
PHP parsing issue with constructor method chaining


On a new PHP project I'm developing, I'm running into a problem where SCA seems to be unable to parse a PHP file with valid syntax.  I'm a bit unclear as to whether that means SCA completely ignored translating/analyzing the files with that parsing exception, or if it means it was simply unable to evaluate the individual lines of code that threw warnings.

Additionally, wanted to make sure someone was aware of the bug--new here, forgive me if there's a more appropriate venue for that.

Since PHP 5.4, it's valid syntax to chain methods directly off of a new object constructor (documented as an official new feature of 5.4), e.g.:

$var = (new Foo)->methodCall();

Unfortunately, SCA seems to be reporting the object operator (->) on the chained method call as a parse error.

In the meantime, I'll probably have to refactor the code to do it the old-fashioned, less-efficient way to get the project out the door, but it would be very nice if it could be fixed in a future release.


Accepted Solutions

Unfortunately that is to be expected with current versions of SCA -- the latest version right now 16.10 only claims support for PHP version 5.3. There may be some coverage with files that don't use anything newer than PHP 5.3 in your project, but syntax features from newer versions will likely result in parse errors.


We have an enhancement request open for newer versions of PHP to be supported. I encourage you to open a ticket with our support team (email fortifytechsupport@hpe.com or use https://support.fortify.com) and let us know which version of PHP you're [planning on] using with SCA, as the enhancements are prioritised based on customer demand. Also, if there are only a few > 5.3 syntax features that you make use of, it can help to let us know which, as we may be able to prioritise supporting those initially also.

-Josh

Fortify L3 Support Engineer


Josh,

Thanks very much for the reply.  That would definitely do it--wasn't aware of SCA's limit of PHP 5.3 before, but that's good to know for planning going forward.  Our current development targets PHP 5.6 for most of our applications for security; the only >5.3 feature I can think of off the top of my head that we're intentionally targeting is the constructor method chaining, but I can definitely do some review of release notes & codebases & see if we have other features we're using, then update the enhancement request.

(I'd really love to move to PHP 7 in the near future, especially considering the security enhancements to CSPRNG, but at least there's a backport of that for now.  Definitely going to be a bigger upgrade, though!)

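An added example, not part of the original posts and not Fortify tooling: a heuristic Python scanner that lists where PHP source chains `->` directly off a parenthesized `new` expression, the construct reported above as a parse error, so the affected files can be reviewed or refactored before a scan. The function name, keyword list and sample PHP are constructed for illustration; heredocs and inline HTML are not handled.

```python
import re

# Comments and quoted strings are blanked first so text inside them is not
# matched; heredoc/nowdoc and inline HTML are not handled (assumption: rare).
_SKIP = re.compile(
    r"//[^\n]*|#[^\n]*|/\*.*?\*/|'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"", re.S)
_OPEN = re.compile(r"\(\s*new\b")
# Token directly before "(": an identifier, variable, ")" or "]" means the
# parenthesis is a call's argument list (valid in 5.3), unless it is a keyword.
_PREV = re.compile(r"([$\\\w]+|[)\]])\s*$")
_KEYWORDS = {"return", "echo", "print", "throw", "and", "or", "xor", "case"}

def _blank(match):
    # Keep newlines so reported line numbers match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def find_ctor_chaining(php_source):
    """Return [(line, snippet)] for every `(new X(...))->` in php_source."""
    code = _SKIP.sub(_blank, php_source)
    hits = []
    for m in _OPEN.finditer(code):
        prev = _PREV.search(code, 0, m.start())
        if prev and prev.group(1).lower() not in _KEYWORDS:
            continue  # e.g. make(new Foo)->x(): chaining off a call result
        depth, end = 0, None
        for i in range(m.start(), len(code)):
            if code[i] == "(":
                depth += 1
            elif code[i] == ")":
                depth -= 1
                if depth == 0:
                    end = i
                    break
        if end is not None and code[end + 1:].lstrip().startswith("->"):
            line = code.count("\n", 0, m.start()) + 1
            hits.append((line, php_source[m.start():end + 1] + "->"))
    return hits

# Constructed sample input, not taken from any real project.
SAMPLE = '''<?php
$a = (new Foo)->methodCall();
$b = new Foo; $b->methodCall();
// $c = (new Foo)->commented();
$d = make(new Foo)->methodCall();
return (new Bar("x)", 1))
    ->run();
'''
```

Calling `find_ctor_chaining(SAMPLE)` reports lines 2 and 6 only; the commented-out line and the chain off a function call's return value are skipped.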

I just found out about this limitation as well. We have people moving to PHP 7 already, and this is presenting a major problem.
