I have been working on a few security rules for SonarPHP.
Those rules might not perform as well as the ones used in SAST software (no taint or call flow analyses), but they help enforce security good practices.
Some rules have been designed for the Drupal 7 & Drupal 8 codebases.
Here is a list of the rules already written:
- Functions used for system command execution are forbidden.
- TLS trust chain verification should not be disabled.
- TLS configuration should not be changed dynamically.
- Namespace importing should be preferred over include/require functions.
- unserialize function should not be used on untrusted data.
- Superglobal variables that contain user input should not be used directly. Prefer using the filter_input() function.
- filter_input() should not be used with the FILTER_DEFAULT or FILTER_UNSAFE_RAW filter option.
- Drupal static query should use proper argument substitution.
- Drupal dynamic query should use proper argument substitution.
- Drupal Form API unsanitized user input should not be used.
Are those types of rules wanted in the SonarPHP rule set?
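As an added illustration (not part of the original post and not SonarPHP's own rule code or test fixtures), the PHP below shows, for several of the rules listed, the code each rule would flag next to the form it recommends; the Drupal 7 APIs (db_query, db_select, $form_state) are assumed as named in the rules, and the URL is a placeholder.

```php
<?php
// Added example: one "Noncompliant" / "Compliant" pair per rule.

// Rule: TLS trust chain verification should not be disabled.
$ch = curl_init('https://example.invalid/api');      // placeholder URL
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);     // Noncompliant: accepts any cert
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);      // Compliant (this is the default)
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);         // also check the hostname

// Rule: unserialize() should not be used on untrusted data.
function restore_state(string $payload): array {
    $state = unserialize($payload);                  // Noncompliant: can instantiate arbitrary classes
    $state = json_decode($payload, true) ?? [];      // Compliant: plain arrays only
    // If the serialized format cannot be changed, at least forbid object creation (PHP >= 7.0):
    // $state = unserialize($payload, ['allowed_classes' => false]);
    return $state;
}

// Rule: superglobals should not be read directly; prefer filter_input().
// Rule: filter_input() should not use FILTER_DEFAULT / FILTER_UNSAFE_RAW.
$page = $_GET['page'];                                       // Noncompliant: raw superglobal
$page = filter_input(INPUT_GET, 'page', FILTER_DEFAULT);     // Noncompliant: no filtering at all
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'default' => 1]]);      // Compliant: validated integer

// Rule: Drupal static query should use proper argument substitution.
$uid = $page;
$rows = db_query("SELECT name FROM {users} WHERE uid = $uid");   // Noncompliant: interpolated value
$rows = db_query('SELECT name FROM {users} WHERE uid = :uid',
    [':uid' => $uid]);                                           // Compliant: named placeholder

// Rule: Drupal dynamic query should use proper argument substitution.
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$query = db_select('users', 'u')->fields('u', ['name']);
$query->where("u.name = '$name'");                   // Noncompliant: raw SQL fragment
$query->condition('u.name', $name);                  // Compliant: value bound by the query builder

// Rule: Drupal Form API unsanitized user input should not be used.
function example_form_submit($form, &$form_state) {
    // $form_state['input'] is the raw, unvalidated request; 'values' has gone through validation.
    drupal_set_message('Hello ' . $form_state['input']['name']);             // Noncompliant
    drupal_set_message(t('Hello @name',
        ['@name' => $form_state['values']['name']]));                         // Compliant: validated + escaped
}
```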