path: root/build/psalm
Commit message | Author | Age | Files | Lines

* Refactor AppFrameworkTainter to make it more readable | jld3103 | 2023-04-05 | 1 | -20/+23
    Signed-off-by: jld3103 <jld3103yt@gmail.com>

* Update AppFrameworkTainter to use non-deprecated interface | jld3103 | 2023-04-05 | 1 | -16/+11
    Signed-off-by: jld3103 <jld3103yt@gmail.com>

* ci: migrate ocp since checker to psalm | Daniel Kesselberg | 2023-01-24 | 1 | -0/+115
    Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>

* Bump nextcloud/coding-standard from 0.3.0 to 0.5.0 | dependabot-preview[bot] | 2021-02-18 | 1 | -1/+1
    Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0.
    - [Release notes](https://github.com/nextcloud/coding-standard/releases)
    - [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0)

    Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
    Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

* Add Psalm Taint Flow Analysis | Lukas Reschke | 2020-11-20 | 1 | -0/+60
    This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/

    It also adds a plugin for adding input into AppFramework.

    The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning

    **Q&A:**

    Q: Why do you not use the shipped Psalm version?
    A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want.

    Q: How do I improve false positives?
    A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

    Q: How do I add custom sources?
    A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

    Q: We should run this on apps!
    A: Yes.

    Q: What will change in Psalm?
    A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on.

    Q: Why is the plugin MIT licensed?
    A: Because it's the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :)

    Signed-off-by: Lukas Reschke <lukas@statuscode.ch>