mirror of
https://github.com/nextcloud/server.git
synced 2026-04-15 22:11:17 -04:00
47ac8e0028
This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/ It also adds a plugin for adding input into AppFramework. The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning **Q&A:** Q: Why do you not use the shipped Psalm version? A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want. Q: How do I improve false positives? A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/ Q: How do I add custom sources? A: https://psalm.dev/docs/security_analysis/custom_taint_sources/ Q: We should run this on apps! A: Yes. Q: What will change in Psalm? A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on. Q: Why is the plugin MIT licensed? A: Because its the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :) Signed-off-by: Lukas Reschke <lukas@statuscode.ch> |
||
|---|---|---|
| .. | ||
| .ci-conf | ||
| integration | ||
| psalm | ||
| stubs | ||
| .htaccess | ||
| autoloaderchecker.sh | ||
| build.xml | ||
| buildjsdocs.sh | ||
| ca-bundle-checker.sh | ||
| compile-handlebars-templates.sh | ||
| files-checker.php | ||
| gen-coverage-badge.php | ||
| htaccess-checker.php | ||
| image-optimization.sh | ||
| jsdocs9.tar.bz2 | ||
| license.php | ||
| OCPSinceChecker.php | ||
| package-lock.json | ||
| package.json | ||
| phpDocumentor.sh | ||
| psalm-baseline.xml | ||
| signed-off-checker.php | ||
| translation-checker.php | ||
| triple-dot-checker.php | ||
| update-apps.sh | ||
| update.sh | ||
| vue-builds.sh | ||