Open spekulatius opened 9 years ago
This could even be a configuration flag like notification_email that devs could set to true to an email address and we could just automatically compile a list of new CVEs that are detected during the import process, and have that fired off - thoughts on that?
That would be awesome @robbieaverill. I guess devs aren't going to check the reports often unless asked to do. An email could help to get more attention to it.
In addition to a queuedjob, something should be printed to stdout/browser when invoking composer install / composer update in a similar vein to friendsofsilverstripe/release-notifications. It can even be a shell script run from composer.json in a "scripts" block.
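A minimal sketch of the composer "scripts" hook suggested above, as an added example that is not code from this issue or from the silverstripe module: the installed-package list and the advisory list are constructed inline (a real hook would read them from `composer show` and the security-releases feed), and `sort -V` is assumed to be available.

```shell
#!/bin/sh
# Wired in via composer.json (assumed layout, not from this issue):
#   "scripts": { "post-install-cmd": "sh bin/check-advisories.sh" }

# Constructed sample in the "name version description" shape of `composer show`.
INSTALLED=$(mktemp)
cat > "$INSTALLED" <<'EOF'
silverstripe/framework 4.3.1 The SilverStripe framework
silverstripe/assets 1.3.0 SilverStripe assets module
monolog/monolog 1.24.0 Logging library
EOF

# Constructed advisory list: "package fixed-in-version advisory-id".
# Installed versions below fixed-in-version are treated as affected.
ADVISORIES=$(mktemp)
cat > "$ADVISORIES" <<'EOF'
silverstripe/framework 4.3.2 SS-EXAMPLE-001
monolog/monolog 1.0.0 SS-EXAMPLE-002
EOF

# version_lt A B: succeeds when A sorts strictly before B (GNU/busybox sort -V).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_advisories INSTALLED ADVISORIES: print one warning per affected
# package and return 1 if anything matched, 0 otherwise.
check_advisories() {
  installed=$1; advisories=$2; found=0
  while read -r pkg fixed id; do
    [ -z "$pkg" ] && continue
    inst=$(awk -v p="$pkg" '$1 == p { print $2; exit }' "$installed")
    [ -z "$inst" ] && continue          # advisory is for a package we don't use
    if version_lt "$inst" "$fixed"; then
      printf 'WARNING: %s %s is affected by %s (fixed in %s)\n' "$pkg" "$inst" "$id" "$fixed"
      found=1
    fi
  done < "$advisories"
  return $found
}

# Print to stdout during composer install; do not fail the install itself.
check_advisories "$INSTALLED" "$ADVISORIES" || echo "Review the advisories above before deploying."
```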
There is the https://github.com/Roave/SecurityAdvisories package that you can install that will create composer conflicts with composer packages with known security vulnerabilities. That might interest you?
We're working on making sure that the known list of vulnerabilities (https://www.silverstripe.org/download/security-releases/) is accessible to modules like that one.
Writing a queuedjob to check regularly and sending results via email to a defined address