Continuous integration/Phan/phan-taint-check-plugin

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in MediaWiki extensions.

It is primarily intended for use with MediaWiki extensions, but also has a generic mode for general PHP projects. It can also be used with MediaWiki core.

This page is just a stub so far, for more information, see README.

Running on Wikimedia Jenkins
You can test any extension in Wikimedia version control by writing a comment  on a gerrit patch.

Wikimedia jenkins decides what version of phan-taint-check-plugin to run by looking at the  field of composer.json. This is so that the version can be specified, without requiring phan-taint-check-plugin and thus causing the extension to depend on phan-taint-check-plugin's dependency of php >= 7.0. For example (From InputBox)

Running locally with docker
The docker file used by Wikimedia Jenkins can also be used locally. See https://gerrit.wikimedia.org/r/plugins/gitiles/integration/config/+/master/dockerfiles/mediawiki-phan-seccheck for more info.

Checkout a copy of MediaWiki, with whichever extension/skins you want to scan checked out in the appropriate directory.

Run

Running locally manually

 * Run (from the root directory of your project):


 * For mediawiki extension, add the following to :
 * For a generic PHP project add:
 * For MediaWiki core add:

You can then run:

For more details see the plugin's README

Dependencies
The versions before 2.0.0 depend on PHP 7.0 (exactly - 7.1 doesn't work) and  <=0.1.4 extension. From 2.0.0 on, it depends on PHP >= 7.0 and php-ast >= 1.0.0. For information on how to install these dependencies, see Continuous_integration/Phan.