I would like to point to a tool that will be useful for developing my application: Pixy. This tool takes the same approach that I want to take to return feedback about vulnerabilities in PHP applications. If you have read my application, you probably took a look at it already.
For those who did not, here is a tiny overview. The PHP files are parsed by JFlex and CUP to construct a parse tree. This tree is transformed into a linear form resembling three-address code. This is the form on which the flow-sensitive, interprocedural, context-sensitive analysis is conducted. For more details I recommend reading the short paper.
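To make the idea of running a taint analysis over a linearised form concrete, here is an added toy example (my own illustration, not Pixy's code): a constructed PHP snippet is written out by hand as three-address-style instructions, and a single flow-sensitive pass tracks which variables carry untrusted input until they reach an output sink. It is branch-free and intraprocedural, so it omits the control-flow joins and call handling that Pixy does; the source, sanitizer and sink names are assumptions chosen for the example.

```python
# Added example, not part of Pixy. Constructed PHP sample (XSS-style data flow):
#   $name = $_GET['name'];
#   $safe = htmlspecialchars($name);
#   echo $name;        // untrusted input reaches output unescaped
#   echo $safe;        // escaped before output
#   $name = "literal";
#   echo $name;        // reassigned with a constant, so clean again

SOURCES = {"$_GET", "$_POST", "$_COOKIE"}            # where taint enters (assumed set)
SANITIZERS = {"htmlspecialchars", "htmlentities", "intval"}  # calls that remove taint
SINKS = {"echo", "print"}                             # where tainted data must not arrive

def analyse(tac):
    """Flow-sensitive taint pass over a linear three-address sequence.
    Instruction forms:
      ("assign", dst, src)        dst = src
      ("call", dst, func, arg)    dst = func(arg)
      ("sink", func, arg)         func(arg)
    Returns [(instruction_index, sink_name, variable)] for each tainted sink."""
    tainted = set()
    findings = []
    for i, ins in enumerate(tac):
        op = ins[0]
        if op == "assign":
            _, dst, src = ins
            if src in SOURCES or src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)        # overwrite with clean data clears taint
        elif op == "call":
            _, dst, func, arg = ins
            if arg in tainted and func not in SANITIZERS:
                tainted.add(dst)            # ordinary calls propagate taint
            else:
                tainted.discard(dst)        # sanitizer output is treated as clean
        elif op == "sink":
            _, func, arg = ins
            if func in SINKS and arg in tainted:
                findings.append((i, func, arg))
    return findings

# The sample above, linearised by hand (the $_GET index is dropped for brevity).
SAMPLE = [
    ("assign", "$name", "$_GET"),
    ("call", "$safe", "htmlspecialchars", "$name"),
    ("sink", "echo", "$name"),
    ("sink", "echo", "$safe"),
    ("assign", "$name", '"literal"'),
    ("sink", "echo", "$name"),
]

if __name__ == "__main__":
    for idx, sink, var in analyse(SAMPLE):
        print(f"instruction {idx}: tainted {var} reaches {sink}")
```

Only the first `echo` is reported: the sanitized copy and the reassigned variable are both clean, which is exactly the distinction a flow-insensitive analysis would miss.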
Pixy performs well, but has at least one major limitation: it does not support the object-oriented features of PHP. The online services of the scouts organisation of the Netherlands are almost completely OO, but cannot be scanned. I hope to solve this limitation with my solution.
The advantage of Pixy is that it uses the original Flex and Bison specifications. Stratego requires an SDF, so let's get started!