Strange error when we try to install propel/propel (2.0.0-alpha10)
Good morning, we have a strange error when we try to install propel/propel (2.0.0-alpha10):
$ /usr/local/bin/security-checker security:check ./composer.lock
But this error was fixed in 2018 -> https://github.com/propelorm/Propel2/pull/1464. Any idea?
Comments
-
Are you installing via Composer?
0 -
Yes, via composer update.
0 -
Just so that we are on the same page. You are using: https://github.com/sensiolabs/security-checker ?
0 -
yes
0 -
Looks to me like a false positive. Maybe because the version is not known there yet?
0 -
I think we got a versioning problem here:
Take a look at the CVE constraint and SemVer:
0 -
@UK6GTK9TL have you reported this to the Propel team?
0 -
No, only here and spryker-support per mail. As far as I know Spryker took the lead on propel development?
0 -
Let me check that internally
0 -
@UK6GTK9TL could you please share the link to the program that creates the SemVer check?
0 -
Do you mean the command?
bin/console security:check composer.lock
The CVE database is https://github.com/FriendsOfPHP/security-advisories/tree/master/propel, I guess.
0 -
Thank you, but I meant the SemVer check.
0 -
For some kind of SemVer constraint verification I used
https://jubianchi.github.io/semver-check/#/
as you can see in the screenshot above.
Therefore I think the security checker works correctly.
0 -
thank you
0 -
@UK6GTK9TL please take a look here: https://github.com/jubianchi/semver-check/issues/77 a colleague took a look, and it seems that everything works as expected for composer
0 -
thanks for your investigation here!
Funny, if it's a bug in this semver-check tool, but on the other hand we do not know how SensioLabs resolves constraints. It looks like the Symfony security checker posts the composer.lock file to an endpoint: https://github.com/sensiolabs/security-checker/blob/master/SensioLabs/Security/Crawler.php
which must handle this wrongly as well. We use the latest version; can you confirm that the security checker evaluates propel 2.0.0-alpha10 to be vulnerable?
0 -
@UK6GTK9TL could you PM me your composer.lock please?
0 -
thank you. Yes, the security check also evaluates 2.0.0-alpha10 incorrectly for me. Unfortunately, the security checker is a blackbox, so at this point we can only guess that there is a problem with evaluating the versions.
0 -
Thanks for your help, I created an issue on the security-checker GitHub project. Perhaps the SensioLabs guys can check that internally.
But btw: https://github.com/semver/semver/blob/master/semver.md
suggests dot-separated identifiers for pre-releases:
0
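The disagreement in the last two posts comes down to how a pre-release tag like `alpha10` is compared. SemVer 2.0.0 treats `alpha10` as a single alphanumeric identifier compared in ASCII order (so `alpha10` sorts before `alpha9`), while Composer splits the tag into a stability word and a number. The following is an added example, not code from this thread, from Composer or from the security checker; it models both comparison rules and runs a constructed, purely illustrative constraint (`>=2.0.0-alpha1,<2.0.0-alpha9`, not the real advisory entry for propel/propel) through each to show where a version-range check can flag 2.0.0-alpha10 under one rule and not the other. The `parse_composer` function is a simplified model of Composer's normalisation, not its actual implementation.

```python
"""Compare "2.0.0-alpha10" under strict SemVer 2.0.0 precedence and under a
Composer-style normalisation, and evaluate the same constraint with both."""
import re
from functools import cmp_to_key

VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)
# Composer's stability ranking, lowest first (dev < alpha < beta < RC < stable).
COMPOSER_STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "stable": 4}


def parse_semver(version):
    """Split into (major, minor, patch, [pre-release identifiers]) per SemVer 2.0.0.
    Identifiers are dot-separated, so 'alpha10' is ONE alphanumeric identifier
    while 'alpha.10' is two ('alpha' and the numeric 10)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("not a semver string: %r" % version)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre.split(".") if pre else [])


def _cmp(a, b):
    return (a > b) - (a < b)


def compare_semver(v1, v2):
    """SemVer 2.0.0 precedence (spec item 11): numeric identifiers compare
    numerically, alphanumeric ones lexically in ASCII order, numeric ranks
    below alphanumeric, and no pre-release outranks any pre-release.
    Returns -1, 0 or 1."""
    a, b = parse_semver(v1), parse_semver(v2)
    c = _cmp(a[:3], b[:3])
    if c:
        return c
    pa, pb = a[3], b[3]
    if not pa or not pb:
        return _cmp(bool(pb), bool(pa))  # the one without a pre-release is higher
    for x, y in zip(pa, pb):
        if x.isdigit() and y.isdigit():
            c = _cmp(int(x), int(y))
        elif x.isdigit():
            c = -1
        elif y.isdigit():
            c = 1
        else:
            c = _cmp(x, y)  # lexical: 'alpha10' < 'alpha9' because '1' < '9'
        if c:
            return c
    return _cmp(len(pa), len(pb))  # longer identifier list wins when equal so far


def parse_composer(version):
    """Simplified model (written for this example) of Composer's normalisation:
    the pre-release tag becomes a stability word plus an optional number, so
    'alpha10' and 'alpha.10' both become ('alpha', 10) and compare numerically."""
    major, minor, patch, ids = parse_semver(version)
    if not ids:
        return (major, minor, patch, COMPOSER_STABILITY["stable"], 0)
    m = re.match(r"^(alpha|a|beta|b|rc|dev)\.?(\d+)?$", ".".join(ids), re.IGNORECASE)
    if not m:
        raise ValueError("unsupported pre-release tag: %r" % version)
    return (major, minor, patch, COMPOSER_STABILITY[m.group(1).lower()], int(m.group(2) or 0))


def compare_composer(v1, v2):
    return _cmp(parse_composer(v1), parse_composer(v2))


OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0, "<=": lambda c: c <= 0,
       "<": lambda c: c < 0, "==": lambda c: c == 0, "!=": lambda c: c != 0}


def satisfies(version, constraint, compare):
    """Evaluate a comma-separated (AND) constraint such as
    '>=2.0.0-alpha1,<2.0.0-alpha9' with the given comparator."""
    for part in constraint.split(","):
        m = re.match(r"^(>=|<=|>|<|==|!=)\s*(\S+)$", part.strip())
        if not m:
            raise ValueError("bad constraint: %r" % part)
        if not OPS[m.group(1)](compare(version, m.group(2))):
            return False
    return True


def classify(version, constraint):
    """Verdict of each comparison rule for the same affected-version constraint."""
    return {
        "semver_strict": satisfies(version, constraint, compare_semver),
        "composer": satisfies(version, constraint, compare_composer),
    }


if __name__ == "__main__":
    # Constructed constraint for illustration only; it is NOT the real advisory
    # entry for propel/propel and is chosen to exhibit the divergence.
    AFFECTED = ">=2.0.0-alpha1,<2.0.0-alpha9"
    for v in ["2.0.0-alpha9", "2.0.0-alpha10", "2.0.0-alpha.10"]:
        print(v, classify(v, AFFECTED))
    print(sorted(["2.0.0-alpha10", "2.0.0-alpha9", "2.0.0-alpha.10"],
                 key=cmp_to_key(compare_semver)))
```

Under strict SemVer the lexical rule ranks `2.0.0-alpha10` below `2.0.0-alpha9`, so it falls inside the constructed `<2.0.0-alpha9` bound; under the Composer-style rule it does not. This is why the spec's recommendation of dot-separated identifiers (`alpha.10`) matters: with the dot, both rules agree.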