{"id":13505105,"url":"https://github.com/psecio/parse","last_synced_at":"2025-05-16T03:06:00.413Z","repository":{"id":22984582,"uuid":"26334899","full_name":"psecio/parse","owner":"psecio","description":"Parse: A Static Security Scanner","archived":false,"fork":false,"pushed_at":"2018-08-07T08:33:28.000Z","size":372,"stargazers_count":370,"open_issues_count":18,"forks_count":41,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-04-13T04:04:23.042Z","etag":null,"topics":["php","scanner","security"],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/psecio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-07T19:39:53.000Z","updated_at":"2025-04-04T22:17:21.000Z","dependencies_parsed_at":"2022-09-12T02:11:46.788Z","dependency_job_id":null,"html_url":"https://github.com/psecio/parse","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psecio%2Fparse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psecio%2Fparse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psecio%2Fparse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/psecio%2Fparse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/psecio","download_url":"https://codeload.github.com/psecio/parse/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459088,"owners_count":22074605,"icon_
url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["php","scanner","security"],"created_at":"2024-08-01T00:00:58.614Z","updated_at":"2025-05-16T03:05:55.404Z","avatar_url":"https://github.com/psecio.png","language":"PHP","readme":"Parse: A PHP Security Scanner\n=============================\n\n[![Packagist Version](https://img.shields.io/packagist/v/psecio/parse.svg?style=flat-square)](https://packagist.org/packages/psecio/parse)\n[![Build Status](https://img.shields.io/travis/psecio/parse/master.svg?style=flat-square)](https://travis-ci.org/psecio/parse)\n\n\u003e **PLEASE NOTE:** This tool is still in a very early stage. The work continues...\n\nThe *Parse* scanner is a static scanning tool to review your PHP code for potential security-related\nissues. A static scanner means that the code is not executed and tested via a web interface (that's\ndynamic testing). Instead, the scanner looks through your code and checks for certain markers and notifies\nyou when any are found.\n\nFor example, you really shouldn't be using [eval](http://php.net/eval) in your code anywhere if you can\nhelp it. When the scanner runs, it will parse down each of your files and look for any `eval()` calls.\nIf it finds any, it adds that match to the file and reports it in the results.\n\n\nInstallation\n------------\nInstall as a development dependency in your project using [composer](https://getcomposer.org/):\n\n    composer require --dev psecio/parse\n\nThe path to the installed executable may vary depending on your\n[bin-dir](https://getcomposer.org/doc/04-schema.md#config) setting. 
With the\ndefault value the executable is located at `vendor/bin/psecio-parse`.\n\nFor a system-wide installation use:\n\n    composer global require psecio/parse\n\nMake sure you have `~/.composer/vendor/bin/` in your `PATH`.\n\n\nUsage\n-----\n\u003e **NOTE:** In version **0.6** the executable was renamed **psecio-parse**. In earlier\n\u003e versions the tool was simply named **parse**.\n\n\u003e **NOTE:** In version **0.4** and earlier the `--target` option was used to specify the\n\u003e project path; this is no longer supported. Use the syntax below.\n\nTo use the scanner, execute it from the command line:\n\n    psecio-parse scan /path/to/my/project\n\nFor more detailed information see the `help` and `list` commands.\n\n    psecio-parse help scan\n\n### Output formats\n\nCurrently the console (dots), xml and json output formats are available. Set the format with the `--format` option.\n\n    psecio-parse scan --format=xml /path/to/my/project\n    psecio-parse scan --format=dots /path/to/my/project\n    psecio-parse scan --format=json /path/to/my/project\n\nThe console format supports setting the verbosity using the `-v` or `-vv` switch.\n\n    psecio-parse scan -vv /path/to/my/project\n\nIf your platform does not support ANSI codes, or if you want to redirect the console output\nto a file, use the `--no-ansi` option.\n\n    psecio-parse scan --no-ansi /path/to/my/project \u003e filename\n\n### Listing the checks\n\nYou can also get a listing of the current checks being done with the `rules` command:\n\n    psecio-parse rules\n\n### Managing rules to run\n\nThere are several ways to control which rules are run. You can specifically include rules using\nthe `--include-rules` option, specifically exclude them with `--exclude-rules`, turn them on and\noff on a case-by-case basis using annotations, and disable annotations using\n`--disable-annotations`.\n\n#### Excluding and Including rules\n\nBy default, `psecio-parse scan` includes all available rules in its scan. 
By using\n`--exclude-rules` and `--include-rules`, the set of rules that run can be narrowed.\n\nAny rules specified by `--exclude-rules` are explicitly excluded from the scan, regardless of any\nother options selected. These rules cannot be added back to the scan, short of re-running the scan\nwith different options. Invalid rule names are silently ignored.\n\nIf `--include-rules` is provided, only those rules specified are used. No other rules are\nchecked. Note that rules that aren't available (whether they do not exist or `--exclude-rules` is\nused to exclude them) cannot be included. Invalid rule names are silently ignored, so a misspelled\nname in `--include-rules` silently drops that check from the scan; compare names against the\noutput of `psecio-parse rules`.\n\n#### Annotations\n\nRules can be enabled and disabled using DocBlock annotations. These are comments in the code being\nscanned that tell *Parse* to specifically enable or disable a rule for the block of code the\nDocBlock applies to.\n\n* `@psecio\\parse\\disable \u003crule\u003e`: Tells *Parse* to ignore the given rule for the scope of the\n  DocBlock.\n* `@psecio\\parse\\enable \u003crule\u003e`: Tells *Parse* to enable the given rule for the scope of the\n  DocBlock. This can be used to re-enable a particular rule when `@psecio\\parse\\disable` has been\n  applied to the containing scope.\n\nNote that annotations cannot enable rules that have been omitted via the command line options. If\na rule is disabled at the command line, it is disabled for the entire scan, regardless of any\nannotations.\n\nComments can be added after `\u003crule\u003e` following a double-slash (`//`) comment separator. 
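\nBoth annotations and the `//` comment separator in one file, as an added example that is not part of the *Parse* project: the class is made up and the rule identifier `Eval` is assumed (take the real identifiers from `psecio-parse rules`). By the rules above, `psecio-parse scan -vv` on this file should report the `eval()` in `renderExpression` but not the one in `renderCompiled`; with `--disable-annotations` it reports both, and with the rule dropped via `--exclude-rules` it reports neither, whatever the annotations say.\n
```php
\u003c?php
// Added example, not code from the Parse project. The rule identifier 'Eval'
// is assumed; run `psecio-parse rules` for the identifiers your version uses.

/**
 * Compiled templates are generated from checked-in sources only, so the
 * eval() rule is switched off for the whole class.
 *
 * @psecio\\parse\\disable Eval // templates are build artifacts, never request data
 */
class TemplateEngine
{
    public function renderCompiled(string $compiledPhp): string
    {
        ob_start();
        eval('?\u003e' . $compiledPhp); // not reported: rule disabled for the class
        return (string) ob_get_clean();
    }

    /**
     * This path can see request data, so the rule is switched back on for
     * this method only.
     *
     * @psecio\\parse\\enable Eval // re-enabled: $expr may come from the request
     */
    public function renderExpression(string $expr): string
    {
        return (string) eval('return ' . $expr . ';'); // reported: rule active here
    }
}
```
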
It is\nrecommended that comments be used to indicate why the rule has been disabled or enabled.\n\nTo disable the use of annotations, use the `--disable-annotations` option.\n\nSee the `examples` directory for some examples of the use of annotations for *Parse*.\n\nThe Checks\n----------\nHere's the current list of checks:\n\n- Warn when sensitive values are committed (as defined by a variable like \"username\" set to a string literal)\n- Warn when `display_errors` is enabled manually\n- Avoid the use of `eval()`\n- Avoid the use of `exit` or `die()`\n- Avoid the use of the word-form logical operators (e.g. `and` instead of `\u0026\u0026`; they bind more loosely than `=`, so `$ok = a() and b()` assigns only the result of `a()`)\n- Avoid the use of the `ereg*` functions (deprecated in PHP 5.3 and removed in PHP 7)\n- Ensure that the second parameter of `extract` is set to not overwrite (*not* `EXTR_OVERWRITE`)\n- Check output methods (`echo`, `print`, `printf`, `print_r`, `vprintf`, `sprintf`) that use variables in their arguments\n- Ensure you're not using `echo` with `file_get_contents`\n- Test for the system execution functions and shell exec (backticks)\n- Use of `readfile`, `readlink` and `readgzfile`\n- Using `parse_str` or `mb_parse_str` (writes values into the local scope)\n- Warn if a `.phps` file is found\n- Using `session_regenerate_id` either without a parameter or with `false` (the old session is then not deleted)\n- Avoid use of `$_REQUEST` (know where your data is coming from)\n- Don't use `mysql_real_escape_string`\n- Avoid use of `import_request_variables`\n- Avoid use of `$GLOBALS`\n- Ensure strict comparison (`===`) is used when checking against booleans\n- Ensure that the `/e` modifier isn't used in regular expressions (it evaluates the replacement as PHP code)\n- Using concatenation in `header()` calls (a concatenated variable can inject extra headers)\n- Avoid the use of `$HTTP_RAW_POST_DATA`\n\nPlenty more to come... 
(yup, `@todo`)\n\n\nTODO\n----\nSee the current issues list for `@todo` items...\n\nParse is covered under the MIT license.\n\n@author Chris Cornutt (ccornutt@phpdeveloper.org)\n","funding_links":[],"categories":["Scanner\u0026\u0026Security Scanning\u0026\u0026App Scanning\u0026\u0026Vulnerability Scanning","Standalone","PHP","Static Code Analysis","Programming Languages"],"sub_categories":["Uncategorized-Scanner","Bugs finders"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsecio%2Fparse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpsecio%2Fparse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpsecio%2Fparse/lists"}