
[PHP] SonarSecurity knows about WordPress sources/sinks/sanitizers


    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:
      None

      Description

      According to W3Techs, WordPress is used by around 65% of all websites whose CMS they could identify.

      WHY

      Despite WordPress' popularity, our PHP security analysis has no specific knowledge yet of the functions exposed by the WordPress core. This matters most when WordPress plugins or themes are scanned on their own (i.e., without the WordPress core codebase): calls into core functions then resolve to nothing, so the analyzer cannot tell whether a call introduces user input, neutralizes it, consumes it dangerously, or merely forwards it, which produces both missed vulnerabilities and false positives. Even when the WordPress core codebase is part of the analysis, having this knowledge predefined in our analyzer would make the analysis more precise and faster, since the taint engine no longer has to re-derive the behaviour of large core functions on every scan.

      WHAT

      The WordPress core contains a vast collection of functions and methods that plugin and theme developers can use in their code. For taint analysis, each of these plays one of a few roles: a source that introduces attacker-controlled data (e.g. get_query_var()), a sanitizer/validator that neutralizes it for a given context (e.g. esc_html() for HTML output, $wpdb->prepare() for SQL), a sink that must not receive tainted data (e.g. $wpdb->query(), wp_redirect()), or simply a passthrough that forwards taint unchanged (e.g. wp_unslash()). We will extend the PHP analysis in SonarSecurity with this knowledge.
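      As an added illustration (this is not code from the ticket, from SonarSource, or from WordPress itself), the following minimal plugin request handler shows each of those roles in WordPress core terms: first a tainted version, then the same handler hardened. The plugin prefix acme_ and the admin_post_acme_search action name are hypothetical; every WordPress function used is a real core function and is annotated with the role a taint analysis would assign to it.

```php
<?php
// Added example (not SonarSource or WordPress code). Hypothetical "acme_"
// plugin handler registered on admin_post_acme_search; it only runs inside
// WordPress, where $wpdb and the wp_*/esc_*/sanitize_* functions exist.

// --- Vulnerable form --------------------------------------------------------
function acme_search_vulnerable() {
    global $wpdb;

    // SOURCE: request data is attacker-controlled.
    // PASSTHROUGH: wp_unslash() only strips the slashes WordPress adds to
    // request data; the value stays tainted.
    $term = wp_unslash( $_GET['term'] ?? '' );

    // SINK (SQL injection): $wpdb->get_results() executes the string verbatim.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%'"
    );

    foreach ( $rows as $row ) {
        // SINK (reflected XSS): untrusted data echoed straight into HTML.
        echo '<li>' . $row->post_title . ' (' . $term . ')</li>';
    }

    // SINK (open redirect): wp_redirect() follows any URL, external ones included.
    wp_redirect( $_GET['back'] ?? admin_url() );
    exit;
}

// --- Hardened form ----------------------------------------------------------
function acme_search_hardened() {
    global $wpdb;

    // Authorization checks; not taint-related, but part of any real handler.
    check_admin_referer( 'acme_search' );
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    // SANITIZER for free text: sanitize_text_field() strips tags, invalid
    // octets and extra whitespace. Caveat: it is NOT a SQL or HTML sanitizer,
    // so each sink below still needs its own context-specific escaping.
    $term = sanitize_text_field( wp_unslash( $_GET['term'] ?? '' ) );

    // SANITIZER for SQL: the tainted value goes into a %s placeholder, never
    // into the format string; $wpdb->esc_like() neutralizes LIKE wildcards.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
            '%' . $wpdb->esc_like( $term ) . '%'
        )
    );

    foreach ( $rows as $row ) {
        // SANITIZER for HTML body context: esc_html(). Inside an attribute
        // the matching sanitizer would be esc_attr() instead.
        echo '<li>' . esc_html( $row->post_title ) . ' (' . esc_html( $term ) . ')</li>';
    }

    // SANITIZER for redirects: wp_safe_redirect() falls back to the admin URL
    // unless the target host is local or in the allowed_redirect_hosts filter.
    $back = esc_url_raw( wp_unslash( $_GET['back'] ?? admin_url() ) );
    wp_safe_redirect( $back );
    exit;
}

add_action( 'admin_post_acme_search', 'acme_search_hardened' );
```

      The point for the analyzer is that the two functions are identical in shape; only knowledge of what sanitize_text_field(), $wpdb->prepare(), esc_html() and wp_safe_redirect() do lets it report three issues in the first handler and none in the second, and only knowledge that wp_unslash() is a passthrough lets it keep tracking the taint through that call at all.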

      HOW

      For some functions this is simply a matter of adding them to the configuration files: a function that always sanitizes for a given context, or is always a sink, can be declared as such. Others will require emulating their behaviour with stubs, because what they do depends on their arguments; $wpdb->prepare() is only safe when the untrusted value goes into a placeholder rather than into the format string, and wp_kses() is only as strict as the allowed-tags list it is given.

      See tickets linked to this MMF.

    People

    • Assignee: Unassigned
    • Reporter: Alexandre Gigleux (alexandre.gigleux)
    • Votes: 0
    • Watchers: 1
