Better handling of upstream CVE scans
Today, our environment found an upstream CVE for the first time:
+-------------------+----------------------------------------------------------------------------------+
| Package           | enshrined/svg-sanitize                                                           |
| CVE               | CVE-2023-28426                                                                   |
| Title             | svg-sanitizer has Cross-site Scripting Bypass                                    |
| URL               | https://github.com/advisories/GHSA-xrqq-wqh4-5hg2                                |
| Affected versions | <0.16.0                                                                          |
| Reported at       | 2023-03-20T20:44:30+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
and blocked the updates. Checking why this package is included, we get this:
drupal/svg_image 1.16.0 requires enshrined/svg-sanitize (>=0.15 <1.0)
drupal/svg_image_field 2.2.0 requires enshrined/svg-sanitize (~0.15)
roave/security-advisories dev-master conflicts enshrined/svg-sanitize (<0.15)
Now, there are at least 2 issues with this process:
- The pipeline does not output the test result; it just stops processing, as expected. We need to make sure that the logs show the audit output in such cases.
- As we test for this before updating, this finding will probably never go away. We should test this after `composer update` to see if the code that is supposed to be deployed contains any upstream CVEs.
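One way to address both points in a single CI step, as an added example that is not code from the original post: update first, audit the resulting lock file, print every finding to the log before deciding the exit code, and fail the step only when the updated dependency set still carries an advisory. It assumes Composer 2.4 or newer, where `composer audit --format=json --locked` exists; the JSON key names used by the parser (`advisories`, `cve`, `title`, `link`, `affectedVersions`, `reportedAt`) are assumed to match that output, and the sample report embedded for offline testing is constructed from the advisory quoted above.

```python
"""CI step: audit the dependency set that will actually be deployed (after
`composer update`) and always print the findings to the log.

Assumptions (not from the original post): Composer >= 2.4 provides
`composer audit --format=json --locked`, and the JSON key names below
(advisories, cve, title, link, affectedVersions, reportedAt) follow that output.
"""
import json
import subprocess
import sys

# Constructed sample of a JSON audit report containing the advisory quoted in
# the post, used so the parsing logic can be exercised offline.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "enshrined/svg-sanitize": [
            {
                "packageName": "enshrined/svg-sanitize",
                "cve": "CVE-2023-28426",
                "title": "svg-sanitizer has Cross-site Scripting Bypass",
                "link": "https://github.com/advisories/GHSA-xrqq-wqh4-5hg2",
                "affectedVersions": "<0.16.0",
                "reportedAt": "2023-03-20T20:44:30+00:00",
            }
        ]
    }
})


def parse_audit_report(report_json):
    """Flatten the `advisories` map into one dict per finding.

    An empty report or a missing `advisories` map means the audit was clean.
    """
    data = json.loads(report_json) if report_json.strip() else {}
    findings = []
    for package, advisories in data.get("advisories", {}).items():
        for adv in advisories:
            findings.append({
                "package": package,
                "cve": adv.get("cve") or adv.get("advisoryId") or "n/a",
                "title": adv.get("title", ""),
                "url": adv.get("link", ""),
                "affected": adv.get("affectedVersions", ""),
                "reported": adv.get("reportedAt", ""),
            })
    return findings


def format_findings(findings):
    """Render findings as a plain-text block suitable for a CI log."""
    if not findings:
        return "composer audit: no security advisories found"
    blocks = []
    for f in findings:
        blocks.append("\n".join([
            f"Package:           {f['package']}",
            f"CVE:               {f['cve']}",
            f"Title:             {f['title']}",
            f"URL:               {f['url']}",
            f"Affected versions: {f['affected']}",
            f"Reported at:       {f['reported']}",
        ]))
    header = f"composer audit: {len(findings)} security advisory(ies) found"
    return header + "\n\n" + "\n\n".join(blocks)


def audit_exit_code(findings):
    """Fail the pipeline only when the updated lock file carries an advisory."""
    return 1 if findings else 0


def run_audit_after_update(composer="composer"):
    """Update first, then audit what composer.lock now pins.

    The report is printed before the exit code is decided, so a failing
    step still leaves the findings in the log.
    """
    subprocess.run([composer, "update", "--no-interaction"], check=True)
    proc = subprocess.run(
        [composer, "audit", "--format=json", "--locked"],
        capture_output=True, text=True,
    )
    # `composer audit` itself exits non-zero when advisories exist; its return
    # code is ignored here and the parsed report decides instead.
    findings = parse_audit_report(proc.stdout)
    print(format_findings(findings), flush=True)
    if proc.stderr.strip():
        print(proc.stderr, file=sys.stderr, flush=True)
    return audit_exit_code(findings)


if __name__ == "__main__":
    sys.exit(run_audit_after_update())
```

Run it as the pipeline step in place of the pre-update audit; because the report is printed unconditionally and the decision is taken from the parsed JSON rather than from Composer's own exit status, the log shows exactly which advisory blocked the deployment, and a package whose update already resolves the advisory no longer blocks it.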