From 3187ef1ac3a5fd0dafb24760e7ba566cedff810a Mon Sep 17 00:00:00 2001
From: Peter Jaap Blaakmeer
Date: Tue, 19 Nov 2024 09:30:19 +0100
Subject: [PATCH 1/4] Add allow-list functionality to securitychecker_enlightn
---
 src/Task/SecurityCheckerEnlightn.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/Task/SecurityCheckerEnlightn.php b/src/Task/SecurityCheckerEnlightn.php
index 614e41ec..e01950dc 100644
--- a/src/Task/SecurityCheckerEnlightn.php
+++ b/src/Task/SecurityCheckerEnlightn.php
@@ -24,10 +24,12 @@ public static function getConfigurableOptions(): ConfigOptionsResolver
 $resolver->setDefaults([
 'lockfile' => './composer.lock',
 'run_always' => false,
+ 'allow_list' => []
 ]);
 $resolver->addAllowedTypes('lockfile', ['string']);
 $resolver->addAllowedTypes('run_always', ['bool']);
+ $resolver->addAllowedTypes('allow_list', ['array']);
 return ConfigOptionsResolver::fromOptionsResolver($resolver);
 }
@@ -50,6 +52,11 @@ public function run(ContextInterface $context): TaskResultInterface
 $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
 $arguments->add('security:check');
 $arguments->addOptionalArgument('%s', $config['lockfile']);
+ if (!empty($config['allow_list'])) { foreach ($config['allow_list'] as $allowListItem) { $arguments->addOptionalArgument('--allow-list %s', $allowListItem); } }
 $process = $this->processBuilder->buildProcess($arguments);
 $process->run();
From a93588453e752d39ec4668edfad67847c40e2a8d Mon Sep 17 00:00:00 2001
From: Peter Jaap Blaakmeer
Date: Tue, 19 Nov 2024 09:32:29 +0100
Subject: [PATCH 2/4] Update enlightn.md
---
 doc/tasks/securitychecker/enlightn.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/doc/tasks/securitychecker/enlightn.md b/doc/tasks/securitychecker/enlightn.md
index 3c51ccca..a87c5989 100644
--- a/doc/tasks/securitychecker/enlightn.md
+++ b/doc/tasks/securitychecker/enlightn.md 
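Review bot: `$resolver->addAllowedTypes('allow_list', ['array'])` in the getConfigurableOptions hunk accepts any array, so a nested array or a non-string entry in the allow list is not rejected at config-resolution time and only surfaces later when run() turns it into a command-line argument; the typed-array form `$resolver->addAllowedTypes('allow_list', ['string[]']);` narrows the option to what `--allow-list` can actually carry. The added default `'allow_list' => []` also drops the trailing comma that the two preceding entries carry. Because this option suppresses advisories reported by the checker, a one-line comment on the default such as `// advisory identifiers passed through to security-checker --allow-list unchanged` would tell a reader what they are opting out of. The start of getConfigurableOptions, where `$resolver` is created, lies above the hunk.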
@@ -19,6 +19,10 @@ grumphp:
 securitychecker_enlightn:
 lockfile: ./composer.lock
 run_always: false
+ allow_list: - CVE-2018-15133 - CVE-2024-51755 - CVE-2024-45411
 ```
 **lockfile**
From 9026e69e094c4d5d720f5c7675538189ac33348b Mon Sep 17 00:00:00 2001
From: peterjaap
Date: Tue, 3 Dec 2024 09:08:42 +0100
Subject: [PATCH 3/4] Use addArgumentArrayWithSeparatedValue()
---
 src/Task/SecurityCheckerEnlightn.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/src/Task/SecurityCheckerEnlightn.php b/src/Task/SecurityCheckerEnlightn.php
index e01950dc..bbe9412b 100644
--- a/src/Task/SecurityCheckerEnlightn.php
+++ b/src/Task/SecurityCheckerEnlightn.php
@@ -52,11 +52,7 @@ public function run(ContextInterface $context): TaskResultInterface
 $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
 $arguments->add('security:check');
 $arguments->addOptionalArgument('%s', $config['lockfile']);
- if (!empty($config['allow_list'])) { foreach ($config['allow_list'] as $allowListItem) { $arguments->addOptionalArgument('--allow-list %s', $allowListItem); } }
+ $arguments->addArgumentArrayWithSeparatedValue('--allow-list', $config['allow_list'] ?? []);
 $process = $this->processBuilder->buildProcess($arguments);
 $process->run();
From bed10e9e7314b95226767443a7a579f406ff9e64 Mon Sep 17 00:00:00 2001
From: peterjaap
Date: Tue, 3 Dec 2024 09:15:43 +0100
Subject: [PATCH 4/4] Added test case for usage of --allow-list
---
 test/Unit/Task/SecurityCheckerEnlightnTest.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/test/Unit/Task/SecurityCheckerEnlightnTest.php b/test/Unit/Task/SecurityCheckerEnlightnTest.php
index a15104a3..35377574 100644
--- a/test/Unit/Task/SecurityCheckerEnlightnTest.php
+++ b/test/Unit/Task/SecurityCheckerEnlightnTest.php 
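Review bot: The `?? []` fallback on `$config['allow_list']` in the run() hunk of patch 3/4 is unreachable, because getConfigurableOptions() (patch 1/4) defaults `allow_list` to `[]` and the resolver guarantees the key is present; `$arguments->addArgumentArrayWithSeparatedValue('--allow-list', $config['allow_list']);` states the contract more honestly. Judging by the expectation added in patch 4/4, the entries are joined with commas into one `--allow-list=a,b` argument, so an entry that itself contains a comma would silently become two suppressed identifiers rather than being rejected; since the option's only effect is to hide findings, that is worth either rejecting at resolve time or stating in the option's documentation. The body of run() continues outside the hunk on both sides.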
@@ -107,5 +107,16 @@ public function provideExternalTaskRuns(): iterable
 './composer.lock',
 ]
 ];
+
+ yield 'with_allow_list' => [ ['allow_list' => ['allow_advisory_1', 'allow_advisory_2']], $this->mockContext(RunContext::class, ['composer.lock']), 'security-checker', [ 'security:check', './composer.lock', '--allow-list=allow_advisory_1,allow_advisory_2' ] ];
 }
 }