Fix issue #17.

Yousha · Yousha · commit dbfda2eabbc2 · 2025-10-15T15:58:42.000+03:30
Add support for `--exclude-rules` option
diff --git a/bin/php-sl.php b/bin/php-sl.php
@@ -31,7 +31,7 @@
  * Displays command line help information for PHP Security Linter.
  *
  * Outputs formatted usage instructions, available options, and examples
- * for runningsecurity linter fromcommand line.
+ * for running security linter from command line.
  *
  * @return void Outputs directly to STDOUT
  */
@@ -42,19 +42,21 @@ function showHelp(): void
         Usage: php bin/php-sl.php [options]
 
         Options:
-          -p, --path=PATH      Path to scan (required)
-          --exclude=LIST       Comma-separated exclusions (dirs/files)
-          --help               Show this help message
+          -p, --path=PATH      Path to scan (required).
+          --exclude=LIST       Comma-separated paths to exclude.
+          --exclude-rules=LIST Comma-separated rule IDs to ignore.
+          --help               Show this help message.
 
         Examples:
           php bin/php-sl.php --path ./src
-          php bin/php-sl.php -p ./app --exclude vendor,tests
+          php bin/php-sl.php -p ./app --exclude .git,storage,vendor,tests
+          php bin/php-sl.php -p ./src --exclude-rules CIS-003,OWASP-001
 
         HELP;
 }
 
 /**
- * Outputs security scan results inspecified format.
+ * Outputs security scan results in specified format.
  *
  * A human-readable summary is displayed with file-specific details.
  *
@@ -65,8 +67,7 @@ function outputResults(array $results): void
 {
     $scannedCount = $results['_meta']['scanned_count'] ?? 0;
     $issueCount = $results['_meta']['issue_count'] ?? 0;
-    unset($results['_meta']); // Don't show meta data in file list
-
+    unset($results['_meta']); // Don't show meta data in file list.
     echo "Scan results\n";
     echo str_repeat("=", 40) . "\n\n";
 
@@ -93,6 +94,7 @@ function runCli(array $argv): int
     $longOpts = [
         'path:',
         'exclude:',
+        'exclude-rules:',
         'help',
     ];
     $options = getopt($shortOpts, $longOpts);
@@ -102,20 +104,6 @@ function runCli(array $argv): int
         return 0;
     }
 
-
-    $shortOpts = 'p:';
-    $longOpts = [
-        'path:',
-        'exclude:',
-        'help',
-    ];
-    $options = getopt($shortOpts, $longOpts);
-
-    if (isset($options['help'])) {
-        showHelp();
-        exit(0);
-    }
-
     // Validate path.
     $path = $options['p'] ?? $options['path'] ?? null;
 
@@ -124,23 +112,47 @@ function runCli(array $argv): int
         exit(0);
     }
 
-    // Process exclusions.
-    $exclude = [];
+    // Process file/dir exclusions.
+    $excludePaths = [
+        // Default exclusions.
+        'vendor',
+        '.git',
+        '.github',
+        '.gitlab',
+        '.azure-pipelines',
+        '.husky',
+        '.circleci',
+        '.vscode',
+        '.idea',
+    ];
 
     if (isset($options['exclude'])) {
-        $exclude = is_array($options['exclude'])
+        $userExclusions = is_array($options['exclude'])
             ? $options['exclude']
             : explode(',', $options['exclude']);
+        // Merge user exclusions into the default list, and ensure unique values.
+        $excludePaths = array_unique(array_merge($excludePaths, $userExclusions));
+    }
+
+    // Process rule exclusions.
+    $excludeRules = [];
+
+    if (isset($options['exclude-rules'])) {
+        $excludeRules = is_array($options['exclude-rules'])
+            ? $options['exclude-rules']
+            : explode(',', $options['exclude-rules']);
+        // Normalize and trim each rule ID.
+        $excludeRules = array_map('trim', $excludeRules);
     }
 
     try {
-        $linter = new Linter();
-        $results = $linter->scan($path, $exclude);
+        // Pass rule exclusions to Linter constructor.
+        $linter = new Linter($excludeRules);
+        $results = $linter->scan($path, $excludePaths);
         outputResults($results);
         exit(0);
     } catch (LinterException $e) {
         fwrite(STDERR, sprintf('SCAN ERROR [%d]: %s%s', $e->getCode(), $e->getMessage(), PHP_EOL));
-
         exit(2);
     } catch (Exception $e) {
         fwrite(STDERR, sprintf('FATAL ERROR: %s%s', $e->getMessage(), PHP_EOL));
diff --git a/src/Linter.php b/src/Linter.php
@@ -33,7 +33,7 @@
  * Class Linter
  *
  * This class is responsible for scanning PHP files within a directory for security vulnerabilities.
- * It applies predefined security rules to detect unsafe patterns and reportsfindings.
+ * It applies predefined security rules to detect unsafe patterns and reports findings.
  */
 final class Linter
 {
@@ -43,23 +43,32 @@ final class Linter
     private $rules = [];
 
