SonarPHP: PHP static analyzer for SonarQube & SonarLint

Overview

Code Quality and Security for PHP

This SonarSource project is a static code analyser for the PHP language, used as an extension for the SonarQube platform. It helps you produce stable and maintainable code by finding bugs, vulnerabilities and code smells in your code so that you can correct them.

Have a question or feedback?

To provide feedback (request a feature, report a bug, etc.), use the SonarSource Community Forum. Please do not forget to specify the language (PHP!), the plugin version and the SonarQube version.

If you have a question on how to use the plugin (and the docs don't help you), we also encourage you to use the community forum.

Contributing

Topic in SonarSource Community Forum

To request a new feature, please create a new thread in SonarSource Community Forum. Even if you plan to implement it yourself and submit it back to the community, please start a new thread first to be sure that we can follow up on it.

Pull Request (PR)

To submit a contribution, create a pull request for this repository. Please make sure that you follow our code style and that all tests are passing (a Travis build is created for each PR).

Custom Rules

If you have an idea for a rule but you are not sure that everyone needs it, you can implement a custom rule available only to you.

Custom Rules API Changes

  • 3.15 (January 2021)
    • PHPCustomRulesDefinition was removed; it had been deprecated since version 2.13 (March 2018).
    • Removed the dependency on sslr-squid-bridge, which is no longer maintained.
  • 3.11, support of PHP 8:
    • ParameterTree#type() is deprecated. Use ParameterTree#declaredType() instead.
    • ReturnTypeClauseTree#type() is deprecated. Use ReturnTypeClauseTree#declaredType() instead.
    • ClassPropertyDeclarationTree#typeAnnotation() is deprecated. Use ClassPropertyDeclarationTree#declaredType() instead.
    • CatchBlockTree#variable() can now return NULL (PHP 8 allows catch blocks without a variable).
    • FunctionCallTree#arguments() is deprecated. Use FunctionCallTree#callArguments() instead.
    • AnonymousClassTree#arguments() is deprecated. Use AnonymousClassTree#callArguments() instead.
    • New tree: CallArgumentTree. Expressions passed as arguments are now wrapped in this tree, which also carries the argument name for PHP 8 named arguments.
    • New kind of expression: ThrowExpressionTree.
    • New kind of expression: MatchExpressionTree.
    • ParameterTree now has a visibility method (constructor property promotion).
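As an added example (not code from the SonarPHP project), here is a minimal custom rule written against the 3.11+ argument API listed above: it reads FunctionCallTree#callArguments() and CallArgumentTree instead of the deprecated arguments(), so that a PHP 8 named argument such as hash(algo: 'md5', data: $x) resolves the same way as a positional one. The rule reports weak algorithm literals passed to hash(), in the spirit of S4790 from the release notes; the package, the rule key, the accessor names PHPVisitorCheck, NamespaceNameTree#qualifiedName(), LiteralTree#value() and the nullable CallArgumentTree#name() are assumptions about the public API and should be checked against the php-frontend version you build against.

```java
package org.example.phprules; // hypothetical package, not part of SonarPHP

import java.util.Locale;
import java.util.Set;
import javax.annotation.Nullable;
import org.sonar.check.Rule;
import org.sonar.plugins.php.api.tree.Tree;
import org.sonar.plugins.php.api.tree.expression.CallArgumentTree;
import org.sonar.plugins.php.api.tree.expression.ExpressionTree;
import org.sonar.plugins.php.api.tree.expression.FunctionCallTree;
import org.sonar.plugins.php.api.tree.expression.LiteralTree;
import org.sonar.plugins.php.api.tree.expression.NamespaceNameTree;
import org.sonar.plugins.php.api.visitors.PHPVisitorCheck;

/**
 * Example custom rule: report hash() calls whose algorithm argument is a weak
 * algorithm literal. Uses the 3.11+ argument API (callArguments() and
 * CallArgumentTree) instead of the deprecated FunctionCallTree#arguments().
 */
@Rule(key = "ExampleWeakHashAlgorithm") // hypothetical rule key
public class WeakHashAlgorithmCheck extends PHPVisitorCheck {

  // Algorithms treated as weak for this example; hash() accepts the name case-insensitively.
  private static final Set<String> WEAK_ALGORITHMS = Set.of("md2", "md4", "md5", "sha1");

  // PHP signature: hash(string $algo, string $data, bool $binary = false, array $options = [])
  private static final String ALGO_PARAMETER = "algo";
  private static final int ALGO_POSITION = 0;

  @Override
  public void visitFunctionCall(FunctionCallTree tree) {
    if (isCallTo(tree, "hash")) {
      CallArgumentTree algoArgument = findArgument(tree, ALGO_PARAMETER, ALGO_POSITION);
      if (algoArgument != null) {
        String algorithm = stringLiteralValue(algoArgument.value());
        if (algorithm != null && WEAK_ALGORITHMS.contains(algorithm)) {
          context().newIssue(this, algoArgument,
            "Use a strong hashing algorithm instead of \"" + algorithm + "\".");
        }
      }
    }
    super.visitFunctionCall(tree); // keep visiting nested calls, e.g. hash('sha256', hash('md5', $x))
  }

  /** True when the callee is a plain or backslash-qualified name such as hash or \hash. */
  private static boolean isCallTo(FunctionCallTree call, String functionName) {
    ExpressionTree callee = call.callee();
    if (!callee.is(Tree.Kind.NAMESPACE_NAME)) {
      return false; // dynamic calls such as $fn() cannot be resolved statically
    }
    String name = ((NamespaceNameTree) callee).qualifiedName(); // assumed: name without leading backslash
    return name.equalsIgnoreCase(functionName);
  }

  /**
   * Resolve an argument either by PHP 8 name (hash(algo: 'md5', data: $x)) or by
   * position. The positional slot is only trusted when the argument in it is not
   * itself named, because named arguments may appear in any order after the positional ones.
   */
  @Nullable
  private static CallArgumentTree findArgument(FunctionCallTree call, String name, int position) {
    for (CallArgumentTree argument : call.callArguments()) {
      if (argument.name() != null && argument.name().text().equalsIgnoreCase(name)) {
        return argument;
      }
    }
    if (position < call.callArguments().size()) {
      CallArgumentTree candidate = call.callArguments().get(position);
      return candidate.name() == null ? candidate : null;
    }
    return null;
  }

  /** Lower-cased content of a single- or double-quoted string literal, or null if not a literal. */
  @Nullable
  private static String stringLiteralValue(ExpressionTree expression) {
    if (!expression.is(Tree.Kind.REGULAR_STRING_LITERAL)) {
      return null; // variables, constants and concatenations are not resolved in this example
    }
    String raw = ((LiteralTree) expression).value(); // assumed to include the surrounding quotes
    return raw.substring(1, raw.length() - 1).toLowerCase(Locale.ROOT);
  }
}
```

With the deprecated arguments() API the named-argument form would have been matched by position only, so hash(data: $x, algo: 'md5') would have escaped the check.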

Testing

To run the tests locally, follow these instructions.

Build the Project and Run Unit Tests

To build the plugin and run its unit tests, execute this command from the project's root directory (you will need Maven):

mvn clean install

Integration Tests

To run integration tests, you will need to create a properties file like the one shown below, and set its location in an environment variable named ORCHESTRATOR_CONFIG_URL.

# version of SonarQube server
sonar.runtimeVersion=8.9

Before running any of the integration tests, make sure the submodules are checked out:

  git submodule init
  git submodule update

Plugin Test

The "Plugin Test" is an additional integration test which verifies plugin features such as metric calculation, coverage import etc. To launch it, execute this command from the its/plugin directory:

mvn clean install

Ruling Test

The "Ruling Test" is a special integration test which launches the analysis of a large code base, saves the issues created by the plugin in report files, and then compares those results to the set of expected issues (stored as JSON files). To launch the ruling test:

cd its/ruling
mvn clean install

This test gives you the opportunity to examine the issues created by each rule and make sure they are what you expect. You can inspect new and lost issues by opening the HTML report pages mentioned in the logs at the end of the analysis:

INFO  - HTML Issues Report generated: /path/to/project/sonar-php/its/sources/src/.sonar/issues-report/issues-report.html
INFO  - Light HTML Issues Report generated: /path/to/project/sonar-php/its/sources/src/.sonar/issues-report/issues-report-light.html

If everything looks good to you, you can copy the files with the actual issues located at

sonar-php/its/ruling/target/actual/

into the directory with the expected issues

sonar-php/its/ruling/src/test/resources/expected/

License

Copyright 2010-2021 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0


Comments
  • Add integration test coverage and overall test coverage parsers

    can set in sonar-project.properties

    sonar.php.coverage.reportPath=tests/_log/unit.coverage.xml
    sonar.php.coverage.itReportPath=tests/_log/integration.coverage.xml
    sonar.php.coverage.overallReportPath=tests/_log/coverage.xml

    opened by sanyatuning 4
  • Convert parameter descriptions to Markdown for php:S1808

    Since SQ 4.5, rule parameter descriptions are considered as Markdown. This breaks compatibility with previous versions of SQ (since param descriptions that make heavy use of Markdown will be close to unreadable on versions < 4.5).

    enhancement 
    opened by jblievremont 4
  • Bump guava from 26.0-jre to 29.0-jre

    Bumps guava from 26.0-jre to 29.0-jre.

    Release notes

    Sourced from guava's releases.

    29.0

    Maven

    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>29.0-jre</version>
      <!-- or, for Android: -->
      <version>29.0-android</version>
    </dependency>
    

    Javadoc

    JDiff

    Changelog

    • Guava types can no longer be sent over GWT-RPC. To temporarily reenable support, set the guava.gwt.emergency_reenable_rpc system property to true. (5214a10b1e)
      • This is the only breaking change in this release, and it affects only users of the guava-gwt artifact, not people who use only the guava artifact. This release contains no changes that break binary compatibility for any users.
    • API documentation for Guava classes is now easier to reach. For example, for ImmutableList, visit guava.dev/ImmutableList. Also, more easily access the index at guava.dev/api.
    • collect: Annotated FluentIterable.from(FluentIterable) with @DoNotCall. (b1c77b7df3)
    • collect: Made ceiling, floor, headSet(E, boolean), and tailSet(E, boolean) methods available in the GWT-emulated ImmutableSortedSet. (7e0fe90ca8, 5f2fbf27b2)
    • graph: Made it possible to set a stable incident edge order by calling the newly added method [Value]Graph.Builder.incidentEdgeOrder(ElementOrder.stable()). (70164025a8)
    • graph: Added incidentEdgeOrder() to the [Value]Graph interfaces. (cde576ec00)
    • util.concurrent: Added Duration-based default methods to ListeningScheduledExecutorService. (931e83f969)
    • util.concurrent: Added immediateVoidFuture. (9f3bae5853)
    • util.concurrent: Removed @Beta from Service and related classes. (dc46627fea)
    • util.concurrent: Deprecated the 1-arg overload of ServiceManager.addListener. (86e3620125)
    • util.concurrent: Changed the return type of ServiceManager.servicesByState() to ImmutableSetMultimap (but also retained a method with the old signature for binary compatibility). (31999ae6f5)
    • util.concurrent: Made it safe to load the AbstractFuture class from a ForkJoinPool thread under a security manager. (6e0c5b5d50)

    28.2

    Maven

    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>28.2-jre</version>
      <!-- or, for Android: -->
      <version>28.2-android</version>
    </dependency>
    

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 2
  • Bump junit from 4.10 to 4.13.1

    Bumps junit from 4.10 to 4.13.1.

    Release notes

    Sourced from junit's releases.

    JUnit 4.13.1

    Please refer to the release notes for details.

    JUnit 4.13

    Please refer to the release notes for details.

    JUnit 4.13 RC 2

    Please refer to the release notes for details.

    JUnit 4.13 RC 1

    Please refer to the release notes for details.

    JUnit 4.13 Beta 3

    Please refer to the release notes for details.

    JUnit 4.13 Beta 2

    Please refer to the release notes for details.

    JUnit 4.13 Beta 1

    Please refer to the release notes for details.

    JUnit 4.12

    Please refer to the release notes for details.

    JUnit 4.12 Beta 3

    Please refer to the release notes for details.

    JUnit 4.12 Beta 2

    No release notes provided.

    JUnit 4.12 Beta 1

    No release notes provided.

    JUnit 4.11

    No release notes provided.

    Commits
    • 1b683f4 [maven-release-plugin] prepare release r4.13.1
    • ce6ce3a Draft 4.13.1 release notes
    • c29dd82 Change version to 4.13.1-SNAPSHOT
    • 1d17486 Add a link to assertThrows in exception testing
    • 543905d Use separate line for annotation in Javadoc
    • 510e906 Add sub headlines to class Javadoc
    • 610155b Merge pull request from GHSA-269g-pwp5-87pp
    • b6cfd1e Explicitly wrap float parameter for consistency (#1671)
    • a5d205c Fix GitHub link in FAQ (#1672)
    • 3a5c6b4 Deprecated since jdk9 replacing constructor instance of Double and Float (#1660)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 2
Releases (3.25.0.9077)
  • 3.25.0.9077 (Sep 19, 2022)

    Release notes - SonarPHP - Version 3.25

    Bug

    • [SONARPHP-1316] - Import of PHPStan reports without issues should not raise an error
    • [SONARPHP-1313] - PHP sensor should be executed also on TEST files
    • [SONARPHP-1308] - The namespace resolver should not look into other namespaces to resolve

    False-Positive

    • [SONARPHP-1311] - Rule S1313: Exclude reserved documentation IP ranges

    Improvement

    • [SONARPHP-1318] - Adapt PHPUnit integration tests to reflect state-of-the-art testing in PHP
    • [SONARPHP-1312] - External report information on files that are excluded from the analysis should not be processed
    • [SONARPHP-1282] - Adjust fully qualified path of external reports to prevent incorrect allocation

    New Feature

    • [SONARPHP-1315] - Support readonly class syntax

  • 3.24.0.8949 (Aug 8, 2022)

    Release notes - SonarPHP - Version 3.24

    Bug

    • [SONARPHP-1300] - Parsing error on the order of constructor promoted property characteristics
    • [SONARPHP-1296] - Parse error on keywords as enum case identifier

    False Negative

    • [SONARPHP-1267] - Parser: All keywords should be case insensitive
    • [SONARPHP-1170] - S2050: FN on fully qualified name
    • [SONARPHP-1168] - S2755: FN with fully qualified names

    False-Positive

    • [SONARPHP-1303] - Rule S1313: Exclude local IPv4-mapped IPv6 address
    • [SONARPHP-1299] - S1144 should take into account PHPDoc @uses
    • [SONARPHP-1238] - S5996 FP on line breaks after end boundaries
    • [SONARPHP-1169] - FP for S2277 when using fully qualified name

    Improvement

    • [SONARPHP-1298] - Update Analyzer Commons to 1.25: minor changes on Regex checks
    • [SONARPHP-1294] - Rule S1192: Add period as allowed character for exceptions
    • [SONARPHP-1136] - S2755 should support cakephp xml utils
    • [SONARPHP-593] - Make S1697 cover PHP idiomatic cases

    New Feature

    • [SONARPHP-1306] - Rules support PCI DSS Security Standard
    • [SONARPHP-1293] - Provide OWASP Top 10 2021 security standards for rules metadata

    Task

    • [SONARPHP-1309] - Add Windows build and plugin qa step to CI
    • [SONARPHP-1301] - Remove deprecated DuplicatedBlocks rule from Sonar Way

  • 3.23.1.8766 (Mar 28, 2022)

  • 3.23.0.8726 (Feb 9, 2022)

    New Feature

    • [SONARPHP-1270] - Rule S6393: Regular expressions should have valid delimiters
    • [SONARPHP-1272] - Rule S6396: Superfluous curly brace quantifiers should be avoided
    • [SONARPHP-1273] - Rule S6397: Character classes in regular expressions should not contain only one character
    • [SONARPHP-1274] - Rule S6323: Alternation in regular expressions should not contain empty alternatives
    • [SONARPHP-1275] - Rule S6326: Regular expressions should not contain multiple spaces
    • [SONARPHP-1276] - Rule S6353: Regular expression quantifiers and character classes should be used concisely
    • [SONARPHP-1277] - Rule S6328: Replacement strings should reference existing regular expression groups
    • [SONARPHP-1278] - Rule S6331: Regular expressions should not contain empty groups
    • [SONARPHP-1279] - Rule S6395: Non-capturing groups without quantifier should not be used

    False-Positive

    • [SONARPHP-1268] - S3699 should not raise on arrow functions or match clauses
  • 3.22.1.8626 (Jan 24, 2022)

  • 3.22.0.8482 (Nov 26, 2021)

    Bug

    • [SONARPHP-1262] - PHPStan report import should not fail on paths with class context

    New Feature

    • [SONARPHP-1251] - Parser should support Enums
    • [SONARPHP-1252] - Parser should support `new` in initializers
    • [SONARPHP-1253] - Parser should support readonly properties
    • [SONARPHP-1254] - Parser should support first-class callable syntax
    • [SONARPHP-1255] - Parser should support pure intersection types
    • [SONARPHP-1256] - Parser should support explicit octal integer literal notation
    • [SONARPHP-1260] - Parser should support final class constants
    • [SONARPHP-1264] - S1144 UnusedPrivateMethodCheck should raise on enum private and protected methods
    • [SONARPHP-1265] - Parser should allow enums as inner statements

    Improvement

  • 3.21.2.8292 (Nov 12, 2021)

  • 3.21.1.8250 (Oct 26, 2021)

  • 3.21.0.8193 (Oct 12, 2021)

    New Feature

    • [SONARPHP-1185] - Rule S5850: Alternatives in regular expressions should be grouped when used with anchors
    • [SONARPHP-1188] - Rule S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
    • [SONARPHP-1192] - Rule S5867: Unicode-aware versions of character classes should be preferred
    • [SONARPHP-1193] - Rule S6001: Back references in regular expressions should only refer to capturing groups that are matched before the reference
    • [SONARPHP-1198] - Rule S5857: Character classes should be preferred over reluctant quantifiers in regular expressions
    • [SONARPHP-1200] - Rule S6002: Regex lookahead assertions should not be contradictory
    • [SONARPHP-1201] - Rule S5843: Regular expressions should not be too complicated
    • [SONARPHP-1204] - Rule S5856: Regular expressions should be syntactically valid
  • 3.20.0.8080 (Sep 13, 2021)

    New Feature

    • [SONARPHP-1180] - Add PCRE recursion feature to regex parser
    • [SONARPHP-1189] - Rule S6035: Single-character alternations in regular expressions should be replaced with character classes
    • [SONARPHP-1190] - Rule S5996: Regex boundaries should not be used in a way that can never be matched
    • [SONARPHP-1191] - Rule S5855: Regex alternatives should not be redundant
    • [SONARPHP-1194] - Rule S5868: Unicode Grapheme Clusters should be avoided inside regex character classes
    • [SONARPHP-1196] - Rule S5869: Character classes in regular expressions should not contain the same character twice
    • [SONARPHP-1199] - Rule S5994: Regex patterns following a possessive quantifier should not always fail
    • [SONARPHP-1202] - Rule S5842: Regex repetition pattern's body should not match the empty String
    • [SONARPHP-1203] - Rule S5361: `str_replace` should be preferred to `preg_replace`

    Task

    • [SONARPHP-1216] - Collect statistics to recognize and identify time consumers

    Improvement

    False-Positive

    • [SONARPHP-1219] - S1808 NamespaceAndUseStatementCheck does not consider group use statements
    • [SONARPHP-1234] - Rule S4792: Invalid exceptions for error_reporting
  • 3.19.0.7847 (Aug 16, 2021)

    New Feature

    • [SONARPHP-1179] - Rule S6339: Secret keys and salt values should be robust
    • [SONARPHP-1206] - Rule S6341: WordPress theme and plugin editors are security-sensitive
    • [SONARPHP-1207] - Rule S6342: Allowing themes and plugins to be managed in WordPress admin area is security-sensitive
    • [SONARPHP-1208] - Rule S6343: Disabling automatic updates is security-sensitive
    • [SONARPHP-1210] - Rule S6344: Constants should not be redefined
    • [SONARPHP-1211] - Rule S6345: Allowing all external requests from a WordPress server is security-sensitive
    • [SONARPHP-1212] - Rule S6346: Allowing unauthenticated database repair in WordPress is security-sensitive
    • [SONARPHP-1213] - Rule S6347: WordPress options should not be defined at the end of "wp-config.php"
    • [SONARPHP-1214] - Rule S6348: Allowing unfiltered HTML content in WordPress is security-sensitive
    • [SONARPHP-1215] - Rule S6349: WordPress option names should not be misspelled

    Improvement

    • [SONARPHP-1176] - WordPress: S4507 should consider WP_DEBUG option
    • [SONARPHP-1177] - WordPress: S5332 should consider FORCE_SSL_ADMIN and FORCE_SSL_LOGIN options
  • 3.18.0.7718 (Jul 27, 2021)

    Bug

    • [SONARPHP-1151] - LoopExecutingAtMostOnceCheck crashes on loop inside "declare" statement
    • [SONARPHP-1152] - NullPointerException in S4824 UnsetForeachReferenceVariableCheck
    • [SONARPHP-1156] - Symbols should be created for the right hand side of constant declarations
    • [SONARPHP-1171] - Empty method check fails when JVM's default locale uses Eastern Arabic digits

    New Feature

    • [SONARPHP-1154] - SonarPHP should load external PHPStan JSON reports
    • [SONARPHP-1155] - SonarPHP should load external Psalm reports

    Improvement

    • [SONARPHP-1175] - Collect errors when importing reports and display them in UI
  • 3.17.0.7439 (Apr 29, 2021)

  • 3.16.0.7320 (Mar 24, 2021)

  • 3.15.0.7197 (Jan 29, 2021)

    New Feature

    • [SONARPHP-952] - Rule S2755: XML parsers should not be vulnerable to XXE attacks
    • [SONARPHP-1102] - Rule S5332: Using clear-text protocols is security-sensitive
    • [SONARPHP-1103] - Rule S5042: Expanding archive files is security-sensitive
    • [SONARPHP-1104] - Rule S5808: Authorizations should be based on strong decisions
    • [SONARPHP-1105] - Rule S2612: Setting loose file permissions is security-sensitive
    • [SONARPHP-1106] - Rule S4502: Disabling CSRF protections is security-sensitive
    • [SONARPHP-1107] - Rule S5693: Allowing requests with excessive content length is security-sensitive
    • [SONARPHP-1112] - Rule S5122: Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
    • [SONARPHP-1114] - Rule S5876: A new session should be created during user authentication

    Task

    • [SONARPHP-1125] - Remove deprecated API: PHPCustomRulesDefinition
  • 3.14.0.6990 (Jan 8, 2021)

    Bug

    • [SONARPHP-1073] - Parsing issue message should be readable
    • [SONARPHP-1084] - Parse error on named argument using keyword value
    • [SONARPHP-1116] - No symbol is created for lower case superglobals
    • [SONARPHP-1121] - Qualified name of class member symbol should be case sensitive

    Improvement

    False-Positive

    • [SONARPHP-1115] - Revise rule S3358 to exclude shorthand ternary operator
    • [SONARPHP-1117] - FP on S2115 where a variable is reassigned using "list"
  • 3.13.0.6849 (Nov 30, 2020)

    Improvement

  • 3.12.0.6710 (Oct 29, 2020)

    Bug

    • [SONARPHP-1081] - Parsing error on capitalized __Construct method with property promotion
    • [SONARPHP-1083] - NPE in S2001 "PHPDeprecatedFunctionUsageCheck"

    New Feature

    • [SONARPHP-1082] - Add fully-qualified class names to declared types.

    Improvement

    False-Positive

    • [SONARPHP-1079] - FP on EmptyMethodCheck for PHP 8 Constructor Property Promotion
    • [SONARPHP-1080] - FP on UnusedFunctionParametersCheck for PHP 8 Constructor Property Promotion
  • 3.11.0.6645 (Oct 20, 2020)

    Bug

    Task

    Improvement

    sonar-php-plugin-3.11.0.6645.jar (5.28 MB)
  • 3.10.0.6474 (Oct 5, 2020)

    Bug

    • [SONARPHP-983] - Object instantiation with method should raise parser error
    • [SONARPHP-1032] - S3699: Issue message contains "null" due to wrong method name resolving
    • [SONARPHP-1033] - StackOverflow in S1764 IdenticalOperandsInBinaryExpressionCheck
    • [SONARPHP-1052] - StackOverflow when scanning Abantecart

    Task

    False-Positive

    • [SONARPHP-885] - S2077: Resolve variable constant values to avoid noisy issues
    • [SONARPHP-973] - Rule S5527 should not raise when CURLOPT_SSL_VERIFYHOST is set to 1/TRUE
    • [SONARPHP-1028] - Revise rule S125 to reduce false positive noise
    • [SONARPHP-1030] - S1172 shouldn't raise issues on functions which call "func_get_args"
    • [SONARPHP-1031] - Reduce noise of S1172 unused function parameters should be removed
    • [SONARPHP-1049] - Private constants are reported as unused when used before init

    False Negative

    • [SONARPHP-754] - UseOfUninitializedVariableCheck should use a CFG to find new issues
    sonar-php-plugin-3.10.0.6474.jar (5.25 MB)
  • 3.9.0.6331 (Aug 25, 2020)

    Bug

    • [SONARPHP-1022] - Regex in S1186 implementation leads to a StackOverflowError
    • [SONARPHP-1024] - NCLOC and other metrics should not be fed for PHP test files

    New Feature

    • [SONARPHP-371] - S110: Inheritance tree of classes should not be too deep
    • [SONARPHP-1009] - S930: The number of arguments passed to a function should match the number of parameters

    Task

    • [SONARPHP-1025] - Compliant and Noncompliant code examples of S5915 are the same.

    Improvement

    • [SONARPHP-1010] - S3699: consider cross-file knowledge of method declarations to get possible returns
    • [SONARPHP-1011] - S2234: consider cross-file knowledge of function declarations to get parameter order
    • [SONARPHP-1018] - S100: exclude overriding methods based on cross-file resolution of hierarchy
    • [SONARPHP-1019] - S107: exclude overriding methods based on cross-file resolution of hierarchy
    • [SONARPHP-1020] - S1172: exclude overriding methods based on cross-file resolution of hierarchy
    • [SONARPHP-1021] - Log the currently analyzed file name when a StackOverflowError happens
    • [SONARPHP-1023] - S1186: Check only comments that are directly above the method
    sonar-php-plugin-3.9.0.6331.jar (5.24 MB)
  • 3.8.1.6222 (Aug 14, 2020)

  • 3.8.0.6152 (Aug 7, 2020)

    New Feature

    • [SONARPHP-984] - Add rule S2699: Tests should include assertions
    • [SONARPHP-986] - Add rule S2187: TestCases should contain tests
    • [SONARPHP-987] - Add rule S5785: PHPUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion
    • [SONARPHP-989] - Add rule S3415: Assertion arguments should be passed in the correct order
    • [SONARPHP-990] - Add rule S2701: Literal boolean values should not be used in assertions
    • [SONARPHP-991] - Add rule S5783: Only one method invocation is expected when testing checked exceptions
    • [SONARPHP-992] - Add rule S1607: Tests should not be ignored
    • [SONARPHP-993] - Add rule S5779: Assertion methods should not be used within the try block of a try-catch catching an Exception
    • [SONARPHP-994] - Add rule S5899: Test methods should be discoverable
    • [SONARPHP-995] - Add rule S5863: Assertions should not compare an object to itself
    • [SONARPHP-999] - Add rule S3360: Test class names should end with "Test"
    • [SONARPHP-1006] - Create an abstract PhpUnitCheck class
    • [SONARPHP-1007] - Add rule S5935: Framework-provided functions should be used to test exceptions
    • [SONARPHP-1008] - Add rule S5915: Assertions should not be made at the end of blocks expecting an exception

    Improvement

    sonar-php-plugin-3.8.0.6152.jar (5.21 MB)
  • 3.7.0.5943 (Jul 24, 2020)

    Release Notes - Version 3.7

    New Feature

    • [SONARPHP-976] - Rule S5708: Caught Exceptions must derive from Throwable
    • [SONARPHP-977] - Rule S1045: All "catch" blocks should be able to catch exceptions
    • [SONARPHP-978] - Rule S5713: A subclass should not be in the same "catch" clause as a parent class
    • [SONARPHP-979] - Rule S5632: Raised Exceptions must derive from Throwable
    • [SONARPHP-1000] - RSPEC-5911 Class of caught exception should be defined

    Improvement

    • [SONARPHP-980] - S3984 should check whether a class extends Exception
    • [SONARPHP-981] - Fix issue message for S2166
    • [SONARPHP-982] - S2166 detects exception classes case-insensitive
    sonar-php-plugin-3.7.0.5943.jar (5.15 MB)
  • 3.6.0.5808 (Jul 3, 2020)

    Bug

    New Feature

    • [SONARPHP-822] - Rule S4824: References used in "foreach" loops should be "unset"
    • [SONARPHP-935] - Update S4830 to match new RSPEC content
    • [SONARPHP-936] - Rule S5527: Server hostnames should be verified during SSL/TLS connections
    • [SONARPHP-938] - Rule S5547: Cipher algorithms should be robust
    • [SONARPHP-940] - RSPEC-5542 Encryption algorithms should be used with secure mode and padding scheme

    Task

    • [SONARPHP-971] - Update dependencies on Apache commons-lang

    Improvement

    • [SONARPHP-939] - Deprecate S2278 in favor of S5547
    • [SONARPHP-941] - Deprecate S2277 in favor of S5542
    • [SONARPHP-967] - Rule S4790: its content should be replaced by S2070
    • [SONARPHP-969] - Update commons.io.version to 2.7+
    • [SONARPHP-970] - Improve S1192 to reduce noise of duplicated string literals
    • [SONARPHP-972] - Rule S4790 should raise when insecure algos are passed to hash(), hash_init(), hash_pbkdf2(), mhash()

    False-Positive

    • [SONARPHP-857] - FP S1854: "use" clause of function expression
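    The 3.6 release is the one that introduced most of the cryptography rules, so it is worth seeing the weak call next to the hardened one. The following is an added illustration, not code from the SonarSource project: the function names, the 32-byte key generated at the bottom and the `'order 42'` message are constructed for the example (real keys come from configuration or a key store), and each noncompliant line is annotated with the rule that flags it.

```php
<?php
declare(strict_types=1);

// S4790: weak digest algorithms passed to hash(), hash_init(), hash_pbkdf2(), mhash().
function weakDigest(string $data): string
{
    return hash('md5', $data);                                       // S4790: MD5 is collision-broken
}
function strongDigest(string $data): string
{
    return hash('sha256', $data);                                    // compliant
}

// S4790 also covers the PRF handed to hash_pbkdf2(); the iteration count is a separate problem.
function weakPasswordHash(string $password, string $salt): string
{
    return hash_pbkdf2('sha1', $password, $salt, 1000);              // S4790: SHA-1 PRF, and far too few rounds
}
function strongPasswordHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);               // bcrypt with a random salt and tunable cost
}

// S5547 (algorithm) and S5542 (mode/padding) on openssl_encrypt().
function weakEncrypt(string $plaintext, string $key): string
{
    $ct = openssl_encrypt($plaintext, 'des-ede3-ecb', $key, OPENSSL_RAW_DATA); // S5547: 3DES; S5542: ECB, no IV, no integrity
    return $ct === false ? '' : $ct;
}
function strongEncrypt(string $plaintext, string $key): string
{
    $iv  = random_bytes(12);                                         // fresh 96-bit nonce per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct;                                         // AEAD layout: nonce || 16-byte tag || ciphertext
}
function strongDecrypt(string $blob, string $key): string
{
    $iv  = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ct  = substr($blob, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');          // a tampered message is rejected, not decrypted
    }
    return $pt;
}

// S5527: TLS stream contexts that skip hostname verification.
function weakTlsContext()
{
    return stream_context_create(['ssl' => [
        'verify_peer'      => false,                                 // S4830: certificate chain not validated
        'verify_peer_name' => false,                                 // S5527: hostname never matched against the certificate
    ]]);
}
function strongTlsContext(string $expectedHost)
{
    return stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $expectedHost,                         // the name the certificate must carry
    ]]);
}

$key  = random_bytes(32);                                            // constructed AES-256 key for this run only
$blob = strongEncrypt('order 42', $key);
if (strongDecrypt($blob, $key) !== 'order 42') {
    throw new RuntimeException('round trip failed');
}
$tampered = substr($blob, 0, -1) . chr(ord($blob[-1]) ^ 1);         // flip one ciphertext bit
try {
    strongDecrypt($tampered, $key);
} catch (RuntimeException $e) {
    echo 'tampered message rejected: ', $e->getMessage(), PHP_EOL;
}
echo strongDigest('order 42'), PHP_EOL;
```

    The weak functions are defined but not invoked: with OpenSSL 3 some legacy ciphers are only available through the legacy provider, and a script that merely declares them is enough for the analyzer to raise the issues. For curl-based clients the S5527 equivalent is `CURLOPT_SSL_VERIFYHOST` set to anything other than `2`.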
  • 3.5.0.5655(May 28, 2020)

    Release Notes - SonarSource Analyzer for PHP - Version 3.5

    New Feature

    • [SONARPHP-693] - Rule S1226: Method parameters, caught exceptions and foreach variables' initial values should not be ignored
    • [SONARPHP-751] - Rule S2166: Classes named like "Exception" should extend "Exception" or a subclass
    • [SONARPHP-764] - Rule: Array values should not be replaced unconditionally
    • [SONARPHP-765] - Rule: Unary prefix operators should not be repeated
    • [SONARPHP-769] - Rule: Methods should not be empty
    • [SONARPHP-772] - Rule: Octal values should not be used
    • [SONARPHP-774] - Rule: "switch" statements should not be nested
    • [SONARPHP-775] - Rule: Parameters should be passed in the correct order
    • [SONARPHP-790] - Rule S1155: "empty()" should be used to test for emptiness
    • [SONARPHP-791] - Rule S1940: Boolean checks should not be inverted
  • 3.4.0.5461(May 11, 2020)

    Release Notes - SonarPHP - Version 3.4

    False-Positive

    • [SONARPHP-789] - FP on S2037 (SelfKeywordUsageCheck): constant from parent class declared in another file
    • [SONARPHP-853] - FP S1144 when anonymous nested class
    • [SONARPHP-884] - RSPEC-1603 should not raise issues on namespaced classes
    • [SONARPHP-906] - S1125 should ignore operands of ternary operator
    • [SONARPHP-930] - FP on S1185 when a method defines default values for parameters
    • [SONARPHP-932] - FP: CodeFollowingJumpStatementCheck should ignore PHP closing tags
    • [SONARPHP-949] - False Positive S905: @phan-var statement
    • [SONARPHP-959] - Rule S2068: filter string literal that contains the wordlist item
    • [SONARPHP-960] - Rule S2068: filter database query parameters
    • [SONARPHP-961] - FP on anonymous function for "$this should not be used in a static context"

    Task

    • [SONARPHP-937] - Remove rule S1536 that can be spotted by PHP interpreter
    • [SONARPHP-963] - Change issue type of S3011 to code smell

    Improvement

    • [SONARPHP-927] - Stop logging warnings when importing test results based on 'dataProvider'
    • [SONARPHP-948] - Deprecate RSPEC-2964
    • [SONARPHP-951] - The progress report should report the current file instead of the next one
    • [SONARPHP-956] - S2068 should detect hardcoded credentials in LDAP and database functions
    • [SONARPHP-957] - Rule S2068: support URI userinfo component
    • [SONARPHP-962] - Update branding to drop 'SonarPHP'
    • [SONARPHP-964] - Fix performance issue on PHPTree.getLastToken()
  • 2.12-RC1(Nov 17, 2017)

    SNAPSHOT version of the plugin to allow users to test the plugin during the request for feedback for the release 2.12.

    Important: the minimal compatibility has changed to SonarQube 6.7 LTS.

    This version fixes 7 rules, feeds "Cognitive Complexity Metric" and introduces 20 new rules:

    • S1110: Redundant parentheses should be removed
    • S3923: All branches in a conditional structure should not have exactly the same implementation
    • S2757: "=+" should not be used instead of "+="
    • S3972: Conditionals should start on new lines
    • S3973: Conditionally executed code should be denoted by either indentation or curly braces
    • S3801: Functions should use "return" consistently
    • S3699: The output of functions that don't return anything should not be used
    • S2201: Return values from functions without side effects should not be ignored
    • S3981: Collection sizes and array length comparisons should make sense
    • S2123: Values should not be uselessly incremented
    • S4144: Methods should not have identical implementations
    • S3984: Exception should not be created without being thrown
    • S1075: URIs should not be hardcoded
    • S4142: Duplicate values should not be passed as arguments
    • S1121: Assignments should not be made from within sub-expressions
    • S3358: Ternary operators should not be nested
    • S2737: "catch" clauses should do more than rethrow
    • NoSonar: Track uses of "NOSONAR" comments
    • S2251: A "for" loop update clause should move the counter in the right direction
    • S836: Variables should be initialized before use

  • 2.11-RC1(Oct 26, 2017)

  • 2.10(Mar 8, 2017)

    SNAPSHOT version of the plugin to allow users to test the plugin during the request for feedback for the release 2.10.

    The main changes in this release include:

    But there's much more, see the release notes: https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10956&version=13456
