Closed (exploide closed this issue 1 year ago)
Thanks for sharing, but as you already said and as already mentioned/discussed in #28: version detection for extensions is a nightmare, because developers do what they want.
Unfortunately, I don't have any idea how this could be fixed. Maybe I will put a warning somewhere that the version detection for extensions is unreliable.
Version 1.1.3 adds a warning. I also added a section in the readme.
Thanks. As I also don't see a better way forward for now, I'll close this issue.
Describe the bug
typo3scan reported a vulnerability for the gridelements extension.
This is a false positive. The problem is, the version is inferred from the changelog file, but this hasn't been kept up to date for a while. That means the identified version and hence the detected vulnerability is incorrect.
See the extension's repository at https://gitlab.com/coderscare/gridelements, where the ChangeLog file was last modified three years ago. Instead, it just begins with the line "See https://gitlab.com/coderscare/gridelements/commits/9-0 for a list of commits". This is of course not helpful, and I think it would be best if they didn't keep the changelog file if it isn't used properly. But it is how it is.
On the other hand, I understand that this can be a nightmare to parse for typo3scan. Just wanted to let you know about the false positive. Maybe you have a good idea about how to cope with this.
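The failure mode described in this report, written out as an added example (this is not typo3scan's code, and it does not reproduce its detection logic): a changelog-based version guess is only used for a vulnerability verdict when the file actually contains release entries, and a file that merely points at a commit list yields "unknown" instead of a finding. The two ChangeLog texts, the pointer-line pattern and the `fixed_in` version are constructed for the demonstration.

```python
"""Added example, not typo3scan's code: infer an extension version from its
ChangeLog and refuse to emit a vulnerability verdict when the file is clearly
not a real release log (e.g. it only links to a commit list)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Release entries in extension ChangeLogs usually carry a dotted version number.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# A changelog whose first line just points at a commit list (assumed pattern,
# modelled on the case described in this issue).
POINTER_RE = re.compile(r"^\s*see\s+https?://\S+\s+for a list of commits", re.IGNORECASE)


@dataclass
class VersionGuess:
    version: Optional[Version]
    reliable: bool
    reason: str


def infer_version(changelog: str) -> VersionGuess:
    """Take the version from the newest release entry, which is expected near the top."""
    lines = [ln for ln in changelog.splitlines() if ln.strip()]
    if not lines:
        return VersionGuess(None, False, "empty changelog")
    if POINTER_RE.match(lines[0]):
        return VersionGuess(None, False, "changelog only links to the commit log; no release entries")
    for ln in lines[:20]:
        m = VERSION_RE.search(ln)
        if m:
            found = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
            return VersionGuess(found, True, "version taken from first release entry")
    return VersionGuess(None, False, "no version-like token near the top of the changelog")


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(changelog: str, fixed_in: Version) -> Tuple[str, str]:
    """Return (verdict, note); verdict is 'vulnerable', 'not_vulnerable' or 'unknown'.

    fixed_in is the first version containing the fix (a hypothetical value here).
    A changelog-derived version is never treated as authoritative: the note
    always says where the number came from so the operator can verify it."""
    guess = infer_version(changelog)
    if guess.version is None:
        return "unknown", f"version undetermined ({guess.reason}); verify manually"
    source = "version read from ChangeLog, which may be stale"
    if guess.version < fixed_in:
        return "vulnerable", f"{fmt(guess.version)} < fix {fmt(fixed_in)} ({source})"
    return "not_vulnerable", f"{fmt(guess.version)} >= fix {fmt(fixed_in)} ({source})"


# Constructed sample changelogs (not real extension files).
POINTER_LOG = "See https://example.invalid/ext/commits/main for a list of commits\n"
RELEASE_LOG = (
    "2019-02-01 Release 2.3.1\n"
    "  - fixed a rendering bug\n"
    "2018-11-05 Release 2.3.0\n"
)

if __name__ == "__main__":
    for name, log in (("pointer", POINTER_LOG), ("release", RELEASE_LOG)):
        verdict, note = assess(log, (2, 4, 0))
        print(f"{name}: {verdict} -> {note}")
```

Running it prints "unknown" for the pointer-style changelog and "vulnerable" for the release-style one, with the note making clear that the version came from the ChangeLog rather than from the installed code.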