Closed andrewholgate closed 8 years ago
I believe phpcs-security-audit does not handle this. This is a feature of phpcs; you should instruct it to scan .inc files as documented at https://github.com/Pheromone/phpcs-security-audit#usage
While I agree Features-generated code should not be scanned (you don't write it and should not manually edit it), you need to handle this yourself while running phpcs with the phpcs-security-audit rule set.
Ah ah! That rule was just there to put a warning when usage of the tool didn't follow one of my main objectives: to have as much code coverage as possible. If you are not scanning the .inc files that are included, then you don't cover code that will be executing. Even if you'd say that the file is empty or something, it could always be used to store a backdoor on a production server (yes, phpcs-security-audit can be used in prod to detect backdoors).
That said, if you really want to avoid it and not scan that code, you can just remove it from the config file (I don't see it in master, so you either added it yourself or it's a bug):
```xml
<rule ref="Security.Misc.IncludeMismatch"/>
```
or you could tweak it to not scan your Drupal files with that rule (not recommended):
```xml
<rule ref="Security.Misc.IncludeMismatch">
  <!-- As posted this read "(?<\.module)$", which is not valid PCRE (a lookbehind needs "=" or "!");
       "(?<=" is the assumed intent: match only paths ending in ".module" -->
  <exclude-pattern>(?<=\.module)$</exclude-pattern>
</rule>
```
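An added example ruleset (not from the thread or from the phpcs-security-audit project) that takes the maintainer's preferred route: widen the extensions phpcs scans so the .inc files pulled in by Features are covered, instead of muting the sniff. The ruleset name and the paths are placeholders; the commented-out block is the "not recommended" alternative from the thread.

```xml
<?xml version="1.0"?>
<!-- Added example, not the project's own file. Ruleset name and paths are placeholders. -->
<ruleset name="Drupal-Security-Audit">
  <description>phpcs-security-audit over a Drupal 7 code base, including Features-generated includes.</description>

  <!-- Scan what actually executes: PHP files plus the Drupal .inc, .module and .install files
       that .module files include(). With .inc covered, IncludeMismatch no longer fires on
       Features' generated include line. -->
  <arg name="extensions" value="php,inc,module,install"/>

  <!-- Directory to audit (placeholder). -->
  <file>./sites/all/modules/custom</file>

  <!-- Keep contrib out of the report so the findings concern code you maintain. -->
  <exclude-pattern>*/sites/all/modules/contrib/*</exclude-pattern>

  <!-- The complete phpcs-security-audit standard; individual sniffs are referenced as
       Security.<Category>.<Sniff>, e.g. Security.Misc.IncludeMismatch. -->
  <rule ref="Security"/>

  <!-- Not recommended alternative from the thread: silence IncludeMismatch for .module files only.
       Left commented out, because it hides the warning without scanning the included .inc file. -->
  <!--
  <rule ref="Security.Misc.IncludeMismatch">
    <exclude-pattern>*\.module$</exclude-pattern>
  </rule>
  -->
</ruleset>
```

Run it with `phpcs --standard=path/to/this-ruleset.xml` from the site root; the `extensions` argument in the file replaces the `--extensions` flag the README asks for.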
A common way to develop projects is to use Features and put all of the custom code into the .module file.
Features automatically added the following include to all .module files on the 7th line:
Which produces the following warning for all Features using the Drupal7 Standard: