Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ignore bogus advisories #756

Merged
merged 2 commits into from
Dec 3, 2024
Merged

Ignore bogus advisories #756

merged 2 commits into from
Dec 3, 2024

Conversation

jderusse
Copy link
Contributor

@jderusse jderusse commented Dec 3, 2024
edited
Loading

By design, anyone can register a CVE, and sometimes these are false positive. Like the one in cURL https://curl.se/docs/CVE-2023-52071.html

Sadly, it's almost impossible to discard a CVE. This PR aims to ignore a list of advisories in roave/security-advisories, in a similar way packagist does composer/packagist#1493 and how this repository already patches some entries

SecurityAdvisoriesBuilder/src/Roave/SecurityAdvisories/Rule/RuleProviderFactory.php

Line 43 in d0f7f8f

'too aggressive `laminas/laminas-form` affected range in published advisory' => [

side note: This PR does not use the RuleProviderFactory because I believe "matching only the package/version" could be an issue: If one day another CVE (a real one) is open with the same original constraint the rule will patch it. As a result, the output will miss the original constraint

@xabbuh xabbuh mentioned this pull request Dec 3, 2024
Closed
@Ocramius Ocramius self-assigned this Dec 3, 2024
@Ocramius
Copy link
Member

Ocramius commented Dec 3, 2024

@jderusse some minor adjustments needed, then shippable

@Ocramius Ocramius mentioned this pull request Dec 3, 2024
Closed
@jderusse jderusse marked this pull request as draft December 3, 2024 13:52
@jderusse
Copy link
Contributor Author

jderusse commented Dec 3, 2024

maybe not needed, Github security team might withdraw the 2 advisories.
github/advisory-database#5046 (comment)

xabbuh referenced this pull request in Roave/SecurityAdvisories Dec 3, 2024
@Ocramius
Committing generated "composer.json" file as per "2024-12-02T21:04:40…
759d73e 
…+00:00"

Original commit: "FriendsOfPHP/security-advisories@0386c23"
@Ocramius
Copy link
Member

Ocramius commented Dec 3, 2024

That's generally the best course of action

@Ocramius Ocramius marked this pull request as ready for review December 3, 2024 14:32
@Ocramius Ocramius merged commit d6fdfd2 into Roave:latest Dec 3, 2024
7 checks passed
@Ocramius
Copy link
Member

Ocramius commented Dec 3, 2024

Thanks @jderusse!

@jdreesen jdreesen mentioned this pull request Dec 3, 2024
Closed
@jderusse jderusse deleted the ignore-advisories branch December 3, 2024 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@Ocramius Ocramius

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jderusse @Ocramius