PHP error_reporting(0) false positive

The SonarCloud fix recommends this:

According to PHP Logging Basics, in production the error reporting should be set to the “minimum error reporting level”, which is correct, but the “recommended value” is incorrect:

SonarCloud just copied this recommended value.

But in PHP, the minimum error reporting level is 0, and not E_ALL.

// Turn off all error reporting
error_reporting(0);
0 = Turn off all error reporting
E_ALL = Report all PHP errors
-1 = Report all PHP errors

This means the options E_ALL and -1 are only for debug mode and NOT for production, because they may output all server and internal error details.

See here: error-reporting

Would it be possible to fix this insecure recommendation in SonarLint?

https://sonarcloud.io/project/security_hotspots?id=odan_slim4-skeleton&branch=master&resolved=false&types=SECURITY_HOTSPOT
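As an added illustration (not code from the thread, from SonarSource or from the skeleton project linked above), the following PHP script contrasts the two profiles discussed in the post: the "production" profile applies error_reporting(0) as the post recommends, and the "debug" profile applies E_ALL. It then runs a constructed request handler that triggers an E_WARNING (an undefined array key) and checks whether any error text ended up in the captured response body. The function names and the sample scenario are hypothetical.

```php
<?php
// Added example, not part of the original thread. Function names are hypothetical.
declare(strict_types=1);

/**
 * Apply an error-reporting profile and return the effective settings.
 *
 * 'production' follows the post: error_reporting(0), plus display_errors off
 * so nothing is printed into the response, and log_errors on so problems
 * still reach the server's error log.
 * 'debug' reports everything (E_ALL, equivalent to -1) and displays it;
 * intended for local development only.
 */
function configureErrorReporting(string $profile): array
{
    switch ($profile) {
        case 'production':
            error_reporting(0);              // 0 = turn off all error reporting
            ini_set('display_errors', '0');  // never write error text to the output
            ini_set('log_errors', '1');      // keep errors in the error log instead
            break;
        case 'debug':
            error_reporting(E_ALL);          // E_ALL / -1 = report all PHP errors
            ini_set('display_errors', '1');  // show them in the output
            ini_set('log_errors', '1');
            break;
        default:
            throw new InvalidArgumentException("unknown profile: $profile");
    }

    return [
        'error_reporting' => error_reporting(),
        'display_errors'  => ini_get('display_errors'),
        'log_errors'      => ini_get('log_errors'),
    ];
}

/**
 * Constructed request handler: reads a missing array key, which raises
 * E_WARNING ("Undefined array key") on PHP 8, then emits a page body.
 * Output buffering captures whatever PHP would have sent to the client.
 */
function renderWithWarning(): string
{
    ob_start();
    $config = [];                 // constructed input: the key is deliberately absent
    $value  = $config['missing']; // E_WARNING here
    echo 'page body';
    return (string) ob_get_clean();
}

/** True if error text leaked into the response body under the given profile. */
function warningLeaks(string $profile): bool
{
    configureErrorReporting($profile);
    return str_contains(renderWithWarning(), 'Undefined array key');
}

// Usage: php error_profiles.php production   (or: debug)
$profile = $argv[1] ?? 'production';
$effective = configureErrorReporting($profile);
printf("profile=%s error_reporting=%d display_errors=%s log_errors=%s\n",
    $profile, $effective['error_reporting'],
    $effective['display_errors'], $effective['log_errors']);
printf("warning text in response body: %s\n", warningLeaks($profile) ? 'yes' : 'no');
```

Run with `production` and the response body contains only "page body"; run with `debug` and the warning, including the script path and line number, is printed into the body. Note that the leak is governed by display_errors as much as by error_reporting(): with display_errors off, a reported warning goes only to the log, which is why the production profile sets both. Using the same settings in php.ini (error_reporting, display_errors, log_errors) is preferable to calling them at runtime, since a parse error in the script itself happens before any ini_set() call runs.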

Hello Daniel. Welcome to the community and thanks a lot for the report!

I have created a ticket to fix this issue (SONARPHP-1234) and a pull request to update the rule description.


The issue was solved, so it should likely be included in the next release (for SonarQube and SonarCloud too).


Awesome! Thank you 🙂
