Comments (11)
Ocramius
commented on July 3, 2024
4
Propel alpha is sadly very widespreadly used, so it's probably stable software that is not declared as such.
IMO valid to notify users that they are running something harmful.
from security-advisories.
fabpot
commented on July 3, 2024
2
The whole code is now Open-Source at https://github.com/fabpot/local-php-security-checker (server + client code, so no more API calls). Feel free to submit a PR there to fix this bug.
from security-advisories.
fabpot
commented on July 3, 2024
1
We should not have entries for alpha versions IMHO.
from security-advisories.
stof
commented on July 3, 2024
1
@thirdender as this targets composer packages, it should support things that composer accepts.
from security-advisories.
Ocramius
commented on July 3, 2024
1
Related: Roave/SecurityAdvisoriesBuilder#98 - @slash3b worked quite a lot to add support for patch version modifiers, should you need inspiration.
from security-advisories.
thirdender
commented on July 3, 2024
It looks to me like the security-advisory lists the correct versions, but the tool you're using doesn't understand the "-alphaX" portion of the version string. I think an issue needs to be raised for the symfony/cli repo to address the tool that is parsing the version strings.
from security-advisories.
dereuromark
commented on July 3, 2024
The false positive is still present though it seems - the source of the problem seems still to be that the tool cannot properly see the order of non trivial release versions, e.g. alpha, beta, RC:
2.0.0-alpha1 < 2.0.0-alpha11 < 2.0.0-alpha2
the tool thinks - which is incorrect.
from security-advisories.
thirdender
commented on July 3, 2024
I think I'm in agreement with @fabpot that there should not be any alpha/beta/rc identifiers. The SemVer spec does not consider these pre-release tags when comparing versions. See https://interrupt.memfault.com/blog/release-versioning for a good write-up of SemVer. Ideally the Propel2 library should increment the patch version number and not the "alpha" number.
from security-advisories.
stof
commented on July 3, 2024
semver definitely considers pre-release tags. But the official semver spec requires a . between the prerelease identifier (alpha) and the prerelease version (so 2.0.0-alpha.11).
from security-advisories.
thirdender
commented on July 3, 2024
Hmm, the article and SemVer library I'm using are both wrong then. Thanks for digging that up, looks like I have some more research to do.
from security-advisories.
stof
commented on July 3, 2024
I opened fabpot/local-php-security-checker#9 on the checker project itself to track this, in case someone wants to contribute.
from security-advisories.
Related Issues (20)
- TYPO3 extension advisories HOT 4
- Using exact version constraint without boundaries are faling the validation HOT 5
- Advisories didn't pushed
- simplesamlphp v1.17.8 reported as insecure HOT 2
- alterphp/easyadmin-extension-bundle/2018-10-02.yaml HOT 2
- Would it be possible to add TYPO3 Extensions as well? HOT 8
- Consider adding a vulnerability id for non CVEs HOT 2
- Mr
- Add level of severity for PHP Security Advisories HOT 3
- Flag unsupported versions HOT 1
- Laravel 5.8 marked as insecure when it's not in fact vulnerable to CVE-2021-3129 HOT 4
- Work with Github to fix their Advisory Database importer? HOT 3
- facade/ignition seems to be fixed in 2.4.2 HOT 3
- [Discussion] Adopt OSV unified vulnerability schema for open source HOT 1
- Typosquatting Malware symfont/process HOT 3
- Import advisories from the Github security vulnerability database automatically HOT 10
- PHP Deprecated: Return type of Composer\Repository\ArrayRepository::count() should either be compatible with Countable::count() HOT 2
- Support for Composer 1 is deprecated and some packages will not be available. HOT 5
- Missing api-platform CVE HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-advisories.