Can we use Enlightn Security Checker? #2380

Open
I-Valchev opened this issue Feb 9, 2021 · 4 comments

Comments

@I-Valchev
Member

@I-Valchev you can consider the Enlightn Security Checker.

Originally posted by @paras-malhotra in #2356 (comment)

@I-Valchev
Member Author

@paras-malhotra thank you for the suggestion! Moved it to a new issue so that we don't forget about it :-)

@I-Valchev
Member Author

Hi @paras-malhotra,

Looking at this more carefully, I wonder if it adds more than the roave/security-advisories that we already use?

It looks like both get their data from https://github.com/FriendsOfPHP/security-advisories

@paras-malhotra

Hi @I-Valchev, I agree you should only use 1 of roave or enlightn. I am the author of Enlightn security checker so I'm of course biased towards Enlightn but I would still like to highlight its advantages:

  1. roave relies on you always being updated to the latest version of dev-master. So, let's say roave updated today and you are on yesterday's version, it will not object to a composer require of an insecure package that was issued an advisory today. It will only object when you next run a composer update.
  2. Due to roave's requirement of dev-master, it creates issues with projects that have set Composer configs with min-stability of anything above dev (e.g. alpha, beta, RC, stable).
  3. roave is absolutely strict. It will simply not allow composer installations/upgrades for vulnerable dependencies. This can be an issue if you wish to support older versions that don't have patches for the vulnerabilities. Tests, etc. will stop running on older versions and CI/CD tools will crash. Enlightn on the other hand will simply raise a warning and your enlightn step in the CI/CD tool is the only one that will fail.
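The comparison above comes down to one mechanism: take the exact versions pinned in composer.lock and test them against the version ranges published in the FriendsOfPHP security-advisories database. The script below is an added example written for this thread, not code from roave/security-advisories, enlightn/security-checker or the Bolt project. It reproduces that matching on inline data: the lock-file fragment, the package names and the advisory ranges are all constructed, and the advisory dictionary only approximates the shape of the real YAML entries (package name, affected branches, a list of version constraints per branch). Because such a checker reads the advisory data at run time and reports with an exit code, it fails only the CI step that runs it rather than blocking `composer install` itself, which is the trade-off point 3 describes.

```python
"""Constructed illustration of how a lock-file security checker works.

Added example for this issue thread; not the code of either tool discussed.
The advisory entries and the composer.lock fragment below are made up.
"""
import json
import re

# Constructed composer.lock fragment (only the fields a checker needs).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-kit", "version": "v2.0.3"},
        {"name": "acme/template", "version": "1.4.0"},
    ],
    "packages-dev": [
        {"name": "acme/testlib", "version": "3.1.0"},
    ],
})

# Constructed advisories shaped loosely like FriendsOfPHP YAML entries:
# package name -> list of advisories, each with affected branches whose
# "versions" lists must all hold for the version to be affected.
# Hypothetical packages, titles and ranges; these are not real advisories.
SAMPLE_ADVISORIES = {
    "acme/http-kit": [
        {"title": "Example: header injection (constructed)",
         "branches": {"2.x": {"versions": [">=2.0.0", "<2.0.5"]}}},
    ],
    "acme/testlib": [
        {"title": "Example: unsafe deserialisation (constructed)",
         "branches": {"3.x": {"versions": [">=3.0.0", "<3.0.9"]}}},
    ],
}

# Operator followed by a dotted numeric version, optionally prefixed by "v".
_CONSTRAINT = re.compile(r"^(>=|<=|>|<|==|=)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '1.4.0' or 'v2.0.3' into a comparable tuple of ints.

    Pre-release suffixes such as '-beta1' and build metadata are dropped;
    short versions are zero-padded to three components.
    """
    core = text.lstrip("v").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def satisfies(version, constraint):
    """Check one constraint such as '>=2.0.0' against a parsed version."""
    match = _CONSTRAINT.match(constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = match.group(1) or "=="
    bound = parse_version(match.group(2))
    return {
        ">=": version >= bound, "<=": version <= bound,
        ">": version > bound, "<": version < bound,
        "==": version == bound, "=": version == bound,
    }[op]


def affected(version, advisory):
    """An advisory applies when the version meets every constraint
    of at least one affected branch."""
    parsed = parse_version(version)
    return any(
        all(satisfies(parsed, c) for c in branch["versions"])
        for branch in advisory["branches"].values()
    )


def check_lock(lock_json, advisories, include_dev=True):
    """Return [(package, version, title)] for each locked package whose
    pinned version falls inside an advisory's affected range."""
    lock = json.loads(lock_json)
    packages = list(lock.get("packages", []))
    if include_dev:
        packages += lock.get("packages-dev", [])
    findings = []
    for pkg in packages:
        for adv in advisories.get(pkg["name"], []):
            if affected(pkg["version"], adv):
                findings.append((pkg["name"], pkg["version"], adv["title"]))
    return findings


if __name__ == "__main__":
    hits = check_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for name, version, title in hits:
        print(f"{name} {version}: {title}")
    # Non-zero exit fails only the CI job running this check; composer
    # install/update itself is not blocked, unlike a conflict metapackage.
    raise SystemExit(1 if hits else 0)
```

On the constructed data the check reports acme/http-kit v2.0.3 (inside the >=2.0.0, <2.0.5 range) and nothing for acme/testlib 3.1.0, which sits above the affected 3.0.x range. The version comparison is deliberately simple (numeric components only); a production checker would use Composer's own constraint parser to handle pre-release tags, wildcards and caret/tilde ranges correctly.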

@I-Valchev
Member Author

Hi @paras-malhotra,

Thank you for the detailed explanation! Either of those tools we will use in this repository exclusively (so, for example not in the distributed https://github.com/bolt/project). It would be better to have the security step more explicit, which is what https://github.com/enlightn/security-checker will do by adding it to the CI.

Given your knowledge of it, would you be willing to create a PR to make the necessary changes to use https://github.com/enlightn/security-checker?


2 participants