silverstripe / recipe-reporting-tools

Add extra CMS reporting tools to your Silverstripe project
BSD 3-Clause "New" or "Revised" License

Installed modules report - 'Check for updates' does not run silverstripe-composer-security-checker #10

Closed brynwhyman closed 4 years ago

brynwhyman commented 4 years ago

Overview

This recipe is recommended for all CWP sites and site owners are suggested to use the installed modules report to keep up to date with disclosed security vulnerabilities for modules being used on their site.

Expected result

When accessing this report, and clicking the 'Check for updates' button I'd expect it to run and eventually automatically populate the report with the following information (should any be true):

  1. fill the report with all installed dependencies
  2. fill the report with the current and latest version of each dependency
  3. highlight dependencies where the current version is known to have known security vulnerabilities

Actual results

After clicking the 'Check for updates' button, I will eventually see (1) the installed dependencies and (2) the latest version, but I do not see the report populated with any security notices even though I know my site to be running vulnerable versions.

Versions and environments

a. I've tested this locally, with silverstripe/recipe-reporting-tools 1.3.0, silverstripe/cms 4.4.0 and do not see the security vulnerabilities in the report until I manually run sake dev/tasks/SecurityAlertCheckTask

b. I've tested this on CWP platform, with silverstripe/recipe-reporting-tools 1.5.0-rc1, silverstripe/cms 4.5.0-rc1 and do not see the security vulnerabilities in the report. Attempting to manually run the following through the CMS Jobs section results in the job pausing due to an error: BringYourOwnIdeas\SecurityChecker\Jobs\SecurityAlertCheckJob

Help

I'm unsure if any additional set up is required to have this check perform correctly on a production website. I'm hoping for some assistance in confirming if my expected result should be what is actually expected.
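The report above only populates with security notices once the checker task or queued job has actually run, so a site that relies on the CMS button alone never sees them. The following is an added example, not code from this recipe, from silverstripe-composer-security-checker or from anyone in this thread: a small BuildTask that queues the BringYourOwnIdeas\SecurityChecker\Jobs\SecurityAlertCheckJob named in the report so the check can be scheduled from cron rather than triggered by hand. It assumes the queuedjobs module (Symbiote\QueuedJobs\Services\QueuedJobService) is installed, as it is on CWP, and that SecurityAlertCheckJob can be constructed without arguments; the task name QueueSecurityAlertCheckTask and the App\Tasks namespace are hypothetical.

```php
<?php
// Added example, not part of recipe-reporting-tools or the security-checker module.
// Assumptions: symbiote/silverstripe-queuedjobs is installed and
// SecurityAlertCheckJob takes no constructor arguments. The task name and
// namespace below are hypothetical.
namespace App\Tasks;

use BringYourOwnIdeas\SecurityChecker\Jobs\SecurityAlertCheckJob;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Dev\BuildTask;
use Symbiote\QueuedJobs\Services\QueuedJobService;

/**
 * Queues the security alert check so it runs independently of the CMS
 * "Check for updates" button. Intended to be invoked from cron, e.g. daily.
 */
class QueueSecurityAlertCheckTask extends BuildTask
{
    // URL segment used by sake: sake dev/tasks/QueueSecurityAlertCheckTask
    private static $segment = 'QueueSecurityAlertCheckTask';

    protected $title = 'Queue security alert check';

    protected $description = 'Queues SecurityAlertCheckJob so the installed modules '
        . 'report is populated with known vulnerability notices.';

    public function run($request)
    {
        /** @var QueuedJobService $service */
        $service = QueuedJobService::singleton();

        // queueJob() persists a job descriptor and returns its ID; the queue
        // runner (e.g. ProcessJobQueueTask from cron) executes it later.
        $jobId = $service->queueJob(new SecurityAlertCheckJob());

        echo "Queued SecurityAlertCheckJob with descriptor ID {$jobId}\n";
    }
}
```

With this in place, a cron entry such as `sake dev/tasks/QueueSecurityAlertCheckTask` (daily) alongside the queued jobs runner keeps the report current without any manual step. The immediate equivalent on the command line is the task the issue already mentions, `sake dev/tasks/SecurityAlertCheckTask`, which runs the check synchronously instead of queueing it.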


brynwhyman commented 4 years ago

Screenshot for reference of the report and (clicked) button [image]

Cheddam commented 4 years ago

PR raised here to resolve the issue with the SecurityAlertCheckJob.

spekulatius commented 4 years ago

Hey @Cheddam and @brynwhyman,

sorry for the slow turnaround on the issue with the silverstripe-composer-security-checker. It's merged now!

Peter

brynwhyman commented 4 years ago

Thanks @spekulatius!

Related to this, do you have any thoughts on whether the following would be a suitable enhancement? https://github.com/bringyourownideas/silverstripe-composer-security-checker/issues/52

brynwhyman commented 4 years ago

I'm going to close this issue. I think the best step forward is looking at bringyourownideas/silverstripe-composer-security-checker#52