
Resolve Dependabot Alerts.#1967

Closed
ryanrath wants to merge 10 commits intoubccr:mainfrom
ryanrath:update-silex-11_0_1

Conversation

@ryanrath
Contributor

@ryanrath ryanrath commented Jan 30, 2025

Description

SimpleSAMLphp Patches

Motivation and Context

We have a number of Dependabot Alerts that should probably be resolved. The following changes should do that for the symfony/* and simplesamlphp/simplesamlphp dependencies.

Tests performed

All automated tests pass.

Checklist:

  • The pull request description is suitable for a Changelog entry
  • The milestone is set correctly on the pull request
  • The appropriate labels have been added to the pull request

@ryanrath ryanrath changed the title Update Silex 11 0 1 and Resolve Dependabot alerts. Resolve Dependabot Alerts. Jan 30, 2025
@ryanrath ryanrath changed the base branch from main to xdmod11.0 January 30, 2025 15:43
@ryanrath ryanrath force-pushed the update-silex-11_0_1 branch from ebad1eb to 55c6b31 January 30, 2025 15:44
@ryanrath ryanrath mentioned this pull request Jan 30, 2025
@ryanrath ryanrath requested a review from eiffel777 January 30, 2025 17:25
@ryanrath ryanrath changed the base branch from xdmod11.0 to main March 24, 2025 17:36
@ryanrath ryanrath force-pushed the update-silex-11_0_1 branch from e51032d to 9931004 April 28, 2025 20:10
jpwhite4 and others added 10 commits April 30, 2025 10:05
Co-authored-by: Aaron Weeden <31246768+aaronweeden@users.noreply.github.com>
**Note: The upgrade won't pass because the patch files have lines that have trailing whitespace in them. But if the whitespace is removed the patches no longer work soooo... yeah, that's a thing.**

- `.circleci/config.yml`:
  - Removed the sections where we install php7.4, development libraries, and pecl install mongodb as these steps have already been included in the current image.
- `BaseControllerProvider.php`: the namespace for the `ControllerProviderInterface` interface changed in the latest version of Silex ( from `Silex\ControllerProviderInterface` to `Silex\Api\ControllerProviderInterface`).
- `XdmodApplicationFactory.php`:
  - `UrlGeneratorServiceProvider` has been changed to `RoutingServiceProvider`.
  - there is no more `app->share` function, you just use an anonymous function.
  - the `Request $request` argument has been added to the anonymous function called by the `$app->error` helper function.
- `composer.json`:
  - Updated silex to the latest ( last ) version `v2.3.0`, this resolves the following dependabot alerts:
    - https://github.com/ubccr/xdmod/security/dependabot/10 (CVE-2022-24894)
      - Here's the commit with the fix: symfony/symfony@d2f6322
      - And here is where you can find the updated file: `vendor/symfony/http-kernel/HttpCache/Store.php`. Specifically lines `49-51`, and `228-230`.
    - https://github.com/ubccr/xdmod/security/dependabot/11 (CVE-2019-18888)
      - this is fixed as the current version `v4.4.49` is >= `3.4.35`.
      - Here's the commit w/ the fix: symfony/symfony@691486e
      - And here's the updated file: `vendor/symfony/http-foundation/File/MimeType/FileBinaryMimeTypeGuesser.php`
    - https://github.com/ubccr/xdmod/security/dependabot/12 (CVE-2019-10913)
      - Here's the commit w/ the fix: symfony/symfony@944e60f
      - Here's the updated file: `vendor/symfony/http-foundation/Request.php`
    - https://github.com/ubccr/xdmod/security/dependabot/13 (CVE-2019-18887)
      - Here's the commit w/ the fix: symfony/symfony@cccefe6
      - And here's the updated file: `vendor/symfony/http-kernel/UriSigner.php`
    - https://github.com/ubccr/xdmod/security/dependabot/14 (CVE-2018-14773)
      - Here's the commit with the fix: symfony/symfony@e447e8b
      - Here's the updated file: `vendor/symfony/http-foundation/Request.php`
  - Updated `mongodb/mongodb` to the latest version `v1.19.0`
- `open_xdmod/modules/xdmod/assets/setup.sh`:
  - Removed the Composer Install section as this + the dangling `cd` was causing the composer dependencies of `qa` to be installed in the xdmod directory. This probably wasn't a problem or caught before because we were not previously patching files.
  - Changed the `cd $xdmod_dir` to a `pushd | popd` so that we reset the cwd after the script runs.
- `open_xdmod/modules/xdmod/build.json`
  - Added the patches to resolve:
    - https://github.com/ubccr/xdmod/security/dependabot/1
    - https://github.com/ubccr/xdmod/security/dependabot/2
    - https://github.com/ubccr/xdmod/security/dependabot/22
- `tests/ci/scripts/qa-test-setup.sh`:
  - Taking care of the other part of the **Case of the Mysterious Disappearing Dependencies**. Just made sure to save the existing `$COMPOSER` env variable so that we can restore it after we're done installing the qa dependencies.

- https://github.com/ubccr/xdmod/security/dependabot/1 ( CVE-2020-5225 )
  - Resolved with changes in commit: simplesamlphp/simplesamlphp@864f039
  - patch of these changes ( for `www/errorreport.php` ): `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patch`
- https://github.com/ubccr/xdmod/security/dependabot/2
  - Resolved with changes in: simplesamlphp/simplesamlphp@47968d2
  - Patch file: `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5301.patch`
- https://github.com/ubccr/xdmod/security/dependabot/22
  - Resolved with changes in: simplesamlphp/simplesamlphp@ce2294e
    - Note: the function `isValidURL` already exists in `Utils/Http.php` in the version that we're using, that's why only the change to `postredirect.php` has been included in the patch file.
  - Patch File: `open_xdmod/modules/xdmod/assets/simplesamlphp-SSPSA_201907-01_postredirect.patch`

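The Silex 1.x to 2.x changes listed in the commit message above (the `Silex\Api\ControllerProviderInterface` namespace, `RoutingServiceProvider` replacing `UrlGeneratorServiceProvider`, plain closures replacing `$app->share`, and the `Request` argument on `$app->error` handlers) are easier to see together in one bootstrap. The following is an added example, not code from the XDMoD repository; the class name, route and service name are hypothetical.

```php
<?php
// Added example (not from ubccr/xdmod): the shape of a Silex 2.x controller
// provider and application bootstrap after the upgrade described in the PR.
// ExampleControllerProvider, '/ping' and 'example.clock' are hypothetical names.

use Silex\Application;
use Silex\Api\ControllerProviderInterface;  // Silex 1.x: Silex\ControllerProviderInterface
use Silex\Provider\RoutingServiceProvider;   // Silex 1.x: UrlGeneratorServiceProvider
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

class ExampleControllerProvider implements ControllerProviderInterface
{
    // connect() must return the ControllerCollection that is mounted below.
    public function connect(Application $app)
    {
        $controllers = $app['controllers_factory'];

        $controllers->get('/ping', function (Request $request) {
            return new JsonResponse(['ok' => true, 'path' => $request->getPathInfo()]);
        })->bind('example_ping');

        return $controllers;
    }
}

$app = new Application();
$app->register(new RoutingServiceProvider());

// Pimple 3 (used by Silex 2) treats a plain closure as a shared service,
// so the old $app->share(function () { ... }) wrapper is simply dropped.
$app['example.clock'] = function () {
    return new \DateTimeImmutable('now', new \DateTimeZone('UTC'));
};

// Silex 2 passes the Request as the second argument to error handlers.
// Only surface exception messages for client errors; 5xx details stay in the log.
$app->error(function (\Exception $e, Request $request, $code) {
    $message = $code >= 500 ? 'Internal server error' : $e->getMessage();
    return new JsonResponse(['error' => $message, 'path' => $request->getPathInfo()], $code);
});

$app->mount('/example', new ExampleControllerProvider());
$app->run();
```

A handler that echoes `$e->getMessage()` unconditionally is the usual way an upgrade like this starts leaking stack details to clients, which is why the example gates the message on the status code.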
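Dependabot closes an alert when the lock file records a version at or above the fixed release, so a small check over `composer.lock` is a useful CI guard against a later downgrade reintroducing one of the CVEs above. This is an added example, not part of the pull request; the lock excerpt is constructed, and the minimum versions are assumptions except `3.4.35`, which the commit message gives as the fixed Symfony version for CVE-2019-18888.

```php
<?php
// Added example (not from ubccr/xdmod): flag composer.lock packages that sit
// below the release carrying a fix. The lock excerpt below is constructed sample
// data; MINIMUMS are assumptions apart from symfony's 3.4.35 (from the PR text).

const LOCK_JSON = <<<'JSON'
{
  "packages": [
    {"name": "silex/silex",             "version": "v2.3.0"},
    {"name": "symfony/http-foundation", "version": "v4.4.49"},
    {"name": "symfony/http-kernel",     "version": "v4.4.49"},
    {"name": "mongodb/mongodb",         "version": "1.19.0"}
  ],
  "packages-dev": []
}
JSON;

// package name => lowest version that contains the relevant fixes (assumed)
const MINIMUMS = [
    'silex/silex'             => '2.3.0',
    'symfony/http-foundation' => '3.4.35',
    'symfony/http-kernel'     => '3.4.35',
    'mongodb/mongodb'         => '1.19.0',
];

// Composer tags are often "v1.2.3"; version_compare() wants "1.2.3".
function normalizeVersion(string $version): string
{
    return ltrim($version, 'vV');
}

// Returns [package => reason] for every package missing or below its minimum.
function findOutdated(string $lockJson, array $minimums): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);

    $installed = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $installed[$pkg['name']] = normalizeVersion($pkg['version']);
    }

    $problems = [];
    foreach ($minimums as $name => $min) {
        if (!isset($installed[$name])) {
            $problems[$name] = 'not present in composer.lock';
        } elseif (version_compare($installed[$name], $min, '<')) {
            $problems[$name] = sprintf('installed %s is below minimum %s', $installed[$name], $min);
        }
    }
    return $problems;
}

$problems = findOutdated(LOCK_JSON, MINIMUMS);
foreach ($problems as $name => $reason) {
    fwrite(STDERR, "$name: $reason\n");
}
exit($problems ? 1 : 0);
```

A lock-file check only covers fixes that arrive as a new release; the SimpleSAMLphp alerts in this PR are closed by patch files applied to the vendored tree instead, so those need a separate check that the patched lines are actually present after `composer install`.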
@ryanrath ryanrath force-pushed the update-silex-11_0_1 branch from 3759cb6 to be76dbc April 30, 2025 14:05
@ryanrath ryanrath added autodoc:ignore Auto documentation ignore this PR security Relating to some aspect of security for XDMoD Category:Infrastructure Internal infrastructure updates/changes and removed autodoc:ignore Auto documentation ignore this PR labels Apr 30, 2025
@ryanrath ryanrath changed the base branch from main to xdmod11.0 May 1, 2025 19:05
@ryanrath ryanrath changed the base branch from xdmod11.0 to main May 1, 2025 19:06
ryanrath added a commit to ryanrath/xdmod that referenced this pull request May 2, 2025
These fixes were originally included in
ubccr#1967, but are now to be included in
this PR.
@ryanrath
Contributor Author

ryanrath commented May 2, 2025

Closing in favor of #2035

@ryanrath ryanrath closed this May 2, 2025
@ryanrath ryanrath mentioned this pull request May 2, 2025
ryanrath added a commit to ryanrath/xdmod that referenced this pull request May 6, 2025
These fixes were originally included in
ubccr#1967, but are now to be included in
this PR.
ryanrath added a commit that referenced this pull request May 14, 2025
* Dependabot Fixes

These fixes were originally included in
#1967, but are now to be included in
this PR.
aaronweeden pushed a commit to aaronweeden/xdmod that referenced this pull request May 23, 2025
* Dependabot Fixes

These fixes were originally included in
ubccr#1967, but are now to be included in
this PR.

Labels

Category:Infrastructure Internal infrastructure updates/changes security Relating to some aspect of security for XDMoD
