PHP scanning with OCI8 calls?

We are evaluating SonarQube as a replacement for a much more expensive SAST solution. Our application uses Oracle’s OCI8 calls in our PHP code. The incumbent system detects the OCI calls and will flag some elements of bad calls. SonarQube with the PHP scanner (using a Developer Edition trial license) does not catch any of the OCI calls / faults.

Are we missing something on getting the PHP scanner to detect usage of OCI or are we just out of luck on this?


Hi Frank, welcome to the SonarSource Community!

To be clear, you’re looking for issues to be found that exist between the local PHP code and stored procedures that live in the database? If so, SonarQube is only going to be able to find issues that exist in code that’s part of the project’s code repository. Anything that lives outside the boundary of what gets checked out from a code repo won’t be analyzed.


What do you mean by “bad calls”?
SonarQube (Developer Edition) can detect SQL injection vulnerabilities which involve PHP functions such as oci_parse.
If you believe that you face false negatives (issues which SonarQube should raise but does not), can you please share code examples? If you prefer to share code privately, I can send you a private message.
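To make the kind of finding mentioned above concrete, here is an added example (not code from the original thread or from SonarSource) of the two shapes an OCI8 query usually takes: request input concatenated into the SQL text passed to oci_parse, and the same lookup done with a bind variable. The table name APP_USERS, the column names and the $_GET['name'] parameter are assumptions for illustration; the demo prints the constructed SQL without contacting a database.

```php
<?php
// Added example, not from the thread: the OCI8 call shape a taint-tracking
// SQL-injection rule should report, beside the shape it should accept.
// Assumes a hypothetical table APP_USERS(USERNAME, EMAIL); $conn is expected
// to come from oci_connect(). The demo at the bottom needs no database.

declare(strict_types=1);

// Builds the query text the vulnerable path sends: user input concatenated
// straight into the SQL. Kept as a pure function so the resulting string can
// be inspected offline.
function buildVulnerableSql(string $username): string
{
    return "SELECT username, email FROM app_users WHERE username = '" . $username . "'";
}

// VULNERABLE: a value that originates from the request reaches oci_parse()
// as part of the statement text. This is the flow a SAST rule looks for.
function findUserVulnerable($conn, string $username): ?array
{
    $stid = oci_parse($conn, buildVulnerableSql($username));
    oci_execute($stid);
    $row = oci_fetch_assoc($stid);
    oci_free_statement($stid);
    return $row === false ? null : $row;
}

// SAFE: the statement text is a constant; the value travels as a bind
// variable, so Oracle never interprets it as SQL. oci_bind_by_name() binds by
// reference, which is why a local variable (not an expression) is passed.
function findUserSafe($conn, string $username): ?array
{
    $sql  = 'SELECT username, email FROM app_users WHERE username = :uname';
    $stid = oci_parse($conn, $sql);
    oci_bind_by_name($stid, ':uname', $username, -1, SQLT_CHR);
    oci_execute($stid);
    $row = oci_fetch_assoc($stid);
    oci_free_statement($stid);
    return $row === false ? null : $row;
}

// Offline demo with a constructed hostile value: the concatenating builder
// turns it into a WHERE clause that is true for every row, whereas the bound
// version would send the same characters to the database purely as data.
$hostile = "x' OR '1'='1";
echo buildVulnerableSql($hostile), PHP_EOL;

// Realistic call site, executed only when an Oracle connection is configured
// (ORACLE_USER, ORACLE_PASS and ORACLE_DSN are assumed environment names).
if (function_exists('oci_connect') && getenv('ORACLE_DSN') !== false) {
    $conn = oci_connect(getenv('ORACLE_USER'), getenv('ORACLE_PASS'), getenv('ORACLE_DSN'));
    $name = $_GET['name'] ?? 'alice';   // request-controlled, i.e. tainted
    var_dump(findUserSafe($conn, $name));
    oci_close($conn);
}
```

Two practical points follow from this shape. A taint-tracking rule raises an issue only when it can see both ends of the flow: a recognised source (here a superglobal such as $_GET) and the sink (the SQL text handed to oci_parse) inside the analysed repository; if the value enters through a wrapper the analyzer does not know, or the concatenation happens inside a stored procedure outside the checkout, there is nothing for it to connect. And the fix is the bound form, not escaping: once the statement text is constant, the oci_parse call stops being a sink for request data at all.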