How to handle security advisories#3278
Conversation
Preview of modified filesPreview of modified Markdown: |
mnocon
left a comment
There was a problem hiding this comment.
Initial pass, like the direction a lot - seems much more maintanable than maintaing the list of advisories 💪
f758443 to
1a23ac6
Compare
|
|
||
| - Run servers on a recent operating system and install security patches for dependencies. | ||
| - Configure servers to alert you about security updates from vendors. Pay special attention to dependencies used by your project directly, or by PHP. The provider of the operating system usually has a service for this. | ||
| - Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions. |
There was a problem hiding this comment.
Maybe also add a point about considering whether you should update to very freshly released packages. There is a potential security benefit to avoiding the newest packages, because of supply-chain attacks. Composer doesn't have a setting for this yet, but minimum-release-age is coming:
composer/composer#12633
There was a problem hiding this comment.
@glye Some like this?:
| - Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions. | |
| - Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions. Delay the installation of recently released version that aren't fixes. Only install fixing versions and one-month-old versions. |
There was a problem hiding this comment.
Feels too definite and specific to me. "that aren't fixes" isn't very helpful since attacks will likely camouflage as fixes. I would only advise people to consider the risk of supply chain attacks, and whether they ought to have a policy for avoiding recent releases newer than X time.
There was a problem hiding this comment.
@glye Thx for the vocabulary :)
What about this?:
| - Update Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories). Update dependencies to be able to install fixed versions. | |
| - Update your Composer packages regularly. Don't underestimate [package security advisories](security_advisories.md#package-security-advisories) and update your dependencies so you can install the fixed versions. Also consider the risk of [supply chain attacks](https://en.wikipedia.org/wiki/Supply_chain_attack) which could be mitigated by adopting a policy of waiting a minimum amount of time before using new releases. |
Co-authored-by: Gunnstein Lye <289744+glye@users.noreply.github.com>
| <a id="authentication-token"></a>If you added credentials to the `COMPOSER_AUTH` variable, at this point add this variable to `auth.json` (for example, by running `echo $COMPOSER_AUTH > auth.json`). | ||
|
|
||
| !!! tip | ||
| !!! caution "Security advisories" |
There was a problem hiding this comment.
6 admonitions in the row, no need to change this now but at some point we'll have to rework this - for v6 most likely
| Example of a Composer output about a package with security issues when trying to install: | ||
|
|
||
| ```text | ||
| - Root composer.json requires twig/cssinliner-extra v3.11.0 (exact version match), found twig/cssinliner-extra[v3.11.0] but these were not loaded, because they are affected by security advisories ("PKSA-fs5b-x5k4-1h39"). |
|
|
||
| Composer's output isn't always this verbose about security advisories blocking installation or updates. | ||
|
|
||
| For example, imagine this error appeared recently when trying to install [[= product_name =]] 4.6 on PHP 7.4: |
There was a problem hiding this comment.
| For example, imagine this error appeared recently when trying to install [[= product_name =]] 4.6 on PHP 7.4: | |
| For example, when trying to install [[= product_name =]] 4.6 on PHP 7.4 you might see an error like the following one: |
|
|
||
| It's highly recommended that you not install the affected package, and instead meet the requirements of the fixed version. | ||
|
|
||
| You can use the https://packagist.org/security-advisories/ resource to learn more about a security advisory, such as the affected packages and versions, a detailed description of the issue, and other possible reference IDs for the advisory: PKSA (Packagist Security Advisory), GHSA (GitHub Security Advisories), and CVE (Common Vulnerabilities and Exposures). |
There was a problem hiding this comment.
| You can use the https://packagist.org/security-advisories/ resource to learn more about a security advisory, such as the affected packages and versions, a detailed description of the issue, and other possible reference IDs for the advisory: PKSA (Packagist Security Advisory), GHSA (GitHub Security Advisories), and CVE (Common Vulnerabilities and Exposures). | |
| You can use the [Packagist Security Advisories database](https://packagist.org/security-advisories/) to learn more about a security advisory, such as the affected packages and versions, a detailed description of the issue, and other possible reference IDs for the advisory: PKSA (Packagist Security Advisory), GHSA (GitHub Security Advisories), and CVE (Common Vulnerabilities and Exposures). |
| It worked before. You can check packagist.org, or an already running instance of [[= product_name =]], to see which version of this package was previously accepted. | ||
|
|
||
| In this example, [`twig/twig` v3.11.3](https://packagist.org/packages/twig/twig#v3.11.3) matches the constraints `^3.0` and PHP 7.4 `>=7.2.5`. |
There was a problem hiding this comment.
| It worked before. You can check packagist.org, or an already running instance of [[= product_name =]], to see which version of this package was previously accepted. | |
| In this example, [`twig/twig` v3.11.3](https://packagist.org/packages/twig/twig#v3.11.3) matches the constraints `^3.0` and PHP 7.4 `>=7.2.5`. | |
| To gather more information, check package information on [Packagist](packagist.org) and try installing a specific version of the package blocking installation. | |
| In this case, trying to install `twig/twig:3.11.3` shows explicitly that this version is blocked by a security advisory: |
| - Root composer.json requires twig/cssinliner-extra v3.11.0 (exact version match), found twig/cssinliner-extra[v3.11.0] but these were not loaded, because they are affected by security advisories ("PKSA-fs5b-x5k4-1h39"). | ||
| ``` | ||
|
|
||
| Composer's output isn't always this verbose about security advisories blocking installation or updates. |
There was a problem hiding this comment.
| Composer's output isn't always this verbose about security advisories blocking installation or updates. | |
| Composer's output doesn't always mention that a security advisory is blocking installation or updates. |
To avoid a vague "isn't verbose"
|
|
||
| If updating the affected package isn't possible, carefully review the security issue and assess the risk. | ||
| If you choose to implement countermeasures instead of upgrading, you can ignore the security advisory. | ||
| We recommend using Composer's [`config.policy.advisories.ignore-id`](https://getcomposer.org/doc/06-config.md#ignore-id) setting, providing for each entry the reason why you consider it safe to ignore. |
There was a problem hiding this comment.
| We recommend using Composer's [`config.policy.advisories.ignore-id`](https://getcomposer.org/doc/06-config.md#ignore-id) setting, providing for each entry the reason why you consider it safe to ignore. | |
| Use Composer's [`config.policy.advisories.ignore-id`](https://getcomposer.org/doc/06-config.md#ignore-id) setting, providing for each entry the reason why you consider it safe to ignore. |

#3235 and #3246 show that maintaining an exhaustive list of Security Advisories (SA) for both update and install is fastidious.
This PR proposes to explain how to handle SA in general.
Also document how to suppress deprecation messages breaking
ibexa:installon PHP 8.4Move CI
code_samples.yamlfrom deprecatedconfig.audit.ignoretoconfig.policy.advisories.ignore-id, update its SA list, and sort alphabetically.Checklist