Curl SSL/TLS trust chain verification should not be disabled

Hello Pierre-Loup,

I created RSPEC-4830 and RSPEC-4831 from your rule suggestion.

I believe there is a typo in your Compliant Code.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true) should not be considered safe because “true” is cast to ‘1’, which is not a secure configuration. CURLOPT_SSL_VERIFYHOST should be set to ‘2’.

Thanks

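To make the point in the reply above concrete, here is an added example (not code from the original post, from Pierre-Loup's suggestion, or from the RSPEC rules) showing the weak setting next to the corrected one. The URL and the optional CA bundle path are placeholders assumed for illustration; nothing else is specific to a real project.

```php
<?php
// Added example, not from the original thread. https://example.com/ is a
// placeholder URL; $caBundle is an assumed path supplied by the caller.

function weak_curl_handle(string $url)
{
    $curl = curl_init($url);
    // curl_setopt() casts the boolean true to the integer 1. Historically 1 only
    // checked that the certificate carried a common name at all, without
    // matching it against the host in $url, so this is the noncompliant form.
    // Depending on the libcurl version, 1 is rejected or silently treated as
    // another value, so never rely on it.
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, true);
    return $curl;
}

function hardened_curl_handle(string $url, ?string $caBundle = null)
{
    $curl = curl_init($url);
    // Verify the certificate chain against the trust store.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
    // 2 is the only value that checks the certificate's name against the host
    // in $url (subject alternative name or common name).
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    if ($caBundle !== null) {
        // Optional: restrict trust to an explicit CA bundle (assumed path).
        curl_setopt($curl, CURLOPT_CAINFO, $caBundle);
    }
    return $curl;
}

// The cast the reply warns about: the "safe-looking" true is the integer 1.
var_dump((int) true);

$curl = hardened_curl_handle('https://example.com/');
$body = curl_exec($curl);
if ($body === false) {
    // A name mismatch or an untrusted chain fails closed here instead of
    // connecting anyway; surface the libcurl reason for the operator.
    fwrite(STDERR, 'TLS verification failed: ' . curl_error($curl) . PHP_EOL);
}
curl_close($curl);
```

A rule such as RSPEC-4830/4831 should therefore flag CURLOPT_SSL_VERIFYHOST set to anything other than the integer 2 (including true), and CURLOPT_SSL_VERIFYPEER set to false, since either setting lets a connection to a server presenting the wrong or an untrusted certificate succeed.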