SAST is not working properly

  • versions used: SonarQube 8.7.1 Developer Edition - self-hosted in k8s

GitLab SAST detects a lot of vulnerabilities in my code, e.g.

Function array_filter() that supports callback detected

while SonarQube shows 0 problems.

Code to reproduce:

    // Drops null entries before JSON encoding; the callback is a fixed closure,
    // not a value that comes from user input.
    public function jsonSerialize()
    {
        return array_filter($this->data, function ($item) {
            return !is_null($item);
        });
    }

Hello Vladkras,

Thank you for sharing your feedback!

GitLab SAST runs phpcs-security-audit, a tool that detects only potential weaknesses. From what I can see, the code that you provided does not contain any actual security vulnerability. The PHP built-in function array_filter() can be vulnerable if the second (callback) parameter is tainted with user input. But in your example, a harmless callback function is used and there is nothing to worry about. What do you think? SonarQube only raises vulnerabilities in your code when we are sure there is something to fix.

Best,
Johannes

PS: And don't forget to update to our new SQ 8.9 to use our latest analysis :)

6 Likes
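To make the distinction in the reply concrete, here is an added example (not code from the thread, from SonarSource or from GitLab) contrasting the pattern phpcs-security-audit is really worried about with the original poster's harmless closure. The `$request` array is a constructed stand-in for `$_GET`, and `filterUnsafe`, `filterNulls` and `filterByName` are hypothetical names chosen for the illustration.

```php
<?php
// Added example, not from the original thread. It shows why a tool that only
// pattern-matches flags array_filter(): the second argument is a callable, so if
// that value comes from user input the attacker picks which function is run on
// every element of the array.

// Constructed "request" standing in for $_GET; 'callback' is attacker-controlled.
$request = ['callback' => 'system'];

// Constructed sample data; note the strings look like shell commands.
$data = ['id -un', null, 'uname -a'];

// VULNERABLE: the callable is taken straight from the request. With 'system' as
// the callback, array_filter() would call system('id -un') and system('uname -a').
function filterUnsafe(array $data, array $request): array
{
    return array_filter($data, $request['callback']);
}

// SAFE: the original poster's pattern. The callback is a fixed closure defined in
// the source, so there is no way for user input to change what gets executed.
function filterNulls(array $data): array
{
    return array_filter($data, function ($item) {
        return !is_null($item);
    });
}

// SAFE even when the caller must choose the filter: user input selects from an
// allowlist of closures by key and is never interpreted as a function name.
function filterByName(array $data, string $name): array
{
    $filters = [
        'not_null'  => fn($item) => !is_null($item),
        'non_empty' => fn($item) => $item !== null && $item !== '',
    ];
    if (!isset($filters[$name])) {
        throw new InvalidArgumentException("unknown filter: $name");
    }
    return array_filter($data, $filters[$name]);
}

var_dump(filterNulls($data));              // ['id -un', 2 => 'uname -a']
var_dump(filterByName($data, 'not_null')); // same result, selected by allowlisted key

// filterUnsafe($data, $request) is deliberately never called here: with the
// constructed request above it would execute both command strings via system().
```

The first function is the shape a pattern-based rule is right to report; the second and third are what a taint-tracking analysis can recognise as safe, because the callable never flows from a source it cannot trust.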