I have been evaluating DeepSource’s PHP capabilities a few months ago (on a free plan) using some PHP scripts with obvious vulnerabilities (and other random issues). Today, when I checked back, DeepSource (using the same code samples) no longer reported any issues relating to PHP-Axxxx rules (especially/for instance, no longer complaining about the use of eval statements). Is this a bug, a misconfiguration (on my end) – or does the free plan no longer include security-related checks?
There are no ignore rules created for any of the PHP-Axxxx rules.
You can check this under Ignore rules in the Settings tab.
We recently improved the detection capabilities of some security issues in PHP, and fixed some false positives too.
If the settings I mentioned above are looking good, can you please help me with a sample snippet, and your repository name?
In my case/configuration: all issues should be reported, no rules are selected to be ignored.
I have, for instance, this file – 129bdf1ed69f2e6a3e167af5c4bcfd88_original.txt.php – which includes two injection vectors (via user-controlled request parameters command and php). Originally, DeepSource at least notified me that using eval most likely is a bad idea (PHP-A1000).
For a “slightly” more complicated example, 315bce26c92c3d36f0a7286350ad9bb9_original.txt.php, DeepSource previously reported a ton of PHP-A1009 violations (for calling passthru, system, shell_exec, exec, a.s.o.), didn’t like the use of md5 (PHP-A1004) or insecure file access permissions (PHP-A1006) – and more. Now, most of the (rightful) “complaints” are missing.
The issue report for this repository now only includes bug risks and anti-patterns.
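As an added example (not DeepSource’s code and not one of the files from this thread), here is a small token-based check that flags the calls the rules mentioned above cover; the function-to-rule mapping is assumed from the posts, not taken from DeepSource’s rule definitions:

```php
<?php
// Added example, not DeepSource's code: a minimal token-based check for the calls this
// thread says stopped being reported. The name-to-rule mapping (PHP-A1000 eval, PHP-A1009
// command execution, PHP-A1004 md5) is an assumption based on the posts above.
const FLAGGED = [
    'eval' => 'PHP-A1000', 'passthru' => 'PHP-A1009', 'system' => 'PHP-A1009',
    'shell_exec' => 'PHP-A1009', 'exec' => 'PHP-A1009', 'md5' => 'PHP-A1004',
];

/** Returns one ['line' => int, 'name' => string, 'rule' => string] per flagged call. */
function scanPhpSource(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;
        }
        // eval is a language construct with its own token; the others are plain identifiers.
        if ($tok[0] === T_EVAL) {
            $findings[] = ['line' => $tok[2], 'name' => 'eval', 'rule' => FLAGGED['eval']];
            continue;
        }
        $name = strtolower($tok[1]);
        if ($tok[0] !== T_STRING || !isset(FLAGGED[$name])) {
            continue;
        }
        // Ignore methods and static calls ($db->exec(), Foo::system()) that only share the name.
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
            continue;
        }
        // Count it only when the identifier is actually invoked: next non-whitespace token is '('.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if (($tokens[$j] ?? null) === '(') {
            $findings[] = ['line' => $tok[2], 'name' => $name, 'rule' => FLAGGED[$name]];
        }
    }
    return $findings;
}

// Constructed sample mirroring the thread's description: request parameters reaching eval and a shell.
$sample = "<?php\n\$cmd = \$_GET['command'];\necho shell_exec(\$cmd);\neval(\$_GET['php']);\n\$db->exec('x');\n";
foreach (scanPhpSource($sample) as $f) {
    printf("line %d: %s() -> %s\n", $f['line'], $f['name'], $f['rule']);
}
```

Running it on one of the sample files from the thread gives a quick local baseline to compare against what the analyzer currently reports.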
We have pushed a hotfix and have also triggered a sync for the repo you shared with us.
We had to disable the SQL injection check temporarily, which is going to be re-enabled in our next update.