Signed-off-by: Julius Härtl <jus@bitgrid.net>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: Morris Jobke <hey@morrisjobke.de>

Signed-off-by: Morris Jobke <hey@morrisjobke.de>

Signed-off-by: Robin Appelman <robin@icewind.nl>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>

this ensures that the same composer version is used by everyone (and ci)

Signed-off-by: Robin Appelman <robin@icewind.nl>

Signed-off-by: GitHub <noreply@github.com>

This adds the Psalm Security Analysis, as described at
https://psalm.dev/docs/security_analysis/

It also adds a plugin for adding input into AppFramework.

The results can be viewed in the GitHub Security tab at
https://github.com/nextcloud/server/security/code-scanning

**Q&A:**

Q: Why do you not use the shipped Psalm version?
A: I do a lot of changes to the Psalm Taint behaviour. Using released
versions is not gonna get us the results we want.

Q: How do I improve false positives?
A: https://psalm.dev/docs/security_analysis/avoiding_false_positives/

Q: How do I add custom sources?
A: https://psalm.dev/docs/security_analysis/custom_taint_sources/



Q: We should run this on apps!
A: Yes.

Q: What will change in Psalm?
A: Quite some of the PHP core functions are not yet marked to propagate
the taint. This leads to results where the taint flow is lost. That's
something that I am currently working on.

Q: Why is the plugin MIT licensed?
A: Because its the first of its kind (based on GitHub Code Search) and
I want other people to copy it if they want to. Security is for all :)

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

Bumps [vimeo/psalm](https://github.com/vimeo/psalm) from 4.1.1 to 4.2.0.
- [Release notes](https://github.com/vimeo/psalm/releases)
- [Commits](https://github.com/vimeo/psalm/compare/4.1.1...4.2.0

)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>

Signed-off-by: GitHub <noreply@github.com>

frame-ancestors doesn't fall back to default-src. So when we apply a
very restricted CSP we should make sure to set it to 'none' and not
leave it empty.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: Joas Schilling <coding@schilljs.com>

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>

This avoids the need to keep the default values in the integration tests
in sync with the code, and also makes possible to reset values with
"dynamic" defaults (defaults that depend on other values).

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>

Signed-off-by: Joas Schilling <coding@schilljs.com>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>

Updates the requirements on [behat/behat](https://github.com/Behat/Behat) to permit the latest version.
- [Release notes](https://github.com/Behat/Behat/releases)
- [Changelog](https://github.com/Behat/Behat/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Behat/Behat/compare/v3.7.0...v3.8.0

)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: Morris Jobke <hey@morrisjobke.de>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: Morris Jobke <hey@morrisjobke.de>

Signed-off-by: Morris Jobke <hey@morrisjobke.de>

Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: Joas Schilling <coding@schilljs.com>

Signed-off-by: Joas Schilling <coding@schilljs.com>

Signed-off-by: Joas Schilling <coding@schilljs.com>

Signed-off-by: Joas Schilling <coding@schilljs.com>

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>

Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de>

Signed-off-by: GitHub <noreply@github.com>