Improve phpcs-security-audit vulnerability report descriptions
Problem to solve
We currently use phpcs-security-audit for conducting static security analysis of PHP code. The descriptions it includes in its vulnerability reports aren't always clear, and aren't documented anywhere. This is confusing for customers.
For more context see https://gitlab.com/gitlab-org/gitlab-ee/issues/6081
Proposal
Improve the descriptions given by phpcs-security-audit by writing our own. We've already done this for our TypeScript analyzer.
This will require looking at each of the "Sniffs" used by phpcs-security-audit to detect vulnerabilities, and writing a description that more clearly explains the corresponding vulnerability. The Sniffs live here, and the corresponding ruleset that we use is here. We only need descriptions for Sniffs that are used in the ruleset.
What does success look like, and how can we measure that?
We can ask the user who initially raised the issue, see that no further issues related to the descriptions are raised, and see whether we get an increase in PHP projects using SAST in the coming months.