joomla-extensions / jedchecker

Joomla extension to check components, modules or plugins for possible problems for submission to the JED -> Translations: https://joomla.crowdin.com/joomla-official-extensions

False positive: Pattern found#24 - PHP execution operator: backticks (``) #159

Closed anibalsanchez closed 2 years ago

anibalsanchez commented 2 years ago

Hi,

This piece of code fired the rule:

    /**
     * Counts the number of products in the array
     *
     * @return int
     *
     * @since 1.0.0
     */
    public function getTotal() : int
    {
        if (!empty($this->products))
        {
            return count($this->products);
        }
        else
        {
            return 0;
        }
    }

@dryabov

dryabov commented 2 years ago

The problem is in a very simple regex in JAMSS (\$\w[^;=\)]*=[^;=\)]*`.*`); it's unlikely it can be fixed easily. The proper way is to use token_get_all and search for the ` token there, but that's outside the JAMSS approach.

Llewellynvdm commented 2 years ago

The sample code does not seem to have the ` or what am I missing...

anibalsanchez commented 2 years ago

@dryabov A new case related to backticks and images:

#001 /joomhelper360/assets/css/ajax-loader.gif in line: 26
? Pattern found#24 - PHP execution operator: backticks (``)

dryabov commented 2 years ago

I know, there are a lot of false positives with this rule, because it just finds $ followed by = and two `s (at any distance). That's why the warning message may contain code that doesn't contain ` at all, because it may be located many lines below (usually inside a quoted string).

Llewellynvdm commented 2 years ago

In that case, just giving the file path and not the code will be more helpful... so that we can do our own investigation. Seeing the code and not seeing the issue makes one ignore it, and that is bad.

dryabov commented 2 years ago

My current idea is to implement a concept of "scopes" for JAMSS rules, e.g. the check for PHP embedded into a GIF file requires analyzing the entire file (a "full" scope), and this check for backticks requires analyzing PHP code only (a "code" scope, i.e. excluding HTML and quoted strings). As a result, most false positives will be eliminated.
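The following is an added example, not code from jedchecker or JAMSS, that puts the two approaches discussed in this thread side by side: the regex rule quoted above, and the "code" scope idea implemented with token_get_all. The `/s` modifier on the regex is an assumption made so that `.*` can span lines, matching the "at any distance" behaviour described above; both sample sources are constructed for the demonstration (a Joomla-style SQL string with MySQL backtick quoting, and a genuine use of the execution operator).

```php
<?php
// Added example (not jedchecker/JAMSS code): contrasts the regex rule from the
// thread with a token-based scan that only reports the real execution operator.

// Regex quoted in the thread. The /s modifier is an assumption so that `.*`
// can run across line breaks, which reproduces the "at any distance" behaviour.
const JAMSS_BACKTICK_REGEX = '/\$\w[^;=\)]*=[^;=\)]*`.*`/s';

/** Regex-based check: true when the rule would fire on this source text. */
function regexFindsBackticks(string $source): bool
{
    return preg_match(JAMSS_BACKTICK_REGEX, $source) === 1;
}

/**
 * Token-based check ("code" scope). The execution operator is the only
 * construct for which token_get_all() yields a bare '`' token: backticks inside
 * quoted strings, comments, doc comments or inline HTML are swallowed into
 * T_CONSTANT_ENCAPSED_STRING, T_COMMENT, T_DOC_COMMENT or T_INLINE_HTML.
 * Returns the line numbers on which a shell-exec expression opens.
 */
function tokenFindsBackticks(string $source): array
{
    $hits = [];
    $line = 1;      // line of the most recent token
    $open = false;  // are we between an opening and a closing backtick?

    foreach (token_get_all($source) as $token) {
        if (is_array($token)) {
            // Array tokens carry their starting line; advance past any
            // newlines they contain so single-character tokens that follow
            // (which carry no line info) are attributed to the right line.
            $line = $token[2] + substr_count($token[1], "\n");
            continue;
        }
        if ($token === '`') {
            if (!$open) {
                $hits[] = $line;
            }
            $open = !$open;
        }
    }
    return $hits;
}

/** One-line summary of what each approach reports for a source snippet. */
function report(string $label, string $source): string
{
    $regex = regexFindsBackticks($source) ? 'flags' : 'clean';
    $hits  = tokenFindsBackticks($source);
    $token = $hits ? 'flags line(s) ' . implode(', ', $hits) : 'clean';
    return sprintf('%-14s regex: %-6s token scan: %s', $label, $regex, $token);
}

// Constructed sample 1: assignment whose string value contains backticks
// (MySQL identifier quoting), plus backticks in a comment and in inline HTML.
$falsePositive = <<<'PHP'
<?php
/** Counts content items (doc comment, no execution operator here) */
$query = "SELECT `id`, `title` FROM `#__content` WHERE `state` = 1";
$msg = 'Run `composer install` first'; // backticks inside a quoted string
?>
<p>Markdown-style `inline code` in HTML is not PHP either</p>
PHP;

// Constructed sample 2: a real use of the execution operator.
$truePositive = <<<'PHP'
<?php
$host = `hostname`;
echo $host;
PHP;

echo report('SQL/strings', $falsePositive), PHP_EOL;   // regex flags, token scan clean
echo report('real backtick', $truePositive), PHP_EOL;  // both flag, token scan names line 2
```

The token scan needs the tokenizer extension (enabled in default PHP builds). Because it works on the parsed token stream rather than raw text, it naturally implements the "code" scope dryabov describes: anything inside strings, comments or HTML never becomes a bare backtick token, so the SQL sample is reported clean while the genuine execution operator is still caught with its line number.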