     /**
-     * Constructor initializes security rules based on CIS and OWASP guidelines.
+     * Constructor initializes security rules based on CIS and OWASP guidelines, applying exclusions.
+     * * @param array $excludeRuleIds List of rule IDs to exclude.
      */
-    public function __construct()
-    {
-        $this->rules = array_merge(
+    public function __construct(
+        /**
+         * @var array List of rule IDs to exclude.
+         */
+        private readonly array $excludedRuleIds = []
+    ) {
+        $allRules = array_merge(
             CisRules::getRules(),
             OwaspRules::getRules()
         );
+        // Filter the rules based on the provided IDs
+        $this->rules = array_filter($allRules, fn(array $rule): bool =>
+        // Only keep the rule if its ID is NOT in the excludedRuleIds list
+        !in_array($rule['id'], $this->excludedRuleIds, true));
     }
 
     /**
-     * Scans PHP files ingiven directory for security issues.
+     * Scans PHP files in given directory for security issues.
      *
-     * @param string $path Path todirectory to scan.
+     * @param string $path Path to directory to scan.
      * @param array $exclude List of file patterns or paths to exclude from scanning.
      * @return array An associative array of detected security issues by file.
-     * @throws LinterException Ifspecified path does not exist.
+     * @throws LinterException If specified path does not exist.
      */
     public function scan(string $path, array $exclude = []): array
     {
@@ -72,20 +81,17 @@ public function scan(string $path, array $exclude = []): array
             new RecursiveDirectoryIterator($path)
         );
         $phpFiles = new RegexIterator($iterator, '/^.+\.php$/i', RegexIterator::GET_MATCH);
-
         $scannedCount = 0;
         $issueCount = 0;
 
         foreach ($phpFiles as $file) {
             $filePath = $file[0];
-
             if ($this->shouldExclude($filePath, $exclude)) {
                 continue;
             }
 
             $scannedCount++;
             $issues = $this->scanFile($filePath);
-
             if (!empty($issues)) {
                 $results[$filePath] = $issues;
                 $issueCount += count($issues);
@@ -130,9 +136,7 @@ private function shouldExclude(string $filePath, array $exclude): bool
                 continue;
             }
 
-            if (($this->isAbsolutePathMatch($filePath, $excludedPattern)) ||
-                ($this->isBasenameOrRelativePathMatch($filePath, $excludedPattern))
-            ) {
+            if (($this->isAbsolutePathMatch($filePath, $excludedPattern)) || ($this->isBasenameOrRelativePathMatch($filePath, $excludedPattern))) {
                 return true;
             }
         }
@@ -171,8 +175,8 @@ private function isAbsolutePathMatch(string $filePath, string $excludedPattern):
      */
     private function isAbsolutePath(string $path): bool
     {
-        return str_starts_with($path, '/') ||  // Unix
-            preg_match('/^[A-Za-z]:[\/\\\\]/', $path);  // Windows
+        return str_starts_with($path, '/') || // Unix
+            preg_match('/^[A-Za-z]:[\/\\\\]/', $path); // Windows
     }
 
     /**
@@ -191,8 +195,8 @@ private function isBasenameOrRelativePathMatch(string $filePath, string $exclude
     /**
      * Scans a PHP file for security vulnerabilities based on predefined rules.
      *
-     * @param string $filePath Path tofile to scan.
-     * @return array List of detected security issues withinfile.
+     * @param string $filePath Path to file to scan.
+     * @return array List of detected security issues within file.
      */
     private function scanFile(string $filePath): array
     {
@@ -208,7 +212,7 @@ private function scanFile(string $filePath): array
         foreach ($this->rules as $rule) {
             // Check full content first for better pattern matching.
             if (preg_match($rule['pattern'], $content)) {
-                // Findline number where it occurs.
+                // Find line number where it occurs.
                 $lineNumber = 1;
                 foreach ($lines as $line) {
                     if (preg_match($rule['pattern'], $line)) {
