Release notes - SonarPHP - Version 3.25

Bug

SONARPHP-1316 Import of PHPStan reports without issues should not raise an error

SONARPHP-1313 PHP sensor should be executed also on TEST files.

SONARPHP-1308 The namespace resolver should not look into other namespaces to resolve

False-Positive

SONARPHP-1311 Rule S1313: Exclude reserved documentation IP ranges

Improvement

SONARPHP-1318 Adapt PHPUnit integration tests to reflect state-of-the art testing in PHP

SONARPHP-1312 External report information on files that are excluded from the analysis should not be processed

SONARPHP-1282 Adjust fully qualified path of external reports to prevent incorrect allocation

New Feature

SONARPHP-1315 Support readonly class syntax

Release notes - SonarPHP - Version 3.24

Bug

SONARPHP-1300 Parsing error on the order of constructor promoted property characteristics

SONARPHP-1296 Parse error on keywords as enum case identifier

False Negative

SONARPHP-1267 Parser: All keywords should be case insensitive

SONARPHP-1170 S2050: FN on fully qualified name

SONARPHP-1168 S2755: FN with fully qualified names

False-Positive

SONARPHP-1303 Rule S1313: Exclude local IPv4-mapped IPv6 address

SONARPHP-1299 S1144 should take into account PHPDoc @uses

SONARPHP-1238 S5996 FP on line breaks after end boundaries

SONARPHP-1169 FP for S2277 when using fully qualified name

Improvement

SONARPHP-1298 Update Analyzer Commons to 1.25: minor changes on Regex checks

SONARPHP-1294 Rule S1192: Add period as allowed character for exceptions

SONARPHP-1136 S2755 should support cakephp xml utils

SONARPHP-593 Make S1697 cover PHP idiomatic cases

New Feature

SONARPHP-1306 Rules support PCI DSS Security Standard

SONARPHP-1293 Provide OWASP Top 10 2021 security standards for rules metadata

Task

SONARPHP-1309 Add Windows build and plugin qa step to CI

SONARPHP-1301 Remove deprecated DuplicatedBlocks rule from Sonar Way

Improvement

• [SONARPHP-1295] - Provide descriptions for rule properties of S1808

False-Positive

• [SONARPHP-1291] - S6328 should not raise on parsing error

New Feature

• [SONARPHP-1270] - Rule S6393: Regular expressions should have valid delimiters
• [SONARPHP-1272] - Rule S6396: Superfluous curly brace quantifiers should be avoided
• [SONARPHP-1273] - Rule S6397: Character classes in regular expressions should not contain only one character
• [SONARPHP-1274] - Rule S6323: Alternation in regular expressions should not contain empty alternatives
• [SONARPHP-1275] - Rule S6326: Regular expressions should not contain multiple spaces
• [SONARPHP-1276] - Rule S6353: Regular expression quantifiers and character classes should be used concisely
• [SONARPHP-1277] - Rule S6328: Replacement strings should reference existing regular expression groups
• [SONARPHP-1278] - Rule S6331: Regular expressions should not contain empty groups
• [SONARPHP-1279] - Rule S6395: Non-capturing groups without quantifier should not be used

False-Positive

• [SONARPHP-1268] - S3699 should not raise on arrow functions or match clauses

Bug

• [SONARPHP-1269] - CFG building should not fail when enum is encountered

Bug

• [SONARPHP-1262] - PHPStan report import should not fail on paths with class context

New Feature

• [SONARPHP-1251] - Parser should support Enums
• [SONARPHP-1252] - Parser should support `new` in initializers
• [SONARPHP-1253] - Parser should support readonly properties
• [SONARPHP-1254] - Parser should support first-class callable syntax
• [SONARPHP-1255] - Parser should support pure intersection types
• [SONARPHP-1256] - Parser should support explicit octal integer literal notation
• [SONARPHP-1260] - Parser should support final class constants
• [SONARPHP-1264] - S1144 UnusedPrivateMethodCheck should raise on enum private and protected methods
• [SONARPHP-1265] - Parser should allow enums as inner statements

