ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

PHP app is scanned by PHP linters, report is not produced #276

Closed nickbabkin closed 3 years ago

nickbabkin commented 3 years ago

Hi! Second issue during the day for me.

I'm trying to scan a PHP application by running a simple docker-based scan. SAST-Scan is running without any issues and detecting the language correctly; however, reports for audit-php and taint-php are not produced and results are not shown in the CLI:

docker run --rm --network none -e "WORKSPACE=${PWD}" -v $PWD:/app shiftleft/scan scan
canning /app using plugins ['credscan', 'plsql', 'php', 'nodejs', 'yaml', 'bash', 'depscan']
Initializing audit-init ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with audit-php ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with taint-php ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with credscan ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with source-sql ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with yamllint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with source-yaml ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--
Scanning with bash ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--   
                                                License Scan Summary (php)
╔═════════════════════════╤═════════╤════════════╤═════════════════════════════════════════════════════════════════════════════╗
║ Package                 │ Version │ License Id │ License conditions                                                          ║
╟─────────────────────────┼─────────┼────────────┼─────────────────────────────────────────────────────────────────────────────╢

╚═════════════════════════╧═════════╧════════════╧═════════════════════════════════════════════════════════════════════════════╝
Scanning with depscan ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% -:--:--[15:29:21] INFO     Baseline file written to /app/reports/.sastscan.baseline
                             Security Scan Summary
╔═══════════════════════════════════╤══════════╤══════╤════════╤═════╤════════╗
║ Tool                              │ Critical │ High │ Medium │ Low │ Status ║
╟───────────────────────────────────┼──────────┼──────┼────────┼─────┼────────╢
║ Security Audit for Infrastructure │        0 │    0 │      0 │   0 │   ✅   ║
║ SQL Source Analyzer               │        0 │    0 │      0 │   0 │   ✅   ║
║ Shell Script Analysis             │        0 │    0 │      0 │   0 │   ✅   ║
╚═══════════════════════════════════╧══════════╧══════╧════════╧═════╧════════╝

Any ideas why this may be happening?

prabhu commented 3 years ago

Hi @nickbabkin

For php, the --build argument is required.

https://slscan.io/en/latest/getting-started/#language-specific-scans

prabhu commented 3 years ago

You can also set an environment variable SCAN_DEBUG_MODE=debug which will produce useful debug output. It is turned off by default.

nickbabkin commented 3 years ago

@prabhu thanks, missed this small detail.

We have some internal dependencies in composer (to be fetched from private github repositories), hence the build process fails. Which environment variable shall I set for scan to be able to fetch these dependencies?

I guess GITHUB_TOKEN won't do the job will it?

prabhu commented 3 years ago

You can set an environment variable called COMPOSER_AUTH with a JSON like the one below and a PAT

COMPOSER_AUTH='{"github-oauth": {"github.com": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}}'

Also set the same token as GITHUB_TOKEN so that we can do package lookup for depscan

-t php,depscan

nickbabkin commented 3 years ago

@prabhu is it possible to work around the --build phase for PHP projects and just statically lint the code that already exists in the repository (without fetching composer dependencies and building it) and produce reports?

In our case, we have strict network policies to avoid code leakage and we're gonna run scans with --network none for build containers.

Originally, PHP linters that we incorporate in SAST-SCAN don't require building the project.

Thanks.

prabhu commented 3 years ago

Yes, without --build scan would try its best to lint, but it looks like both the php tools are crashing without it. Can you fetch all the dependencies upfront before running scan or have a different environment of some sort?
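
One way to do the "fetch dependencies upfront, then scan offline" flow from this thread, as an added CI helper that is not part of the sast-scan project: phase 1 runs composer with network access and the PAT from GITHUB_TOKEN, phase 2 runs scan with --network none so the scanner container never receives the token. The composer:2 image, the /app working directory and the SCAN_HELPER_MAIN guard are assumptions.

```shell
#!/bin/sh
# Added example, not code from the sast-scan project. Two-phase PHP scan:
#   1. populate vendor/ with network access (token passed via env only)
#   2. run scan --build with --network none on the already-built tree
set -e

# Build the COMPOSER_AUTH JSON from a PAT. Rejects an empty token or one with
# characters outside [A-Za-z0-9_] (GitHub PATs never contain others), so a
# malformed value fails fast instead of breaking the JSON inside the container.
build_composer_auth() {
    tok=${1:-}
    [ -n "$tok" ] || return 1
    case $tok in
        *[!A-Za-z0-9_]*) return 1 ;;
    esac
    printf '{"github-oauth": {"github.com": "%s"}}' "$tok"
}

# Phase 1: fetch composer dependencies. The token reaches this container only
# as an environment variable and is never written into the repository.
# composer:2 image and --no-scripts are assumptions, not from the thread.
fetch_dependencies() {
    COMPOSER_AUTH=$(build_composer_auth "${GITHUB_TOKEN:-}") || {
        echo "GITHUB_TOKEN is missing or malformed" >&2
        return 1
    }
    export COMPOSER_AUTH
    docker run --rm -e COMPOSER_AUTH -v "$PWD:/app" -w /app \
        composer:2 install --no-interaction --no-scripts
}

# Phase 2: scan without network. vendor/ already exists, so --build can run
# offline and the php reports are produced. GITHUB_TOKEN is deliberately not
# passed; depscan's GitHub package lookup needs network, so only php runs here.
run_scan() {
    docker run --rm --network none -e "WORKSPACE=$PWD" -v "$PWD:/app" \
        shiftleft/scan scan --build -t php
}

# Set SCAN_HELPER_MAIN=1 to execute both phases; otherwise this file only
# defines the functions (handy for sourcing in a CI job or a test).
if [ "${SCAN_HELPER_MAIN:-}" = 1 ]; then
    fetch_dependencies
    run_scan
fi
```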

nickbabkin commented 3 years ago

@prabhu currently without --build in place scan doesn't produce any php reports.

Fetching all dependencies upfront might theoretically be possible, but I'd appreciate it if we could find a workaround here. I can help you with debugging this; saw you were looking for people that use scan for PHP projects, well I'm the one :)

prabhu commented 3 years ago

Sounds good. Can you email me prabhu @ shiftleft.io and we can set up a zoom session?

nickbabkin commented 3 years ago

@prabhu there seems to be a workaround indeed:

https://github.com/vimeo/psalm/issues/935

prabhu commented 3 years ago

Will you be able to send a PR? You can build scan image locally using dev-build.sh

nickbabkin commented 3 years ago

I'll see what I can do here. Let's also discuss during our meeting.

nickbabkin commented 3 years ago

I actually got the above error fixed by simply deleting composer.json, and now the scanner is running without --build! But now I'm getting the following error:

Uncaught UnexpectedValueException: Could not find file for gg\dbcomponentbundle\component\gedmo\timestampableentity in /opt/phpsast/vendor/vimeo/psalm/src/Psalm/Internal/Codebase/Scanner.php:223

https://github.com/vimeo/psalm/issues/5251

prabhu commented 3 years ago

Ah ok. Yes, let's go through during the call. The above might be due to our workarounds and may not be the tool error.