
@cinu
Created December 28, 2016 11:17
PhpSourcerer (static code analysis tool) versus CVE-2016-10033 (PHPMailer < 5.2.18 Remote Code Execution)
$ php phpsourcerer.php --version
PhpSourcerer 0.1.1
$ cat ~/tmp/PHPMailer-5.2.17/CVE-2016-10033.php
<?php
$mail = new PHPMailer;
$mail->setFrom($_POST['a'], $_POST['b']);
$ php phpsourcerer.php -i ~/tmp/PHPMailer-5.2.17 -o /tmp/output --gc-disabled -T 0 -M 2G --force
$ ls -l /tmp/output/vulnerabilities/
razem 20
drwx------ 6 redeemer redeemer 4096 gru 28 11:46 PHP::echo_POST
drwx------ 3 redeemer redeemer 4096 gru 28 11:46 Standard::fwrite_POST
drwx------ 3 redeemer redeemer 4096 gru 28 11:46 Standard::ini_set_POST
drwx------ 3 redeemer redeemer 4096 gru 28 11:46 Standard::mail_POST
drwx------ 4 redeemer redeemer 4096 gru 28 11:46 Standard::popen_POST
$ ls -l /tmp/output/vulnerabilities/Standard\:\:mail_POST/
razem 4
drwx------ 2 redeemer redeemer 4096 gru 28 11:46 class.phpmailer.php:700
$ cat /tmp/output/vulnerabilities/Standard\:\:mail_POST/class.phpmailer.php\:700/Standard\:\:mail_POST
// ############################################################
// # 2016-12-28 11:46:10
// Sink: Standard::mail (cmdexec)
// Risk variable: _POST [/CVE-2016-10033.php:4]
// Callstack:
// PHPMailer::mailSend [/class.phpmailer.php:1454]
// PHPMailer::mailPassthru [/class.phpmailer.php:700]
// ############################################################
// # 2016-12-28 11:46:11
// Sink: Standard::mail (cmdexec)
// Risk variable: _POST [/CVE-2016-10033.php:4]
// Callstack:
// PHPMailer::mailSend [/class.phpmailer.php:1458]
// PHPMailer::mailPassthru [/class.phpmailer.php:700]
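The report above stops at the sink: request data reaches `mail()` through PHPMailer's `Sender`, which the library passed to `mail()`'s fifth argument as `-f<address>`, and PHP hands that argument to the sendmail binary via a shell. What a defender wants from such a finding is a wrapper that never lets an unvalidated sender reach that argument. The following is an added example written for this page, not code from the gist or from PHPMailer; `safeSenderParam` and `sendWithSender` are hypothetical names.

```php
<?php
// Added example (not from the gist or from PHPMailer): a defensive wrapper around
// mail() that treats the envelope sender as untrusted, which is exactly the flow
// the static-analysis report flags (_POST -> PHPMailer::mailPassthru -> mail).
declare(strict_types=1);

/**
 * Returns the additional_params string for mail(), or null when the sender must
 * not be used. Only an address that passes both checks ever reaches the shell.
 */
function safeSenderParam(string $sender): ?string
{
    // First gate: syntactically valid mailbox according to PHP's own validator.
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Second gate: a conservative allow-list. FILTER_VALIDATE_EMAIL accepts
    // quoted local parts, which may legally contain spaces, quotes and other
    // characters that have meaning to a shell; refuse those outright.
    if (preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/', $sender) !== 1) {
        return null;
    }
    // Deliberately no escapeshellarg() here: mail() already runs this argument
    // through escapeshellcmd(), and stacking a second escaping layer on top of
    // that is what undermined PHPMailer's first fix. An allow-list is simpler
    // to reason about than two interacting escapers.
    return '-f' . $sender;
}

/**
 * Sends a message with an optional envelope sender. If the sender is unsafe the
 * message still goes out, but with the MTA's default envelope sender, and the
 * rejection is logged so it shows up in monitoring.
 */
function sendWithSender(string $to, string $subject, string $body, string $sender): bool
{
    $params = safeSenderParam($sender);
    if ($params === null) {
        // Hex-encode the rejected value so the log line itself is not a vector.
        error_log('Rejected unsafe envelope sender: ' . bin2hex($sender));
        return mail($to, $subject, $body);
    }
    return mail($to, $subject, $body, '', $params);
}
```

Running `safeSenderParam()` over the address taken from `$_POST['a']` before it is ever assigned to `Sender` is the check the taint report is asking for; the allow-list is intentionally stricter than RFC 5322 because a mailbox that needs quoting has no business being an envelope sender taken from a web form.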

menzow commented Feb 16, 2017

Your blog post & tool look amazing. I had the idea of starting a similar project like this. Wondering if you're going to open source it?
And did you use nikic/php-parser for parsing the PHP into a syntax tree?