Improvement

• [SONARPHP-1261] - Move to Java 11

Bug

• [SONARPHP-1250] - Secondary locations for regex rules are not present in UI

False-Positive

• [SONARPHP-1249] - Regex parser should not raise error on syntactical correct expression

Bug

• [SONARPHP-1240] - Regex parser should support PHP PCRE named groups syntax
• [SONARPHP-1241] - Regex parser should support PHP PCRE backreferences syntax

New Feature

• [SONARPHP-1185] - Rule S5850: Alternatives in regular expressions should be grouped when used with anchors
• [SONARPHP-1188] - Rule S6019: Reluctant quantifiers in regular expressions should be followed by an expression that can't match the empty string
• [SONARPHP-1192] - Rule S5867: Unicode-aware versions of character classes should be preferred
• [SONARPHP-1193] - Rule S6001: Back references in regular expressions should only refer to capturing groups that are matched before the reference
• [SONARPHP-1198] - Rule S5857: Character classes should be preferred over reluctant quantifiers in regular expressions
• [SONARPHP-1200] - Rule S6002: Regex lookahead assertions should not be contradictory
• [SONARPHP-1201] - Rule S5843: Regular expressions should not be too complicated
• [SONARPHP-1204] - Rule S5856: Regular expressions should be syntactically valid

New Feature

• [SONARPHP-1180] - Add PCRE recursion feature to regex parser
• [SONARPHP-1189] - Rule S6035: Single-character alternations in regular expressions should be replaced with character classes
• [SONARPHP-1190] - Rule S5996: Regex boundaries should not be used in a way that can never be matched
• [SONARPHP-1191] - Rule S5855: Regex alternatives should not be redundant
• [SONARPHP-1194] - Rule S5868: Unicode Grapheme Clusters should be avoided inside regex character classes
• [SONARPHP-1196] - Rule S5869: Character classes in regular expressions should not contain the same character twice
• [SONARPHP-1199] - Rule S5994: Regex patterns following a possessive quantifier should not always fail
• [SONARPHP-1202] - Rule S5842: Regex repetition pattern's body should not match the empty String
• [SONARPHP-1203] - Rule S5361: `str_replace` should be preferred to `preg_replace`

Task

• [SONARPHP-1216] - Collect statistics to recognize and identify time consumers

Improvement

• [SONARPHP-1182] - Parse regex flags after delimiter
• [SONARPHP-1183] - Add PCRE conditional subpatterns feature to regex parser
• [SONARPHP-1209] - Parser should match PHP POSIX style expressions
• [SONARPHP-1220] - Map regex character location to location in files
• [SONARPHP-1227] - Fix location of characters when using escape sequences
• [SONARPHP-1229] - Handle whitespaces before delimiter
• [SONARPHP-1230] - S5361: Add secondary location on regex pattern

False-Positive

• [SONARPHP-1219] - S1808 NamespaceAndUseStatementCheck does not consider group use statements
• [SONARPHP-1234] - Rule S4792: Invalid exceptions for error_reporting

New Feature

• [SONARPHP-1179] - Rule S6339: Secret keys and salt values should be robust
• [SONARPHP-1206] - Rule S6341: WordPress theme and plugin editors are security-sensitive
• [SONARPHP-1207] - Rule S6342: Allowing themes and plugins to be managed in WordPress admin area is security-sensitive
• [SONARPHP-1208] - Rule S6343: Disabling automatic updates is security-sensitive
• [SONARPHP-1210] - Rule S6344: Constants should not be redefined
• [SONARPHP-1211] - Rule S6345: Allowing all external requests from a WordPress server is security-sensitive
• [SONARPHP-1212] - Rule S6346: Allowing unauthenticated database repair in WordPress is security-sensitive
• [SONARPHP-1213] - Rule S6347: WordPress options should not be defined at the end of "wp-config.php"
• [SONARPHP-1214] - Rule S6348: Allowing unfiltered HTML content in WordPress is security-sensitive
• [SONARPHP-1215] - Rule S6349: WordPress option names should not be misspelled

