nextcloud

Commit Graph

Author	SHA1	Message	Date
dependabot-preview[bot]	eb502c02ff	Bump nextcloud/coding-standard from 0.3.0 to 0.5.0 Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0. - [Release notes](https://github.com/nextcloud/coding-standard/releases) - [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md) - [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0) Signed-off-by: dependabot-preview[bot] <support@dependabot.com> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>	2021-02-18 13:31:24 +01:00
Lukas Reschke	47ac8e0028	Add Psalm Taint Flow Analysis This adds the Psalm Security Analysis, as described at https://psalm.dev/docs/security_analysis/ It also adds a plugin for adding input into AppFramework. The results can be viewed in the GitHub Security tab at https://github.com/nextcloud/server/security/code-scanning Q&A: Q: Why do you not use the shipped Psalm version? A: I do a lot of changes to the Psalm Taint behaviour. Using released versions is not gonna get us the results we want. Q: How do I improve false positives? A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/ Q: How do I add custom sources? A: https://psalm.dev/docs/security_analysis/custom_taint_sources/ Q: We should run this on apps! A: Yes. Q: What will change in Psalm? A: Quite some of the PHP core functions are not yet marked to propagate the taint. This leads to results where the taint flow is lost. That's something that I am currently working on. Q: Why is the plugin MIT licensed? A: Because its the first of its kind (based on GitHub Code Search) and I want other people to copy it if they want to. Security is for all :) Signed-off-by: Lukas Reschke <lukas@statuscode.ch>	2020-11-20 23:12:00 +01:00

Author

SHA1

Message

Date

dependabot-preview[bot]

eb502c02ff

Bump nextcloud/coding-standard from 0.3.0 to 0.5.0

Bumps [nextcloud/coding-standard](https://github.com/nextcloud/coding-standard) from 0.3.0 to 0.5.0.
- [Release notes](https://github.com/nextcloud/coding-standard/releases)
- [Changelog](https://github.com/nextcloud/coding-standard/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nextcloud/coding-standard/compare/v0.3.0...v0.5.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

2021-02-18 13:31:24 +01:00

Lukas Reschke

47ac8e0028

Add Psalm Taint Flow Analysis

This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

2020-11-20 23:12:00 +01:00

2 Commits