Symbolic Analysis allows taint values to be tracked more precisely and more powerfully across a project. Enabling it for PHP will make the analysis field-sensitive, which addresses a known drawback of the current fixpoint analysis: it will significantly reduce the number of FPs we are seeing while keeping the TPs found by fixpoint.
Furthermore, more precise tracking of values will make it possible to fine-tune rules and further reduce the number of FPs in the future.
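To make the field-sensitivity point concrete, here is an added toy illustration in Python. It is not the SonarSecurity/DJaVu engine and not the UCFG format; the statement tuples, the dotted location paths and the sample program are invented for the example. The same constructed PHP-shaped program is run through a field-insensitive tracker (any write to an array taints the whole variable, as the current fixpoint analysis behaves) and a field-sensitive one: the FP on `query($sql)` built from the clean `$user['id']` disappears, while the TP on `echo $user['name']` is kept.

```python
"""Toy comparison of field-insensitive vs field-sensitive taint tracking.

Added illustration only: this is NOT the SonarSecurity / DJaVu engine and
NOT the UCFG representation. The mini IR below is invented for the example.

Statement forms:
  ("source", dst)         untrusted input (e.g. $_GET) flows into dst
  ("const", dst)          a trusted constant is written to dst
  ("assign", dst, src)    dst = src
  ("sink", src, label)    src reaches a sensitive sink identified by label
A location is a dotted path: "user" is a whole variable, "user.name" a field.
"""


def _base(loc):
    # whole-variable part of a path: "user.name" -> "user"
    return loc.split(".", 1)[0]


def _is_prefix(p, loc):
    """True if path p is loc itself or an ancestor of loc ("user" -> "user.name")."""
    return loc == p or loc.startswith(p + ".")


def analyze_field_insensitive(program):
    """Taint per whole variable: a tainted field taints every other field too."""
    tainted = set()
    findings = []
    for stmt in program:
        op = stmt[0]
        if op == "source":
            tainted.add(_base(stmt[1]))
        elif op == "const":
            # Only a whole-variable overwrite can kill taint; a clean write to
            # one field cannot, because the other fields may still be tainted.
            if "." not in stmt[1]:
                tainted.discard(stmt[1])
        elif op == "assign":
            dst, src = _base(stmt[1]), _base(stmt[2])
            if src in tainted:
                tainted.add(dst)
            elif "." not in stmt[1]:
                tainted.discard(dst)
        elif op == "sink":
            if _base(stmt[1]) in tainted:
                findings.append(stmt[2])
    return findings


def analyze_field_sensitive(program):
    """Taint per field path: a write kills exactly the path it overwrites."""
    tainted = set()
    findings = []

    def is_tainted(loc):
        # loc is tainted if it, an ancestor, or a descendant path is tainted
        # (reading $user as a whole is tainted when $user['name'] is).
        return any(_is_prefix(p, loc) or _is_prefix(loc, p) for p in tainted)

    def kill(loc):
        for p in list(tainted):
            if _is_prefix(loc, p):
                tainted.discard(p)

    for stmt in program:
        op = stmt[0]
        if op == "source":
            kill(stmt[1])
            tainted.add(stmt[1])
        elif op == "const":
            kill(stmt[1])
        elif op == "assign":
            dst, src = stmt[1], stmt[2]
            kill(dst)
            for p in list(tainted):
                if _is_prefix(src, p):
                    # copying a whole variable carries its tainted fields across
                    tainted.add(dst + p[len(src):])
                elif _is_prefix(p, src):
                    # reading a field of a wholly tainted variable
                    tainted.add(dst)
        elif op == "sink":
            if is_tainted(stmt[1]):
                findings.append(stmt[2])
    return findings


# Constructed PHP-shaped sample program:
#   $user['name'] = $_GET['name'];  $user['id'] = 42;
#   $sql = "... " . $user['id'];    query($sql);      // clean: FP if field-insensitive
#   echo $user['name'];                               // real injection: TP
#   $copy = $user;  echo $copy['name'];  echo $copy['id'];
SAMPLE = [
    ("source", "user.name"),
    ("const", "user.id"),
    ("assign", "sql", "user.id"),
    ("sink", "sql", "query(sql)"),
    ("sink", "user.name", "echo(user.name)"),
    ("assign", "copy", "user"),
    ("sink", "copy.name", "echo(copy.name)"),
    ("sink", "copy.id", "echo(copy.id)"),
]

if __name__ == "__main__":
    print("field-insensitive:", analyze_field_insensitive(SAMPLE))
    print("field-sensitive:  ", analyze_field_sensitive(SAMPLE))
```

The field-insensitive run reports all four sinks; the field-sensitive run reports only the two sinks that actually read `name`, so the two FPs go away while both TPs survive. Also note the `$copy = $user` line: copying a whole variable has to carry the tainted field paths across, which is the kind of case the real engine needs its array/collection handling to get right.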
Given that both engines run on our intermediate representation (UCFGs), switching from one to the other should require minimal effort.
The Symbolic Analysis engine is the result of merging the current SonarSecurity analyzer with the advanced technology coming from RIPS DJaVu. The engine currently runs for Java on the UCFGs generated by the java-security-frontend plugin. The goal here is to reuse the engine and the UCFGs generated by the csharp-security-frontend so that the PHP analysis is switched over to symbolic analysis.
- Update the engine to run Symbolic Analysis by default for the PHP language.
- Write specific "stubs" for collections, as was done for Java. These stubs make sure an ArraySymbol is correctly created when a collection is instantiated inside the UCFGs.
- Investigate IT & peach results