Improvement

• [SONARPHP-1176] - WordPress: S4507 should consider WP_DEBUG option
• [SONARPHP-1177] - WordPress: S5332 should consider FORCE_SSL_ADMIN and FORCE_SSL_LOGIN options

Bug

• [SONARPHP-1151] - LoopExecutingAtMostOnceCheck crashes on loop inside "declare" statement
• [SONARPHP-1152] - NullPointerException in S4824 UnsetForeachReferenceVariableCheck
• [SONARPHP-1156] - Symbols should be created for the right hand side of constant declarations
• [SONARPHP-1171] - Empty method check fails when JVM's default locale uses Eastern Arabic digits

New Feature

• [SONARPHP-1154] - SonarPHP should load external PHPStan JSON reports
• [SONARPHP-1155] - SonarPHP should load external Psalm reports

Improvement

• [SONARPHP-1175] - Collect errors when importing reports and display them in UI

Bug

• [SONARPHP-1120] - [S1121] Fix rule description

Improvement

• [SONARPHP-812] - [S1313] Detect IPv6 addresses only at the beginning of strings

False-Positive

• [SONARPHP-1140] - [S1488] False Positives when Assigned Value Depends on the Variable Itself

Task

• [SONARPHP-1139] - Drop dependency on commons-io

New Feature

• [SONARPHP-952] - Rule S2755: XML parsers should not be vulnerable to XXE attacks
• [SONARPHP-1102] - Rule S5332: Using clear-text protocols is security-sensitive
• [SONARPHP-1103] - Rule S5042: Expanding archive files is security-sensitive
• [SONARPHP-1104] - Rule S5808: Authorizations should be based on strong decisions
• [SONARPHP-1105] - Rule S2612: Setting loose file permissions is security-sensitive
• [SONARPHP-1106] - Rule S4502: Disabling CSRF protections is security-sensitive
• [SONARPHP-1107] - Rule S5693: Allowing requests with excessive content length is security-sensitive
• [SONARPHP-1112] - Rule S5122: Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
• [SONARPHP-1114] - Rule S5876: A new session should be created during user authentication

Task

• [SONARPHP-1125] - Remove deprecated API: PHPCustomRulesDefinition

Bug

• [SONARPHP-1073] - Parsing issue message should be readable
• [SONARPHP-1084] - Parse error on named argument using keyword value
• [SONARPHP-1116] - No symbol is created for lower case superglobals
• [SONARPHP-1121] - Qualified name of class member symbol should be case sensitive

Improvement

• [SONARPHP-896] - Update S126 to add an exception
• [SONARPHP-1087] - Deactivate ASP-like opening tags in parser

False-Positive

• [SONARPHP-1115] - Revise rule S3358 to exclude shorthand ternary operator
• [SONARPHP-1117] - FP on S2115 where a variable is reassigned using "list"

Improvement

• [SONARPHP-1086] - S1862: Add a message on the secondary location
• [SONARPHP-1089] - S1763: Add a message on the secondary location
• [SONARPHP-1090] - S1192: Add a message on the secondary location
• [SONARPHP-1091] - S1117: Add a message on the secondary location
• [SONARPHP-1092] - S1142: Add a message on the secondary location
• [SONARPHP-1093] - S110: Add a message on the secondary location
• [SONARPHP-1094] - S1045: Add a message on the secondary location
• [SONARPHP-1095] - S5632: Add a message on the secondary location
• [SONARPHP-1096] - S930: Add a message on the secondary location
• [SONARPHP-1097] - S5708: Add a message on the secondary location
• [SONARPHP-1098] - S5713: Add a message on the secondary location
• [SONARPHP-1099] - S3699: Add a message on the secondary location
• [SONARPHP-1100] - S3415: Add a message on secondary locations
• [SONARPHP-1101] - S3801: Add a message on the secondary location

Bug

• [SONARPHP-1081] - Parsing error on capitalized __Construct method with property promotion
• [SONARPHP-1083] - NPE in S2001 "PHPDeprecatedFunctionUsageCheck"

New Feature

• [SONARPHP-1082] - Add fully-qualified class names to declared types.

