Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Craft 3 flagged as insecure, fix not reflected here. #119

Closed ameliagroen closed 1 year ago

ameliagroen commented 1 year ago

It looks like the pull request that should have resolved this issue was merged weeks ago. Also mentioned in #118 and #117

https://github.com/github/advisory-database/pull/2443

Ocramius commented 1 year ago

2 things to check here:

  1. There are possibly more advisories with a broken range. Please go and search them in the advisory DB.
  2. The build is currently broken since right before the weekend because of https://github.com/Roave/SecurityAdvisoriesBuilder/issues/735

Ocramius commented 1 year ago

For example, see https://github.com/github/advisory-database/blob/48fd502c872b60068ff2ca764142d2671cbb4ce3/advisories/github-reviewed/2023/05/GHSA-qpgm-gjgf-8c2x/GHSA-qpgm-gjgf-8c2x.json#L37

That version range seems to state that all versions below 4.4.5 are affected by security issues.

This is just an example: you'll need to search for more advisory DB entries.

/cc @LauraMontgomery @angrybrad

Ocramius commented 1 year ago

Closing here meanwhile - again, this package is just generated from upstream definitions.

angrybrad commented 1 year ago

@Ocramius I realize this is likely out of scope, but do you have any idea where last_known_affected_version_range is coming from here?

The advisory exists in our craftcms/cms repo here: https://github.com/craftcms/cms/security/advisories/GHSA-qpgm-gjgf-8c2x but there is literally no field in the UI for last_known_affected_version_range, and there are 4 GHSAs for Craft that have that populated.

I've cloned the advisory repo and searched for craftcms/cms. All of our affected product ranges are constrained properly, i.e.:

"ranges": [
  {
    "type": "ECOSYSTEM",
    "events": [
      {
        "introduced": "4.3.0"
      },
      {
        "fixed": "4.4.6"
      }
    ]
  }
]

Just trying to piece together what the expected workflow is with these GHSAs and how it all works.
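As an added illustration (not code from Roave/SecurityAdvisories or the GitHub advisory DB), the snippet below maps an OSV-style `events` list like the one quoted above onto a Composer conflict constraint, and shows why a range that carries only an upper bound (the "all versions below 4.4.5" case discussed earlier in the thread) ends up flagging a Craft 3 release. The version parser and sample event lists are constructed for this example; `introduced: "0"` is treated as "no lower bound", following the OSV schema convention.

```python
# Added example: OSV "events" -> Composer conflict constraint, and a check of
# which installed versions such a constraint flags. Not the project's code.

def parse_version(v):
    """Turn '4.4.6' into (4, 4, 6) for tuple comparison (constructed helper,
    numeric dotted versions only)."""
    return tuple(int(part) for part in v.split("."))


def events_to_constraint(events):
    """Build a constraint such as '>=4.3.0,<4.4.6' from an OSV 'events' list.
    An absent 'introduced' event (or the OSV value '0') leaves only the upper
    bound, so the constraint matches every release below the fix."""
    introduced = fixed = None
    for ev in events:
        if "introduced" in ev and ev["introduced"] != "0":
            introduced = ev["introduced"]
        if "fixed" in ev:
            fixed = ev["fixed"]
    parts = []
    if introduced:
        parts.append(">=" + introduced)
    if fixed:
        parts.append("<" + fixed)
    return ",".join(parts)


def is_excluded(version, constraint):
    """Return True when `version` falls inside the conflict constraint,
    i.e. Composer would refuse to install it alongside the advisories package."""
    v = parse_version(version)
    for part in constraint.split(","):
        if part.startswith(">=") and v < parse_version(part[2:]):
            return False
        if part.startswith("<") and not part.startswith("<=") and v >= parse_version(part[1:]):
            return False
    return True


# Constructed samples: the well-formed range quoted in the thread, and a range
# that only states an upper bound, as the '< 4.4.5' advisory entry did.
PROPER_EVENTS = [{"introduced": "4.3.0"}, {"fixed": "4.4.6"}]
UPPER_ONLY_EVENTS = [{"fixed": "4.4.5"}]

if __name__ == "__main__":
    for name, events in (("proper", PROPER_EVENTS), ("upper-only", UPPER_ONLY_EVENTS)):
        constraint = events_to_constraint(events)
        print(f"{name}: {constraint!r} flags Craft 3.7.0: {is_excluded('3.7.0', constraint)}")
```

Run stand-alone it prints that the proper range leaves 3.7.0 alone while the upper-only range flags it, which is the symptom reported in this issue.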

Ocramius commented 1 year ago

I'd suggest running Roave/SecurityAdvisoriesBuilder locally, and checking all sources there: that would give you an insight into what may produce the offending range.

brandonkelly commented 1 year ago

@Ocramius I’m trying to do that, but running into https://github.com/Roave/SecurityAdvisoriesBuilder/issues/738.