A Drupal integration for Psalm focused on security scanning (SAST) taint analysis.
It adds support for analyzing `.module` and `.theme` files and, through the container dump, for resolving `\Drupal::service()` calls.
This plugin is meant to be used on your Drupal site, for the scanning of custom modules. Note that if you follow this guide and run it on a contrib module, and you find a valid result, you should report your findings to the Drupal Security Team.
To install the plugin:

```shell
composer require mortenson/psalm-plugin-drupal:dev-master
```

Then change into your Drupal root directory (for example `cd web` or `cd docroot`, depending on your installation) and create a `psalm.xml` file in the root of your Drupal installation like:
```xml
<?xml version="1.0"?>
<psalm
    errorLevel="6"
    resolveFromConfigFile="true"
    runTaintAnalysis="true"
    autoloader="../vendor/mortenson/psalm-plugin-drupal/scripts/autoload.php"
>
    <fileExtensions>
        <extension name=".php" />
        <extension name=".module" />
        <extension name=".theme" />
        <extension name=".inc" />
    </fileExtensions>
    <projectFiles>
        <directory name="modules/custom"/>
    </projectFiles>
    <plugins>
        <pluginClass class="Psalm\SymfonyPsalmPlugin\Plugin">
            <containerXml>DrupalContainerDump.xml</containerXml>
        </pluginClass>
        <pluginClass class="mortenson\PsalmPluginDrupal\Plugin">
            <containerXml>DrupalContainerDump.xml</containerXml>
            <extensions>
                <!-- List your modules explicitly here, as the scan may happen without a database -->
                <module name="my_custom_module" />
                <module name="my_module_dependency" />
            </extensions>
        </pluginClass>
    </plugins>
</psalm>
```
Then run the dump script followed by Psalm:

```shell
php ../vendor/mortenson/psalm-plugin-drupal/scripts/dump_script.php && ../vendor/bin/psalm .
```

Note that the path to `vendor` may change based on your Drupal installation.
Drupal's code paths aren't always clear, especially in Drupal 8. Because of this, things like Controller methods (aka route callbacks) will not be analyzed when running Psalm.
To have Psalm analyze these paths, you'll need to generate an entrypoint file that executes the methods you want to test.
A script is included to generate this entrypoint. To use it, run:

```shell
php ../vendor/mortenson/psalm-plugin-drupal/scripts/generate_entrypoint.php <comma separated paths to your custom modules>
```

Then add `<file name="psalm_drupal_entrypoint.module"></file>` to your `psalm.xml` file, under the `<projectFiles>` node.

Currently, only `routing.yml` files are parsed to generate the entrypoint, focusing on Controller and Form methods.
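As an added example (not code from the plugin or this README), this is the kind of custom-module code the scan above is meant to catch: a Controller method reachable through a `routing.yml` route, shown in a vulnerable form beside a hardened one. It assumes the plugin treats Drupal's database `query()` method as an SQL taint sink and that the entrypoint file calls these methods; the module, route and class names are made up.

```php
<?php
// modules/custom/my_custom_module/src/Controller/GreetingController.php
// Constructed route in my_custom_module.routing.yml for this example:
//   my_custom_module.greeting:
//     path: '/greeting'
//     defaults: { _controller: '\Drupal\my_custom_module\Controller\GreetingController::greet' }
//     requirements: { _permission: 'access content' }

namespace Drupal\my_custom_module\Controller;

use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\Request;

class GreetingController extends ControllerBase {

  /**
   * Vulnerable variant: the request parameter (taint source) is concatenated
   * into the SQL string (taint sink). Once the generated entrypoint calls
   * greet(), Psalm's taint analysis reports TaintedSql on the query() call.
   */
  public function greet(Request $request): array {
    $name = (string) $request->query->get('name', '');
    $uid = \Drupal::database()
      ->query("SELECT uid FROM {users_field_data} WHERE name = '" . $name . "'")
      ->fetchField();
    // t() with @ placeholders escapes the values for HTML output.
    return ['#markup' => $this->t('User @name has uid @uid', ['@name' => $name, '@uid' => $uid])];
  }

  /**
   * Hardened variant: the value is bound as a query placeholder, so no
   * tainted data reaches the SQL string and no TaintedSql is reported.
   */
  public function greetSafe(Request $request): array {
    $name = (string) $request->query->get('name', '');
    $uid = \Drupal::database()
      ->query('SELECT uid FROM {users_field_data} WHERE name = :name', [':name' => $name])
      ->fetchField();
    return ['#markup' => $this->t('User @name has uid @uid', ['@name' => $name, '@uid' => $uid])];
  }

}
```

Listing `my_custom_module` under `<extensions>` in `psalm.xml` and passing `modules/custom/my_custom_module` to `generate_entrypoint.php` makes `greet()` reachable for the scan.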
Tests use Codeception via `weirdan/codeception-psalm-module`. You can run tests with `composer run test`.

To write tests, edit `tests/acceptance/PsalmPluginDrupal.feature` and add a new Scenario.

To run a single failing test, add the `@failing` tag above the `Scenario:` line, then run `composer run test-failing`.
Code style should be checked before committing code. To do this, run `composer run cs-check`, or `composer run cs-fix` to automatically fix issues with phpcbf.