Improvement

• [SONARPHP-1072] - Update SSLR to 1.24

False-Positive

• [SONARPHP-1079] - FP on EmptyMethodCheck for PHP 8 Constructor Property Promotion
• [SONARPHP-1080] - FP on UnusedFunctionParametersCheck for PHP 8 Constructor Property Promotion

Bug

• [SONARPHP-1055] - S1451 should not crash on short files
• [SONARPHP-1077] - OufOfMemory in InheritanceDepthCheck

Task

• [SONARPHP-1060] - Update README with PHP 8 support
• [SONARPHP-1075] - S4784 should be deprecated because it's too noisy

Improvement

• [SONARPHP-1034] - Parser should handle union types
• [SONARPHP-1035] - Parser should handle new nullsafe operator syntax
• [SONARPHP-1036] - Parser should handle named arguments
• [SONARPHP-1037] - Parser should handle new annotation attribute syntax
• [SONARPHP-1038] - Parser should handle match expression
• [SONARPHP-1039] - Parser should handle constructor property promotion
• [SONARPHP-1040] - Parser should handle new static return type
• [SONARPHP-1041] - Parser should handle new mixed type
• [SONARPHP-1042] - Parser should handle new throw expression syntax
• [SONARPHP-1044] - Parser should handle ::class on objects
• [SONARPHP-1045] - Parser should handle non-capturing catches
• [SONARPHP-1046] - Parser should handle trailing comma in parameter lists
• [SONARPHP-1047] - Parser should handle trailing comma in closure use lists
• [SONARPHP-1054] - Adapt existing rules to named arguments

Bug

• [SONARPHP-983] - Object instantiation with method should raise parser error
• [SONARPHP-1032] - S3699: Issue message contains "null" due to wrong method name resolving
• [SONARPHP-1033] - StackOverflow in S1764 IdenticalOperandsInBinaryExpressionCheck
• [SONARPHP-1052] - StackOverflow when scanning Abantecart

Task

• [SONARPHP-1048] - Fix outdated URLs in pom.xml
• [SONARPHP-1050] - Update orchestrator to version 3.30.0.2630

False-Positive

• [SONARPHP-885] - S2077: Resolve variable constant values to avoid noisy issues
• [SONARPHP-973] - Rule S5527 should not raise when CURLOPT_SSL_VERIFYHOST is set to 1/TRUE
• [SONARPHP-1028] - Revise rule S125 to reduce false positive noise
• [SONARPHP-1030] - S1172 shoudn't raise issues on functions which call "func_get_args"
• [SONARPHP-1031] - Reduce noise of S1172 unused function parameters should be removed
• [SONARPHP-1049] - Private constant's are reported as unused when used before init

False Negative

• [SONARPHP-754] - UseOfUninitializedVariableCheck should use a CFG to find new issues

Bug

• [SONARPHP-1022] - Regex in S1186 implementation leads to a StackOverflowError
• [SONARPHP-1024] - NCLOC and other metrics should not be fed for PHP test files

New Feature

• [SONARPHP-371] - S110: Inheritance tree of classes should not be too deep
• [SONARPHP-1009] - S930: The number of arguments passed to a function should match the number of parameters

Task

• [SONARPHP-1025] - Compliant and Noncompliant code examples of S5915 are the same.

Improvement

• [SONARPHP-1010] - S3699: consider cross-file knowledge of method declarations to get possible returns
• [SONARPHP-1011] - S2234: consider cross-file knowledge of function declarations to get parameter order
• [SONARPHP-1018] - S100: exclude overriding methods based on cross-file resolution of hierarchy
• [SONARPHP-1019] - S107: exclude overriding methods based on cross-file resolution of hierarchy
• [SONARPHP-1020] - S1172: exclude overriding methods based on cross-file resolution of hierarchy
• [SONARPHP-1021] - Log the currently analyzed file name when a StackOverflowError happens
• [SONARPHP-1023] - S1186: Check only comments that are directly above the method

