phpcs-security-audit

phpcs-security-audit is a set of PHP_CodeSniffer rules that find vulnerabilities and weaknesses related to security in PHP code.

It currently has core PHP rules as well as Drupal 7 specific rules.

The tool also checks for CVE issues and security advisories related to CMS/framework. Using it, you can follow the versioning of components during static code analysis.

The main reason for this project for being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems. It is also able to find security bugs that are not detected with object-oriented analysis (like in RIPS or PHPMD).

phpcs-security-audit is backed by Floe design + technologies and written by Jonathan Marcil.

Chanelog v2.0.1

• Making this to publish on Packagist with the few bug fixes we did in the last year or so as reported on #39.

Install

Requires PHP CodeSniffer version 3.x with PHP 5.4 or higher.

Because of the way PHP CodeSniffer works, you need to put the Security/ folder from phpcs-security-audit in /usr/share/php/PHP/CodeSniffer/Standards or do a symlink to it.

The easiest way to install is to git clone and use composer that will create the symlink for you:

git clone https://github.com/FloeDesignTechnologies/phpcs-security-audit.git

cd FloeDesignTechnologies/phpcs-security-audit

composer install

./vendor/bin/phpcs --standard=example_base_ruleset.xml tests.php

The package is also on Packagist:

composer require pheromone/phpcs-security-audit

sh vendor/pheromone/phpcs-security-audit/symlink.sh

./vendor/bin/phpcs --standard=./vendor/pheromone/phpcs-security-audit/example_base_ruleset.xml ./vendor/pheromone/phpcs-security-audit/tests.php

If you want to integrate it all with Jenkins, go see http://jenkins-php.org/ for extensive help.

Usage

Simply point to any XML ruleset file and a folder:

phpcs --extensions=php,inc,lib,module,info --standard=example_base_ruleset.xml /your/php/files/

Specifying extensions is important since, for example, PHP code is within .module files in Drupal.

To have a quick example of the output you can use the provided tests.php file:

$ phpcs --extensions=php,inc,lib,module,info --standard=example_base_ruleset.xml tests.php



FILE: tests.php

--------------------------------------------------------------------------------

FOUND 16 ERROR(S) AND 15 WARNING(S) AFFECTING 22 LINE(S)

--------------------------------------------------------------------------------

  6 | WARNING | Possible XSS detected with . on echo

  6 | ERROR   | Easy XSS detected because of direct user input with $_POST on

    |         | echo

  8 | WARNING | db_query() is deprecated except when doing a static query

  8 | ERROR   | Potential SQL injection found in db_query()

  9 | WARNING | Usage of preg_replace with /e modifier is not recommended.

Drupal note

For the Drupal AdvisoriesContrib you need to change your /etc/php5/cli/php.ini to have:

short_open_tag = On

in order to get rid of “No PHP code was found in this file” warnings.

Please note that only Drupal modules downloaded from drupal.org are supported. If you are using contrib module but from another source, the version checking will probably won’t work and will generate a warning.

More…

Author:  jmarcil && Valentin Backofen