Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #15015 Initiate usage of Psalm taint analysis feature
    Actions
    Infos
    #15015
    Thomas Gerbet (tgerbet)
    2020-11-06 17:01
    2020-06-25 09:30
    16265
    Details
    Initiate usage of Psalm taint analysis feature
    Psalm 3.11.7/3.12.0 has (officially) announced its taint analysis capability, see the introductory blogpost [0] to see what it's all about.

    The goal is going to make it usable and useful with the Tuleap codebase. This request will cover the first stage:
    * making it work
    * configuring it enough via annotations/custom plugins so we can catch straightforward SQL injections. Basically introducing issues like request #14770 must be become much harder for the developer
    * adding it somewhere in a CI pipeline



    [0] https://psalm.dev/articles/detect-security-vulnerabilities-with-psalm
    Dev tools
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-10-15
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #14817 Tuleap Releases 11.17 Delivered 2020-23-07 10:57 Manuel Vacelet (vaceletm)
    rel #14819 Tuleap Releases 12.0 Delivered 2020-30-09 09:53 Manuel Vacelet (vaceletm)
    rel #16163 Tuleap Releases 12.1 Delivered 2020-14-10 16:30 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #15015

    Git commit

    tuleap/tuleap/stable

    Psalm can be launched in the taint analysis mode f1479a5151
    User avatar Thomas Gerbet (tgerbet) , 2020-06-25 09:30
    Stop loading the database.inc into the global scope eb6c9fe646
    User avatar Thomas Gerbet (tgerbet) , 2020-07-02 22:16
    Exclude legacy trackers from Psalm taint analysis d9d1df69d7
    User avatar Thomas Gerbet (tgerbet) , 2020-07-07 14:30
    Remove taint analysis false positives in TLP doc 48597d1a1b
    User avatar Thomas Gerbet (tgerbet) , 2020-07-07 14:53
    Stop loading the local.inc into the global scope b60960432b
    User avatar Thomas Gerbet (tgerbet) , 2020-07-07 10:50
    Correct syntax error in mail/index f45551c902
    User avatar Marie Ange Garnier (marieange) , 2020-07-10 09:23
    Fix SA issues in TLP doc 9540df216e
    User avatar Thomas Gerbet (tgerbet) , 2020-07-10 09:25
    LDAP welcome page still relies on settings being available in $GLOBALS 5e87ad2616
    User avatar Thomas Gerbet (tgerbet) , 2020-07-12 20:55
    DB/integration testsuite fails due to an improperly cleaned setup 478d4b38d1
    User avatar Thomas Gerbet (tgerbet) , 2020-07-15 09:41
    Move remaining configuration settings accessed via the global scope to \ForgeConfig 0efc5b6637
    User avatar Thomas Gerbet (tgerbet) , 2020-07-14 01:50
    Fix false positive issues identified by Psalm taint analysis 2ed8472fc4
    User avatar Thomas Gerbet (tgerbet) , 2020-07-13 15:36
    Crash when \Response::sendStatusCode() is called 005e702e23
    User avatar Thomas Gerbet (tgerbet) , 2020-07-16 22:36
    Fix issues found by Psalm's taint analysis after the upgrade to 3.13 93c82268aa
    User avatar Thomas Gerbet (tgerbet) , 2020-08-04 12:28
    Mark \Codendi_Request::get() as an input source e94fa67ee3
    User avatar Thomas Gerbet (tgerbet) , 2020-07-27 12:14
    Mark Tuleap legacy DB interfaces as SQL sinks 32fc0be33e
    User avatar Thomas Gerbet (tgerbet) , 2020-08-18 17:24
    Mark SQL sinks on the EasyDB interface a1e453511b
    User avatar Thomas Gerbet (tgerbet) , 2020-09-03 13:23
    Run Psalm taint analysis in a CI pipeline 1c647614a2
    User avatar Thomas Gerbet (tgerbet) , 2020-10-15 13:42
    Display settings

    Follow-ups