From 5edd173c45d52d86c71171cc8ef31fd45fa792aa Mon Sep 17 00:00:00 2001
From: Andrew Longosz
Date: Mon, 1 Jun 2026 12:44:27 +0200
Subject: [PATCH 1/4] [Prepare Project Edition] Extracted composer audit logic to commons
---
bin/4.6.x-dev/prepare_project_edition.sh | 57 ++---------------------
bin/_common/composer_audit_ignore.sh | 58 ++++++++++++++++++++++++
bin/stable/prepare_project_edition.sh | 58 ++----------------------
3 files changed, 67 insertions(+), 106 deletions(-)
create mode 100644 bin/_common/composer_audit_ignore.sh
diff --git a/bin/4.6.x-dev/prepare_project_edition.sh b/bin/4.6.x-dev/prepare_project_edition.sh
index 7ff1762..9657efb 100755
--- a/bin/4.6.x-dev/prepare_project_edition.sh
+++ b/bin/4.6.x-dev/prepare_project_edition.sh
@@ -43,60 +43,11 @@ echo "> Setting up website skeleton" composer create-project ibexa/website-skeleton:$PROJECT_VERSION . --no-install --ansi # Configure composer audit for unresolvable advisories -docker exec install_dependencies bash -c ' - cd /var/www +echo "> Adding composer audit.ignore script, if applies" +curl -L "https://raw.githubusercontent.com/ibexa/ci-scripts/main/bin/_common/composer_audit_ignore.sh" > composer_audit_ignore.sh +source ./composer_audit_ignore.sh - add_audit_ignores() { - local reason=$1 - shift - - for advisory in "$@"; do - composer config audit.ignore --json --merge "{\"$advisory\":\"$reason\"}" - done - } - - PHP74_ADVISORIES=( - PKSA-xwpn-zs9j-6wy5 - PKSA-sf9j-1gs7-xzvx - PKSA-7h5p-prw9-w5nr - ) - - PHP74_PHP80_ADVISORIES=( - PKSA-5k7f-wvjj-jrgw - PKSA-sjvz-tbbr-vwth - PKSA-h8hf-ytnd-5t9q - PKSA-wwb1-81rc-pd65 - PKSA-hgmw-wn4d-hpcy - PKSA-kvv6-36cr-fkzb - PKSA-n14z-jjjg-g8vd - PKSA-3mcc-k66d-pydb - PKSA-gw7n-z4yx-7xjt - PKSA-dpx1-78wg-1kqs - PKSA-21g2-dzjv-sky5 - PKSA-v3kg-5xkr-pykw - PKSA-yhcn-xrg3-68b1 - PKSA-2wrf-1xmk-1pky - PKSA-6319-ffpf-gx66 - PKSA-n7sg-8f52-pqtf - PKSA-8kk8-h2xr-h5nx - PKSA-2rbx-bjdx-4d4d - PKSA-fs5b-x5k4-1h39 - ) - - PHP_VERSION="$(php -r "echo PHP_MAJOR_VERSION . \".\" . PHP_MINOR_VERSION;")" - - if [ "$PHP_VERSION" = "7.4" ]; then - add_audit_ignores \ - "The affected version of 3rd party component is installed on PHP 7.4. There is no alternative supporting PHP 7.4. Consider upgrading to PHP 8.1+" \ - "${PHP74_ADVISORIES[@]}" - fi - - if [ "$PHP_VERSION" = "7.4" ] || [ "$PHP_VERSION" = "8.0" ]; then - add_audit_ignores \ - "The affected version of 3rd party component is installed on PHP ${PHP_VERSION}. There is no alternative supporting PHP ${PHP_VERSION}. Consider upgrading to PHP 8.1+" \ - "${PHP74_PHP80_ADVISORIES[@]}" - fi -' +add_composer_audit_ignore_config # Add other dependencies if required if [ -f ${DEPENDENCY_PACKAGE_DIR}/dependencies.json ]; then 
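Review bot: The added `curl -L ".../ibexa/ci-scripts/main/bin/_common/composer_audit_ignore.sh" > composer_audit_ignore.sh` followed by `source ./composer_audit_ignore.sh` executes whatever the `main` branch serves at job time inside the CI shell, with no pinned revision and no integrity check. Without `-f`, an HTTP error body is written to the file and sourced as well, and a failed download is not detected before `add_composer_audit_ignore_config` is called. Pin the URL to a reviewed commit and fail closed, for example `curl -fsSL "https://raw.githubusercontent.com/ibexa/ci-scripts/<commit-sha>/bin/_common/composer_audit_ignore.sh" -o composer_audit_ignore.sh || exit 1`, and where possible compare the file against a recorded SHA-256 before sourcing it. The same three lines are added in bin/stable/prepare_project_edition.sh and bin/^3.3.x-dev/prepare_project_edition.sh, so the fix applies there too.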
diff --git a/bin/_common/composer_audit_ignore.sh b/bin/_common/composer_audit_ignore.sh new file mode 100644 index 0000000..c19ab56 --- /dev/null +++ b/bin/_common/composer_audit_ignore.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +add_composer_audit_ignore_config() { + docker exec install_dependencies bash -c ' + cd /var/www + + add_audit_ignores() { + local reason=$1 + shift + + for advisory in "$@"; do + composer config audit.ignore --json --merge "{\"$advisory\":\"$reason\"}" + done + } + + PHP74_ADVISORIES=( + PKSA-xwpn-zs9j-6wy5 + PKSA-sf9j-1gs7-xzvx + PKSA-7h5p-prw9-w5nr + ) + + PHP74_PHP80_ADVISORIES=( + PKSA-5k7f-wvjj-jrgw + PKSA-sjvz-tbbr-vwth + PKSA-h8hf-ytnd-5t9q + PKSA-wwb1-81rc-pd65 + PKSA-hgmw-wn4d-hpcy + PKSA-kvv6-36cr-fkzb + PKSA-n14z-jjjg-g8vd + PKSA-3mcc-k66d-pydb + PKSA-gw7n-z4yx-7xjt + PKSA-dpx1-78wg-1kqs + PKSA-21g2-dzjv-sky5 + PKSA-v3kg-5xkr-pykw + PKSA-yhcn-xrg3-68b1 + PKSA-2wrf-1xmk-1pky + PKSA-6319-ffpf-gx66 + PKSA-n7sg-8f52-pqtf + PKSA-8kk8-h2xr-h5nx + PKSA-2rbx-bjdx-4d4d + PKSA-fs5b-x5k4-1h39 + ) + + PHP_VERSION="$(php -r "echo PHP_MAJOR_VERSION . \".\" . PHP_MINOR_VERSION;")" + + if [ "$PHP_VERSION" = "7.4" ]; then + add_audit_ignores \ + "The affected version of 3rd party component is installed on PHP 7.4. There is no alternative supporting PHP 7.4. Consider upgrading to PHP 8.1+" \ + "${PHP74_ADVISORIES[@]}" + fi + + if [ "$PHP_VERSION" = "7.4" ] || [ "$PHP_VERSION" = "8.0" ]; then + add_audit_ignores \ + "The affected version of 3rd party component is installed on PHP ${PHP_VERSION}. There is no alternative supporting PHP ${PHP_VERSION}. Consider upgrading to PHP 8.1+" \ + "${PHP74_PHP80_ADVISORIES[@]}" + fi + ' +} diff --git a/bin/stable/prepare_project_edition.sh b/bin/stable/prepare_project_edition.sh index e314f8a..9e33a42 100755 --- a/bin/stable/prepare_project_edition.sh +++ b/bin/stable/prepare_project_edition.sh 
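Review bot: The advisory lists in `add_composer_audit_ignore_config` are bare `PKSA-...` ids sharing one generic reason string, so nothing in the file records which package each suppression covers or when it can be removed. Every entry switches off a `composer audit` finding, so each id or group of ids should carry a comment such as `# <package> <affected range>: no release supporting PHP 7.4`; keep apostrophes out of these comments, because the whole script sits inside a single-quoted `bash -c` string. A header comment on the function should also state that it expects a running `install_dependencies` container with the project in `/var/www` and that it writes `audit.ignore` entries into that project's composer configuration. The five ids appended by patch 3/4 need the same annotation, since only the commit subject ties them to Twig.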
@@ -38,60 +38,12 @@ if [[ $PHP_IMAGE == *"8.3"* ]]; then echo "> Running composer install" docker exec install_dependencies composer install --no-scripts --ansi else - docker exec install_dependencies bash -c ' - cd /var/www - - add_audit_ignores() { - local reason=$1 - shift - - for advisory in "$@"; do - composer config audit.ignore --json --merge "{\"$advisory\":\"$reason\"}" - done - } - - PHP74_ADVISORIES=( - PKSA-xwpn-zs9j-6wy5 - PKSA-sf9j-1gs7-xzvx - PKSA-7h5p-prw9-w5nr - ) - - PHP74_PHP80_ADVISORIES=( - PKSA-5k7f-wvjj-jrgw - PKSA-sjvz-tbbr-vwth - PKSA-h8hf-ytnd-5t9q - PKSA-wwb1-81rc-pd65 - PKSA-hgmw-wn4d-hpcy - PKSA-kvv6-36cr-fkzb - PKSA-n14z-jjjg-g8vd - PKSA-3mcc-k66d-pydb - PKSA-gw7n-z4yx-7xjt - PKSA-dpx1-78wg-1kqs - PKSA-21g2-dzjv-sky5 - PKSA-v3kg-5xkr-pykw - PKSA-yhcn-xrg3-68b1 - PKSA-2wrf-1xmk-1pky - PKSA-6319-ffpf-gx66 - PKSA-n7sg-8f52-pqtf - PKSA-8kk8-h2xr-h5nx - PKSA-2rbx-bjdx-4d4d - PKSA-fs5b-x5k4-1h39 - ) - - PHP_VERSION="$(php -r "echo PHP_MAJOR_VERSION . \".\" . PHP_MINOR_VERSION;")" - - if [ "$PHP_VERSION" = "7.4" ]; then - add_audit_ignores \ - "The affected version of 3rd party component is installed on PHP 7.4. There is no alternative supporting PHP 7.4. Consider upgrading to PHP 8.1+" \ - "${PHP74_ADVISORIES[@]}" - fi + # Configure composer audit for unresolvable advisories + echo "> Adding composer audit.ignore script, if applies" + curl -L "https://raw.githubusercontent.com/ibexa/ci-scripts/main/bin/_common/composer_audit_ignore.sh" > composer_audit_ignore.sh + source ./composer_audit_ignore.sh - if [ "$PHP_VERSION" = "7.4" ] || [ "$PHP_VERSION" = "8.0" ]; then - add_audit_ignores \ - "The affected version of 3rd party component is installed on PHP ${PHP_VERSION}. There is no alternative supporting PHP ${PHP_VERSION}. Consider upgrading to PHP 8.1+" \ - "${PHP74_PHP80_ADVISORIES[@]}" - fi - ' + add_composer_audit_ignore_config echo "> Running composer update" docker exec install_dependencies composer update --no-scripts --ansi 
From b786e6f856c6019b7a51dfe2eb27fda78deaf74d Mon Sep 17 00:00:00 2001 From: Andrew Longosz Date: Mon, 1 Jun 2026 12:44:50 +0200 Subject: [PATCH 2/4] [3.3] Added composer audit configuration --- bin/^3.3.x-dev/prepare_project_edition.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bin/^3.3.x-dev/prepare_project_edition.sh b/bin/^3.3.x-dev/prepare_project_edition.sh index 47bd0df..efcd30d 100644 --- a/bin/^3.3.x-dev/prepare_project_edition.sh +++ b/bin/^3.3.x-dev/prepare_project_edition.sh @@ -110,6 +110,13 @@ if [ -f ${DEPENDENCY_PACKAGE_DIR}/dependencies.json ]; then fi fi +# Configure composer audit for unresolvable advisories +echo "> Adding composer audit.ignore script, if applies" +curl -L "https://raw.githubusercontent.com/ibexa/ci-scripts/main/bin/_common/composer_audit_ignore.sh" > composer_audit_ignore.sh +source ./composer_audit_ignore.sh + +add_composer_audit_ignore_config + docker exec install_dependencies composer update --ansi # Move dependency to directory available for docker volume From bbd378f22779f055af5f30224a65e91173eda77e Mon Sep 17 00:00:00 2001 From: Andrew Longosz Date: Mon, 1 Jun 2026 17:29:09 +0200 Subject: [PATCH 3/4] IBX-11825: Added new advisories for Twig v3.26.0 --- bin/_common/composer_audit_ignore.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/bin/_common/composer_audit_ignore.sh b/bin/_common/composer_audit_ignore.sh index c19ab56..14c82dd 100644 --- a/bin/_common/composer_audit_ignore.sh +++ b/bin/_common/composer_audit_ignore.sh @@ -39,6 +39,11 @@ add_composer_audit_ignore_config() { PKSA-8kk8-h2xr-h5nx PKSA-2rbx-bjdx-4d4d PKSA-fs5b-x5k4-1h39 + PKSA-fbvq-z33h-r2np + PKSA-g9zw-qxh8-pq8w + PKSA-yd6k-t2gh-1m43 + PKSA-1tmc-rt7x-12w6 + PKSA-xx6c-6d96-db2w ) PHP_VERSION="$(php -r "echo PHP_MAJOR_VERSION . \".\" . PHP_MINOR_VERSION;")" From 03b0cde24ea9500c7bce351b8d4483711a12aa5f Mon Sep 17 00:00:00 2001 
From: Andrew Longosz Date: Mon, 1 Jun 2026 18:27:30 +0200 Subject: [PATCH 4/4] Added explicit returns to audit ignore helpers --- bin/_common/composer_audit_ignore.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/_common/composer_audit_ignore.sh b/bin/_common/composer_audit_ignore.sh index 14c82dd..6d1bc5d 100644 --- a/bin/_common/composer_audit_ignore.sh +++ b/bin/_common/composer_audit_ignore.sh @@ -11,6 +11,8 @@ add_composer_audit_ignore_config() { for advisory in "$@"; do composer config audit.ignore --json --merge "{\"$advisory\":\"$reason\"}" done + + return $? } PHP74_ADVISORIES=( @@ -60,4 +62,6 @@ add_composer_audit_ignore_config() { "${PHP74_PHP80_ADVISORIES[@]}" fi ' + + return $? }
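Review bot: Both added `return $?` lines are no-ops, because a function already returns the status of its last command: after `done` that is only the final `composer config` call, and after the closing quote it is only `docker exec`. A failure for any earlier advisory is still dropped, and on PHP 7.4 the result of the first `add_audit_ignores` call is overwritten by the second `if` block. To surface errors, stop at the first failure with `composer config audit.ignore --json --merge "{\"$advisory\":\"$reason\"}" || return` inside the loop, and begin the inner script with `cd /var/www || exit 1` and `set -e`. Whether the callers act on the function's exit status is not visible in this patch.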