| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Add Psalm Security Analysis
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/
It also adds a plugin for adding input into AppFramework.
The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning
**Q&A:**
Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.
Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/
Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/
Q: We should run this on apps!
A: Yes.
Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.
Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
|
|/
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
|
|
| |
Signed-off-by: Julius Härtl <jus@bitgrid.net>
|
| |
|
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
| |
|
|
|
|
| |
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
|
|
|
|
| |
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
|
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
This reverts commit 2e912990ff63ca364a070243594b174e0ec9868b.
|
|
|
|
|
|
|
| |
It is needed for #22314 and I will revert it right away afterwards.
Sorry for the trouble.
See the answer in https://stackoverflow.com/questions/59560214/github-action-works-on-push-but-not-scheduled
|
|
|
|
|
|
|
| |
For debugging purposed due to a GitHub bug.
See #22325
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
| |
|
|
|
|
|
| |
It is needed for https://github.com/nextcloud/server/pull/22314 and I will revert it right away afterwards.
Sorry for the trouble.
|
|
|
|
|
|
| |
itself
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
| |
|
|
|
|
| |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
|
|
| |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|\
| |
| | |
Add text about subscribing issues and sync introduction to feature request
|
| |
| |
| |
| | |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|/
|
|
| |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Joas Schilling <coding@schilljs.com>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
|
|
| |
all nextcloud repos.
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Gary Kim <gary@garykim.dev>
|
|\
| |
| | |
Lint on github actions
|
| |
| |
| |
| | |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|/
|
|
|
|
| |
The action is slower plus we can use more actions this way ;)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
| |
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
|
|
|
|
|
|
| |
Saves checking out the whole tree.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
|
|
| |
Thanks to nextcloud/calendar
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|
|
|
|
| |
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
|
|
|
|
|
|
| |
Colon outside of italics in the bug report issue template when in every similar instance of this in this file it is inside.
Signed-off-by: Rillian Grant <rillian.grant@hotmail.com>
|
|\
| |
| | |
security@nextcloud.com is not being monitored and mails are being dro…
|
| |
| |
| |
| | |
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
|