False positive: Pattern found#24 - PHP execution operator: backticks (``) about jedchecker HOT 6 CLOSED

The problem is in very simple regex in JAMSS (\$\w[^;=\)]*=[^;=\)]*`.*`), unlikely it may be fixed easily. The proper way is to use token_get_all and search for ` token there, but it's out of JAMSS approach.

from jedchecker.

The sample code does not seem to have the ` or what am I missing...

from jedchecker.

@dryabov A new case related to backticks and images:

#001 /joomhelper360/assets/css/ajax-loader.gif in line: 26
? Pattern found#24 - PHP execution operator: backticks (``)

from jedchecker.

I know, there is a lot of false-positives with this rule, because it just finds $ followed by = and two `s (at any distances). That's why the warning message may contain a code that doesn't contain ` at all, because of it may be located many lines below (usually inside of a quoted string).

from jedchecker.

in that case, just giving the file path and not the code will be more helpful... so that we do self investigation. Since seeing the code, and not seeing the issue make one ignore it, and that is bad.

from jedchecker.

My current idea is to implement a concept of "scopes" for JAMSS rules, e.g. the check of PHP embedded into a GIF file requires to analyze the entire file (a "full" scope), and this check for backticks requires to analyze PHP code only (a "code" scope, i.e. excluding HTML and quoted strings). As a result, most of false-positives will be eliminated.

from jedchecker.