PHP download

Download the PHP package pdrakeweb/phpcs-security-audit without Composer

On this page you can find all versions of the php package pdrakeweb/phpcs-security-audit. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

Table of contents
Download pdrakeweb/phpcs-security-audit
More information about pdrakeweb/phpcs-security-audit
Files in pdrakeweb/phpcs-security-audit

Vendor pdrakeweb
Package phpcs-security-audit
Short Description phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks.
License gpl-v2

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:

If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.

Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
To use Composer is sometimes complicated. Especially for beginners.
Composer needs much resources. Sometimes they are not available on a simple webspace.
If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.

Please rate this library. Is it a good library?

Example code of pdrakeweb/phpcs-security-audit

Informations about the package phpcs-security-audit

About

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds flaws or weaknesses related to security in PHP and its popular CMS or frameworks.

It currently has core PHP rules as well as Drupal 7 specific rules. Next planned CMS/framework is Symfony 2.

As a bonus set of rules, the tool also check for CVE issues and security advisories related to CMS/framework. You can use it in order to follow the versioning of components during static code analysis.

The main reasons of this project for being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems and to be able to find security bugs that are not detected with object oriented analysis (like in RIPS or PHPMD).

phpcs-security-audit is backed by Phéromone and written by Jonathan Marcil.

Usage

You need http://pear.php.net/package/PHP_CodeSniffer/ with PHP 5.4 or later installed first.

Because of the way PHP CodeSniffer works, you need to put the Security/ folder from phpcs-security-audit in /usr/share/php/PHP/CodeSniffer/Standards or do a symlink to it.

Then all you need to do is to configure or use a XML rule file and run it over your code:

Specifying extensions is important since for example PHP code is within .module files in Drupal.

If you want to integrate it all with Jenkins, go see http://jenkins-php.org/ for extensive help.

To have a quick example of output you can use the provided tests.php file:

Drupal details

For the Drupal AdvisoriesContrib you need to change your /etc/php5/cli/php.ini to have:

in order to get rid of "No PHP code was found in this file" warnings.

Please note that only Drupal modules downloaded from drupal.org are supported. If you are using contrib module but from another source, the version checking will probably won't work and will generate warning.

Customize

As in normal PHP CodeSniffer rules, customization is provided in the XML files that are in the top folder of the project.

The example_subset_ruleset.xml file will give you all the possible choices and let you customize them or removing the ones you don't like.

These parameters are common in many rules (this is a PHP CodeSniffer limitation, sorry for redundency):

ParanoiaMode: set to 1 to add more checks. 0 for less.
CmsFramework: set to the name of a folder containings rules and Utils.php (such as Drupal7, Symfony2).

Specialize

If you want to fork and help or just do your own sniffs you can use the utilities provided by phpcs-security-audit rules in order to facilitate the process.

Let's say you have a custom CMS function that is taking user input from $_GET when a function call to get_param() is done.

You have to create a new Folder in Sniffs/ that will be the name of your framework. Then you'll need to create a file named Utils.php that will actually be the function that will specialise the generic sniffs. To guide you, just copy the file from another folder such as Drupal7/.

The main function you'll want to change is is_direct_user_input where you'll want to return TRUE when get_param() is seen:

Don't forget to set the occurrence of param "CmsFramework" in your XML base configuration in order to select your newly added utilities.

You are not required to do your own sniffs for the modification to be useful, since you are specifying what is a user input for other rules, but you could use the newly created directory to do so.

If you implement any public cms/framework customization please make a pull request to help the project grows.

Annoyances

As any security tools, this one comes with it's share of annoyance. At first a focus on finding vulnerabilities will be done, but later it is planned to have a phase where efforts will be towards reducing annoyances, in particular with the number of false positives.

It's a generator of false positives. This can actually help you learn what are the weak functions in PHP. Paranoia mode will fix that by doing a major cut-off on warnings when set to 0.
It's slow. On big Drupal modules and core it can take too much time (and RAM, reconfigure cli/php.ini to use 512M if needed) to run. Not sure if it's because of bugs in PHPCS or this set of rules, but will be investigated last. Meanwhile you can configure PHPCS to ignore big contrib modules (and run another instance of PHPCS for .info parsing only for them). An example is og taking hours, usually everything runs under 1-2 minutes and sometime around 5 minute. You can only use one core in PHP since no multithreading is available. Possible workaround is to use phpcs --ignore=folder to skip scanning of those parts.
For Drupal advisories checking: a module with multiple versions might be secure if a lesser fixed version exists and you'll still get the error or warning. Keep everything updated at latest as recommended on Drupal's website.

All versions of phpcs-security-audit with dependencies

PHP Build Version

Package Version

Version 1.0 Release 02. Jun 2014
create-project require 0 people choosed require and
0 people choosed create-project.

Download

Download latest version of phpcs-security-audit from vendor pdrakeweb

No informations.

Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package pdrakeweb/phpcs-security-audit contains the following files

Loading the files please wait ....