[Maintenance] Make known upstream vulnerabilities not fail the pipe

NoResponseMate · NoResponseMate · commit 90959390887c · 2025-10-10T12:53:25.000+02:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -21,7 +21,7 @@ jobs:
             matrix:
                 php: ["8.3"]
                 symfony: ["^5.4.21", "^6.4"]
-                sylius: ["~1.13.0", "~1.14.0"]
+                sylius: ["~1.14.0"]
                 database: ["mysql", "postgres"]
                 mysql: ["8.4"]
                 postgres: ["15.8"]
@@ -30,7 +30,7 @@ jobs:
 
                 include:
                     -
-                        php: "8.1"
+                        php: "8.3"
                         symfony: "^6.4"
                         sylius: "~1.14.0"
                         database: "mysql"
@@ -39,7 +39,7 @@ jobs:
                         wkhtmltopdf: "0.12.6-1"
                         state_machine_adapter: "symfony_workflow"
                     -
-                        php: "8.2"
+                        php: "8.3"
                         symfony: "^6.4"
                         sylius: "~1.14.0"
                         database: "mysql"
@@ -48,7 +48,7 @@ jobs:
                         wkhtmltopdf: "0.12.6-1"
                         state_machine_adapter: "winzou_state_machine"
                     -
-                        php: "8.2"
+                        php: "8.3"
                         symfony: "^6.4"
                         sylius: "~1.14.0"
                         database: "mysql"
@@ -143,6 +143,68 @@ jobs:
                 name: Install PHP dependencies
                 run: composer install --no-interaction
 
+            -   name: Run security checks
+                run: |
+                    set -e
+                    
+                    composer audit --no-interaction --format=json > composer-audit.json || AUDIT_EXIT=$?
+                    
+                    IGNORED=$(jq -r '.config.audit.ignore[]?' composer.json | sort || true)
+                    
+                    if [ "${AUDIT_EXIT:-0}" -ne 0 ]; then
+                      FOUND=$(jq -r '
+                        # Collect CVEs from both advisories and ignored-advisories
+                        (.advisories[]?.advisories[]?.cve? // empty),
+                        (.["ignored-advisories"][]?[]?.cve? // empty)
+                      ' composer-audit.json | sort | uniq)
+                    
+                      DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
+                    
+                      if [ -n "$DIFF" ]; then
+                        echo "❌ New vulnerabilities found by Composer audit:"
+                        echo "$DIFF"
+                        exit 1
+                      else
+                        echo "✅ No new vulnerabilities found by Composer audit."
+                      fi
+                    else
+                      echo "✅ No new vulnerabilities found by Composer audit."
+                    fi
+                    
+                    symfony security:check --format=json > symfony-audit.json || true
+                    
+                    FOUND=$(jq -r '.[]?.advisories[]?.cve? // empty' symfony-audit.json | sort | uniq)
+                    
+                    DIFF=$(comm -23 <(echo "$FOUND") <(echo "$IGNORED"))
+                    
+                    if [ -n "$DIFF" ]; then
+                      echo "❌ New vulnerabilities found by Symfony security:check:"
+                      echo "$DIFF"
+                      exit 1
+                    else
+                      echo "✅ No new vulnerabilities found by Symfony security:check."
+                    fi
+
+            -
+                name: Run ECS
+                run: vendor/bin/ecs check
+
+            -
+                name: Validate composer.json
+                run: composer validate --ansi --strict
+
+            -
+                name: Run analysis
+                run: composer analyse
+
+            -
+                name: Run PHPStan
+                run: vendor/bin/phpstan analyse -c phpstan.neon.dist src/
+
+            -
+                name: Run PHPSpec
+                run: vendor/bin/phpspec run --ansi -f progress --no-interaction
+
             -
                 name: Get Yarn cache directory
                 id: yarn-cache
@@ -192,30 +254,6 @@ jobs:
                 name: Load fixtures in test application
                 run: (cd tests/Application && bin/console sylius:fixtures:load -n)
 
-            -
-                name: Run security check
-                run: symfony security:check
-
-            -
-                name: Run ECS
-                run: vendor/bin/ecs check
-
-            -
-                name: Validate composer.json
-                run: composer validate --ansi --strict
-
-            -
-                name: Run analysis
-                run: composer analyse
-
-            -
-                name: Run PHPStan
-                run: vendor/bin/phpstan analyse -c phpstan.neon.dist src/
-
-            -
-                name: Run PHPSpec
-                run: vendor/bin/phpspec run --ansi -f progress --no-interaction
-
             -
                 name: Run PHPUnit
                 run: vendor/bin/phpunit --colors=always
diff --git a/composer.json b/composer.json
@@ -64,6 +64,12 @@
             "symfony/flex": true,
             "symfony/thanks": false,
             "php-http/discovery": true
+        },
+        "audit": {
+            "ignore": [
+                "CVE-2025-31481",
+                "CVE-2025-31485"
+            ]
         }
     },
     "conflict": {
