Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API refactor module to be more independent #34

Merged
merged 5 commits into from
May 31, 2018
Merged

API refactor module to be more independent #34

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
5701642
API refactor module to be more independent
May 25, 2018
079a9d5
Add more display output for security alerts
May 29, 2018
7efa85c
Alter package level alert notice functionality
May 29, 2018
a8e9238
Make output strings translatable
May 30, 2018
fd37c29
Big refactor to make sense of code
May 31, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions _config/packagerelations.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---
Name: packagerelations
after: '#updatecheckerextensions'
Only:
moduleexists: silverstripe-maintenance
---
Package:
extensions:
- PackageSecurityExtension
CVE:
extensions:
- CVEExtension
SiteSummary:
extensions:
- SiteSummaryExtension
60 changes: 0 additions & 60 deletions code/jobs/CheckComposerSecurityJob.php
View file
Open in desktop

This file was deleted.

44 changes: 0 additions & 44 deletions code/models/ComposerSecurityVulnerability.php
View file
Open in desktop

This file was deleted.

102 changes: 0 additions & 102 deletions code/tasks/CheckComposerSecurityTask.php
View file
Open in desktop

This file was deleted.

8 changes: 4 additions & 4 deletions composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,15 +19,15 @@
],
"require": {
"php": ">=5.6.0",
"silverstripe/framework": "^3.0",
"sensiolabs/security-checker": "^3.0",
"symbiote/silverstripe-queuedjobs": "^2.8",
"friendsofsilverstripe/silverstripe-maintenance": "^0.3"
"silverstripe/framework": "^3",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's introduce ^3.2 which matches bringyourownideas/silverstripe-maintenance

"sensiolabs/security-checker": "^4",
"symbiote/silverstripe-queuedjobs": "^2"
},
"replace": {
"spekulatius/silverstripe-composer-security-checker": "self.version"
},
"suggest": {
"friendsofsilverstripe/silverstripe-maintenance": "Display advisory information via Site Summary Report",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The package name has changed =)

"roave/security-advisories": "Raises a conflict on attempt to install a vulnerable module"
},
"support": {
Expand Down
10 changes: 10 additions & 0 deletions phpcs.xml.dist
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<ruleset name="SilverStripe">
<description>CodeSniffer ruleset for SilverStripe coding conventions.</description>

<!-- base rules are PSR-2 -->
<rule ref="PSR2" >
<!-- Current exclusions -->
<exclude name="PSR1.Classes.ClassDeclaration.MissingNamespace" />
</rule>
</ruleset>
8 changes: 8 additions & 0 deletions src/Extensions/CVEExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
<?php

class CVEExtension extends DataExtension
{
private static $has_one = [
'PackageRecord' => 'Package'
];
}
25 changes: 25 additions & 0 deletions src/Extensions/PackageSecruityExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<?php

class PackageSecurityExtension extends DataExtension
{
private static $has_many = [
'SecurityAlerts' => 'CVE'
];

private static $summary_fields = [
'listCVEs' => 'Security alerts',
];

public function listCVEs()
{
$alerts = $this->owner->SecurityAlerts()->Column('CVE');
return $alerts ? implode(', ', $alerts) : null;
}

public function listAlerts()
{
$templates = ['PackageSecurityAlerts'];
$this->owner->extend('updateListAlerts', $templates);
return $this->owner->renderWith($templates);
}
}
15 changes: 15 additions & 0 deletions src/Extensions/SiteSummaryExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
<?php

class SiteSummaryExtension extends Extension
{
public function updateColumns(&$columns)
{
unset($columns['listCVEs']);
}

public function updateCMSFields(&$fields)
{
$summaryInfo = $this->owner->sourceRecords()->renderWith('PackageSecurityAlerts');
$fields->unshift(LiteralField::create('AlertSummary', $summaryInfo));
}
}
61 changes: 61 additions & 0 deletions src/Jobs/CVECheckJob.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
<?php
/**
* Composer security checker job. Runs the task which does the check as a queuedjob.
*
* @author Peter Thaleikis
* @license BSD-3-Clause
*/
class CVECheckJob extends AbstractQueuedJob implements QueuedJob
{
private static $dependencies = [
'CVECheckTask' => '%$' . CVECheckTask::class,
];

/**
* @var CVECheckTask
*/
protected $checkTask;

/**
* @return CVECheckTask
*/
public function getCVECheckTask()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please name the getters/setters the same as the property? I.e. setCheckTask(CheckTask $checkTask)

{
return $this->checkTask;
}

/**
* @param CVECheckTask
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing variable name - can you please type hint the class in the argument too?

* @return CVECheckJob
*/
public function setCVECheckTask($checkTask)
{
$this->checkTask = $checkTask;
return $this;
}

public function getTitle()
{
return _t(
__CLASS__ . '.Title',
'Check if any composer managed modules have known security vulnerabilities.'
);
}

public function getJobType()
{
$this->totalSteps = 1;

return QueuedJob::QUEUED;
}

public function process()
{
// run the task
$task = $this->getCVECheckTask();
$task->run(null);

// mark job as completed
$this->isComplete = true;
}
}
20 changes: 20 additions & 0 deletions src/Models/CVE.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
<?php
/**
* Describes a known security issue of an installed Composer package
*/
class CVE extends DataObject
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last thing- the vulnerabilities are not always assigned CVEs (ours aren’t for example), so maybe the original name or something like PackageVulnerability would be better- what do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: Should the SS security ID then be put in place of the CVE ID?
i.e. SS-2015-014 when accessing ->CVE?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, because this module can work for any PHP packages not just SilverStripe packages. Maybe choose something generic like "Identifier"

{
private static $db = array(
'PackageName' => 'Varchar(255)',
'Version' => 'Varchar(255)',
'Title' => 'Varchar(255)',
'ExternalLink' => 'Varchar(255)',
'CVE' => 'Varchar(255)',
);

private static $summary_fields = array(
'PackageName',
'Version',
'Title',
);
}
Loading