From 47ac8e0028d88f3f103412df1574eb8212d57765 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Fri, 20 Nov 2020 11:19:59 +0000
Subject: Add Psalm Taint Flow Analysis

This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because it's the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke
---
 psalm.xml | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'psalm.xml')

diff --git a/psalm.xml b/psalm.xml
index 4e3bced149c..b90af78022a 100644
--- a/psalm.xml
+++ b/psalm.xml
@@ -7,6 +7,9 @@ xsi:schemaLocation="https://getpsalm.org/schema/config" errorBaseline="build/psalm-baseline.xml" > + + +
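Review bot: the three `+` lines added to psalm.xml after `errorBaseline="build/psalm-baseline.xml" >` carry no visible content in this view, so the plugin registration the commit message describes (the AppFramework input-source plugin) cannot be checked from the hunk; please confirm the inserted element(s) are well-formed XML that Psalm accepts under its config schema and that the plugin is actually loaded in the CI run that feeds the GitHub code-scanning tab. The message also states that a modified, unreleased Psalm is required rather than the shipped version, yet this change touches only psalm.xml, so the commit message or the config should record where that Psalm build and the plugin come from (a pinned commit), otherwise the taint results will not be reproducible by anyone re-running the analysis.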