Bug

• [SONARPHP-1024] - NCLOC and other metrics should not be fed for PHP test files

New Feature

• [SONARPHP-984] - Add rule S2699: Tests should include assertions
• [SONARPHP-986] - Add rule S2187: TestCases should contain tests
• [SONARPHP-987] - Add rule S5785: PHPUnit assertTrue/assertFalse should be simplified to the corresponding dedicated assertion
• [SONARPHP-989] - Add rule S3415: Assertion arguments should be passed in the correct order
• [SONARPHP-990] - Add rule S2701: Literal boolean values should not be used in assertions
• [SONARPHP-991] - Add rule S5783: Only one method invocation is expected when testing checked exceptions
• [SONARPHP-992] - Add rule S1607: Tests should not be ignored
• [SONARPHP-993] - Add rule S5779: Assertion methods should not be used within the try block of a try-catch catching an Exception
• [SONARPHP-994] - Add rule S5899: Test methods should be discoverable
• [SONARPHP-995] - Add rule S5863: Assertions should not compare an object to itself
• [SONARPHP-999] - Add rule S3360: Test class names should end with "Test"
• [SONARPHP-1006] - Create an abstract PhpUnitCheck class
• [SONARPHP-1007] - Add rule S5935: Framework-provided functions should be used to test exceptions
• [SONARPHP-1008] - Add rules S5915: Assertions should not be made at the end of blocks expecting an exception

Improvement

• [SONARPHP-1005] - Enable checks on project test files

Release Notes - Version 3.7

New Feature

• [SONARPHP-976] - Rule S5708: Caught Exceptions must derive from Throwable
• [SONARPHP-977] - Rule S1045: All "catch" blocks should be able to catch exceptions
• [SONARPHP-978] - Rule S5713: A subclass should not be in the same "catch" clause as a parent class
• [SONARPHP-979] - Rule S5632: Raised Exceptions must derive from Throwable
• [SONARPHP-1000] - RSPEC-5911 Class of caught exception should be defined

Improvement

• [SONARPHP-980] - S3984 should check whether a class extends Exception
• [SONARPHP-981] - Fix issue message for S2166
• [SONARPHP-982] - S2166 detects exception classes case-insensitive

Bug

• [SONARPHP-735] - Parse error: use an array to invoke a method
• [SONARPHP-903] - Parse error on indirect call from constant
• [SONARPHP-928] - Parsing error when calling function called 'null'
• [SONARPHP-968] - Crash in DataEncryptionCheck

New Feature

• [SONARPHP-822] - Rule S4824: References used in "foreach" loops should be "unset"
• [SONARPHP-935] - Update S4830 to match new RSPEC content
• [SONARPHP-936] - Rule S5527: Server hostnames should be verified during SSL/TLS connections
• [SONARPHP-938] - Rule S5547: Cipher algorithms should be robust
• [SONARPHP-940] - RSPEC-5542 Encryption algorithms should be used with secure mode and padding scheme

Task

• [SONARPHP-971] - Update dependencies on Apache commons-lang

Improvement

• [SONARPHP-939] - Deprecate S2278 in favor of S5547
• [SONARPHP-941] - Deprecate S2277 in favor of S5542
• [SONARPHP-967] - Rule S4790: its content should be replaced by S2070
• [SONARPHP-969] - Update commons.io.version to 2.7+
• [SONARPHP-970] - Improve S1192 to reduce noise of duplicated string literals
• [SONARPHP-972] - Rule S4790 should raise when insecure algos are passed to hash(), hash_init(), hash_pbkdf2(), mhash()

False-Positive

• [SONARPHP-857] - FP S1854: "use" clause of function expression

Release Notes - SonarSource Analyzer for PHP - Version 3.5

New Feature

• [SONARPHP-693] - Rule S1226: Method parameters, caught exceptions and foreach variables' initial values should not be ignored
• [SONARPHP-751] - Rule S2166: Classes named like "Exception" should extend "Exception" or a subclass
• [SONARPHP-764] - Rule: Array values should not be replaced unconditionally
• [SONARPHP-765] - Rule: Unary prefix operators should not be repeated
• [SONARPHP-769] - Rule: Methods should not be empty
• [SONARPHP-772] - Rule: Octal values should not be used
• [SONARPHP-774] - Rule: "switch" statements should not be nested
• [SONARPHP-775] - Rule: Parameters should be passed in the correct order
• [SONARPHP-790] - Rule S1155: "empty()" should be used to test for emptiness
• [SONARPHP-791] - Rule S1940: Boolean checks should not be inverted

