CodeScan

All times are UTC + 12 hours [ DST ]
 Post subject: PHP Include File Detection is a showstopper
PostPosted: Thu Jan 21, 2010 3:50 am 

Joined: Thu Jan 21, 2010 3:39 am
Posts: 2
Hi,

Right now the include file detection for php is based on the basename of the file.
This results in a major PITA when using standard frameworks - like the Zend Framework - which deliver a big set of Interface.php, Abstract.php and the like.

It would be great if the path / dirname of a required path could be used as well.
I.e.:
If you are looking for a file with the include / require statement
require_once 'patha_1/patha_2/Abstract.php', please check if there is a match not only including "Abstract.php", but 'patha_1/patha_2'.

Right now I'd see a select field including
patha_0/patha_1/patha_2/Abstract.php
pathb_0/pathb_1/pathb_2/Abstract.php
pathc_0/pathc_1/Abstract.php
...
From a php point of view, only a match for patha_1/patha_2/Abstract.php is technically possible.

I am not able to scan a bigger zend framework based project right now due to this issue.

Thanks for your support,
best regards

Johann-Peter Hartmann


 Post subject: Re: PHP Include File Detection is a showstopper
PostPosted: Thu Jan 21, 2010 12:30 pm 
CodeScan Labs Team

Joined: Wed Sep 30, 2009 1:54 pm
Posts: 9
Location: Auckland, New Zealand
Hi Johann-Peter,

We have identified that in some frameworks under PHP CodeScan can have sub-optimal detection of include files, especially in large or complex projects.

We are actively working on this issue, and are looking to roll out improved file detection over the next couple of releases - and will be sure to include Zend framework applications for testing within this process.

In the meantime, manual include detection does save include file location once it has been detected. So for future scans, previously found include files will be scanned automatically. While the first scan of a project may be arduous, future scans of the same project will be much less hassle.

You can also disable the prompt for missing include files. This will allow CodeScan to complete scans, but without scanning any include files that it cannot automatically detect. While this does reduce the scanning coverage, such a scan may assist you in identifying problem areas which warrant further investigation. To disable this prompt, select "Options", then unselect the "Prompt for Missing Includes" option.

Kind Regards,
Matt Weston
CodeScan Support


 Post subject: Re: PHP Include File Detection is a showstopper
PostPosted: Sun Jan 24, 2010 11:20 pm 

Joined: Thu Jan 21, 2010 3:39 am
Posts: 2
Hi Matt,

thanks for your answer.
Manual includes are not an option, I just spent 5 hours to include 800 files, with 1000 files to go - my developers would hate me if I'd assign them to "just do the manual workaround to get CodeScan working for a couple of days" ;-).
Ignoring the files is not an option either, since - in Zend Framework applications - the ZF plays the major role in data flow and execution path.
I am looking forward to your updates. Feel free to contact us if you are interested in additional beta testers, MS debugging knowledge included.

Thanks for your help,
Johann

PS: We already found some issues in phpMyFAQ using CodeScan (beneath a mountain of false positives, but that's expected behavior with static code analysis), so the first impression of CodeScan is rather good. Nevertheless ZF is the default framework at our company, so right now CodeScan does not work for 90% of our software.


 Post subject: Re: PHP Include File Detection is a showstopper
PostPosted: Mon Jan 25, 2010 9:57 am 
CodeScan Labs Team

Joined: Wed Sep 30, 2009 1:54 pm
Posts: 9
Location: Auckland, New Zealand
Hi Johann,

Fair enough :-) We'll add you to our beta testing list - we're always happy to provide Beta releases, especially when debugging knowledge is available.

We're also always interested in what people find in OSS with CodeScan - let us know when you release the advisory.

It is possible within CodeScan to identify sanitizing functions to reduce the false positive rate - Select File, Configure Project, then select the "Custom Filters" tab. Click the new icon in the top left of that window to create one - and allocate a score (0 - no cleaning to 100 - fully cleaned) to each category. You can then use the filter threshold in the vulnerability list to exclude results above a certain level of confidence. Pretty handy if you have one (or a few) generic CleanString() type function implemented within a project.

Thanks,
Matt

