Merge pull request #11399 from danog/always_run_taint_analysis

danog · web-flow · commit c697053590ab · 2025-04-21T21:00:56.000+02:00
Always run taint analysis by default
diff --git a/config.xsd b/config.xsd
@@ -78,7 +78,7 @@
         <xs:attribute name="skipChecksOnUnresolvableIncludes" type="xs:boolean" default="false" />
         <xs:attribute name="sealAllMethods" type="xs:boolean" default="true" />
         <xs:attribute name="sealAllProperties" type="xs:boolean" default="true" />
-        <xs:attribute name="runTaintAnalysis" type="xs:boolean" default="false" />
+        <xs:attribute name="runTaintAnalysis" type="xs:boolean" default="true" />
         <xs:attribute name="usePhpStormMetaPath" type="xs:boolean" default="true" />
         <xs:attribute name="allowInternalNamedArgumentCalls" type="xs:boolean" default="true" />
         <xs:attribute name="allowNamedArgumentCalls" type="xs:boolean" default="true" />
diff --git a/docs/running_psalm/configuration.md b/docs/running_psalm/configuration.md
@@ -387,7 +387,7 @@ When `true`, Psalm will treat all classes as if they had sealed properties, mean
 >
 ```
 
-When `true`, Psalm will run [Taint Analysis](../security_analysis/index.md) on your codebase. This config is the same as if you were running Psalm with `--taint-analysis`.
+When `true` (the default), Psalm will run [Taint Analysis](../security_analysis/index.md) on your codebase. This config is the same as if you were running Psalm with `--taint-analysis`.
 
 #### reportInfo
 
diff --git a/src/Psalm/Config.php b/src/Psalm/Config.php
@@ -388,7 +388,7 @@ final class Config
 
     public bool $find_unused_issue_handler_suppression = true;
 
-    public bool $run_taint_analysis = false;
+    public bool $run_taint_analysis = true;
 
     public bool $use_phpstorm_meta_path = true;
 
diff --git a/tests/EndToEnd/PsalmEndToEndTest.php b/tests/EndToEnd/PsalmEndToEndTest.php
@@ -115,6 +115,10 @@ public function testAlter(): void
     {
         $this->runPsalmInit();
 
+        $psalmXml = file_get_contents(self::$tmpDir . '/psalm.xml');
+        $psalmXml = str_replace('<psalm', '<psalm runTaintAnalysis="false"', (string)$psalmXml);
+        file_put_contents(self::$tmpDir . '/psalm.xml', $psalmXml);
+
         $this->assertStringContainsString(
             'No errors found!',
             $this->runPsalm(['--alter', '--issues=all'], self::$tmpDir, false, true)['STDOUT'],
@@ -126,13 +130,21 @@ public function testAlter(): void
     public function testPsalter(): void
     {
         $this->runPsalmInit();
+        $psalmXml = file_get_contents(self::$tmpDir . '/psalm.xml');
+        $psalmXml = str_replace('<psalm', '<psalm runTaintAnalysis="false"', (string)$psalmXml);
+        file_put_contents(self::$tmpDir . '/psalm.xml', $psalmXml);
+
         (new Process([PHP_BINARY, $this->psalter, '--alter', '--issues=InvalidReturnType'], self::$tmpDir))->mustRun();
         $this->assertSame(0, $this->runPsalm([], self::$tmpDir)['CODE']);
     }
 
     public function testPsalm(): void
     {
         $this->runPsalmInit(1);
+        $psalmXml = file_get_contents(self::$tmpDir . '/psalm.xml');
+        $psalmXml = str_replace('<psalm', '<psalm runTaintAnalysis="false"', (string)$psalmXml);
+        file_put_contents(self::$tmpDir . '/psalm.xml', $psalmXml);
+
         $result = $this->runPsalm([], self::$tmpDir, true);
         $this->assertStringContainsString(
             'Target PHP version: 7.1 (inferred from composer.json)',
@@ -169,6 +181,10 @@ public function testPsalmDiff(): void
         copy(__DIR__ . '/../fixtures/DummyProjectWithErrors/diff_composer.lock', self::$tmpDir . '/composer.lock');
 
         $this->runPsalmInit(1);
+        $psalmXml = file_get_contents(self::$tmpDir . '/psalm.xml');
+        $psalmXml = str_replace('<psalm', '<psalm runTaintAnalysis="false"', (string)$psalmXml);
+        file_put_contents(self::$tmpDir . '/psalm.xml', $psalmXml);
+
         $result = $this->runPsalm(['--diff', '-m'], self::$tmpDir, true);
         $this->assertStringContainsString('InvalidReturnType', $result['STDOUT']);
         $this->assertStringContainsString('InvalidReturnStatement', $result['STDOUT']);
@@ -268,7 +284,7 @@ public function testPsalmWithNoProgressDoesNotProduceOutputOnStderr(): void
 
         $psalmXml = file_get_contents(self::$tmpDir . '/psalm.xml');
         assert($psalmXml !== false);
-        $psalmXml = (string) preg_replace('/findUnusedCode="(true|false)"/', '', $psalmXml, 1);
+        $psalmXml = (string) preg_replace('/findUnusedCode="(true|false)"/', 'runTaintAnalysis="false"', $psalmXml, 1);
         file_put_contents(self::$tmpDir . '/psalm.xml', $psalmXml);
 
         $result = $this->runPsalm(['--no-progress'], self::$tmpDir);

Original file line number	Diff line number	Diff line change
@@ -387,7 +387,7 @@ When `true`, Psalm will treat all classes as if they had sealed properties, mean
`387`	`387`	`>`
`388`	`388`	```
`389`	`389`
`390`		-When `true`, Psalm will run [Taint Analysis](../security_analysis/index.md) on your codebase. This config is the same as if you were running Psalm with `--taint-analysis`.
	`390`	+When `true` (the default), Psalm will run [Taint Analysis](../security_analysis/index.md) on your codebase. This config is the same as if you were running Psalm with `--taint-analysis`.
`391`	`391`
`392`	`392`	`#### reportInfo`
`393`	`393`