Closed nickbabkin closed 3 years ago
Hi @nickbabkin
For php, the --build argument is required.
https://slscan.io/en/latest/getting-started/#language-specific-scans
You can also set an environment variable SCAN_DEBUG_MODE=debug which will produce useful debug output. It is turned off by default.
@prabhu thanks, missed this small detail.
We have some internal dependencies in composer (to be fetched from private github repositories), hence the build process fails. Which environment variable shall I set for scan to be able to fetch these dependencies?
I guess GITHUB_TOKEN won't do the job will it?
You can set an environment variable called COMPOSER_AUTH with JSON like the one below and a PAT:
COMPOSER_AUTH='{"github-oauth": {"github.com": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"}}'
Also set the same token as GITHUB_TOKEN so that we can do package lookup for depscan:
-t php,depscan
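An added example (not code from this issue or from the scan project) of wiring those two variables in: the PAT is read from a file rather than typed on the command line, the COMPOSER_AUTH JSON is built from it after a sanity check, and both variables reach the scan container through the environment only, so the token never lands in shell history or the issue tracker. The image name shiftleft/sast-scan and the --src flag are assumptions.

```shell
#!/bin/sh
# Added example: prepare COMPOSER_AUTH and GITHUB_TOKEN for a scan of a PHP
# project whose composer dependencies live in private GitHub repositories.
# Assumed: image name shiftleft/sast-scan, scan's --src flag.

# Render the JSON Composer expects for a github.com OAuth token.
# Refuses an empty token or one outside the charset GitHub PATs use,
# which also catches a pasted-in placeholder or a token with quotes.
composer_auth_json() {
    token="$1"
    case "$token" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    printf '{"github-oauth": {"github.com": "%s"}}' "$token"
}

# Read the PAT from a file (keep it mode 0600); first line only, CR/LF stripped.
read_token_file() {
    [ -r "$1" ] || { echo "cannot read token file: $1" >&2; return 1; }
    head -n 1 "$1" | tr -d '\r\n'
}

# Run the scan with --build so composer can fetch the private packages.
# `-e NAME` without a value copies the variable from our environment into the
# container, so the token is never part of the docker command line.
run_php_scan() {
    src="$1"
    tokfile="$2"
    token=$(read_token_file "$tokfile") || return 1
    COMPOSER_AUTH=$(composer_auth_json "$token") || { echo "malformed token" >&2; return 1; }
    GITHUB_TOKEN="$token"
    export COMPOSER_AUTH GITHUB_TOKEN
    docker run --rm -e COMPOSER_AUTH -e GITHUB_TOKEN \
        -v "$src:/app:cached" shiftleft/sast-scan scan --src /app -t php,depscan --build
}
```

Call it as run_php_scan /path/to/project ~/.config/scan/github_pat from a shell that does not echo commands.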
@prabhu is it possible to workaround --build phase for PHP projects and just statically lint the code that already exists in the repository (without fetching composer dependencies and building it) and produce reports?
In our case, we have strict network policies to avoid code leakage and we're gonna run scans with --network none for build containers.
Originally, PHP linters that we incorporate in SAST-SCAN don't require building the project.
Thanks.
Yes, without --build scan would try its best to lint, but it looks like both the php tools are crashing without it. Can you fetch all the dependencies upfront before running scan, or have a different environment of some sort?
@prabhu currently without --build in place scan doesn't produce any php reports.
Fetching all dependencies upfront might theoretically be possible, but I'd appreciate it if we could find a workaround here. I can help you with debugging this; I saw you were looking for people that use scan for PHP projects, well I'm the one :)
Sounds good. Can you email me prabhu @ shiftleft.io and we can setup a zoom session?
@prabhu there seems to be a workaround indeed:
Will you be able to send a PR? You can build scan image locally using dev-build.sh
I'll see what I can do here. Let's also discuss during our meeting.
I actually got the above error fixed by simply deleting composer.json, and now the scanner is running without --build! But now I'm getting the following error:
Uncaught UnexpectedValueException: Could not find file for gg\dbcomponentbundle\component\gedmo\timestampableentity in /opt/phpsast/vendor/vimeo/psalm/src/Psalm/Internal/Codebase/Scanner.php:223
Ah ok. Yes, let's go through during the call. The above might be due to our workarounds and may not be the tool error.
Hi! Second issue during the day for me.
I'm trying to scan a PHP application by running a simple docker-based scan. SAST-Scan is running without any issues and detecting the language correctly; however, reports for audit-php and taint-php are not produced and results are not shown in the CLI:
Any ideas why this may be happening?