bringyourownideas / silverstripe-composer-security-checker

Provides information if your SilverStripe application uses dependencies with known vulnerabilities.
https://bringyourownideas.com
BSD 3-Clause "New" or "Revised" License

Automation #1

Open spekulatius opened 9 years ago

spekulatius commented 9 years ago

Writing a queuedjob to check regularly and sending results via email to a defined address

robbieaverill commented 6 years ago

This could even be a configuration flag like notification_email that devs could set to true to an email address and we could just automatically compile a list of new CVEs that are detected during the import process, and have that fired off - thoughts on that?

spekulatius commented 6 years ago

That would be awesome @robbieaverill. I guess devs aren't going to check the reports often unless asked to do so. An email could help to get more attention to it.

phptek commented 5 years ago

In addition to a queuedjob, something should be printed to stdout/browser when invoking composer install / composer update in a similar vein to friendsofsilverstripe/release-notifications. It can even be a shell script run from composer.json in a "scripts" block.

ScopeyNZ commented 5 years ago

There is the https://github.com/Roave/SecurityAdvisories package that you can install that will create composer conflicts with composer packages with known security vulnerabilities. That might interest you?

We're working on making sure that the known list of vulnerabilities (https://www.silverstripe.org/download/security-releases/) is accessible to modules like that one.
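Putting phptek's composer "scripts" hook and ScopeyNZ's Roave/SecurityAdvisories suggestion side by side, here is a composer.json fragment added as an illustration (it is not from this repository or from the thread); `bin/security-check.sh` is a hypothetical placeholder for whatever reporting command the project ends up exposing.

```json
{
    "require-dev": {
        "roave/security-advisories": "dev-latest"
    },
    "scripts": {
        "security-check": "bin/security-check.sh",
        "post-install-cmd": ["@security-check"],
        "post-update-cmd": ["@security-check"]
    }
}
```

roave/security-advisories ships no code, only a `conflict` list, so a dependency at a version with a published advisory makes `composer install` / `composer update` fail at resolution time instead of being installed; the post-install/post-update hook covers reporting on packages that are already present.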