Continuous integration/Phan/Phan-taint-check-plugin

phan-taint-check-plugin is a Phan plugin meant to use static analysis to find certain types of security vulnerabilities in PHP code.

It can be used on any PHP project, and it has a couple of features specific to MediaWiki code.

This page is just a stub so far, for more information, see README.

Running on Wikimedia Jenkins[edit]

You can test any extension in Wikimedia version control by writing a comment check experimental on a gerrit patch. The best way to add taint-check is requiring mediawiki-phan-config >= 0.10.2, and ensuring that the phan CI job is installed for your repo.

Running locally[edit]

If you already require mediawiki-phan-config >= 0.10.0, you should follow the instructions for running phan.

Otherwise, see the README for manual installation (this is discouraged, though).

Dependencies[edit]

The plugin has the same dependencies as mediawiki-phan-config. Namely:

• phan/phan (the version is pinned and constantly updated)
• PHP >= 7.2
• Optionally, php-ast (install instructions) will make it faster (it worths the pain of compiling/installing the extension!)

External links[edit]

• Browse source code (Gerrit)
• Other projects
  • Fedora packages can use kiskadee (depends on RPM, Fedora event bus), Red Hat has something more internally
  • Debian has lintian