Release Notes - SonarPHP - Version 3.4

False-Positive

• [SONARPHP-789] - FP on S2037 (SelfKeywordUsageCheck): constant from parent class declared in another file
• [SONARPHP-853] - FP S1144 when anonymous nested class
• [SONARPHP-884] - RSPEC-1603 should not raise issues on namespaced classes
• [SONARPHP-906] - S1125 should ignore operands of ternary operator
• [SONARPHP-930] - FP on S1185 when a method defines default values for parameters
• [SONARPHP-932] - FP: CodeFollowingJumpStatementCheck should ignore PHP closing tags
• [SONARPHP-949] - False Positive S905: @phan-var statement
• [SONARPHP-959] - Rule S2068: filter string literal that contains the wordlist item
• [SONARPHP-960] - Rule S2068: filter database query parameters
• [SONARPHP-961] - FP on anonymous function for "$this should not be used in a static context"

Task

• [SONARPHP-937] - Remove rule S1536 that can be spotted by PHP interpreter
• [SONARPHP-963] - Change issue type of S3011 to code smell

Improvement

• [SONARPHP-927] - Stop logging warnings when importing test results based on 'dataProvider'
• [SONARPHP-948] - Deprecate RSPEC-2964
• [SONARPHP-951] - The progress report should report the current file instead of the next one
• [SONARPHP-956] - S2068 should detect hardcoded credentials in LDAP and database functions
• [SONARPHP-957] - Rule S2068: support URI userinfo component
• [SONARPHP-962] - Update branding to drop 'SonarPHP'
• [SONARPHP-964] - Fix performance issue on PHPTree.getLastToken()

SNAPSHOT version of the plugin to allow users to test the plugin during the request for feedback for the release 2.12.

Important: the minimal compatibility has change to SonarQube 6.7 LTS.

This version fixes 7 rules, feeds "Cognitive Complexity Metric" and introduces 20 new rules:

• S1110: Redundant parentheses should be removed
• S3923: All branches in a conditional structure should not have exactly the same implementation
• S2757: "=+" should not be used instead of "+="
• S3972: Conditionals should start on new lines
• S3973: Conditionally executed code should be denoted by either indentation or curly braces
• S3801: Functions should use "return" consistently
• S3699: The output of functions that don't return anything should not be used
• S2201: Return values from functions without side effects should not be ignored
• S3981: Collection sizes and array length comparisons should make sense
• S2123: Values should not be uselessly incremented
• S4144: Methods should not have identical implementations
• S3984: Exception should not be created without being thrown
• S1075: URIs should not be hardcoded
• S4142: Duplicate values should not be passed as arguments
• S1121: Assignments should not be made from within sub-expressions
• S3358: Ternary operators should not be nested
• S2737: "catch" clauses should do more than rethrow
• NoSonar: Track uses of "NOSONAR" comments
• S2251: A "for" loop update clause should move the counter in the right direction
• S836: Variables should be initialized before use

Release Notes

SNAPSHOT version of the plugin to allow users to test the plugin during the request for feedback for the release 2.11.

This release adds support for PHP 7.1 and PHP 7.2.

Release notes.

SNAPSHOT version of the plugin to allow users to test the plugin during the request for feedback for the release 2.10.

The main changes in this release include :

• New rule: Cognitive Complexity of functions should not be too high
• Up-to-date SonarLint integration
• Import any number of test coverage reports to SonarQube 6.2 and above

But there's much more, see the release notes: https://jira.sonarsource.com/jira/secure/ReleaseNote.jspa?projectId=10956&version=13456