-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Composer Audit: ability to ignore vulnerabilities #11298
Comments
Maybe instead of an opt-out feature - which sounds pretty bad if we consider that we are talking about known security vulnerabilities - the community would need something like this. I'd use Feedbacks are welcomed, I've just built this quickly. https://packagist.org/packages/mxr576/composer-audit-changes |
Yeah I mean generally speaking I don't think it should block your pipeline if you have vulnerabilities. It should be a reported failure but not a hard fail blocking deployment, that's way too disturbing to the daily business and might cause you bigger troubles. But that's up to people and how they integrate things.. So if you do make it fail hard I can see that you may want to be able to ignore some specific vulnerabilities if you have had a look and determined you are not affected. |
See #11556 if anyone wants to review |
Hm, #11556 has been merged sooner as I expected. I am sorry that I did not have time earlier to share my 2 cents. The PR also did not get feedback from the community. Nonetheless, please allow me to share why I would not have added #11556 as solution to Composer. (2.6.0 is not out yet, maybe there is a chance for a rollback?) I strongly believe that security advisories is not something that anybody would like to ignore. However, definitely there are real life scenarios where the combination of:
I think we need to understand the root of the problem and react to that. My understand is that The solution introduced in #11556 is problematic because:
The |
For what it's worth, I share @mxr576 opinion. I've seen the GitHub pull request come by and thought I'd type out my concerns after my vacation (instead of from a mobile phone like now). 🤞 |
I am of a different opinion on two points:
So I think different people have different preferences in terms of workflow, and offering the option to ignore is sensible. Maybe not for you tho but that's ok you don't have to use everything. |
It depends. We use If you don’t agree with the current implementation, you're safe not to use it in any way. Unless you change your configuration, the behavior does not change |
Surely there are opinions and opinionated workflows. I can be also convinced that #11556 is the right direction if it follows industry standards and there are precedents for this kind of features in other package managers (auditing tools) - I dd not do my homework. Maybe my expectations are also misaligned... What I would expected from Composer (as the de-facto package manager for PHP) is strong guidance on best practices, incl. security ones. With this ignore list feature, the intentions were definitely good, but you can be also sure that it is going to be abused several times. This is what I am worried about the most. Not about those ppl who know what they are doing and aware of consequences, but about those who do not. By the way, the described workflow by @Seldaek is not different from what I would also do... My gut says whoever needed a feature like this, could already achieved by running So maybe a simple documentation about filtering Composer audit results would have been enough for a start and see the reactions. Because "no is temporary, yes is forever." , so if #11556 gets released in 2.6.0 there is no way to get rid of it. However, if an alternative approach gets suggested and it fails, #11556 can still be added and everybody will be happy. |
I have to agree with @mxr576 that this seems like a bad idea - especially from a compliance perspective. Rather than an "audit.ignored config setting to ignore security advisories" perhaps we could agree on this compromise: "audit.pass config setting to exit(0) for certain security advisories" (but still list them in the console output). That way, if somebody is reviewing the "audit log" then they won't have to wonder whether some entries are missing. |
Really good idea! 👍 And see how easy was changing the current implementation to match the expected behavior... #11605 🤞 |
Discussed in #11294
Originally posted by ivancli February 4, 2023
Hi guys, we use composer audit in a CI pipeline of our project to check vulnerabilities. However once a vulnerability is discovered, the pipeline fails and blocks the subsequent processes, e.g. deployment.
Just wondering if composer has a built-in functionality to ignore a list of vulnerabilities by CVE IDs.
If not, will this be considered to be implemented in the near future?
You can find similar functionality in Aqua Trivy which ignores vulnerabilities specified in the .trivyignore file.
I agree it probably makes sense to have an option to dismiss some vulns by CVE id or something.
The text was updated successfully, but these errors were encountered: