DeepSource no longer reports security related issues on (my) PHP projects


I have been evaluating DeepSource’s PHP capabilities a few months ago (on a free plan) using some PHP scripts with obvious vulnerabilities (and other random issues). Today, when I checked back, DeepSource (using the same code samples) no longer reported any issues relating to PHP-Axxxx rules (especially/for instance, no longer complaining about the use of eval statements). Is this a bug, a misconfiguration (on my end) – or does the free plan no longer include security-related checks?

@fbahr,

There’s no restriction on detection capabilities of Analyzers based on plans, and it doesn’t require any extra configuration.

Can you please check the following for the repository on DeepSource?

  1. Reporting security issues is enabled
    Repository’s Settings tab → Quality Gates

  2. There are no ignore rules created for any of the PHP-Axxxx rules
    You can check this under Ignore rules in the Settings tab.

We recently improved the detection capabilities of some security issues in PHP, and fixed some false positives too.
If the settings I mentioned above are looking good, can you please help me with a sample snippet, and your repository name?

Thanks for the quick reply!

In my case/configuration: all issues should be reported, no rules are selected to be ignored.

I have, for instance, this file – 129bdf1ed69f2e6a3e167af5c4bcfd88_original.txt.php – which includes two injection vectors (via user-controlled request parameters command and php). Originally, DeepSource at least notified me that using eval most likely is a bad idea (PHP-A1000).

For a “slightly” more complicated example, 315bce26c92c3d36f0a7286350ad9bb9_original.txt.php, DeepSource previously reported a ton of PHP-A1009 violations (for calling passthru, system, shell_exec, exec, a.s.o.), didn’t like the use of md5 (PHP-A1004) or insecure file access permissions (PHP-A1006) – and more. Now, most of the (rightful) “complaints” are missing.

The issue report for this repository now only includes bug risks and anti-patterns.
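The four rule categories mentioned in this post (eval, shell command calls, md5, file permissions), as an added PHP example that is not from the thread or from DeepSource: the flagged patterns are kept as comments so the file carries no live sink, and each sits beside a remediated form. Which rule a given analyzer attaches to which line is an assumption to verify against its own output.

```php
<?php
// Added example, not code from the thread or from DeepSource: the reported
// patterns (as comments) beside their remediated forms. Which rule fires on
// which line is an assumption to check against the analyzer's output.
declare(strict_types=1);

// --- Patterns the thread's fixture files contain (shown as comments) -------
//   eval($_GET['php']);                 // request data evaluated as code
//   system($_GET['command']);           // request data passed to a shell
//   $hash = md5($_POST['password']);    // weak hash for a password
//   chmod('/tmp/report.txt', 0777);     // world-writable file

// --- Remediated equivalents -----------------------------------------------
// Never evaluate request data: map the value onto a fixed set of functions,
// so the input selects behaviour but never becomes code.
const ACTIONS = ['status' => 'reportStatus', 'version' => 'reportVersion'];
function reportStatus(): string { return 'ok'; }
function reportVersion(): string { return PHP_VERSION; }

function runAction(string $name): string
{
    if (!array_key_exists($name, ACTIONS)) {
        throw new InvalidArgumentException('unknown action');
    }
    return call_user_func(ACTIONS[$name]);
}

// Shell: allowlist the program and escape any request-derived argument.
// An analyzer may still report the shell_exec call; the allowlist is what
// makes that finding reviewable rather than exploitable.
const COMMANDS = ['uptime' => '/usr/bin/uptime', 'date' => '/bin/date'];

function runCommand(string $name, string $arg = ''): string
{
    if (!array_key_exists($name, COMMANDS)) {
        throw new InvalidArgumentException('unknown command');
    }
    $cmd = COMMANDS[$name] . ($arg !== '' ? ' ' . escapeshellarg($arg) : '');
    return (string) shell_exec($cmd);
}

// Password storage: salted, slow hash instead of md5.
function storePassword(string $plain): string { return password_hash($plain, PASSWORD_DEFAULT); }

// Files: owner-only permissions instead of 0777.
function writeReport(string $path, string $body): void
{
    file_put_contents($path, $body);
    chmod($path, 0600);
}
```

Running the analyzer over a copy of this file with the commented lines uncommented gives a small, reproducible check of whether the PHP-A1000/A1009/A1004/A1006 findings come back after a fix.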

Thanks for the details!

I was able to reproduce this and we are getting this looked at. We’ll post an update here once the fix for this is live.

Hey @fbahr,

We have pushed a hotfix and have also triggered a sync for the repo you shared with us.
We had to disable the SQL injection check temporarily, which is going to be re-enabled in our next update.

Here’s the updated result:

If you have any other private repository, you can trigger a sync by deactivating and activating the analysis from your settings tab.

Thanks for your patience with this!

