diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2020-11-20 11:19:59 +0000 |
|---|---|---|
| committer | Morris Jobke <hey@morrisjobke.de> | 2020-11-20 23:12:00 +0100 |
| commit | 47ac8e0028d88f3f103412df1574eb8212d57765 (patch) | |
| tree | 2523d7de0fd78007244faabfa991d30662fa7e8c /resources/codesigning | |
| parent | 7fd7601016ca08cfcb5ad7281310d9272de61509 (diff) | |
| download | nextcloud-server-47ac8e0028d88f3f103412df1574eb8212d57765.tar.gz nextcloud-server-47ac8e0028d88f3f103412df1574eb8212d57765.zip | |
Add Psalm Taint Flow Analysis
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/
It also adds a plugin for adding input into AppFramework.
The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning
**Q&A:**
Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.
Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/
Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/
Q: We should run this on apps!
A: Yes.
Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.
Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'resources/codesigning')
0 files changed, 0 insertions, 0 deletions