Feature/phpcs

README.md

@@ -62,6 +62,7 @@ Currently, performance analysis consists of:
     * [GitLeaks][Gitleaks]
 * PHP
     * [Semgrep][Semgrep]
+    * [PHPCS][PHPCS]
 * C/C++
     * [Semgrep][Semgrep]
     * [Flawfinder][Flawfinder]
@@ -187,3 +188,4 @@ This project exists thanks to all the [contributors]((https://github.com/ZupIT/h
 [Semgrep]: https://github.com/returntocorp/semgrep
 [EsLint]: https://github.com/eslint/eslint
 [Flawfinder]: https://github.com/david-a-wheeler/flawfinder
+[PHPCS]: https://github.com/FloeDesignTechnologies/phpcs-security-audit

deployments/dockerfiles/phpcs/.semver.yaml

@@ -0,0 +1,4 @@
+alpha: 0
+beta: 0
+rc: 0
+release: v0.0.1

deployments/dockerfiles/phpcs/Dockerfile

@@ -0,0 +1,25 @@
+# Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM php:7.4-alpine
+
+RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
+
+RUN composer global config bin-dir /usr/local/bin
+
+RUN composer global require "squizlabs/php_codesniffer=*"
+
+RUN composer require --dev pheromone/phpcs-security-audit
+
+RUN phpcs --config-set installed_paths /vendor/pheromone/phpcs-security-audit/Security

development-kit/pkg/entities/analyser/c/result_test.go

@@ -0,0 +1,82 @@
+package c
+
+import (
+	"github.com/ZupIT/horusec/development-kit/pkg/enums/severity"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetDetails(t *testing.T) {
+	result := &Result{
+		Warning:    "test",
+		Suggestion: "test",
+		Note:       "test",
+	}
+
+	t.Run("should success get details", func(t *testing.T) {
+		details := result.GetDetails()
+
+		assert.NotEmpty(t, details)
+		assert.Equal(t, "test test test", details)
+	})
+
+}
+
+func TestGetSeverity(t *testing.T) {
+	result := &Result{
+		Level: "0",
+	}
+
+	t.Run("should get severity low", func(t *testing.T) {
+		assert.Equal(t, severity.Low, result.GetSeverity())
+
+		result.Level = "1"
+		assert.Equal(t, severity.Low, result.GetSeverity())
+
+		result.Level = "2"
+		assert.Equal(t, severity.Low, result.GetSeverity())
+	})
+
+	t.Run("should get severity medium", func(t *testing.T) {
+		result.Level = "3"
+		assert.Equal(t, severity.Medium, result.GetSeverity())
+
+		result.Level = "4"
+		assert.Equal(t, severity.Medium, result.GetSeverity())
+
+		result.Level = "2"
+		assert.NotEqual(t, severity.Medium, result.GetSeverity())
+
+		result.Level = "5"
+		assert.NotEqual(t, severity.Medium, result.GetSeverity())
+	})
+
+	t.Run("should get severity high", func(t *testing.T) {
+		result.Level = "5"
+		assert.Equal(t, severity.High, result.GetSeverity())
+
+		result.Level = "6"
+		assert.Equal(t, severity.High, result.GetSeverity())
+
+		result.Level = "1"
+		assert.NotEqual(t, severity.High, result.GetSeverity())
+
+		result.Level = "4"
+		assert.NotEqual(t, severity.High, result.GetSeverity())
+	})
+}
+
+func TestGetFilename(t *testing.T) {
+	result := &Result{
+		File: "./test.c",
+	}
+
+	t.Run("should success get filename", func(t *testing.T) {
+		filename := result.GetFilename()
+
+		assert.NotEmpty(t, filename)
+		assert.NotContains(t, filename, "./")
+		assert.Equal(t, "test.c", filename)
+	})
+
+}

development-kit/pkg/entities/analyser/php/phpcs/message.go

@@ -0,0 +1,26 @@
+package phpcs
+
+import (
+	"strconv"
+	"strings"
+)
+
+type Message struct {
+	Message string `json:"message"`
+	Line    int    `json:"line"`
+	Column  int    `json:"column"`
+	Type    string `json:"type"`
+}
+
+func (m *Message) GetLine() string {
+	return strconv.Itoa(m.Line)
+}
+
+func (m *Message) GetColumn() string {
+	return strconv.Itoa(m.Column)
+}
+
+func (m *Message) IsValidMessage() bool {
+	return m.Type == "ERROR" &&
+		!strings.Contains(m.Message, "This implies that some PHP code is not scanned by PHPCS")
+}

development-kit/pkg/entities/analyser/php/phpcs/message_test.go

@@ -0,0 +1,52 @@
+package phpcs
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestGetLine(t *testing.T) {
+	message := &Message{
+		Line: 1,
+	}
+
+	t.Run("should success get line", func(t *testing.T) {
+		line := message.GetLine()
+
+		assert.NotEmpty(t, line)
+		assert.Equal(t, "1", line)
+	})
+}
+
+func TestGetColumn(t *testing.T) {
+	message := &Message{
+		Column: 1,
+	}
+
+	t.Run("should success get column", func(t *testing.T) {
+		column := message.GetColumn()
+
+		assert.NotEmpty(t, column)
+		assert.Equal(t, "1", column)
+	})
+}
+
+func TestIsValidMessage(t *testing.T) {
+	t.Run("should return false if invalid message", func(t *testing.T) {
+		message := &Message{
+			Message: "This implies that some PHP code is not scanned by PHPCS",
+			Type:    "ERROR",
+		}
+
+		assert.False(t, message.IsValidMessage())
+	})
+
+	t.Run("should return true if valid message", func(t *testing.T) {
+		message := &Message{
+			Message: "",
+			Type:    "ERROR",
+		}
+
+		assert.True(t, message.IsValidMessage())
+	})
+}

