Is there a list of PHP frameworks that are currently supported by SonarQube?

Is there a list of frameworks that are currently supported by SonarSource & SonarQube (my personal interest is in PHP-related frameworks)?

Besides that, is there a way in SonarSource (including paid plans as well) to define custom sinks for framework related code? Thanks in advance for pointing to potential solutions/possibilities here!

Example

$commandUtility = $this->objectManager
  ->get('TYPO3\\CMS\\Core\\Utility\\CommandUtility');
$gs = $commandUtility->getCommand('gs');
$fileName = $_GET['file'];
// this GhostScript command is not complete, just for demo...
$commandUtility->exec($gs . ' -q -dBATCH -dNOPAUSE -dQUIET '
  . ' -dEmbedAllFonts=true -dSAFER -o out.png /static/path/' . $fileName);

Which actually contains a couple of vulnerabilities:

  • $commandUtility->getCommand('gs'); resolves the GhostScript binary, a trigger for potential gs-related RCEs (weak match)
  • $commandUtility->exec leads to shell execution & the GET parameter file can be injected for RCE (strong match)

Custom Sinks

  • $this->objectManager->get(<T>) resolves to instance of <T>
  • TYPO3\CMS\Core\Utility\CommandUtility::exec($a$) calls native PHP function exec($a$)
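As an added illustration (not part of the original post or of TYPO3), the hardened counterpart of the snippet above: the user-supplied file name is checked against a strict allowlist pattern and then passed through escapeshellarg() before it is concatenated into the command. The gs path, the input directory and the sample inputs are constructed for the demo; the command string is only built, not executed.

```php
<?php
declare(strict_types=1);

// Constructed for the demo: where the input files are expected to live.
const INPUT_DIR = '/static/path/';

// Accept only bare file names such as "report-2.pdf": no directory
// separators, no "..", no spaces or shell metacharacters. Returns null
// on anything else so the caller can refuse the request.
function validateFileName(string $userFile): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]+\.(pdf|ps)$/', $userFile) !== 1) {
        return null;
    }
    return $userFile;
}

// Build the GhostScript command line. The -dSAFER flag restricts what
// GhostScript itself may do; it does nothing against shell injection, so
// the argument is validated and quoted before it reaches the shell.
function buildGsCommand(string $gs, string $userFile): ?string
{
    $safeName = validateFileName($userFile);
    if ($safeName === null) {
        return null;
    }
    // escapeshellarg() makes the whole path a single shell token, a second
    // line of defence should the allowlist ever be loosened.
    $input = escapeshellarg(INPUT_DIR . $safeName);
    return $gs . ' -q -dBATCH -dNOPAUSE -dQUIET -dEmbedAllFonts=true -dSAFER'
        . ' -o out.png ' . $input;
}

// Demo on constructed inputs (in the original code this string went to
// CommandUtility::exec(); here it is only printed).
$gs = '/usr/bin/gs';
foreach (['scan.pdf', '../../etc/passwd', 'my file;x.pdf'] as $in) {
    $cmd = buildGsCommand($gs, $in);
    echo str_pad($in, 20) . ' => ' . ($cmd ?? 'REJECTED') . PHP_EOL;
}
```

With a custom sink declared for CommandUtility::exec, the taint engine would see $_GET['file'] flowing into that sink unless a recognised sanitizer such as escapeshellarg() sits on the path.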

Hi @ohader and welcome to the Community Forum!

As of today, SonarQube and SonarCloud support two PHP frameworks: Laravel and Symfony.

Customization of the security engine allows you to add custom sinks like TYPO3\CMS\Core\Utility\CommandUtility::exec.

Defining custom return types is not something we support.

We plan to have built-in support for Laravel and Symfony dependency injection in the future (see MMF-1699).
