mirror of
https://github.com/nextcloud/server.git
synced 2026-04-15 22:11:17 -04:00
47ac8e0028
This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/ It also adds a plugin for adding input into AppFramework. The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning **Q&A:** Q: Why do you not use the shipped Psalm version? A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want. Q: How do I improve false positives? A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/ Q: How do I add custom sources? A: https://psalm.dev/docs/security_analysis/custom_taint_sources/ Q: We should run this on apps! A: Yes. Q: What will change in Psalm? A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on. Q: Why is the plugin MIT licensed? A: Because its the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :) Signed-off-by: Lukas Reschke <lukas@statuscode.ch> |
||
|---|---|---|
| .. | ||
| template | ||
| OC_API.php | ||
| OC_App.php | ||
| OC_DB.php | ||
| OC_DB_StatementWrapper.php | ||
| OC_Defaults.php | ||
| OC_EventSource.php | ||
| OC_FileChunking.php | ||
| OC_Files.php | ||
| OC_Helper.php | ||
| OC_Hook.php | ||
| OC_Image.php | ||
| OC_JSON.php | ||
| OC_Response.php | ||
| OC_Template.php | ||
| OC_User.php | ||
| OC_Util.php | ||