Is there a static analysis tool for PHP source files?
The PHP binary itself can check for syntax errors, but I am looking for something that does more, such as: unused variable assignments, arrays that are assigned to without being initialised, and perhaps coding-style warnings too ...
Current answer
There is a static source code analyser for vulnerabilities in PHP scripts. The source code of RIPS can be found on SourceForge.
From the RIPS website:
RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by userinput (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
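As an added example (not code from the question, from any answer, or from the RIPS project), the following script shows the first two steps the RIPS description mentions on a very small scale: it tokenizes a PHP file with the built-in `token_get_all()`, then reports variables that are assigned but never read (the check the question asks for) and sensitive sink calls whose argument list directly contains a request superglobal. The function names, the sink list, the superglobal list and the sample input are assumptions made for this example.

```php
<?php
// Added example: a minimal token-based PHP auditor, not RIPS itself.
// Sink and superglobal lists are assumptions chosen for illustration.
declare(strict_types=1);

const SINK_FUNCTIONS = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
const SUPERGLOBALS   = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];

/** Index of the next token that is neither whitespace nor a comment (count($tokens) if none). */
function next_significant(array $tokens, int $i): int
{
    $n = count($tokens);
    for ($j = $i + 1; $j < $n; $j++) {
        $t = $tokens[$j];
        if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return $n;
}

/** Analyse one PHP source string and return a list of human-readable findings. */
function analyze_php_source(string $code): array
{
    $tokens   = token_get_all($code);
    $n        = count($tokens);
    $findings = [];
    $writes   = []; // variable name => line of first assignment
    $reads    = []; // variable name => true

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens such as '(' or '=' carry no id
        }
        [$id, $text, $line] = $tok;

        // (1) Variable bookkeeping: a variable directly followed by '=' is a write;
        // everything else (parameters, '.=', comparisons, echo) counts as a read.
        if ($id === T_VARIABLE && $text !== '$this' && !in_array($text, SUPERGLOBALS, true)) {
            $next = $tokens[next_significant($tokens, $i)] ?? null;
            if ($next === '=') {
                $writes[$text] = $writes[$text] ?? $line;
            } else {
                $reads[$text] = true;
            }
        }

        // (2) Sink check: a sink name followed by '(' whose argument list, up to the
        // matching ')', mentions a request superglobal without any intermediate step.
        $isSink = ($id === T_EVAL)
            || ($id === T_STRING && in_array(strtolower($text), SINK_FUNCTIONS, true));
        if ($isSink) {
            $open = next_significant($tokens, $i);
            if (($tokens[$open] ?? null) !== '(') {
                continue;
            }
            $depth = 0;
            for ($j = $open; $j < $n; $j++) {
                $t = $tokens[$j];
                if ($t === '(') {
                    $depth++;
                } elseif ($t === ')') {
                    if (--$depth === 0) {
                        break;
                    }
                } elseif (is_array($t) && $t[0] === T_VARIABLE && in_array($t[1], SUPERGLOBALS, true)) {
                    $findings[] = sprintf('line %d: %s flows directly into sink %s()', $t[2], $t[1], strtolower($text));
                    break;
                }
            }
        }
    }

    foreach ($writes as $name => $line) {
        if (!isset($reads[$name])) {
            $findings[] = sprintf('line %d: %s is assigned but never read', $line, $name);
        }
    }
    return $findings;
}

// Constructed sample input for this example (a nowdoc, so $_GET is not interpolated).
$sample = <<<'PHP'
<?php
$unused = 42;
$name = $_GET['name'];
$greeting = "Hello " . $name;
echo $greeting;
system($_GET['cmd']);
PHP;

foreach (analyze_php_source($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the constructed sample this reports the direct flow of `$_GET` into `system()` on line 6 and the never-read `$unused` on line 2. It deliberately stops short of what the RIPS description calls a program model: `$name` is tainted by `$_GET` on line 3 and reaches `echo` on line 5, but because the taint is not propagated through the assignment, this example does not flag it. Following such flows across assignments, function calls and files is exactly the extra work a real static analyser does.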
Other answers
PHP Mess Detector is great, and it is fast.
See the clone detection tool CloneDR from Semantic Designs, which finds copied/pasted/edited code.
It will find exact and near-miss code fragments, in spite of whitespace, comments and even variable renaming. A sample detection report for PHP can be found on the website. (I am the author.)
PHP PMD (Programming Mess Detector) and PHP CPD (Copy/Paste Detector), formerly part of PHPUnit.
For completeness, also check out phpCallGraph.