mcp-server-semgrep
MCP Server for Semgrep Integration - static code analysis with AI
YAML
rules:
  - id: mcrypt-use
    patterns:
      - pattern: $FUNC(...);
      - metavariable-regex:
          metavariable: $FUNC
          regex: (mcrypt_|mdecrypt_).+
    message: >-
      Mcrypt functionality has been deprecated and/or removed in recent PHP
      versions. Consider using Sodium or OpenSSL.
    metadata:
      cwe:
        - 'CWE-676: Use of Potentially Dangerous Function'
      references:
        - https://www.php.net/manual/en/intro.mcrypt.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php
      category: security
      technology:
        - php
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
    languages: [php]
    severity: ERROR