Security advisories seem not to be working as expected #1495

Closed
phansys opened this issue Dec 3, 2024 · 2 comments

Comments


phansys commented Dec 3, 2024

Currently, the command composer audit is not detecting any issue in my installed dependencies:

composer audit --locked --abandoned ignore --format json
{
    "advisories": [],
    "abandoned": []
}

But the weird things are:

  • A CVE related to the symfony/var-dumper package was reported earlier in my CI environment:
    Found 1 security vulnerability advisory affecting 1 package:
    +-------------------+----------------------------------------------------------------------------------+
    | Package           | symfony/var-dumper                                                               |
    | Severity          | high                                                                             |
    | CVE               | CVE-2024-36610                                                                   |
    | Title             | Symfony's VarDumper vulnerable to unsafe deserialization                         |
    | URL               | https://github.com/advisories/GHSA-cg28-v4wq-whv5                                |
    | Affected versions | >=7.0.0,<7.0.4|<6.4.4                                                            |
    | Reported at       | 2024-11-29T21:31:04+00:00                                                        |
    +-------------------+----------------------------------------------------------------------------------+
    
  • My installed version of symfony/var-dumper is in the range of the reported CVE:
    composer show symfony/var-dumper
    
    name     : symfony/var-dumper
    descrip. : Provides mechanisms for walking through any arbitrary PHP variable
    keywords : debug, dump
    versions : * v7.0.0
    released : 2023-11-27, 1 year ago
    type     : library
    license  : MIT License (MIT) (OSI approved) https://spdx.org/licenses/MIT.html#licenseText
    homepage : https://symfony.com
    source   : [git] https://github.com/symfony/var-dumper.git cf0220fc7607476fd0d001ab3ed9e830d1fdda56
    dist     : [zip] https://api.github.com/repos/symfony/var-dumper/zipball/cf0220fc7607476fd0d001ab3ed9e830d1fdda56 cf0220fc7607476fd0d001ab3ed9e830d1fdda56
    path     : /var/www/html/ndd/vendor/symfony/var-dumper
    names    : symfony/var-dumper
    
    support
    source : https://github.com/symfony/var-dumper/tree/v7.0.0
    
    autoload
    files
    psr-4
    Symfony\Component\VarDumper\ => .
    exclude-from-classmap
    
    requires
    php >=8.2
    symfony/polyfill-mbstring ~1.0
    
    requires (dev)
    ext-iconv *
    symfony/console ^6.4|^7.0
    symfony/http-kernel ^6.4|^7.0
    symfony/process ^6.4|^7.0
    symfony/uid ^6.4|^7.0
    twig/twig ^3.0.4
    
    conflicts
    symfony/console <6.4
  • There actually is a CVE reported for symfony/var-dumper: GHSA-cg28-v4wq-whv5
  • The Packagist advisories API is currently not reporting any CVE related to symfony/var-dumper
    $ curl --url https://packagist.org/api/security-advisories/?packages[]=symfony/var-dumper
    {"advisories":{"symfony\/var-dumper":[]}}

Is this an error or am I missing something?
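To make the cross-check from the report reproducible offline, here is an added example (not code from this issue, from Composer or from Packagist) that parses advisory ranges written in Composer's constraint syntax and matches them against installed versions, showing that v7.0.0 lies inside `>=7.0.0,<7.0.4|<6.4.4` while the empty API response above yields no hits. The sample response and its field names (such as `affectedVersions`) are constructed assumptions about the API's JSON shape.

```python
import json
import re

# Constructed sample shaped like the Packagist advisories API response;
# field names such as "affectedVersions" are assumed, not taken from the issue.
SAMPLE_API_RESPONSE = json.dumps({"advisories": {"symfony/var-dumper": [{
    "cve": "CVE-2024-36610",
    "title": "Symfony's VarDumper vulnerable to unsafe deserialization",
    "link": "https://github.com/advisories/GHSA-cg28-v4wq-whv5",
    "affectedVersions": ">=7.0.0,<7.0.4|<6.4.4",
    "severity": "high",
}]}})

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}

def parse_version(v):
    """'v7.0.0' -> (7, 0, 0); pads to three numeric parts, ignores suffixes."""
    parts = [int(p) for p in re.findall(r"\d+", v.lstrip("vV"))][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def version_affected(installed, constraint):
    """Composer constraint grammar: '|' or '||' separates OR-groups,
    ',' or whitespace separates ANDed comparisons inside a group."""
    inst = parse_version(installed)
    for group in re.split(r"\s*\|\|?\s*", constraint.strip()):
        clauses = [c for c in re.split(r"[,\s]+", group) if c]
        satisfied = True
        for clause in clauses:
            m = re.fullmatch(r"(>=|<=|==|>|<|=)?v?([\d.]+)", clause)
            if not m:  # caret/tilde/wildcard ranges are out of scope here
                raise ValueError(f"unsupported constraint clause: {clause!r}")
            op = "==" if m.group(1) in (None, "=") else m.group(1)
            if not OPS[op](inst, parse_version(m.group(2))):
                satisfied = False
                break
        if clauses and satisfied:
            return True
    return False

def affected_advisories(api_response_json, installed):
    """installed: {package: version}, e.g. read from composer.lock.
    Returns (package, cve, version) for every advisory whose range matches."""
    data = json.loads(api_response_json)["advisories"]
    return [(pkg, adv.get("cve"), ver)
            for pkg, ver in installed.items()
            for adv in data.get(pkg, [])
            if version_affected(ver, adv["affectedVersions"])]
```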

@glaubinix
Contributor

There are two Symfony advisories that were specifically ignored on packagist.org via #1493 after Symfony mentioned that they are invalid: https://phpc.social/@wouterj/113588554019692959


phansys commented Dec 3, 2024

Thank you for the quick response @glaubinix! ❤️

Please feel free to close this whenever you want.

@phansys phansys changed the title Security advisors seem not to be working as expected Security advisories seem not to be working as expected Dec 3, 2024
@Seldaek Seldaek closed this as completed Dec 4, 2024