
Commit dfeb56e

Merge remote-tracking branch 'upstream/master'
2 parents 5e5771d + 3180684 commit dfeb56e


3 files changed

+5
-5
lines changed

README.md

Lines changed: 1 addition & 1 deletion
@@ -122,7 +122,7 @@ Annoyances
122122
As any security tools, this one comes with it's share of annoyance. At first a focus on finding vulnerabilities will be done, but later it is planned to have a phase where efforts will be towards reducing annoyances, in particular with the number of false positives.
123123

124124
* It's a generator of false positives. This can actually help you learn what are the weak functions in PHP. Paranoia mode will fix that by doing a major cut-off on warnings when set to 0.
125-
* It's slow. On big Drupal modules and core it can take too much time (and RAM, reconfigure cli/php.ini to use 512M if needed) to run. Not sure if it's because of bugs in PHPCS or this set of rules, but will be investigated last. Meanwhile you can configure PHPCS to ignore big contrib modules (and run another instance of PHPCS for .info parsing only for them). An example is og taking hours, usually everything runs under 1-2 minutes and sometime around 5 minute. You can only use one core in PHP since no multithreading is available. Possible workaround is to use phpcs --ignore=folder to skip scanning of those parts.
125+
* It's slow. On big Drupal modules and core it can take too much time (and RAM, reconfigure cli/php.ini to use 512M if needed) to run. Not sure if it's because of bugs in PHPCS or this set of rules, but will be investigated last. Meanwhile you can configure PHPCS to ignore big contrib modules (and run another instance of PHPCS for .info parsing only for them). An example is og taking hours, usually everything runs under 1-2 minutes and sometime around 5 minute. You can try using the `--parallel=8` (or another number) option to try and speed things up on supported OSes. Possible workaround is to use phpcs --ignore=folder to skip scanning of those parts.
126126
* For Drupal advisories checking: a module with multiple versions might be secure if a lesser fixed version exists and you'll still get the error or warning. Keep everything updated at latest as recommended on Drupal's website.
127127

128128
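Review bot: the new sentence on line 125 is vague about when `--parallel=8` actually helps. `--parallel` exists only in PHP_CodeSniffer 3.0 and later and needs the PCNTL extension; without PCNTL the option is ignored and PHPCS runs in a single process, so saying that instead of "on supported OSes" would spare users a fruitless retry. The trailing sentence "Possible workaround is to use phpcs --ignore=folder to skip scanning of those parts." was a workaround for the single-core limitation that this hunk removes, so it now hangs loose; either reattach it to the "og taking hours" example or reword it, and give `--ignore=folder` the same backticks as `--parallel=8`.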

example_base_ruleset.xml

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
<?xml version="1.0"?>
2-
<ruleset name="Drupal7">
2+
<ruleset name="PHPSecurity">
33
<description>Rules for standard PHP projects</description>
44

55
<!-- Code Reviews Rules -->
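Review bot: the `name` attribute is the identifier PHPCS prints for the standard and the one `phpcs -i` and `--standard=` use once the ruleset directory is registered via `installed_paths`, so the change from `Drupal7` to `PHPSecurity` is user-visible, and the README touched in this same commit does not mention the new names; a line there listing `PHPSecurity` and `Drupal7Security` would cover it. The fix itself is right: a ruleset whose description reads "Rules for standard PHP projects" should not carry the Drupal 7 name.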
@@ -12,7 +12,7 @@
1212

1313
<!-- Global properties -->
1414
<!-- Please note that not every sniff uses them and they can be overwritten by rule -->
15-
<!-- Paranoya mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
15+
<!-- Paranoia mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
1616
<config name="ParanoiaMode" value="1"/>
1717

1818
<!-- BadFunctions -->
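Review bot: while the comment on line 15 is being rewritten, `vulnerabilites` should become `vulnerabilities` in the same line. It would also help to state the alternative value here: the README in this commit says warnings are cut off when paranoia mode is set to 0, but a reader of this ruleset sees only `<config name="ParanoiaMode" value="1"/>` with no hint that 0 exists, e.g. "set to 0 to drop most warnings".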

example_drupal7_ruleset.xml

Lines changed: 2 additions & 2 deletions
@@ -1,5 +1,5 @@
11
<?xml version="1.0"?>
2-
<ruleset name="Drupal7">
2+
<ruleset name="Drupal7Security">
33
<description>Rules for Drupal 7 projects</description>
44
<!-- Code Reviews Rules -->
55
<!--
@@ -13,7 +13,7 @@
1313
<!-- Please note that not every sniff uses them and they can be overwritten by rule -->
1414
<!-- Framework or CMS used. Must be a class under Security_Sniffs. -->
1515
<config name="CmsFramework" value="Drupal7"/>
16-
<!-- Paranoya mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
16+
<!-- Paranoia mode: Will generate more alerts but will miss less vulnerabilites. Good for assisting manual code review. -->
1717
<config name="ParanoiaMode" value="1"/>
1818

1919
<!-- BadFunctions -->
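Review bot: same leftover typo as in the base ruleset: `vulnerabilites` on line 16 of this file should be corrected in the same pass as `Paranoya`, otherwise the two example rulesets drift apart again on the next copy-edit.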
