In an effort to investigate T207343 I tried to install phan-taint-check-plugin for the first time locally, by running composer require --dev mediawiki/phan-taint-check-plugin and I got the following error message:
[InvalidArgumentException] Could not find package mediawiki/phan-taint-check-plugin at any version matching your PHP version 7.1.17.0
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Open | None | T207344 Phan-taint-check-plugin not available for PHP > 7.0 | ||
| Open | None | T216974 Update phan-taint-check-plugin to a newer phan (1.3.1) | ||
| Open | None | T218719 Upgrade php-ast to 0.1.4 | ||
| Resolved | Daimona | T218721 Have CI run seccheck tests |
I updated the git working copy of SecurePoll and reran the above and now I get this error message:
[InvalidArgumentException] Package mediawiki/phan-taint-check-plugin at version has a PHP requirement incompatible with your PHP version (7.2.10)
While the primary goal of this task to help me figure out how to install phan :) I think it is worth noting that it says ... at version has a PHP requirement ... (note that version is missing and this needs to be fixed too)
@Bawolff Is there a specific reason to require PHP 7.0.0, or it's just because the plugin is untested with other versions?
@Daimona I believe it's just a matter of being developed against a specific version of phan and php-ast. It could stand to be updated, but @Bawolff is the only maintainer right now (I'm trying to get up to speed to help out) so it's slow going. Regardless, the CI docker image builds out the dependencies nicely and the sec-check plugin _should_ be able to run against any PHP 7.x code. I've got a local, modified version of it that I run manually against codebases (along with some other automated security tools) when I perform security audits.
@sbassett Thanks for the reply. I'm trying to understand how phan, AST etc. work to see if I can start bumping the phan version. For now I'm trying to get to phan ^0.8 and ast ^0.1.5, although it won't be fast and I cannot guarantee anything.
@Daimona I've played around with version-bumping minimally without any success. Specific versions of phan and php-ast seem fairly tightly coupled, unfortunately. Good luck!
yeah, its tied pretty heavily to phan 0.8, which in turn is tied to php 7. There's an upcoming goal to move it the plugin to a modern version of phan.
@sbassett Well, actually I'm facing several breaking changes even with 0.8.0 => 0.8.13. The most important is the addition of UnaddressableTypedElement (which also doesn't have a true context but just a FileRef), which breaks several things in TaintednessBaseVisitor. More specifically, I'm talking about this commit.
I'm giving up with the upgrade. Phan doesn't comply with semver at all, and thus as I was saying above you'll face plenty of breaking changes even for x.x.y => x.x.z upgrades. At this point, I think seccheck needs a major rewrite in order to work with 1.2.6. If instead, you want to do it gradually, I suggest bumping to 0.9.6 first (which is roughly the same as 0.8.13), then switch to PluginV2 and slowly move on to 1.2.6.