#53 Improve scanning for upstream CVEs

test-and-deploy.yml

@@ -678,12 +678,19 @@ Debug:
     - !reference [.prepareaccess, before_script]
     - !reference [.preparecomposerplugins, before_script]
   script:
+    - DOUPDATE=0
     - rm /tmp/test.log >/dev/null 2>&1 || true
     - composer update --no-interaction --no-progress --no-dev --dry-run $NAMESPACES_CHECK_UPDATE >/tmp/test.log 2>&1
-    - composer audit --no-dev --locked || true
     - EC=0
     - grep "Nothing to modify in lock file" /tmp/test.log || EC=$?
-    - if [[ $EC -eq 0 ]]; then exit 0; fi
+    - if [[ $EC -ne 0 ]]; then DOUPDATE=1; fi
+    - rm /tmp/test.log >/dev/null 2>&1 || true
+    - composer audit --no-dev --locked --format=plain >/tmp/test.log 2>&1 || true
+    - cat /tmp/test.log
+    - EC=0
+    - grep "No security vulnerability advisories found" /tmp/test.log || EC=$?
+    - if [[ $EC -ne 0 ]]; then DOUPDATE=1; fi
+    - if [[ $DOUPDATE -eq 0 ]]; then exit 0; fi
     - git remote rm origin
     - git remote add origin git@${CI_SERVER_HOST}:$CI_PROJECT_PATH.git
     - composer update --no-interaction --no-progress --no-dev