According to W3Techs, WordPress is used by around 65% of all websites whose CMS they could identify.
Despite WordPress’ popularity, our PHP security analysis has no specific knowledge yet about the functions exposed by the WordPress core. This matters most when WordPress plugins or themes are scanned on their own (i.e., without the WordPress core codebase), since the analyzer then cannot see what those functions do. Even when the WordPress core codebase is part of the analysis, having this knowledge predefined in our analyzer would make the analysis both more precise and faster.
The WordPress core contains a vast collection of functions and methods that plugin and theme developers can use in their code. From a taint-analysis perspective, some of these act as sources, some as sanitizers/validators, some as sinks, and others simply pass their input through. We will extend the PHP analysis in SonarSecurity with this knowledge.
For some functions it is simply a matter of adding them to the configuration files; others will require emulating their behavior with stubs.
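The following PHP snippet is an added example, not code from SonarSource or from WordPress core: it shows, in a hypothetical plugin handler, which WordPress core functions a taint analysis has to classify as source, passthrough, sanitizer or sink, with a tainted "before" version beside a fixed "after" version, and ends with the kind of stub the text mentions for the case where core is not part of the scanned code. The plugin function names, the `demo_notes` table and the request parameters are made up for illustration; the WordPress functions used (`wp_unslash`, `absint`, `sanitize_text_field`, `esc_html`, `$wpdb->prepare`, `$wpdb->query`) are real core APIs.

```php
<?php
// Added example (not SonarSource's or WordPress core's own code).
// Hypothetical plugin handler illustrating the taint roles of core functions.
//
// Informal analyzer knowledge exercised below:
//   source:      $_GET / $_POST / $_REQUEST, get_query_var()
//   passthrough: wp_unslash()             (taint flows through unchanged)
//   sanitizer:   absint(), sanitize_text_field(), esc_html(), $wpdb->prepare()
//   sink:        $wpdb->query() / get_results()  (SQL), echo into HTML

// BEFORE: user input reaches the SQL and HTML sinks without any sanitizer.
// The analyzer should report both flows.
function demo_plugin_delete_note_vulnerable() {
    global $wpdb;
    $id = wp_unslash( $_GET['note_id'] );                 // source -> passthrough (still tainted)
    $wpdb->query( "DELETE FROM {$wpdb->prefix}demo_notes WHERE id = $id" ); // SQL sink, tainted
    echo 'Deleted note ' . $_GET['note_id'];              // HTML sink, tainted
}

// AFTER: every path from the source to a sink crosses a sanitizer,
// so the analyzer should report nothing here.
function demo_plugin_delete_note_fixed() {
    global $wpdb;
    $id = absint( wp_unslash( $_GET['note_id'] ?? 0 ) );  // absint(): integer sanitizer
    $wpdb->query(
        $wpdb->prepare(                                   // prepare(): SQL sanitizer, %d enforces an int
            "DELETE FROM {$wpdb->prefix}demo_notes WHERE id = %d",
            $id
        )
    );
    $label = sanitize_text_field( wp_unslash( $_GET['label'] ?? '' ) ); // strips tags and control chars
    echo 'Deleted note ' . esc_html( $label );            // esc_html(): HTML-context sanitizer
}

// A stub of the kind the text mentions: a simplified behavioral model of
// wp_unslash() for scans where WordPress core is absent. It mirrors core's
// recursive unslashing of string values (assumption: arrays and strings are the
// only cases that matter for taint) and deliberately keeps taint, because the
// output is exactly as attacker-controlled as the input.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        if ( is_array( $value ) ) {
            return array_map( 'wp_unslash', $value );
        }
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
```

The point of the stub is that a passthrough must be modelled as propagating taint: if the analyzer had no definition for `wp_unslash()` it might either drop the flow (a false negative) or treat the call as an unknown sanitizer. The configuration-only cases are the functions whose role is fixed (`esc_html` always sanitizes for an HTML context); the functions whose effect depends on their arguments, such as `$wpdb->prepare` with its format placeholders, are the ones that need emulation.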
See tickets linked to this MMF.