PHP packaging
Your PHP applications must meet specific compilation requirements before you can submit them for scanning.
See Supported languages and platforms for instructions for other platforms.
You can analyze applications using Veracode Static Analysis or Veracode Software Composition Analysis (SCA) upload and scan, if licensed. For SCA agent-based scan requirements, see Using Veracode SCA with Programming Languages.
Automated packaging
Auto-packaging simplifies the packaging process for PHP projects.
Supported PHP versions
Language | Supported versions |
---|---|
PHP | 5.2-7.4, 8.0-8.3 |
Supported PHP frameworks
Framework | Versions |
---|---|
Laravel | 5.x-10.x |
Zend | 1, 2, 3 |
Symfony | 5.x, 6.x |
NOTE: Initial support for Symfony 6.x.
Template engines
Name | Supported versions |
---|---|
Smarty | 2.6, 3.1 |
Packaging guidance
Upload a compressed ZIP archive of your PHP code. You can omit third-party PHP code, such as the vendor folder. If you are using Software Composition Analysis (SCA), include the composer.lock file in the root of your ZIP archive. To get the most accurate results, include the composer.json file. Do not upload individual PHP files.
Veracode precompiles all PHP code uploaded to the Veracode Platform prior to analysis. The submitted PHP code must be able to compile. Otherwise, the prescan returns a compilation error.
Submitting third-party libraries for unsupported PHP frameworks may result in additional findings and longer analysis times.
Veracode only attempts to compile files ending in these extensions:
- PHP
- MODULE
- INC
- HTML
- HTM
- PROFILE
- INSTALL
- ENGINE
- THEME
- PHP4
- PHP5
- PHP7
- PHTML
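A preflight packaging script for the guidance above, added here as an example and not Veracode tooling: it builds the ZIP with paths relative to the archive root, omits the top-level vendor folder, and reports which files carry an extension from the list above and which Composer manifests are missing. The function name, the skip_dirs parameter, and the case-insensitive extension match are assumptions of this example.

```python
import zipfile
from pathlib import Path

# Extensions the page lists as the only ones Veracode attempts to compile.
COMPILED_EXTS = {"php", "module", "inc", "html", "htm", "profile", "install",
                 "engine", "theme", "php4", "php5", "php7", "phtml"}


def package_php(project_dir, zip_path, skip_dirs=("vendor",)):
    """Zip project_dir for upload and report what the scanner will see.

    skip_dirs (top-level folders to omit) is this example's own parameter.
    """
    root = Path(project_dir)
    zip_path = Path(zip_path)
    report = {"compiled": [], "not_compiled": [], "missing": []}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(root.rglob("*")):
            rel = path.relative_to(root)
            # Skip directories and the archive itself if it lives in the project.
            if not path.is_file() or path.resolve() == zip_path.resolve():
                continue
            if len(rel.parts) > 1 and rel.parts[0] in skip_dirs:
                continue  # third-party code the page says can be omitted
            zf.write(path, rel.as_posix())  # keep paths relative to the ZIP root
            # Assumption: extensions are matched case-insensitively.
            ext = path.suffix.lstrip(".").lower()
            key = "compiled" if ext in COMPILED_EXTS else "not_compiled"
            report[key].append(rel.as_posix())
    # composer.lock is needed for SCA; composer.json improves accuracy.
    for manifest in ("composer.lock", "composer.json"):
        if not (root / manifest).is_file():
            report["missing"].append(manifest)
    return report
```

Files listed under not_compiled are still in the archive; the list only shows what falls outside the compiled extensions, such as a template with a different suffix.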
Analysis limitations
Veracode PHP analysis does not interpret PHP configuration settings in PHP.INI, build options passed to PHP configure script, ini_set, assert, or HTTP server-specific configuration, which are options that you pass to PHP at runtime or specify in server configuration files. Veracode analysis makes these assumptions:
- All applications are web applications.
- stdout goes to an HTTP client.
- register_globals is set to OFF.
- register_argc_argv, always_populate_raw_post_data, and register_long_arrays are ON.
- All magic_quotes configuration options are OFF.