Good Morning, we have a strange error when we try to install propel/propel (2.0.0-alpha10):
$ /usr/local/bin/security-checker security:check ./composer.lock
But this error was fixed in 2018 -> https://github.com/propelorm/Propel2/pull/1464. Any idea?
are you installing via composer?
yes, via composer update
Just so that we are on the same page. You are using: https://github.com/sensiolabs/security-checker ?
yes
looks to me like a false positive. maybe because the version is not known there yet?
I think we got a versioning problem here:
Take a look at CVE constraint and semver
@UK6GTK9TL have you reported this to the propel team?
No, only here and spryker-support per mail. As far as I know Spryker took the lead on propel development?
Let me check that internally
@UK6GTK9TL could you please share the link to the program that creates the SemVer check?
do you mean the command? bin/console security:check composer.lock
CVE database is https://github.com/FriendsOfPHP/security-advisories/tree/master/propel I guess.
thank you, but i meant the Semver check
for some kind of semver constraint verification I used
https://jubianchi.github.io/semver-check/#/
as you can see in the screenshot above.
Therefore I think the security checker works correctly
thank you
@UK6GTK9TL please take a look here: https://github.com/jubianchi/semver-check/issues/77 a colleague took a look, and it seems that everything works as expected for composer
thanks for your investigation here!
Funny, if it's a bug in this semver-checker tool, but on the other hand we do not know how Sensio Labs resolves constraints.
It looks like the symfony security checker posts the composer.lock file to an endpoint: https://github.com/sensiolabs/security-checker/blob/master/SensioLabs/Security/Crawler.php
Which must handle this also wrong.
We use latest version, can you confirm that security checker evaluates propel 2.0.0-alpha10 to be vulnerable?
@UK6GTK9TL could you PN me your composer.lock please?
thank you. Yes, the security check also evaluates 2.0.0-alpha10 incorrectly for me. Unfortunately, the security checker is a blackbox, so at this point we can only guess that there is a problem with evaluating the versions.
Thanks for your help, I created an issue on security-checker github project. Perhaps the sensiolab guys can check that internally.
But btw: https://github.com/semver/semver/blob/master/semver.md
suggests dot versions for pre-releases: