Is your feature request related to a problem?

Yes. When writing code like the following, it's flagged as unescaped (WordPress.Security.EscapeOutput.OutputNotEscaped):

printf(
    'Foo %d Bar',
    $id
);

With some string formats, the format itself can provide adequate sanitising/escaping support. Specifically, any format which does not treat the input as a string: b

As a part of a project I'm working on, I need something like this for each sniff. Essentially, for each sniff:

• Explanation
• Resolution
• Reference

Does this already exist, or should I keep working on my reference?

Also, I'm aware the wiki might be a bett

Following the comments on #28, and the following the example of pretty good open source tools like those:
https://find-sec-bugs.github.io/bugs.htm
https://security-code-scan.github.io/#Rules

We need to have non-inline documentation that tells a story about:

• Why this is marked as an issue (vulnerability explanation)
• How to correct it (vulnerability remediation)
• Give outside documentat

The Symfony coding strandard documentation states:

Add PHPDoc blocks for all classes, methods, and functions (though you may be asked to remove PHPDoc that do not add value);

For example the inherited methods should not contain any PHPDoc comments, except if we want to add additional details.

use section does not actually need \ at the beginning of the classpath (leading backslash).
Let’s enforce it by static tests to prevent appearing such cases in future

Originally posted by @ihor-sviziev in magento/magento2#26129 (comment)

https://github.com/stevegrunwell/wp-enforcer/blob/develop/bin/hooks/pre-commit#L9

This line is hard-coded and does not respect the -c flag of the CLI.

# Determine if we have a phpcs.xml file
if [[ -f ./phpcs.xml ]]; then
	standard="--standard=./phpcs.xml"
else
	standard=''
fi

The above needs to be updated to accept an arg when -c is set in the CLI.

The Underscorejs output escaping sniff checks for <%=, but it's possible that <%= _.escape(...) would also sufficiently escape the output.

I don't know UnderscoreJS, so this needs looking into, but it may help remove some false positives.

As the title says, the ruleset.xml.example file seems out of date:

• Missing at least one "policy code" (if not more)
• Missing various customizable ruleset properties.

Issue Overview

When requesting a report for a specific version of a plugin, if Tide doesn't yet have a report for it it'll start to generate one and return a <p>pending</p> response.

That response then gets cached, and will return the <p>pending</p> response until it expires.
Suffixing a ?1 to the URL to bypass the URL caching then results in being able to access it.

Steps to R

Currently the int params and returns are being updated to integer. Same from bool to boolean.

The following doc (right):

/**
 * @param int $n
 *
 * @return int
 */
public function a(int $n):int
{
	return 2 * $n;
}

is updated to it (wrong):

/**
 * @param integer $n
 *
 * @return integer
 */
public function a(int $n):int
{
	return 2 * $n;
}
`

• Add code examples for each sniff. Done
• Show how to run individual sniffs or exclude individual sniffs.
• For each sniff show how to customize if applicable.
• Explain why, benefits of why you'd want each sniff.

Our project has its own phpcs.xml that points to a custom ruleset "Drupal Module".

Please document how we configure codeclimate to use our own ruleset.