Adding missing samples

php/src/detectors/activated-debug-feature/compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=detect-activated-debug-feature@v1.0 defects=0}
+// Compliant: Debug mode is disabled
+    config(['app.debug' => 'false']);
+// {/fact}
+?>

php/src/detectors/activated-debug-feature/non-compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=detect-activated-debug-feature@v1.0 defects=1}
+// Noncompliant: Debug mode is eanbled
+    config(['app.debug' => 'true']); 
+// {/fact}
+?>

php/src/detectors/allow-url-fopen-or-include/compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=allow-url-fopen-or-include@v1.0 defects=0}
+// Compliant: `allow_url_fopen` set to `'Off'` 
+    ini_set('allow_url_fopen','Off');
+// {/fact}
+?>

php/src/detectors/allow-url-fopen-or-include/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=allow-url-fopen-or-include@v1.0 defects=1}
+// Noncompliant: `allow_url_fopen` set to `'On'` 
+    ini_set('allow_url_fopen','On');
+// {/fact}
+
+?>

php/src/detectors/assert-use/compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=assert-use@v1.0 defects=0}
+// Compliant : assert input is not tainted
+    $tainted = $_GET['userinput'];
+    assert('2 > 1');
+// {/fact}
+?>

php/src/detectors/assert-use/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=assert-use@v1.0 defects=1}
+// NonCompliant: the userinput is not sanitized
+    $tainted = $_GET['userinput'];
+    assert($tainted);
+// {/fact}
+?>

php/src/detectors/avoid-exit-die/compliant.php

@@ -0,0 +1,16 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=avoid-exit-die@v1.0 defects=0}
+// Compliant: Exception thrown in a compliant way.
+function compliant($param)  {
+    if ($param == 42) {
+      throw new Exception('Value 42 is not expected.');
+    }
+}
+// {/fact}
+?>

php/src/detectors/avoid-exit-die/non-compliant.php

@@ -0,0 +1,16 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=avoid-exit-die@v1.0 defects=1}
+// Noncompliant : exit() is used to terminate the script
+function nonCompliant($param)  {
+    if ($param === 42) {
+        exit(23);
+    }
+}
+// {/fact}
+?>

php/src/detectors/coral-csrf-rule/compliant.php

@@ -0,0 +1,14 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=coral-csrf-rule@v1.0 defects=0}
+// Compliant: CSRF protection enabled
+$resolver->setDefaults([
+    'csrf_protection' => true
+  ]);
+// {/fact}
+?>

php/src/detectors/coral-csrf-rule/non-compliant.php

@@ -0,0 +1,14 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=coral-csrf-rule@v1.0 defects=1}
+// Noncompliant: CSRF protection is disabled
+$resolver->setDefaults(array(
+    'csrf_protection' => false
+  ));
+// {/fact}
+?>

php/src/detectors/dangerous-function-usage/compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=dangerous-function-usage@v1.0 defects=0}
+// Compliant: `openssl_encrypt` function to perform encryption using the OpenSSL library.
+    openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv, $tag);
+// {/fact}
+?>

php/src/detectors/dangerous-function-usage/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=dangerous-function-usage@v1.0 defects=1}
+// Noncompliant: `mcrypt_ecb` function to perform encryption using the ECB 
+    mcrypt_ecb(MCRYPT_BLOWFISH, $key, base64_decode($input), MCRYPT_ENCRYPT);
+// {/fact}
+
+?>

php/src/detectors/improper-access-control/compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=improper-access-control@v1.0 defects=0}
+// Compliant: The session prefix is used to prevent 
+    $_SESSION['prefix' . $_POST['input']] = true;
+//{/fact}
+
+?>

php/src/detectors/improper-access-control/non-compliant.php

@@ -0,0 +1,15 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+
+//{fact rule=improper-access-control@v1.0 defects=1}
+// Noncompliant: tainted session variable is used in a session 
+    $inputA = $_POST['input'];
+	$_SESSION[$inputA] = true;
+//{/fact}
+
+?>

php/src/detectors/insecure-connection/compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-connection@v1.0 defects=0}
+// Compliant: CURLOPT_SSL_VERIFYPEER is set to true
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+// {/fact}
+
+?>

php/src/detectors/insecure-connection/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-connection@v1.0 defects=1}
+// Noncompliant: CURLOPT_SSL_VERIFYPEER is set to false
+curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
+// {/fact}
+
+?>

php/src/detectors/insecure-cryptography/compliant.php

@@ -0,0 +1,15 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-cryptography@v1.0 defects=0}
+// Compliant : SHA-256 is secure hashing algorithm
+function compliant($value) {
+    $pass = hash('sha256', $value);
+    $user->setPassword($pass);
+}
+// {/fact}
+?>

php/src/detectors/insecure-cryptography/non-compliant.php

@@ -0,0 +1,15 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-cryptography@v1.0 defects=1}
+// Noncompliant: Weak hashing algorithm MD5 is used
+function nonCompliant($value) { 
+    $pass = hash('md5', $value);
+    $user->setPassword($pass);
+}
+// {/fact}
+?>

php/src/detectors/insecure-object-attribute-modification/compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-object-attribute-modification@v1.0 defects=0}
+// Compliant: guarded model initialised with value
+protected $guarded = ['name', 'email'];
+// {/fact}
+?>

php/src/detectors/insecure-object-attribute-modification/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=insecure-object-attribute-modification@v1.0 defects=1}
+// Noncompliant: use of guarded array property.
+protected $guarded = [];
+// {/fact}
+
+?>

php/src/detectors/ldap-bind-without-password/compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=ldap-bind-without-password@v1.0 defect=0}
+// Compliant: username and passwrod provided
+ldap_bind($ldapconn, "username", "password");
+//{fact}
+?>

php/src/detectors/ldap-bind-without-password/non-compliant.php

@@ -0,0 +1,12 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+//{fact rule=ldap-bind-without-password@v1.0 defect=1}
+// Noncompliant: username and password is missing  
+ldap_bind($ldapconn, NULL, NULL);
+// {fact}
+?>

php/src/detectors/log-injection/compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+    // {fact rule=log-injection@v1.0 defects=0}
+    // Compliant: `log_errors` is set to `'1'`, PHP will log errors to the error log file.
+    ini_set('log_errors', '1');
+    // {/fact}
+
+?>

php/src/detectors/log-injection/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+    // {fact rule=log-injection@v1.0 defects=1}
+    // Noncompliant: `log_errors` is set to `'0'`, PHP will not log errors to the error log file.
+    ini_set('log_errors', '0');
+    // {/fact}
+
+?>

php/src/detectors/origins-verified-cross-origin-communications/compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=origins-verified-cross-origin-communications@v1.0 defects=0}
+// Compliant: Custom header with a wildcard value does not pose a risk to cross-origin communication
+header("Other-Property: *");
+// {/fact}
+
+?>

php/src/detectors/origins-verified-cross-origin-communications/non-compliant.php

@@ -0,0 +1,13 @@
+<?php
+
+/* 
+*  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+*  SPDX-License-Identifier: Apache-2.0
+*/
+
+// {fact rule=origins-verified-cross-origin-communications@v1.0 defects=1}
+// Noncompliant: Access-Control-Allow-Origin` header to `*` can allow any origin to access sensitive resources without proper verification.
+header('Access-Control-Allow-Origin: *');
+// {/fact}
+
+?>