
Add allow-list config option to securitychecker_enlightn
peterjaap authored and veewee committed Nov 25, 2022
1 parent 279c1ff commit 938f67f
Showing 4 changed files with 15 additions and 0 deletions.
7 changes: 7 additions & 0 deletions doc/tasks/securitychecker/enlightn.md
Expand Up @@ -19,6 +19,7 @@ grumphp:
securitychecker_enlightn:
lockfile: ./composer.lock
run_always: false
allow-list: []
```
**lockfile**
Expand All @@ -32,3 +33,9 @@ If your `composer.lock` file is located in an exotic location, you can specify t
*Default: false*

When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.

**allow-list**

*Default: empty array*

When an array is set, these values (vulnerabilities) will be passed on to the security checker to ignore the given values. See [the enlightn/security-checker docs](https://github.com/enlightn/security-checker#allow-vulnerabilities) for more information.
2 changes: 2 additions & 0 deletions src/Task/SecurityChecker.php
Expand Up @@ -22,13 +22,15 @@ public static function getConfigurableOptions(): OptionsResolver
'end_point' => null,
'timeout' => null,
'run_always' => false,
'allow-list' => [],
]);

$resolver->addAllowedTypes('lockfile', ['string']);
$resolver->addAllowedTypes('format', ['null', 'string']);
$resolver->addAllowedTypes('end_point', ['null', 'string']);
$resolver->addAllowedTypes('timeout', ['null', 'int']);
$resolver->addAllowedTypes('run_always', ['bool']);
$resolver->addAllowedTypes('allow-list', ['array']);

return $resolver;
}
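Review bot: The new `$resolver->addAllowedTypes('allow-list', ['array'])` accepts any array shape, so a YAML value such as `allow-list: [123]` or a nested list passes validation and only fails later when an entry is formatted into a command-line argument; the same loose check appears in the `getConfigurableOptions` hunk of `src/Task/SecurityCheckerEnlightn.php`. Narrow it to a list of strings at the boundary, e.g. `$resolver->setAllowedValues('allow-list', static fn (array $list): bool => $list === array_filter($list, 'is_string'));`, so a misconfiguration is reported as an option error rather than a malformed `security-checker` invocation. This hunk only declares the option; if `run()` in this file (outside the hunk) does not forward it, the option is accepted but silently ignored, which is worth confirming. Note also that `allow-list` is the only hyphenated key among snake_case siblings (`run_always`, `end_point`); since the docs already use that spelling, a short comment stating it mirrors the checker's own `--allow-list` flag would explain the inconsistency.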
5 changes: 5 additions & 0 deletions src/Task/SecurityCheckerEnlightn.php
Expand Up @@ -19,10 +19,12 @@ public static function getConfigurableOptions(): OptionsResolver
$resolver->setDefaults([
'lockfile' => './composer.lock',
'run_always' => false,
'allow-list' => []
]);

$resolver->addAllowedTypes('lockfile', ['string']);
$resolver->addAllowedTypes('run_always', ['bool']);
$resolver->addAllowedTypes('allow-list', ['array']);

return $resolver;
}
Expand All @@ -45,6 +47,9 @@ public function run(ContextInterface $context): TaskResultInterface
$arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
$arguments->add('security:check');
$arguments->addOptionalArgument('%s', $config['lockfile']);
foreach ($config['allow-list'] as $cve) {
$arguments->addOptionalArgument('--allow-list=%s', $cve);
}

$process = $this->processBuilder->buildProcess($arguments);
$process->run();
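Review bot: The loop on the new lines passes each configured entry through `addOptionalArgument('--allow-list=%s', $cve)` without a comment explaining what the option does to the task's result, which matters because every entry makes the checker stop reporting a vulnerability that is still present in `composer.lock`. A one-line comment above the loop, `// Each allow-list entry suppresses one reported vulnerability; entries are a documented risk acceptance, not a fix.`, makes that visible to whoever edits the config later. The loop variable `$cve` presumes the entries are CVE identifiers, while the documentation in this commit describes them only as "vulnerabilities"; if the checker also accepts other identifiers, `$entry` would be the more accurate name. In the `setDefaults` hunk above, `'allow-list' => []` lacks the trailing comma that the sibling `src/Task/SecurityChecker.php` hunk uses. `run()` continues outside the hunk, so how the process exit status is mapped to the task result is not visible here.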
1 change: 1 addition & 0 deletions test/Unit/Task/SecurityCheckerEnlightnTest.php
Expand Up @@ -27,6 +27,7 @@ public function provideConfigurableOptions(): iterable
[
'lockfile' => './composer.lock',
'run_always' => false,
'allow-list' => [],
]
];
}
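Review bot: The added `'allow-list' => []` only asserts the new default; no dataset in this file exercises a non-empty list, so the `--allow-list=%s` argument construction added to `SecurityCheckerEnlightn::run()` has no test coverage. Add a case with two entries and assert the built command contains one `--allow-list=<entry>` argument per entry, in order, and another case with `allow-list: []` asserting no such argument is emitted. The enclosing data provider and the rest of the test class lie outside the hunk.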
