this is related to the discussion happening in Roave/SecurityAdvisories#54
The root cause of the issue here is that the Drupal ecosystem has actually 2 different repositories (one for drupal 7 and one for drupal 8), which can use the same version numbers for packages while the code is not the same (due to their 8.x-1.x vs 7.x-1.x internal versioning).
from security-advisories.
The http://security.sensiolabs.org/check_lock endpoint will be removed soon, you must not use it anymore.
@fabpot according to Roave/SecurityAdvisories#54 (comment) the new endpoint is also affected by the fact that the Drupal ecosystem reuses the same version for composer packages in the 7 and 8 repositories (while they are not affected the same by advisories).
So I suggest reverting #371.
@Pton can you give more details about the tool you used to check that? Was it the online checker at https://security.symfony.com/, the local check using the Symfony CLI client (https://symfony.com/download) or the composer conflict rules of roave/security-advisories?
I'm using v5.0.2 of the sensiolabs/security-checker
OK, so that means using the https://security.symfony.com/ API
@Pton I tested "drupal/search_api_solr:^1" with security-checker (from master branch) and can't reproduce the issue.
@Pton my bad (I got 1.x-dev when I tried with ^1). I can reproduce the issue with composer require "drupal/search_api_solr:1.2.0"
Symfony Security Check Report
=============================
1 packages have known vulnerabilities.
drupal/search_api_solr (1.2.0)
------------------------------
* [CVE-NONE-0001][]: Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065
[CVE-NONE-0001]: https://www.drupal.org/sa-contrib-2018-065
Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.
This is weird considering drupal/entity excludes fine.
@stof probably because of drupal/entity version. The 8.x version is 1.0-rc1 and the 7.x SA is only between 1.0.0 and 1.9.0
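The thread's root cause, shown in code: a checker that, like Composer, identifies a package by name + version alone cannot tell the 8.x-1.2 release of a Drupal contrib module (Composer version 1.2.0) from the 7.x-1.2 release, so an advisory whose branch range covers 1.2.0 fires for both. The block below is an added example written for this page; it is not code from security-advisories, sensiolabs/security-checker or any Drupal project. The advisory entries, the composer.lock excerpt and the search_api_solr range are constructed for illustration (only the drupal/entity 1.0.0 to 1.9.0 range is the one quoted above), and the version comparison is a simplified model of Composer's ordering, enough to show why 1.0-rc1 falls outside a range that starts at 1.0.0.

```python
import re

# Pre-release ordering as Composer compares it: dev < alpha < beta < RC < stable.
_PRE_ORDER = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_STABLE = 4


def parse_version(version):
    """Turn a Composer-style version ('1.2.0', '1.0-rc1', 'v1.9') into a
    sortable tuple. Numeric parts are padded to four places (Composer
    normalises 1.9 to 1.9.0.0) and a pre-release suffix sorts before the
    release it precedes, so 1.0-rc1 < 1.0.0. Simplified model, not
    Composer's full grammar (no '1.x-dev' style branch aliases)."""
    m = re.fullmatch(
        r"v?(\d+(?:\.\d+){0,3})(?:[-.]?(dev|alpha|a|beta|b|rc)(\d*))?",
        version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(n) for n in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    if m.group(2):
        pre = (_PRE_ORDER[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (_STABLE, 0)
    return tuple(nums) + pre


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
}


def satisfies(version, constraints):
    """True when `version` meets every constraint in a branch's list,
    e.g. ['>=1.0.0', '<1.9.0'] (an AND of simple comparison operators)."""
    parsed = parse_version(version)
    for constraint in constraints:
        m = re.fullmatch(r"(>=|<=|==|>|<|=)?\s*(\S+)", constraint.strip())
        op, bound = (m.group(1) or "=="), m.group(2)
        if not _OPS[op](parsed, parse_version(bound)):
            return False
    return True


# Constructed advisory database, keyed the way the PHP security-advisories
# repo is: Composer package name, then branch. The search_api_solr range is
# made up for the demo and is NOT the real SA-CONTRIB-2018-065 range; the
# drupal/entity range is the one quoted in the thread.
ADVISORIES = {
    "drupal/search_api_solr": [{
        "title": "Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065",
        "link": "https://www.drupal.org/sa-contrib-2018-065",
        "branches": {"7.x-1.x": [">=1.0.0", "<1.5.0"]},  # constructed range
    }],
    "drupal/entity": [{
        "title": "drupal/entity 7.x advisory (placeholder title)",
        "branches": {"7.x-1.x": [">=1.0.0", "<1.9.0"]},
    }],
}


def check_lock(installed, advisories=ADVISORIES):
    """Emulate a name + version lookup over a composer.lock-style mapping of
    package name -> installed version. Returns (name, version, branch, title)
    for every advisory branch whose range contains the installed version.
    Nothing here knows which Drupal core the site runs, which is exactly
    the limitation discussed above: the 8.x and 7.x module releases are
    indistinguishable by name + version alone, so a 7.x-only SA hits 8.x too."""
    hits = []
    for name, version in installed.items():
        for advisory in advisories.get(name, []):
            for branch, constraints in advisory["branches"].items():
                if satisfies(version, constraints):
                    hits.append((name, version, branch, advisory["title"]))
    return hits


# Constructed composer.lock excerpt: a Drupal 8 site with the 8.x-1.2 release
# of search_api_solr (Composer version 1.2.0) and entity 8.x-1.0-rc1.
INSTALLED = {
    "drupal/search_api_solr": "1.2.0",
    "drupal/entity": "1.0-rc1",
}


def demo():
    """Run the lookup on the constructed lock file."""
    return check_lock(INSTALLED)


if __name__ == "__main__":
    for name, version, branch, title in demo():
        print(f"{name} ({version}) matched {branch} advisory: {title}")
```

Running it reports only drupal/search_api_solr 1.2.0 (the false positive the thread reproduces) and nothing for drupal/entity, because 1.0-rc1 sorts below the 1.0.0 lower bound. The same key collision is why filtering Drupal advisories out of the database, or keeping them in a separate feed that knows about the 7.x/8.x split, were the two options on the table.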
I checked our CI script which runs the security checker. We utilize the --end-point option as such: vendor/bin/security-checker security:check composer.lock --verbose --end-point=http://security.sensiolabs.org/check_lock
I'm not sure if that's anything different than the https://security.symfony.com/ API or how this would change the issue I'm raising here.
Two solutions here: reverting #371 or filtering Drupal advisories until we find a solution to make it work.
Well, filtering them out would have to be done in all places using that DB. That would make them useless in the DB in my opinion. See Roave/SecurityAdvisories#54 (comment) for my argument. Composer relies on name + version to identify packages. This repo should be able to do the same, which rules out the drupal-contrib ecosystem which breaks that assumption.
#371 reverted now
Although I'm disappointed the drupal contrib modules won't be checked by the security checker, I'm happy the builds can run again without false positives.
Thank you everyone for jumping on this so quickly and fixing the issue at hand ❤️
Thank you!
@Pton For Drupal code, there is https://github.com/drupal-composer/drupal-security-advisories