Skip to content

/ versionscan

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve add missing workflow, update CVE checks #31

Merged
merged 6 commits into from Sep 4, 2019
Merged

Improve add missing workflow, update CVE checks #31

merged 6 commits into from Sep 4, 2019

Conversation

@lightswitch05
Copy link
Contributor

lightswitch05 commented Aug 29, 2019
edited

The 'missing' command is great for updates, but needs some TLC to make it easier to use.

  • Added option 'save-results' to allow the results to be automatically added to the checks.json
  • Enforce sorting of the checks.json file every time the missing command is ran
  • Save the timestamp to checks.json as 'updatedAt' to give a reference period for how old the checks are
  • Add php7 changelog to the missing checker
  • 'sunra/php-simple-html-dom-parser' is dead and throwing a ton of errors for newer versions of PHP. Replace it with an updated fork 'kub-at/php-simple-html-dom-parser'
  • Bump min php version since the array syntax is not avaliable before php 5.4
  • Add ext-json as a dependency
  • Fix unit tests (broken in master branch)
  • Add travis tests for php 7.3

Finally, I ran the 'missing' command with the changes I made and committed the updated checks.
@lightswitch05
Improve the 'missing' command workflow
Verified
This commit was signed with a verified signature.
lightswitch05 Daniel
GPG key ID: 4940B41048AF73EA Learn about signing commits
e119cdf 
The 'missing' command is great for updates, but needs some TLC to make it easier to use.

* Added option 'save-results' to allow the results to be automatically added to the checks.json
* Enforce sorting of the checks.json file every time the missing command is ran
* Save the timestamp to checks.json as 'updatedAt' to give a reference period for how old the checks are
* Add php7 changelog to the missing checker
* 'sunra/php-simple-html-dom-parser' is dead and throwing a ton of errors for newer versions of PHP. Replace it with an updated fork 'kub-at/php-simple-html-dom-parser'
* Bump min php version since the array syntax is not avaliable before php 5.4
* Add ext-json as a dependency
@lightswitch05
Update checks using the newer version of the 'missing' command - many…
Verified
This commit was signed with a verified signature.
lightswitch05 Daniel
GPG key ID: 4940B41048AF73EA Learn about signing commits
Loading status checks…
d4a95f6 
… new CVEs found
@lightswitch05
Fixing unit tests
Verified
This commit was signed with a verified signature.
lightswitch05 Daniel
GPG key ID: 4940B41048AF73EA Learn about signing commits
Loading status checks…
5af2463
@lightswitch05 lightswitch05 force-pushed the lightswitch05:feature/improve-add-missing-workflow branch from 078535a to 5af2463 Aug 29, 2019
@lightswitch05
Run travis with php 7.3 as well as 5.4
Verified
This commit was signed with a verified signature.
lightswitch05 Daniel
GPG key ID: 4940B41048AF73EA Learn about signing commits
Loading status checks…
f3cb10a
@lightswitch05

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

lightswitch05 commented Aug 29, 2019

With the improved workflow - I think there might be a path forward to have an automated run of the 'missing' command in travis ci. Automation could be done on a separate branch, with a manual review of the results before merging into master.
@lightswitch05

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

lightswitch05 commented Aug 29, 2019

@enygma I wouldn't mind setting up the automation if that is something you are interested in.

I also would be interested in helping you maintain this project if you need assistance. Automation with travis-ci would certainly require maintenance and more review work. Having more people with merge ability would help get the CVE updates out faster. Just for reference, there was a new release today - 7.3.9 - that fixes a CVE in 7.3.8. I didn't even know about it until I was testing my updates here.
@colinodell
colinodell reviewed Aug 29, 2019
View changes
Copy link
Collaborator

colinodell left a comment

I have not tested this out myself, but I do like the proposed approach here.
src/Psecio/Versionscan/Command/MissingCommand.php Outdated Show resolved Hide resolved
@lightswitch05
Correct missed reference to checks.json per code review
Verified
This commit was signed with a verified signature.
lightswitch05 Daniel
GPG key ID: 4940B41048AF73EA Learn about signing commits
Loading status checks…
80e73cb
@lightswitch05
Added fixVersion 7.1.32 for CVE-2019-13224
Verified
This commit was signed with a verified signature.
lightswitch05 Daniel
GPG key ID: 4940B41048AF73EA Learn about signing commits
Loading status checks…
940ecf5
@lightswitch05

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

lightswitch05 commented Sep 3, 2019

It would be nice if more then one person had pull permissions on this repo
@lightswitch05

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

lightswitch05 commented Sep 4, 2019

@enygma is this tool abandoned?
@colinodell
colinodell approved these changes Sep 4, 2019
View changes
Copy link
Collaborator

colinodell left a comment

I have permissions on this repo and would be happy to merge this :)

I was hoping for @enygma to weigh in here, since I generally only help with updating checks.json and minor bugfixes, leaving the larger things (plus releasing new versions) up to him. But I feel this change isn't too massive and is obviously beneficial so let's merge it :)
@colinodell colinodell merged commit 8c4324e into psecio:master Sep 4, 2019
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@lightswitch05

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

lightswitch05 commented Sep 4, 2019

Thanks @colinodell! Do you also have access to packagist?
@colinodell

This comment has been minimized.

Sign in to view
Copy link
Collaborator

colinodell commented Sep 4, 2019

I do not, just the Github repo.
@lightswitch05 lightswitch05 mentioned this pull request Oct 24, 2019
Closed
@enygma

This comment has been minimized.

Sign in to view
Copy link
Member

enygma commented Oct 24, 2019

Er, the version on Packagist updates when a new release is tagged here, not manually on the service. I can definitely push a new tag if that's needed!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colinodell colinodell

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@lightswitch05 @colinodell @enygma
You can’t perform that action at this time.