Closed ameliagroen closed 1 year ago
2 things to check here:
That version range seems to state that all versions below 4.4.5 are affected by security issues.
This is just an example: you'll need to search for more advisory DB entries.
/cc @LauraMontgomery @angrybrad
Closing here meanwhile - again, this package is just generated from upstream definitions.
@Ocramius I realize this is likely out of scope, but do you have any idea where last_known_affected_version_range is coming from here?
The advisory exists in our craftcms/cms repo here: https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x but there is literally no field in the UI for last_known_affected_version_range, and there are 4 GHSAs for Craft that have that populated.
I've cloned the advisory repo and searched for craftcms/cms. All of our affected product ranges are constrained properly, i.e.
"ranges": [
    {
        "type": "ECOSYSTEM",
        "events": [
            {
                "introduced": "4.3.0"
            },
            {
                "fixed": "4.4.6"
            }
        ]
    }
]
Just trying to piece together what the expected workflow is with these GHSAs and how it all works.
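To make the two shapes discussed in this thread concrete, here is an added example (not code from Roave/SecurityAdvisoriesBuilder, craftcms, or the advisory database) that derives Composer-style constraints from OSV-style `ranges` events and flags any constraint that has an upper bound but no lower bound, which is exactly what "all versions below 4.4.5" looks like. The two advisory records are constructed; the placement of `last_known_affected_version_range` under `database_specific` is an assumption about where the export stores that value.

```python
"""Derive Composer-style version constraints from OSV-style advisory ranges.

Added example, not code from Roave/SecurityAdvisoriesBuilder or craftcms.
The advisory records below are constructed to mimic the shape of an OSV
export: package name under affected[].package.name, ranges under
affected[].ranges, and an optional database_specific.last_known_affected_version_range
field (assumed here to be where that value lives).
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample: a properly bounded range, like the craftcms/cms one quoted above.
BOUNDED_ADVISORY = {
    "id": "GHSA-example-bounded",
    "affected": [
        {
            "package": {"ecosystem": "Packagist", "name": "craftcms/cms"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "4.3.0"}, {"fixed": "4.4.6"}]}
            ],
        }
    ],
}

# Constructed sample: no "introduced" event plus a last-known range,
# the shape that yields an "all versions below X" constraint.
UNBOUNDED_ADVISORY = {
    "id": "GHSA-example-unbounded",
    "affected": [
        {
            "package": {"ecosystem": "Packagist", "name": "craftcms/cms"},
            "ranges": [
                {"type": "ECOSYSTEM", "events": [{"fixed": "4.4.5"}]}
            ],
            "database_specific": {
                "last_known_affected_version_range": "<= 4.4.4"
            },
        }
    ],
}


def range_to_constraint(events: Iterable[dict]) -> str:
    """Turn a list of OSV events into a Composer-style constraint string.

    OSV semantics: "introduced" opens an interval, "fixed" closes it
    exclusively, "last_affected" closes it inclusively. An interval with no
    "introduced" (or introduced "0") has no lower bound.
    """
    parts: list[str] = []
    for event in events:
        if "introduced" in event and event["introduced"] != "0":
            parts.append(f">={event['introduced']}")
        elif "fixed" in event:
            parts.append(f"<{event['fixed']}")
        elif "last_affected" in event:
            parts.append(f"<={event['last_affected']}")
    return ",".join(parts)


def constraints_for(advisory: dict, package: str) -> list[str]:
    """All constraints an advisory states for one package, including the
    last-known range (hypothetical location) normalised to Composer spelling."""
    out: list[str] = []
    for affected in advisory.get("affected", []):
        if affected.get("package", {}).get("name") != package:
            continue
        for rng in affected.get("ranges", []):
            out.append(range_to_constraint(rng.get("events", [])))
        last_known = affected.get("database_specific", {}).get(
            "last_known_affected_version_range")
        if last_known:
            out.append(last_known.replace(" ", ""))
    return out


def unbounded_below(constraint: str) -> bool:
    """True when a constraint has an upper bound but no lower bound,
    i.e. it claims every earlier version is affected."""
    parts = constraint.split(",")
    has_upper = any(p.startswith("<") for p in parts)
    has_lower = any(p.startswith(">") for p in parts)
    return has_upper and not has_lower


def audit(advisory: dict, package: str) -> list[str]:
    """Return the constraints in an advisory that flag 'all versions below X'."""
    return [c for c in constraints_for(advisory, package) if unbounded_below(c)]


if __name__ == "__main__":
    for adv in (BOUNDED_ADVISORY, UNBOUNDED_ADVISORY):
        print(adv["id"], constraints_for(adv, "craftcms/cms"),
              "flagged:", audit(adv, "craftcms/cms"))
```

Running this over a cloned advisory tree (loading each JSON file and calling `audit`) is one way to locate which source record, rather than which UI field, is contributing the unbounded range.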
I'd suggest running Roave/SecurityAdvisoriesBuilder locally, and checking all sources there: that would give you an insight into what may produce the offending range.
@Ocramius I’m trying to do that, but running into https://github.com/Roave/SecurityAdvisoriesBuilder/issues/738.
It looks like the pull request that should have resolved this issue was merged weeks ago. Also mentioned in #118 and #117
https://github.com/github/advisory-database/pull/2443