Commit Graph

41 Commits

Author SHA1 Message Date
Roeland Jago Douma cc18213c98 Have psalm analysis directly on github
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-02-10 14:57:36 +01:00
Roeland Jago Douma 08cae2ec44
Revert "Pin Psalm version to an older one" 2021-02-02 22:08:01 +01:00
Lukas Reschke f1d2dcdaa5 Pin Psalm version to an older one
Ref https://github.com/vimeo/psalm/issues/5144

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-02-02 13:54:18 +00:00
Roeland Jago Douma c96bb21ab9
Merge pull request #24903 from nextcloud/enh/psalm-ocp
Add dedicated baseline for OCP
2020-12-30 13:23:25 +01:00
Roeland Jago Douma fe65f8facf
Add dedicated baseline for OCP
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-12-30 11:06:00 +01:00
Julius Härtl c42385ef0f
Cleanup bundle files before checking the rebuild
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-12-29 12:20:32 +01:00
Julius Härtl c7a320d880 jsunit: Run jsunit with chromium/puppeteer on github actions
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-12-29 08:42:27 +01:00
Morris Jobke 6811274cfd
Merge pull request #24246 from LukasReschke/add-taint-flow-analysis
Add Psalm Security Analysis
2020-11-21 00:04:37 +01:00
Lukas Reschke 47ac8e0028
Add Psalm Taint Flow Analysis
This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/

Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2020-11-20 23:12:00 +01:00
Roeland Jago Douma 12f322d804
Also lint php8
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-11-20 16:49:09 +01:00
Joas Schilling a524e83be0
Fix naming of jobs and steps
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-10 21:39:19 +01:00
Julius Härtl 2050517d44
Add github action for oci8
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-11-10 15:34:35 +01:00
John Molakvoæ 1e7a82d99e
Fix php lint action 2020-11-05 09:34:04 +01:00
Morris Jobke bb05f0e4eb
Do not commit updated composer dependencies in psalm baseline update
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-10-30 10:48:01 +01:00
Morris Jobke f18d9cd310
Update daily "update psalm baseline" job to composer psalm
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-10-29 09:58:25 +01:00
Morris Jobke 106c8d719c
Do not fail on changes to baseline.xml
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-10-13 21:55:37 +02:00
Christoph Wurst 081e9ac47f
Use own psalm instead of a global one
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-10-13 17:55:37 +02:00
John Molakvoæ (skjnldsv) 91e463ff00
Move to automated dependabot merging
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2020-09-07 14:45:53 +02:00
Morris Jobke 886466d510
Run psalm-baseline.xml update once a day
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-20 12:51:51 +02:00
Morris Jobke 458320e8d7
Revert "This is just to trigger the GitHub scheduled actions registration"
This reverts commit 2e912990ff.
2020-08-20 12:50:57 +02:00
Morris Jobke 2e912990ff
This is just to trigger the GitHub scheduled actions registration
It is needed for #22314 and I will revert it right away afterwards.

Sorry for the trouble.

See the answer in https://stackoverflow.com/questions/59560214/github-action-works-on-push-but-not-scheduled
2020-08-20 12:50:27 +02:00
Morris Jobke ebc80dba78
Run update-psalm-baseline action every 5 minutes
For debugging purposed due to a GitHub bug.

See #22325 

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-20 12:44:03 +02:00
Morris Jobke 27157051aa
Revert "This is just to trigger the GitHub scheduled actions registration" 2020-08-20 12:41:47 +02:00
Morris Jobke f255f42991
This is just to trigger the GitHub scheduled actions
It is needed for https://github.com/nextcloud/server/pull/22314 and I will revert it right away afterwards.

Sorry for the trouble.
2020-08-20 12:40:42 +02:00
Morris Jobke 50784a7c51
Generate psalm-baseline.xml PR instead of requiring this from the PR author itself
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-20 12:34:29 +02:00
Morris Jobke 4db7829f43
Better psalm CI output
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-19 18:16:35 +02:00
Morris Jobke 42bb6cd7d7
Check only the baseline.xml and exclude the psalm.xml from the file check
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-18 13:01:10 +02:00
Morris Jobke 80056e081a
Add a check for fixes in the psalm baseline
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2020-08-18 13:01:05 +02:00
Daniel Kesselberg 7257793fc4
Hello psalm
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2020-08-18 08:58:19 +02:00
Daniel Kesselberg 08cb4b8172
Run cs:check a second time to show diff
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2020-07-15 15:35:58 +02:00
Daniel Kesselberg f64b47c36a
Report php-cs-fixer errors to GitHub
Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>
2020-07-13 16:04:31 +02:00
Christoph Wurst 9e6fcd585b
Show a hint for the php-cs fix when the check fails
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-14 22:11:41 +02:00
Christoph Wurst c9980ed099
Add php-cs check action
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-04-14 17:44:08 +02:00
Gary Kim 907a27897a
Move Compile Handlebars CI to GitHub Actions
Signed-off-by: Gary Kim <gary@garykim.dev>
2020-02-23 12:13:48 +08:00
Roeland Jago Douma df4ca949f5 Merge pull request #19384 from nextcloud/enh/actions/lint
Lint on github actions
2020-02-10 11:39:29 +01:00
Roeland Jago Douma 64665c98e1
Lint on github actions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-10 09:32:45 +01:00
Roeland Jago Douma ae75e17eff
Lets just use the fixup bot
The action is slower plus we can use more actions this way ;)

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-10 09:20:20 +01:00
Christoph Wurst b267409d38
Add webpack-based js tests
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2020-02-07 16:56:35 +01:00
Roeland Jago Douma 582ab20e9d
Use checkout v2 for npm build action
Saves checking out the whole tree.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-03 21:55:24 +01:00
Roeland Jago Douma e639e11de3
Move npm build to github actions
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-02-03 09:42:23 +01:00
Roeland Jago Douma 31dfe01d96
Move away from fixupbot
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-12-06 11:46:10 +01:00