BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Dev Summit Boston

Discover transformative insights to level up your software development decisions. Register now with early bird tickets.
InfoQ Dev Summit Munich

Get practical advice from senior developers to navigate your current dev challenges. Register now with early bird tickets.
QCon San Francisco

Level up your software skills by uncovering the emerging trends you should focus on. Register now.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News JetBrains Adds Taint Analysis for PHP to Qodana Code Quality Platform

DevOps

JetBrains Adds Taint Analysis for PHP to Qodana Code Quality Platform

Bookmarks

Mar 10, 2023 1 min read

InfoQ Article Contest

Share your knowledge Win a ticket to a QCon event
or an InfoQ Dev SummitFind out more

Qodana, JetBrains' code quality platform, now provides support for PHP taint analysis in early preview. The feature aims to allow developers to detect taints in their programs, i.e. spots that are vulnerable to malicious inputs.

A taint is any variable that can be modified based on data provided by an external user. Depending on their context, taints could be exploited to cause SQL injection, arithmetic overflow, cross-site scripting, and other kinds of undesired effects.

The word taint hints at the property of a taint to make suspicious, that is convert into a taint, any other variable with which it has any relation. This means that taints form a chain or list that spreads potentially vulnerable locations throughout a program.

Taint analysis consists thus in analyzing the flow of untrusted user input to identify vulnerable locations with the objective of either sanitizing the data or validate it before using it or further propagating it through the system.

PHP taint analysis in Qodana can generate a dataflow graph to visualize the taint flow and is integrated with JetBrains PHP IDE PhpStorm to make it easier to jump to taint locations in your code. Qodana is able to display the taint flow both as a graph or by annotating your code.

On Twitter, JetBrains explained they will provide Qodana access for free to all open-source projects once it is out of early preview. While PHP is the first language for which Qodana is supporting taint analysis, JetBrains plans to extend this feature to other languages based on feedback received by PHP users. Most likely, JetBrains says, support for Java and Kotlin taint analysis will come next. An official roadmap is not available, yet, though.

Qodana for PHP can be tried out using an evaluation Docker image, through a GitHub action that can be used to scan a GitHub repo, or by integrating it directly into a CI pipeline.

If you are interested in taint analysis for PHP, you could find it interesting to know that there are a few open source static analysis tools that have provided it for a number of years, including PHPStan and Psalm.

About the Author

Sergio De Simone

Show moreShow less

Rate this Article

Adoption
Style

This content is in the DevOps topic

Related Topics:
BT