SCA custom rules and PHP identifiers
I just discovered this the hard way and want to share it with you all.
PHP identifiers are case insensitive while Source Code Analyzer is case sensitive. It appears that to accommodate for the fact, SCA internally lowercases all identifiers in PHP code. When writing custom rules for PHP you have to specify function names in lowercase, otherwise rules will not match.
If someone from the Fortify team reads this, maybe you can add a note to the custom rules documentation. This would have helped me a lot.
Re: SCA custom rules and PHP identifiers
Okay, I figured out the correct way to do it. The <Pattern> tag in a rule supports an attribute caseInsensitive. As in:
With this it works properly for all ways PHP allows you to spell mYsOuRcE.