From 3187ef1ac3a5fd0dafb24760e7ba566cedff810a Mon Sep 17 00:00:00 2001
From: Peter Jaap Blaakmeer
Date: Tue, 19 Nov 2024 09:30:19 +0100
Subject: [PATCH 1/5] Add allow-list functionality to securitychecker_enlightn

---
 src/Task/SecurityCheckerEnlightn.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Task/SecurityCheckerEnlightn.php b/src/Task/SecurityCheckerEnlightn.php
index 614e41ec..e01950dc 100644
--- a/src/Task/SecurityCheckerEnlightn.php
+++ b/src/Task/SecurityCheckerEnlightn.php
@@ -24,10 +24,12 @@ public static function getConfigurableOptions(): ConfigOptionsResolver
 $resolver->setDefaults([
 'lockfile' => './composer.lock',
 'run_always' => false,
+ 'allow_list' => []
 ]);
 
 $resolver->addAllowedTypes('lockfile', ['string']);
 $resolver->addAllowedTypes('run_always', ['bool']);
+ $resolver->addAllowedTypes('allow_list', ['array']);
 
 return ConfigOptionsResolver::fromOptionsResolver($resolver);
 }
@@ -50,6 +52,11 @@ public function run(ContextInterface $context): TaskResultInterface
 $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
 $arguments->add('security:check');
 $arguments->addOptionalArgument('%s', $config['lockfile']);
+ if (!empty($config['allow_list'])) {
+ foreach ($config['allow_list'] as $allowListItem) {
+ $arguments->addOptionalArgument('--allow-list %s', $allowListItem);
+ }
+ }
 
 $process = $this->processBuilder->buildProcess($arguments);
 $process->run();

From a93588453e752d39ec4668edfad67847c40e2a8d Mon Sep 17 00:00:00 2001
From: Peter Jaap Blaakmeer
Date: Tue, 19 Nov 2024 09:32:29 +0100
Subject: [PATCH 2/5] Update enlightn.md

---
 doc/tasks/securitychecker/enlightn.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/tasks/securitychecker/enlightn.md b/doc/tasks/securitychecker/enlightn.md
index 3c51ccca..a87c5989 100644
--- a/doc/tasks/securitychecker/enlightn.md
+++ b/doc/tasks/securitychecker/enlightn.md
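Review bot: `$resolver->addAllowedTypes('allow_list', ['array'])` only guarantees an array, so a nested array, an integer or an empty string inside `allow_list` passes the resolver and reaches the command line unchecked, while the documentation added in PATCH 2/5 promises "an array of strings" and the `--allow-list=%s` formatting in PATCH 5/5 joins the entries with commas, so an entry containing a comma or whitespace could silently change which advisories are suppressed. If `$resolver` is a Symfony OptionsResolver, as the `addAllowedTypes` calls suggest, a value check next to the type check closes this: `$resolver->setAllowedValues('allow_list', static fn (array $ids): bool => $ids === array_filter($ids, static fn ($id): bool => is_string($id) && $id !== ''));`. The added default `'allow_list' => []` also lacks the trailing comma the surrounding multi-line array uses. getConfigurableOptions starts outside the hunk.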
@@ -19,6 +19,10 @@ grumphp:
 securitychecker_enlightn:
 lockfile: ./composer.lock
 run_always: false
+ allow_list:
+ - CVE-2018-15133
+ - CVE-2024-51755
+ - CVE-2024-45411
 ```
 
 **lockfile**

From 9026e69e094c4d5d720f5c7675538189ac33348b Mon Sep 17 00:00:00 2001
From: peterjaap
Date: Tue, 3 Dec 2024 09:08:42 +0100
Subject: [PATCH 3/5] Use addArgumentArrayWithSeparatedValue()

---
 src/Task/SecurityCheckerEnlightn.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/Task/SecurityCheckerEnlightn.php b/src/Task/SecurityCheckerEnlightn.php
index e01950dc..bbe9412b 100644
--- a/src/Task/SecurityCheckerEnlightn.php
+++ b/src/Task/SecurityCheckerEnlightn.php
@@ -52,11 +52,7 @@ public function run(ContextInterface $context): TaskResultInterface
 $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
 $arguments->add('security:check');
 $arguments->addOptionalArgument('%s', $config['lockfile']);
- if (!empty($config['allow_list'])) {
- foreach ($config['allow_list'] as $allowListItem) {
- $arguments->addOptionalArgument('--allow-list %s', $allowListItem);
- }
- }
+ $arguments->addArgumentArrayWithSeparatedValue('--allow-list', $config['allow_list'] ?? []);
 
 $process = $this->processBuilder->buildProcess($arguments);
 $process->run();

From bed10e9e7314b95226767443a7a579f406ff9e64 Mon Sep 17 00:00:00 2001
From: peterjaap
Date: Tue, 3 Dec 2024 09:15:43 +0100
Subject: [PATCH 4/5] Added test case for usage of --allow-list

---
 test/Unit/Task/SecurityCheckerEnlightnTest.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/test/Unit/Task/SecurityCheckerEnlightnTest.php b/test/Unit/Task/SecurityCheckerEnlightnTest.php
index a15104a3..35377574 100644
--- a/test/Unit/Task/SecurityCheckerEnlightnTest.php
+++ b/test/Unit/Task/SecurityCheckerEnlightnTest.php
@@ -107,5 +107,16 @@ public function provideExternalTaskRuns(): iterable
 './composer.lock',
 ]
 ];
+
+ yield 'with_allow_list' => [
+ ['allow_list' => ['allow_advisory_1', 'allow_advisory_2']],
+ $this->mockContext(RunContext::class, ['composer.lock']),
+ 'security-checker',
+ [
+ 'security:check',
+ './composer.lock',
+ '--allow-list=allow_advisory_1,allow_advisory_2'
+ ]
+ ];
 }
 }

From eda6d36d0d65dacffd024f9e26b4e4bf61822555 Mon Sep 17 00:00:00 2001
From: peterjaap
Date: Tue, 18 Mar 2025 21:01:57 +0100
Subject: [PATCH 5/5] Add --allow-list option to SecurityCheckerEnlightn task

- Document new option in enlightn.md with example usage
- Fix argument formatting to use comma-separated values for --allow-list
- Update unit test to include the new option in default configuration

This change allows users to specify CVEs that should be ignored during security checks when they've been assessed and determined not to pose a risk.
---
 doc/tasks/securitychecker/enlightn.md | 14 ++++++++++++++
 src/Task/SecurityCheckerEnlightn.php | 2 +-
 test/Unit/Task/SecurityCheckerEnlightnTest.php | 1 +
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/doc/tasks/securitychecker/enlightn.md b/doc/tasks/securitychecker/enlightn.md
index a87c5989..b2e05d21 100644
--- a/doc/tasks/securitychecker/enlightn.md
+++ b/doc/tasks/securitychecker/enlightn.md
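Review bot: The new `with_allow_list` case only covers a populated list; nothing asserts that the default `allow_list: []` produces no `--allow-list` argument at all, which is the path every existing configuration takes and the one most likely to regress when the argument helper changes (PATCH 3/5 and PATCH 5/5 each swapped it). The expected values also pin the exact `--allow-list=a,b` rendering, which is the format the external `security-checker` command is expected to accept rather than something this task chooses, so a short comment on the yield, e.g. `// single comma-separated value: the format the security-checker CLI accepts — confirm against its docs`, would tell the next maintainer why a format change is not free. An explicit empty-list case would look like the following; the rest of provideExternalTaskRuns is outside the hunk.
```php
        yield 'with_empty_allow_list' => [
            ['allow_list' => []],
            $this->mockContext(RunContext::class, ['composer.lock']),
            'security-checker',
            [
                'security:check',
                './composer.lock',
            ],
        ];
```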
@@ -36,3 +36,17 @@ If your `composer.lock` file is located in an exotic location, you can specify t
 *Default: false*
 
 When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.
+
+**allow_list**
+
+*Default: []*
+
+This option allows you to specify a list of CVE identifiers that should be ignored during the security check. This is useful if you have assessed certain vulnerabilities and determined that they do not pose a risk to your project. The CVE identifiers should be provided as an array of strings. For example:
+
+```yaml
+allow_list:
+ - CVE-2018-15133
+ - CVE-2024-51755
+ - CVE-2024-45411
+```
+
diff --git a/src/Task/SecurityCheckerEnlightn.php b/src/Task/SecurityCheckerEnlightn.php
index bbe9412b..8b6e5c32 100644
--- a/src/Task/SecurityCheckerEnlightn.php
+++ b/src/Task/SecurityCheckerEnlightn.php
@@ -52,7 +52,7 @@ public function run(ContextInterface $context): TaskResultInterface
 $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
 $arguments->add('security:check');
 $arguments->addOptionalArgument('%s', $config['lockfile']);
- $arguments->addArgumentArrayWithSeparatedValue('--allow-list', $config['allow_list'] ?? []);
+ $arguments->addOptionalCommaSeparatedArgument('--allow-list=%s', $config['allow_list']);
 
 $process = $this->processBuilder->buildProcess($arguments);
 $process->run();
diff --git a/test/Unit/Task/SecurityCheckerEnlightnTest.php b/test/Unit/Task/SecurityCheckerEnlightnTest.php
index 35377574..082c6505 100644
--- a/test/Unit/Task/SecurityCheckerEnlightnTest.php
+++ b/test/Unit/Task/SecurityCheckerEnlightnTest.php
@@ -27,6 +27,7 @@ public function provideConfigurableOptions(): iterable
 [
 'lockfile' => './composer.lock',
 'run_always' => false,
+ 'allow_list' => [],
 ]
 ];
 }
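Review bot: `$arguments->addOptionalCommaSeparatedArgument('--allow-list=%s', $config['allow_list'])` drops the `?? []` fallback, so this line now depends on the resolver default set in getConfigurableOptions and, presumably, on the helper omitting the option when the array is empty — neither is visible in the hunk, and the "Optional" in the helper's name is the only hint. A one-line comment would keep that contract explicit: `// allow_list always resolves (default []); the helper is expected to omit the option for an empty list — confirm`. Beyond the resolver's array type check the entries reach the external command unvalidated, so every suppressed advisory is only as trustworthy as the configured list; see the getConfigurableOptions hunk in PATCH 1/5 for the value check that would close this. run() continues outside the hunk on both sides.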