
Phan-taint-check-plugin not available for PHP > 7.0
Open, Needs Triage, Public


In an effort to investigate T207343 I tried to install phan-taint-check-plugin for the first time locally, by running composer require --dev mediawiki/phan-taint-check-plugin and I got the following error message:

Could not find package mediawiki/phan-taint-check-plugin at any version matching your PHP version

Event Timeline

Huji created this task. Oct 17 2018, 10:49 PM
Restricted Application added a subscriber: Aklapper. Oct 17 2018, 10:49 PM
Huji renamed this task from "Phan not available for PHP 7.1.17" to "Phan-taint-check-plugin not available for PHP 7.1.17". Oct 17 2018, 10:49 PM
Huji added a comment. Oct 27 2018, 1:17 PM

I updated the git working copy of SecurePoll and reran the above and now I get this error message:

  Package mediawiki/phan-taint-check-plugin at version  has a PHP requirement incompatible with your PHP version (7.2.10)

While the primary goal of this task is to help me figure out how to install phan :) I think it is worth noting that it says "... at version  has a PHP requirement ..." (note that the version is missing and this needs to be fixed too).

Huji added a subscriber: Reedy. Oct 27 2018, 1:18 PM

@Reedy can I ask you to kindly take a look at this?

It currently has a hard dependency on php7.0

Daimona renamed this task from "Phan-taint-check-plugin not available for PHP 7.1.17" to "Phan-taint-check-plugin not available for PHP > 7.0". Mar 18 2019, 11:05 AM

@Bawolff Is there a specific reason to require PHP 7.0.0, or is it just because the plugin is untested with other versions?

@Daimona I believe it's just a matter of being developed against a specific version of phan and php-ast. It could stand to be updated, but @Bawolff is the only maintainer right now (I'm trying to get up to speed to help out) so it's slow going. Regardless, the CI docker image builds out the dependencies nicely and the sec-check plugin _should_ be able to run against any PHP 7.x code. I've got a local, modified version of it that I run manually against codebases (along with some other automated security tools) when I perform security audits.

@sbassett Thanks for the reply. I'm trying to understand how phan, AST etc. work to see if I can start bumping the phan version. For now I'm trying to get to phan ^0.8 and ast ^0.1.5, although it won't be fast and I cannot guarantee anything.

@Daimona I've played around with version-bumping minimally without any success. Specific versions of phan and php-ast seem fairly tightly coupled, unfortunately. Good luck!

Yeah, it's tied pretty heavily to phan 0.8, which in turn is tied to PHP 7. There's an upcoming goal to move the plugin to a modern version of phan.

@sbassett Well, actually I'm facing several breaking changes even with 0.8.0 => 0.8.13. The most important is the addition of UnaddressableTypedElement (which also doesn't have a true context but just a FileRef), which breaks several things in TaintednessBaseVisitor. More specifically, I'm talking about this commit.

I'm giving up on the upgrade. Phan doesn't comply with semver at all, and thus, as I was saying above, you'll face plenty of breaking changes even for x.x.y => x.x.z upgrades. At this point, I think seccheck needs a major rewrite in order to work with 1.2.6. If, instead, you want to do it gradually, I suggest bumping to 0.9.6 first (which is roughly the same as 0.8.13), then switching to PluginV2 and slowly moving on to 1.2.6.