Title: Benchmarking Static Analysis for PHP Applications Security
Authors: Jiazhen Zhao, Kailong Zhu, Canju Lu, Jun Zhao, Yuliang Lu
Journal: Entropy, volume 27, issue 9 (Journal Article), published 2025-09-03
DOI: 10.3390/e27090926 (https://doi.org/10.3390/e27090926)
Open-access PDF: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12468223/pdf/
Citation count: 0
Abstract
PHP is the most widely used server-side programming language, but it remains highly susceptible to diverse classes of vulnerabilities. Static Application Security Testing (SAST) tools are commonly adopted for vulnerability detection; however, their evaluation lacks systematic criteria capable of quantifying information loss and uncertainty in analysis. Existing approaches, often based on small real-world case sets or heuristic sampling, fail to control experimental entropy within test cases. This uncontrolled variability makes it difficult to measure the information gain provided by different tools and to accurately differentiate their performance under varying levels of structural and semantic complexity. In this paper, we have developed a systematic evaluation framework for PHP SAST tools, designed to provide accurate and comprehensive assessments of their vulnerability detection capabilities. The framework explicitly isolates key factors influencing data flow analysis, enabling evaluation over four progressive dimensions with controlled information diversity. Using a benchmark instance, we validate the framework's feasibility and show how it reduces evaluation entropy, enabling the more reliable measurement of detection capabilities. Our results highlight the framework's ability to reveal the limitations in current SAST tools, offering actionable insights for their future improvement.
Journal description:
Entropy (ISSN 1099-4300), an international and interdisciplinary journal of entropy and information studies, publishes reviews, regular research papers and short notes. Our aim is to encourage scientists to publish their theoretical and experimental details as fully as possible. There is no restriction on the length of the papers. Where computations or experiments are involved, the details must be provided so that the results can be reproduced.