PHP Analysis

HCL AppScan on Cloud scans PHP with an optimized scanner, making scans faster, easier to leverage, and available on macOS as well as Windows and Linux.

PHP analysis details

The addition of an optimized scanner for scanning PHP brings additional functionality to HCL AppScan on Cloud:
  • To take advantage of the PHP scanner, all plugins and the Static Analyzer Command Line Utility must be up-to-date:
    • Plugins automatically download the latest Static Analyzer Command Line Utility when they run.
    • If you try to prepare code for scanning using Static Analyzer Command Line Utility version 7.x or earlier, you see an error message. Upgrade to the latest Static Analyzer Command Line Utility based on your operating system (Windows, Linux, Mac).
    • If you are using AppScan Go!, accept and install the latest update if an update is offered.
  • The PHP scanner uploads all your PHP code to AppScan on Cloud as part of analysis, not just an intermediate representation of the code.
  • The PHP scanner extracts code from the scan target as part of analysis. Practically, this allows you to see the exact PHP expression that needs to be addressed.
  • The AppScan on Cloud client utility prepares PHP code for scanning faster than before thanks to an updated scan configuration.
  • PHP analysis is now available on Macs in addition to Windows and Linux.

PHP analysis examples

Prior to implementation of the optimized PHP scanner, scan results might look something like this:

With the optimized PHP scanner, the same scan might look something like this:

While the analysis using the optimized scanner no longer displays the trace, the location of the vulnerable expression ($out = shell_exec($cmd);) in the code (line 14) is still reported. It is indicated before the result by the DF marker and after the result by the code extract.
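To make the finding above concrete, here is an added example (not code from the AppScan documentation or from any HCL product) showing the kind of PHP expression the scanner reports, next to a hardened version a reviewer would expect after triage. The script, the ping_unsafe and ping_safe function names and the hostname use case are assumptions made for illustration.

```php
<?php
// Added example, not part of the AppScan documentation.
// Assumed scenario: a small script that pings a host supplied by the caller.

// Vulnerable form: the caller's input reaches shell_exec() unchanged, which is
// the pattern the scanner reports as "$out = shell_exec($cmd);" in the code extract.
function ping_unsafe(string $host): string
{
    $cmd = "ping -c 1 " . $host;   // $host is untrusted input
    $out = shell_exec($cmd);       // the line the scanner flags
    return (string) $out;
}

// Hardened form: validate the input against a strict allowlist first, then
// quote it with escapeshellarg() so the shell treats it as a single argument.
function ping_safe(string $host): string
{
    // Hostnames only contain letters, digits, dots and hyphens (RFC 1123 shape);
    // anything else is rejected before a shell is ever involved.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    $cmd = 'ping -c 1 ' . escapeshellarg($host);
    $out = shell_exec($cmd);
    return (string) $out;
}

// Usage: the first call throws instead of running the command; the second runs it.
try {
    ping_safe('example.com; id');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
echo ping_safe('localhost');
```

Note that escapeshellarg() alone is the minimum fix; the allowlist check in front of it is what keeps the finding from reappearing under a slightly different shape, and on PHP 7.4 and later passing an array to proc_open() avoids invoking a shell entirely, which removes the sink the scanner is looking for.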

Additional information

Keep the following in mind as you work with the PHP scanner:
  • PHP issues produced by the optimized scanner will not be identified as matching issues from previous iterations of the scanner. This may result in previously triaged issues appearing as “New”.
  • Data flow is no longer available for PHP findings as Trace findings are not provided.

We welcome your feedback on how the PHP scanner is working for you. If you have questions or requests for enhancements to the scanner, please reach out to HCL through the support portal.