We are evaluating SonarQube as a replacement for a much more expensive SAST solution. Our application is using Oracle’s OCI8 calls in our PHP code. The incumbent system detects the OCI calls and will flag some elements of bad calls. SonarQube with the PHP scanner (using a Developer Edition trial license) does not catch any of the OCI calls / faults.
Are we missing something on getting the PHP scanner to detect usage of OCI or are we just out of luck on this?