user42 Absent Member.

SCA custom rules and PHP identifiers

Hi,

I just discovered this the hard way and want to share it with you all.

PHP identifiers are case insensitive while Source Code Analyzer is case sensitive. It appears that to accommodate for the fact, SCA internally lowercases all identifiers in PHP code. When writing custom rules for PHP you have to specify function names in lowercase, otherwise rules will not match.

If someone from the Fortify team reads this, maybe you can add a note to the custom rules documentation. This would have helped me a lot.

Cheers!

user42 Absent Member.

Re: SCA custom rules and PHP identifiers

Oh, just for the record, I'm using these versions:

Fortify 3.80

Static Code Analyzer 5.15.0.0059

user42 Absent Member.

Re: SCA custom rules and PHP identifiers

Okay, I figured out the correct way to do it. The <Pattern> tag in a rule supports an attribute caseInsensitive. As in:

    <FunctionName>
        <Pattern caseInsensitive="true">mySource</Pattern>
    </FunctionName>

With this it works properly for all ways PHP allows you to spell mYsOuRcE.

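An added example, not part of the original posts and not Fortify's own tooling: a small Python check that flags `<Pattern>` elements under `<FunctionName>` that contain uppercase letters but do not set `caseInsensitive="true"`, which is the condition the thread reports as failing to match in PHP rules. Only `<FunctionName>`, `<Pattern>` and `caseInsensitive` come from the thread; the `<Rules>`/`<Rule>` wrappers, the `id` and `language` attributes and the sample rules are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule pack. Only <FunctionName>/<Pattern> and the
# caseInsensitive attribute come from the thread; the wrapper elements,
# the id/language attributes and the rule contents are assumptions.
SAMPLE_RULES = """
<Rules>
  <Rule id="R1" language="php">
    <FunctionName><Pattern>mySource</Pattern></FunctionName>
  </Rule>
  <Rule id="R2" language="php">
    <FunctionName><Pattern caseInsensitive="true">mySource</Pattern></FunctionName>
  </Rule>
  <Rule id="R3" language="php">
    <FunctionName><Pattern>mysource</Pattern></FunctionName>
  </Rule>
  <Rule id="R4" language="java">
    <FunctionName><Pattern>getParameter</Pattern></FunctionName>
  </Rule>
</Rules>
"""


def find_case_mismatch_risks(xml_text, language="php"):
    """Return (rule id, pattern) pairs that can miss lowercased identifiers.

    A pattern is flagged when it sits under <FunctionName>, contains an
    uppercase letter and does not set caseInsensitive="true". This is a
    heuristic on the pattern text; it does not interpret pattern syntax.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("Rule"):
        if rule.get("language", "").lower() != language:
            continue  # only rules for the case-insensitive language matter
        for pattern in rule.findall(".//FunctionName/Pattern"):
            text = (pattern.text or "").strip()
            insensitive = pattern.get("caseInsensitive", "false").lower() == "true"
            if not insensitive and text != text.lower():
                findings.append((rule.get("id"), text))
    return findings


if __name__ == "__main__":
    for rule_id, text in find_case_mismatch_risks(SAMPLE_RULES):
        print(f'{rule_id}: {text!r} has uppercase but no caseInsensitive="true"')
```

A rule flagged here produces no error; per the thread it simply never matches, so the scan reports fewer findings than the rule author expects.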