Hi there, I’m using SonarQube v10.2.1.78527 on my local development machine which I’ve recently upgraded from PHP 7.4 to PHP 8.3. With PHP 8(.3), many array functions are a lot stricter on type, i.e. no nulls or empty strings where an array is expected, e.g.:
$var = null;
$result = implode(',', $var);
triggers an error where previously I believe this was a warning. It’s easily solved of course with a null coalesce, e.g.:
$var = null;
$result = implode(',', $var ?? []);
but, does anyone know, is it possible to configure SonarQube to flag these patterns (or should it flag them automatically on my particular, or a later, version)? Many thanks in advance to the community for any assistance.
Hi Ann, thanks a mil for your reply and warm welcome! I’ve just upgraded to v10.7.0.96327 and unfortunately the issue still isn’t flagging up. The line of code in question did actually flag up initially:
But once I e.g. error_log($result); immediately after - that flag disappears and no other issue is raised. I would say this is a pretty common paradigm, e.g. a simple HTML form POSTing an array to PHP and then immediately attempting to perform an array function on it, e.g. count(…) or implode(…) and so on and now in PHP 8, if that array is null, it will spring an error. Thanks again Ann, really appreciate your help.
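An added example (not part of the original post) of the form-POST case described above: on PHP 8, `?? []` covers a null field but not a scalar sent where an array is expected, so the input is normalized before `implode()` is called. `request_list()`, `attempt()` and the sample inputs are hypothetical names and constructed data.

```php
<?php
// Added example, not code from the thread. request_list(), attempt() and the
// sample inputs are hypothetical/constructed.

/** Return a request field as a flat list of scalars, whatever the client sent. */
function request_list(array $source, string $key): array
{
    $value = $source[$key] ?? [];          // field absent or null
    if (!is_array($value)) {
        $value = [$value];                 // "tags=a" sent instead of "tags[]=a"
    }
    // Drop nested arrays ("tags[0][]=x"); implode() would render them as "Array".
    return array_values(array_filter($value, 'is_scalar'));
}

/** Run a callable and report either its result or the TypeError PHP 8 throws. */
function attempt(callable $fn): string
{
    try {
        return var_export($fn(), true);
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}

// Constructed stand-ins for $_POST under different client behaviour.
$samples = [
    'null value'     => ['tags' => null],
    'scalar, no []'  => ['tags' => 'a'],
    'expected list'  => ['tags' => ['a', 'b']],
    'nested element' => ['tags' => ['a', ['x']]],
];

foreach ($samples as $label => $post) {
    echo "== $label\n";
    // Passing the value straight through fails on null and on a scalar.
    echo '  unguarded:  ', attempt(fn() => implode(',', $post['tags'])), "\n";
    // The null coalesce fixes null only; a scalar still raises TypeError.
    echo '  ?? [] only: ', attempt(fn() => implode(',', $post['tags'] ?? [])), "\n";
    // Normalizing first gives a string in every case. (The nested sample also
    // emits an "Array to string conversion" warning in the two rows above.)
    echo '  normalized: ', attempt(fn() => implode(',', request_list($post, 'tags'))), "\n";
}
```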
Exactly Ann. That issue disappearing is correct behaviour but I would expect (or hope) for a separate issue to flag indicating that we’re passing a non-array to our array function. I just mentioned about the other issue flagging up to confirm that the scan’s scope covers the problematic code. Thanks again Ann, hugely appreciated.
Thanks for creating this thread and suggesting your idea.
We thought this was an interesting rule idea, and looked into implementing it. Unfortunately, some limitations in our PHP analyzer prevent the implementation of such a rule.
We would need to know the signature of the methods we want to target.
This is not easily solvable, as the method’s origin can either be in the same file, cross-file, or from a library.
We would need to know the type of the variable that is being passed to the function.
Because PHP is a dynamically typed language, this as well poses a significant challenge, requiring a runtime analysis, which our analyzer is not capable of.
All in all, the request is fair but it has so many prerequisites that we wouldn’t be able to implement it in any reasonable timeframe.
Hi @jonas.wielage - thanks a million for your note, fully understood and I appreciate the detailed response. I did suspect it would pose a technical challenge given the nature of PHP, but, thanks anyway for looking into it. All the best.