The PHP security engine uses PHPDoc to find more vulnerabilities

Hello PHP developers,

A couple of months ago, we decided to use type hints as source of knowledge for our PHP security engine to better infer the runtime types of a variable.

Today, we are happy to announce that we also consider PHPDoc to infer types.

In the following example we were previously saying nothing:

This was linked to the fact that $connection is not initialized in this file so we have no idea by looking at the code itself what’s the type of $connection.
With the update we made in our PHP security engine, we look at the PHPDoc and get the information that $connection is having the type \Doctrine\DBAL\Connection and we can raise the expected issue.


This feature is available on SonarCloud, and will be included in SonarQube 8.7 Developer Edition.