Quality Rules using these files.

Analysis of very big PHP applications

Very big PHP applications might need to be divided and analyzed in multiple small analyses instead of one analysis for the entire application.  

Support of JavaScript source code

The PHP extension does not support JavaScript and as such, any JavaScript source code located in .PHP or JavaScript  files will not be analyzed. CAST recommends using the HTML5 and JavaScript extension to analyze JavaScript files in the source code.

Support of PHTML files

PHTML files are supported with some limitations. If the files contain calls to functions or methods defined in other files and these other files are not specifically included, then these links will be lost.

Support of UNICODE

Unicode is supported in the current version of PHP Language Pack

Links between PHP and database objects

Calls to database objects from PHP are not typed (for example Us (Use Select), Ui (Use Insert)) - instead all calls are recorded as U links.

Missing Links

If a php class has members declared on the same line, only the first member will be detected. For example:

Code Block
languagephp
class Test {

public $first, $second, $third;

}

After analysis only object for "first" will be created.

Limitations specific to rules

Avoid artifacts having recursive calls

"Avoid artifacts having recursive calls" (7388 - a standard CAST rule) - in some cases, a false positive may be detected: a call to a parent function can be detected as a recursive call

Info
Note that an equivalent rule specific to the PHP extension (Avoid artifacts having recursive calls (PHP) - 1007242) was added in PHP 1.2.0. This replacement rule now produces accurate results and the results of 7388 should be ignored.

Avoid using break or continue statements in loops with high cyclomatic complexity

"Avoid using break or continue statements in loops with high cyclomatic complexity" (1007176) - if the break statement is located in JavaScript functions, no violations will be detected. JavaScript source code located in .PHP or JavaScript files is not analyzed (see limitation listed above).

Avoid unreferenced PHP Files

The rule "Avoid unreferenced PHP Files" (1007052) will return a false positive violation when a PHP file is referenced only from other technologies, for example from only within html/javascript source code.

License agreements

The PHP extension uses several third-party tools. The Licence Agreements for these tools are listed below:

Expand

PHP_CodeSniffer

More information about this tool is available here: http://pear.php.net/package/PHP_CodeSniffer

Version

CAST ships version 2.5.0 of the PHP_CodeSniffer.

License

The licence agreement for the PHP_CodeSniffer tool is available here:

and is detailed below:

Copyright (c) 2012, Squiz Pty Ltd (ABN 77 084 670 600)
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Squiz Pty Ltd nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Anchor
QR
QR
Quality Rules calculated by the PHP_CodeSniffer tool

Rule nameID

Avoid artifacts using "for" loops which can be simplified to a "while" loop (PHP)

1007022

Avoid incrementer jumbling in loops (PHP)

1007024

Use identical type operator rather than "equal" operator (PHP)

1007026

Use increment/decrement operators where possible (PHP)

1007028

Avoid using empty statement (PHP)

1007030

Avoid empty class definition (PHP)

1007032

Avoid classes having excessive number of derived classes(PHP)

1007036

Avoid classes having excessive number of dependencies (PHP)

1007038

Avoid Classes with High Depth of Inheritance Tree (PHP)

1007046

Avoid unnecessary final modifiers inside final Classes (PHP)

1007056

Avoid unused parameters (PHP)

1007058

Avoid Class name not matching parent file name (PHP)

1007080

Use lowercase for control structures in Sections (PHP)

1007084

Use lowercase for control structures in Methods and Functions (PHP)

1007086

Avoid having variable with too short name (PHP)

1007088

Avoid having variable with too long name (PHP)

1007090

Avoid "elseif" statements (PHP)

1007096

Avoid Functions throwing exceptions and not having a @Throws tag (PHP)

1007124

Avoid classes exceeding maximum length (PHP)

1007126

Avoid methods having too many parameters (PHP)

1007128

Avoid Methods exceeding maximum length (PHP)

1007130

Avoid classes with too many fields (PHP)

1007132

Avoid classes with too many methods (PHP)

1007134

Avoid classes having a number of public methods and attributes exceeds maximum (PHP)

1007136

Avoid having unused variables (PHP)

1007138

Avoid unused private fields (PHP)

1007140

Avoid unused private methods (PHP)

1007142

Avoid classes exceeding number of weighted methods (PHP)

1007144

Avoid unconditional "if" and "elseif" statements (PHP)

1007146

Avoid useless overriding Methods (PHP)

1007148

Avoid unassigned default values in Functions (PHP)

1007150

Avoid having variables without naming conventions (PHP)

1007212

Avoid having For-loops that use a function call in the test expression (PHP)

1007226

Avoid control structures without proper spacing before and after open\close braces - PSR2 (PHP)

1007228

Avoid Having control structures without proper switch case declarations (PSR2) (PHP)

1007230

Avoid having variables passed by reference when calling a function (PHP)

1007232

Avoid having inline control statements (PHP)

1007234

Avoid having Class Methods or Constructor without scope modifiers - Symfony STD (PHP)

1007236

Avoid having multiple classes defined in a single file - Symfony STD (PHP)

1007238

Avoid artifacts having object instantiation without parenthesis - Symfony STD (PHP)

1007240

CWE-311: Use sufficient SSL\TLS context (PHP)

1007248

Avoid files that declare both symbols and execute logic with side effects (PHP)1007254

Rules using the PHP_CodeSniffer framework but implemented by CAST

Rule nameID
Avoid using embedded CSS in Web Pages (PHP)1007012
Avoid empty style definition (PHP)1007034
Avoid artifacts with Object Instantiation in loops (PHP)1007116

CWE-624: Avoid using eval expressions (PHP)

1007156

Avoid artifacts using exit and die expressions (PHP)

1007158

Avoid using variable without testing them for initialisation (PHP)

1007160
Avoid having constructors with a return value (PHP)1007172
Avoid using break or continue statements in loops with high cyclomatic complexity (PHP)1007176
Avoid using size functions inside loops (PHP)1007184
Avoid direct access to superglobals (PHP)1007202
Avoid fetching database rows as array and accessing using subscript (PHP)1007218

Avoid artifacts with Group By sql statement (PHP)

1007120
Avoid artifacts with "select *" Sql statement (PHP)1007220
Avoid artifacts with sql statements referring more than 4 Tables (PHP)1007118

Anchor
phpcs-security-audit
phpcs-security-audit
phpcs-security-audit

This package integrates with the existing "Pear" code sniffer. This package is used to generate results for certain security related rules. More information about this package is available here: https://github.com/FloeDesignTechnologies/phpcs-security-audit. The licence agreement for this tool is available here: https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/LICENSE.

Rules calculated by the phpcs-security-audit tool

Rule nameID
CWE-79: Avoid use of raw user input that can expose XSS vulnerability (PHP)1007244
CWE-98: Avoid use of user input that can expose Stream Injection vulnerability (PHP)1007246
CWE-624: Avoid preg_replace with /e option (PHP)1007250
CWE-661: Avoid filesystem function calls without sanitizing user input (PHP)1007252

PHPMD

More information about this tool is available here: http://phpmd.org/. The licence agreement for the PHPMD tool is detailed below:

Copyright (c) 2009-2011, Manuel Pichler <mapi@phpmd.org>.
All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PHP Depend

More information about this tool is available here: http://pdepend.org/. The licence agreement for the PHP Depend tool is available in the file "LICENSE.txt" delivered in the source folder of the tool and is detailed below:

Copyright (c) 2008-2012, Manuel Pichler <mapi@pdepend.org>.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Manuel Pichler nor the names of his contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

...