Create PHP plugin to detect RCE


I’m totally new with SonarQube and I would like to leverage it to create a PHP plugin that would allow to detect RCE in a code. Indeed, I have a lot of system calls in the code, and I could like to be able, for each of them, to check if the variables injected in the system command have been sanitized properly.
I have looked at SonaQube doc and I can’t figure out if it is possible to implement such a CustomRule. Is it possible to track a variable to see where it has been defined (Are there part of the tree ?) ? Figure out if it is a user input ? Check if it has been sanitized ?

I would like to know if my project is possible with SonarQube,
Thank you for help


it is possible to write custom rules for PHP, you can check the guide here.

However, the rule you want to write is no easy feat and requires a lot of work to implement. What are you after is called taint analysis. Custom rules API will only provide you access to syntactic information, you would need to create call graph and analyse data flow to implement it.

But do not despair, actually we plan to work on this very topic this year with new SonarSecurity plugin and PHP is something we have in mind for it. Although this will be available only in paid editions.

1 Like


Thank you for your answer.
I see. But I can also write the whole tool in Python. So to what extend would SonarQube help me in this task ?

SonarPHP provides parser for PHP code and builds Abstract Syntax Tree, which can be used in custom rules.