feat: support const init and const invoke

internal/languages/php/.snapshots/TestConst--main.yml

@@ -0,0 +1,30 @@
+low:
+    - rule:
+        cwe_ids: []
+        id: php_rule_logger_test
+        title: ""
+        description: ""
+        documentation_url: ""
+      line_number: 7
+      full_filename: main.php
+      filename: main.php
+      source:
+        location:
+            start: 7
+            end: 7
+            column:
+                start: 10
+                end: 38
+      sink:
+        location:
+            start: 7
+            end: 7
+            column:
+                start: 10
+                end: 38
+        content: hash( self::ALGO, $content )
+      parent_line_number: 7
+      snippet: hash( self::ALGO, $content )
+      fingerprint: b1e6825cdfdbf302da0f7c9887efd995_0
+      old_fingerprint: b1e6825cdfdbf302da0f7c9887efd995_0
+

internal/languages/php/analyzer/analyzer.go

@@ -1,6 +1,8 @@
 package analyzer
 
 import (
+	"slices"
+
 	sitter "github.com/smacker/go-tree-sitter"
 
 	"github.com/bearer/bearer/internal/scanner/ast/tree"
@@ -45,6 +47,8 @@ func (analyzer *analyzer) Analyze(node *sitter.Node, visitChildren func() error)
 		return analyzer.analyzeGenericConstruct(node, visitChildren)
 	case "switch_label":
 		return visitChildren()
+	case "const_declaration":
+		return analyzer.analyzeConstDeclaration(node, visitChildren)
 	case "dynamic_variable_name":
 		return analyzer.analyzeDynamicVariableName(node, visitChildren)
 	case "subscript_expression":
@@ -197,6 +201,27 @@ func (analyzer *analyzer) analyzeSubscript(node *sitter.Node, visitChildren func
 	return visitChildren()
 }
 
+func (analyzer *analyzer) analyzeConstDeclaration(node *sitter.Node, visitChildren func() error) error {
+	child := node.NamedChild(0)
+
+	if child.Type() == "visibility_modifier" {
+		child = node.NamedChild(1)
+	}
+
+	left := child.NamedChild(0)
+	right := child.NamedChild(1)
+	analyzer.lookupVariable(right)
+
+	err := visitChildren()
+
+	if left.Type() == "name" {
+		analyzer.builder.Alias(left, right)
+		analyzer.scope.Declare("self::"+analyzer.builder.ContentFor(left), right)
+	}
+
+	return err
+}
+
 // catch(FooException | BarException $e) {}
 func (analyzer *analyzer) analyzeCatchClause(node *sitter.Node, visitChildren func() error) error {
 	return analyzer.withScope(language.NewScope(analyzer.scope), func() error {
@@ -258,7 +283,7 @@ func (analyzer *analyzer) withScope(newScope *language.Scope, body func() error)
 }
 
 func (analyzer *analyzer) lookupVariable(node *sitter.Node) {
-	if node == nil || node.Type() != "variable_name" {
+	if node == nil || !slices.Contains([]string{"variable_name", "class_constant_access_expression"}, node.Type()) {
 		return
 	}
 

internal/languages/php/php_test.go

@@ -22,6 +22,9 @@ var loggerRule []byte
 //go:embed testdata/scope_rule.yml
 var scopeRule []byte
 
+//go:embed testdata/md.yml
+var mdRule []byte
+
 func TestFlow(t *testing.T) {
 	testhelper.GetRunner(t, loggerRule, "PHP").RunTest(t, "./testdata/testcases/flow", ".snapshots/flow/")
 }
@@ -30,6 +33,10 @@ func TestScope(t *testing.T) {
 	testhelper.GetRunner(t, scopeRule, "PHP").RunTest(t, "./testdata/scope", ".snapshots/")
 }
 
+func TestConst(t *testing.T) {
+	testhelper.GetRunner(t, mdRule, "PHP").RunTest(t, "./testdata/md", ".snapshots/")
+}
+
 func TestAnalyzer(t *testing.T) {
 	for _, test := range []struct{ name, code string }{
 		{"foreach", `<?php

internal/languages/php/testdata/md.yml

@@ -0,0 +1,11 @@
+type: "risk"
+languages:
+  - php
+patterns:
+  - pattern: |
+      hash($<ALGORITHM>$<...>)
+    filters:
+      - variable: ALGORITHM
+        string_regex: md\d
+metadata:
+  id: php_rule_logger_test

internal/languages/php/testdata/md/main.php

@@ -0,0 +1,10 @@
+<?php
+class ContentsHasher {
+	private const ALGO = 'md4';
+
+	public static function getFileContentsHash( $content ) {
+
+		return hash( self::ALGO, $content );
+	}
+}
+?>