github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Why doesn't CodeQL support auditing PHP #12376

Open ltfafei opened 1 year ago

ltfafei commented 1 year ago

Why doesn't CodeQL support auditing PHP?

If you add a PHP syntax engine later, we could write QL to audit PHP source code.

Thank you very much!

ryao commented 1 year ago

I am not a CodeQL developer, but it appears to me that CodeQL is slowly expanding its language support.

Ruby support was added in 2021 and Kotlin support was added in 2022:

https://github.com/github/codeql/discussions/6922
https://github.com/github/codeql/discussions/11460

If recent commits are any indication, they will be adding Swift later this year. If they continue adding one language per year, we will presumably see PHP added eventually. In the meantime, here is a list of options for static analysis of PHP:

https://analysis-tools.dev/tag/php

hmakholm commented 1 year ago

PHP is fairly high on the list of languages we want to add support for -- but unfortunately our engineering resources are limited, so we can't do everything we'd like to do immediately. We're not yet in a position to give a timeline for PHP support, so the best answer I can give is that we're certainly aware there are huge amounts of PHP code out there that desperately needs to be secured.

ltfafei commented 1 year ago

PHP is fairly high on the list of languages we want to add support for -- but unfortunately our engineering resources are limited, so we can't do everything we'd like to do immediately. We're not yet in a position to give a timeline for PHP support, so the best answer I can give is that we're certainly aware there are huge amounts of PHP code out there that desperately needs to be secured.

All right, thank you very much!

ryao commented 1 year ago

PHP is reportedly the 7th most popular language on GitHub, which is consistent with it being high on their list for new language support:

https://madnight.github.io/githut/#/pull_requests/2022/4

That being said, this might not be a popular opinion among those waiting for CodeQL to support their languages, but I would prefer it if they would put more effort into improving their existing language support by more aggressively addressing issues opened against existing queries. They are working on query improvements, but the rate of progress seems somewhat slow and that can only become slower when more languages are supported. :/

ltfafei commented 1 year ago

OK, I understand.

leocavalcante commented 8 months ago

Any development on this subject?

heheda123123 commented 7 months ago

PHP is still a very popular development language today.

AnttiHal commented 5 months ago

Any updates on this @hmakholm?

hmakholm commented 5 months ago

Not any I know of.

IonTulbure commented 2 months ago

Really wish to see it support PHP (WordPress, Laravel?)

willryan-stemcell commented 1 month ago

Really wish to see it support PHP (WordPress, Laravel?)

Magento too!