path: root/.github/workflows/psalm-security.yml
Commit log (each entry: commit message, author, date, files changed, lines removed/added):
* fix(actions): Update psalm github action
  John Molakvoæ, 2022-12-29, 1 file changed, -28/+0
  Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
* chore(actions): update php min supported to 8.0
  John Molakvoæ, 2022-12-29, 1 file changed, -1/+1
  Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
* Pin Psalm version for security analysis
  Christoph Wurst, 2021-09-03, 1 file changed, -1/+1
  The action will otherwise pull dev-master and this can break easily, as we just experienced.
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Fix psalm action
  John Molakvoæ, 2021-05-28, 1 file changed, -3/+4
* Add ext-zip as platform dependency
  Christoph Wurst, 2021-05-03, 1 file changed, -0/+1
  Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Revert "Pin Psalm version to an older one"
  Roeland Jago Douma, 2021-02-02, 1 file changed, -1/+1
* Pin Psalm version to an older one
  Lukas Reschke, 2021-02-02, 1 file changed, -1/+1
  Ref https://github.com/vimeo/psalm/issues/5144
  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add Psalm Taint Flow Analysis
  Lukas Reschke, 2020-11-20, 1 file changed, -0/+26

  This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/

  It also adds a plugin for adding input into AppFramework.

  The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning

  **Q&A:**

  Q: Why do you not use the shipped Psalm version?
  A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want.

  Q: How do I improve false positives?
  A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

  Q: How do I add custom sources?
  A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

  Q: We should run this on apps!
  A: Yes.

  Q: What will change in Psalm?
  A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on.

  Q: Why is the plugin MIT licensed?
  A: Because it's the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :)

  Signed-off-by: Lukas Reschke <lukas@statuscode.ch>