development-kit/pkg/entities/analyser/php/phpcs/result.go

@@ -0,0 +1,5 @@
+package phpcs
+
+type Result struct {
+	Messages []Message `json:"messages"`
+}

development-kit/pkg/enums/languages/languages.go

@@ -46,6 +46,7 @@ func ParseStringToLanguage(value string) (l Language) {
 	return Unknown
 }
 
+//nolint
 func SupportedLanguages() []Language {
 	return []Language{
 		Go,
@@ -60,6 +61,7 @@ func SupportedLanguages() []Language {
 		Generic,
 		Yaml,
 		C,
+		PHP,
 		Unknown,
 	}
 }
@@ -78,6 +80,7 @@ func (l Language) MapEnableLanguages() map[string]Language {
 		Generic.ToString():    Generic,
 		Yaml.ToString():       Yaml,
 		C.ToString():          C,
+		PHP.ToString():        PHP,
 	}
 }
 

development-kit/pkg/enums/languages/languages_test.go

@@ -27,7 +27,7 @@ func TestToString(t *testing.T) {
 
 func TestMapEnableLanguages(t *testing.T) {
 	t.Run("should map enable languages", func(t *testing.T) {
-		assert.Len(t, CSharp.MapEnableLanguages(), 12)
+		assert.Len(t, CSharp.MapEnableLanguages(), 13)
 	})
 }
 
@@ -43,6 +43,6 @@ func TestParseStringToLanguage(t *testing.T) {
 
 func TestSupportedLanguages(t *testing.T) {
 	t.Run("should return supported languages", func(t *testing.T) {
-		assert.Len(t, SupportedLanguages(), 13)
+		assert.Len(t, SupportedLanguages(), 14)
 	})
 }

development-kit/pkg/enums/tools/tools.go

@@ -36,6 +36,7 @@ const (
 	Eslint            Tool = "Eslint"
 	HorusecNodejs     Tool = "HorusecNodeJS"
 	Flawfinder        Tool = "Flawfinder"
+	PhpCS             Tool = "PhpCS"
 )
 
 func (t Tool) ToString() string {

development-kit/pkg/usecases/analysis/analysis.go

@@ -20,7 +20,6 @@ import (
 	"time"
 
 	apiEntities "github.com/ZupIT/horusec/development-kit/pkg/entities/api"
-
 	horusecEntities "github.com/ZupIT/horusec/development-kit/pkg/entities/horusec"
 	EnumErrors "github.com/ZupIT/horusec/development-kit/pkg/enums/errors"
 	"github.com/ZupIT/horusec/development-kit/pkg/enums/horusec"
@@ -181,6 +180,7 @@ func (au *UseCases) sliceTools() []interface{} {
 		tools.Eslint,
 		tools.HorusecKubernetes,
 		tools.Flawfinder,
+		tools.PhpCS,
 	}
 }
 

horusec-cli/internal/controllers/analyser/analyser.go

@@ -16,7 +16,6 @@ package analyser
 
 import (
 	"fmt"
-	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/c/flawfinder"
 	"log"
 	"os"
 	"os/signal"
@@ -25,6 +24,9 @@ import (
 	"strings"
 	"time"
 
+	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/c/flawfinder"
+	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/php/phpcs"
+
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/csharp/horuseccsharp"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/javascript/horusecnodejs"
 	"github.com/ZupIT/horusec/horusec-cli/internal/services/formatters/yaml/horuseckubernetes"
@@ -191,6 +193,7 @@ func (a *Analyser) mapDetectVulnerabilityByLanguage() map[languages.Language]fun
 		languages.Generic:    a.detectVulnerabilityGeneric,
 		languages.Yaml:       a.detectVulnerabilityYaml,
 		languages.C:          a.detectVulnerabilityC,
+		languages.PHP:        a.detectVulnerabilityPHP,
 	}
 }
 
@@ -260,6 +263,11 @@ func (a *Analyser) detectVulnerabilityC(projectSubPath string) {
 	go flawfinder.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
 }
 
+func (a *Analyser) detectVulnerabilityPHP(projectSubPath string) {
+	a.monitor.AddProcess(1)
+	go phpcs.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)
+}
+
 func (a *Analyser) detectVulnerabilityGeneric(projectSubPath string) {
 	a.monitor.AddProcess(1)
 	go semgrep.NewFormatter(a.formatterService).StartAnalysis(projectSubPath)

horusec-cli/internal/services/formatters/php/phpcs/config.go

@@ -0,0 +1,26 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package phpcs
+
+const (
+	ImageName = "horuszup/horusec-phpcs"
+	ImageTag  = "v0.0.1"
+	// nolint
+	ImageCmd = `
+		phpcs --report=json --standard=/vendor/pheromone/phpcs-security-audit/example_drupal7_ruleset.xml . > /tmp/result-ANALYSISID.json
+		cat /tmp/result-ANALYSISID.json
+		chmod -R 777 .
+  	`
+)