Comments (10)
@Ocramius checked the mission for this repo from the README: "This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption."
So it seems this repo is not a source anyway, and its purpose is to aggregate information. So then the automated import would make sense? Maybe we can copy from your approach how to scrape Github for the advisories :)
from security-advisories.
If you want the information from both GitHub and this FriendsOfPHP repository, you can use the packagist.org database https://packagist.org/apidoc#list-security-advisories which aggregates both of them and handles de-duplication already.
@klausi FWIW, https://github.com/Roave/SecurityAdvisoriesBuilder already aggregates this repo's contents together with the Github advisories into https://github.com/Roave/SecurityAdvisories
This repo is a source of advisories, not a derived artifact 🤔
Ah ok, did not realize that.
Then my confusion comes from https://github.com/fabpot/local-php-security-checker , which does not seem to use https://github.com/Roave/SecurityAdvisories and missed the dompdf security update.
Not sure if @fabpot would want to use your database as source then for https://github.com/fabpot/local-php-security-checker ?
At that point, given that the advisories DB is already a repository, why not use that one directly?
See https://github.com/github/advisory-database - their /advisories feed and API endpoints are produced from there.
Sweet, very good info! Their JSON format contains `"ecosystem": "Packagist"`, so it should be possible to get the relevant PHP stuff out. https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-x752-qjv4-c4hc/GHSA-x752-qjv4-c4hc.json
I see 2 distinct options:
- Either a Github action here imports that into FriendsOfPHP/security-advisories
- local-php-security-checker takes the Github security advisory database into account.
What is better for the PHP ecosystem? Is it valuable if security info is copied here to FriendsOfPHP/security-advisories?
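As an added illustration of the filtering described above (this is example code written for this page, not code from the thread or from either project), the following assumes the OSV layout that github/advisory-database records use: an `affected` list whose entries carry `package.ecosystem`, `package.name` and `ranges[].events` with `introduced`/`fixed`/`last_affected` versions. The advisory id, package names and versions are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed sample in the OSV shape used by github/advisory-database.
# The GHSA id, package names and versions are placeholders, not a real advisory.
SAMPLE_ADVISORY = json.dumps({
    "id": "GHSA-xxxx-xxxx-xxxx",
    "affected": [
        {"package": {"ecosystem": "Packagist", "name": "vendor/php-package"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "0"}, {"fixed": "1.2.1"}]}]},
        {"package": {"ecosystem": "Packagist", "name": "vendor/php-package"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "2.0.0"}, {"last_affected": "2.0.3"}]}]},
        {"package": {"ecosystem": "npm", "name": "some-js-package"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "0"}, {"fixed": "3.0.0"}]}]},
    ],
})


def _range_to_constraint(events: List[dict]) -> str:
    """Turn one OSV event list into a Composer-style version constraint."""
    parts = []
    for event in events:
        if "introduced" in event and event["introduced"] != "0":
            parts.append(f">={event['introduced']}")  # "0" means "from the start"
        if "fixed" in event:
            parts.append(f"<{event['fixed']}")
        if "last_affected" in event:
            parts.append(f"<={event['last_affected']}")  # no fix known yet
    return ",".join(parts) if parts else "*"


def packagist_affected(advisory_json: str) -> Dict[str, List[str]]:
    """Return {composer package name: [constraint, ...]} for Packagist entries only."""
    advisory = json.loads(advisory_json)
    result: Dict[str, List[str]] = {}
    for affected in advisory.get("affected", []):
        package = affected.get("package", {})
        if package.get("ecosystem") != "Packagist":
            continue  # skip npm, PyPI, ... entries that share the same record
        name = package["name"].lower()  # Composer package names are case-insensitive
        for rng in affected.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue  # GIT/SEMVER ranges are not directly usable by Composer
            result.setdefault(name, []).append(_range_to_constraint(rng["events"]))
    return result
```

Running `packagist_affected(SAMPLE_ADVISORY)` on the constructed record yields only the PHP package, with one constraint per affected range; the npm entry is dropped.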
Note: this repo could also adopt the OSV format, which would make collaborating much easier: #599.
> Note: this repo could also adopt the OSV format, which would make collaborating much easier: #599.
Drive by comment from an OSV maintainer: ++++1 !!
Other DBs such as https://github.com/github/advisory-database also use the OSV format, which will make sharing vulnerability data (import/export) much easier.
@naderman this could also simplify the Packagist infrastructure greatly to only have to import a single, consistent format.
For what it's worth, any discussion of adopting the OSV format belongs on the issue for that topic: #576
This issue seems to be about whether this repository should pull in advisories from the Github security advisory database - but as has already been pointed out, doing so would be counter to the purpose of this repository.
I think this issue should be closed. It seems like the discussion on the topic has already been resolved.
I also think this issue can be closed now.
> Then my confusion comes from https://github.com/fabpot/local-php-security-checker , which does not seem to use https://github.com/Roave/SecurityAdvisories and missed the dompdf security update.
You could switch from fabpot/local-php-security-checker to `composer audit` (supported since Composer 2.4). It uses the packagist registry which (as pointed out above) uses this project as a source.