First off, thanks for taking time to contribute! 🎉👍
Every time you report a bug, provide:
- PHP version
- Progpilot version
- Configuration of progpilot
- Files or code you are trying to analyze
This allows contributors to reproduce the bug.
All PHP code must adhere to the PSR-2 standard (except for tests).
Developers can use GrumPHP to ensure each progpilot commit meets the code style (phpcs) requirements.
Most of the time, progpilot's analysis can be extended simply by adding the corresponding sources, sinks, validators and sanitizers: look at how it was done for the currently supported frameworks.
A new functionality must be testable. To do that:
- Select the category of your functionality in the dataProvider function in projects/tests/RunAll.php
  - for example ooptest.php if your functionality extends oop analysis
- Add your test in the projects/tests/tests/oop folder
- Edit projects/tests/ooptest.php and add the expected output of your test:
    [
        "./tests/oop/simple27.php",
        [["\$_GET[\"p\"]", "8", "xss"],
        ["\$_GET[\"t\"]", "17", "xss"]]
    ]
- The first element of the array is the name of the file you created in step 3.
- The second element is an array: the list of detected vulnerabilities in the correct order, where each vulnerability is itself an array of:
  - the source name, the source line number, and the type of vulnerability (attack)
  - if several sources participate in the vulnerability, add them like this: [array("$var5", "$var6"), array("3", "4"), "xss"]
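As an added illustration of the entry format above (not taken from the progpilot repository), here is a constructed test file together with the dataProvider entry it would need. The file name, the reported order of findings, and the exact source names progpilot prints for the two-source case are assumptions derived from the format described above.

```php
<?php
// 1) Constructed test file (assumed path: projects/tests/tests/oop/simple_two_sources.php).
//    The numbers in the comment below are that file's line numbers; the expected
//    output cites the line where each source appears, so they must match exactly.
//
//    1  <?php
//    2  $a = $_GET["p"];      // first source
//    3  $b = $_GET["t"];      // second source
//    4  echo $a . $b;         // sink: one xss finding fed by both sources
//    5  echo $_GET["u"];      // sink: a second, single-source xss finding
//
// 2) Matching entry for the array returned by dataProvider() in projects/tests/ooptest.php.
//    Findings are listed in the order they are reported (assumed here to follow sink order);
//    a finding with several sources uses the array(...) form for both names and lines.
$entry = [
    "./tests/oop/simple_two_sources.php",
    [
        [array("\$_GET[\"p\"]", "\$_GET[\"t\"]"), array("2", "3"), "xss"],
        ["\$_GET[\"u\"]", "5", "xss"],
    ],
];
```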