How to check for security patches

tim.koertgen

Hi all,

I am currently looking for a way to check if we have implemented the latest security fixes or if there is anything left on some projects.

Unfortunately, we have a project that is still on an older Spryker version. The release documentation is not available anymore, as the old documentation was archived on GitHub (https://github.com/spryker/documentation/tree/master). The file names make it really hard to find the information needed.

Is there a way to check for security vulnerabilities within Spryker? I tried the Jarvis Migration Tool, but the tool just shows updates in general and there is no information if those updates are security related.

Also had a look at the Release History https://api.release.spryker.com/release-history, but there is no way to filter for security related releases.

Maybe some of you already experienced the same issue before.

Best Regards
Tim

amansilla

Hey @tim.koertgen,

I would suggest that you install the Spryker Evaluator and run it locally. This tool will assess whether your project code aligns with Spryker's standards. Additionally, it will furnish details on any security vulnerabilities within Spryker's core and open-source modules, along with the version that includes the necessary fix.

For more guidance on installation and running the Evaluator, refer to the Spryker public documentation.

I hope this facilitates a smoother application of security patches. Feel free to reach out if you require further assistance or have any feedback.

Cheers,
Antonio

tim.koertgen

Hi @amansilla

Thanks for your feedback.

I managed to set up the evaluator after I had some issues with an updated php-parser package, leading to an undefined method error. Downgrading the package helps in this case:

composer require nikic/php-parser:^4.0.0

I also created a merge request for these changes: https://github.com/spryker-sdk/evaluator/pull/62

Will take a look at the output now :)

tim.koertgen

Is there a way to use the evaluator outside your project?

I set it up locally via composer as a separate project because we have some dependency issue while installing. But I think the result might not be accurate as the evaluator checks the local PHP version?

And it probably also checks the composer.json in its current directory? I tried the —path option to specify our project path and the code is being checked, but the PHP version and dependencies show no additional information (we know it is outdated, so I was expecting some kind of information about that)