Update ruleset.xml to disable Security.Misc.IncludeMismatch
Rule Security.Misc.IncludeMismatch attempts to ensure that all PHP files are analyzed by its scanner. It does so by verifying that the extension of every include()'d file is part of the list of extensions to be scanned.
For example, if it comes across:
include('test.phtml'); // assuming `phtml` is not yet part of the scanned extensions
It will suggest adding phtml to the list of extensions to scan and re-running the tool to provide better coverage.
The problem is that this check falls short in some cases:
include_once("/some/path/".$env."/file.php");
In this case, the scanner is unable to find a file extension for "/some/path/" and reports this as a vulnerability. Those are not true vulnerabilities but rather warnings that the tool is potentially misconfigured.
Therefore I would suggest removing this rule from the default ruleset to improve the out-of-the-box experience for most users.
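As an added illustration (not code from phpcs-security-audit or from this PR), the following Python scan over a few constructed PHP lines separates the two situations described above: a statically written include whose extension is not in the scanned list (a genuine coverage hint) and a dynamically built path whose extension cannot be resolved at all (a configuration note, not a finding). The extension list, the sample source and the helper names are assumptions.

```python
import re

# Extensions the scanner is assumed to be configured to analyze (constructed).
SCANNED_EXTENSIONS = {"php", "inc"}

# include/include_once/require/require_once followed by its argument expression.
# Longer keywords come first so "include_once" is not split into "include" + "_once".
INCLUDE_RE = re.compile(
    r"\b(include_once|include|require_once|require)\b\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;"
)
# A single quoted literal with no embedded quotes; anything else is a dynamic expression.
STRING_RE = re.compile(r"""^(['"])(?P<path>[^'"]*)\1$""")


def classify_include(statement):
    """Return ('ok'|'mismatch'|'dynamic', detail) for one statement, or None."""
    m = INCLUDE_RE.search(statement)
    if not m:
        return None
    arg = m.group("arg").strip()
    lit = STRING_RE.match(arg)
    if not lit:
        # Concatenation or variable: the extension cannot be determined statically,
        # so this should be surfaced as a configuration note rather than a vulnerability.
        return ("dynamic", arg)
    filename = lit.group("path").rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    if ext in SCANNED_EXTENSIONS:
        return ("ok", ext)
    # Static path with an extension the scanner does not cover: suggest adding it.
    return ("mismatch", ext)


def scan_source(source):
    """Scan PHP source text; return (line_no, kind, detail) for non-ok includes."""
    results = []
    for n, line in enumerate(source.splitlines(), 1):
        r = classify_include(line)
        if r and r[0] != "ok":
            results.append((n, r[0], r[1]))
    return results


# Constructed sample mirroring the two cases from the description.
SAMPLE_PHP = """<?php
include('test.phtml');
include_once("/some/path/".$env."/file.php");
require_once 'lib/helpers.php';
"""

if __name__ == "__main__":
    for line_no, kind, detail in scan_source(SAMPLE_PHP):
        print(f"line {line_no}: {kind} ({detail})")
```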