[JUnit] Fix multiple vulns #52

viviengaetan · 2022-06-27T14:24:40Z

When a package as multiples vulnerabilities, the junit format only report one which is not the intended use case.

Sample with the following composer.json

{
  "require": {
    "guzzlehttp/guzzle": "7.4.2"
  }
}

Currently the result is the following:

./local-php-security-checker --path=test/ --format=junit
  <testsuites name="Symfony Security Check Report">
      <testsuite package="" errors="0" failures="1" tests="1">
          <testcase name="guzzlehttp/guzzle (7.4.2)" classname="packages">
              <failure>CVE-2022-31091 - Change in port should be considered a change in origin (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699)</failure>
          </testcase>
      </testsuite>
  </testsuites>

With the modification I did:

./local-php-security-checker --path=test/ --format=junit
  <testsuites name="Symfony Security Check Report">
      <testsuite package="" errors="0" failures="1" tests="1">
          <testcase name="guzzlehttp/guzzle (7.4.2)" classname="packages">
              <failure>CVE-2022-29248 - Cross-domain cookie leakage (https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3)</failure>
              <failure>CVE-2022-31042 - Failure to strip the Cookie header on change in host or HTTP downgrade (https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9)</failure>
              <failure>CVE-2022-31043 - Fix failure to strip Authorization header on HTTP downgrade (https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q)</failure>
              <failure>CVE-2022-31090 - CURLOPT_HTTPAUTH option not cleared on change of origin (https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r)</failure>
              <failure>CVE-2022-31091 - Change in port should be considered a change in origin (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699)</failure>
          </testcase>
      </testsuite>
  </testsuites>

fabpot · 2022-06-27T16:13:24Z

Thank you

dmarcos89 · 2022-06-27T23:12:50Z

Thanks a lot @viviengaetan! That was quick 😄
@fabpot Any chance we can tag this as 2.0.4? Or what's the release frequency?
Cheers

fabpot · 2022-06-28T16:11:06Z

@dmarcos89 Released now.

The security checker binary has had a new release with improved handling for when a package has multiple security issues. Refs: * https://github.com/fabpot/local-php-security-checker/releases * fabpot/local-php-security-checker#52

[JUnit] Fix multiple vulns

45039a2

viviengaetan mentioned this pull request Jun 27, 2022

Add junit formatting #23

Merged

viviengaetan marked this pull request as ready for review June 27, 2022 15:00

fabpot merged commit 9150955 into fabpot:main Jun 27, 2022

jrfnl mentioned this pull request Jul 25, 2022

GH Actions/Securitycheck: update the security checker download PHPCSStandards/composer-installer#186

Merged

viviengaetan deleted the fix/junit_multiple_vulns branch April 14, 2024 20:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[JUnit] Fix multiple vulns #52

[JUnit] Fix multiple vulns #52

viviengaetan commented Jun 27, 2022

fabpot commented Jun 27, 2022

dmarcos89 commented Jun 27, 2022

fabpot commented Jun 28, 2022

[JUnit] Fix multiple vulns #52

[JUnit] Fix multiple vulns #52

Conversation

viviengaetan commented Jun 27, 2022

fabpot commented Jun 27, 2022

dmarcos89 commented Jun 27, 2022

fabpot commented Jun 28, 2022