Merge pull request #1161 from peterjaap/patch-2

Add allow-list functionality to securitychecker_enlightn

Author: veewee

doc/tasks/securitychecker/enlightn.md

@@ -19,6 +19,10 @@ grumphp:
         securitychecker_enlightn:
             lockfile: ./composer.lock
             run_always: false
+            allow_list:
+                - CVE-2018-15133
+                - CVE-2024-51755
+                - CVE-2024-45411
 ```
 
 **lockfile**
@@ -32,3 +36,17 @@ If your `composer.lock` file is located in an exotic location, you can specify t
 *Default: false*
 
 When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.
+
+**allow_list**
+
+*Default: []*
+
+This option allows you to specify a list of CVE identifiers that should be ignored during the security check. This is useful if you have assessed certain vulnerabilities and determined that they do not pose a risk to your project. The CVE identifiers should be provided as an array of strings. For example:
+
+```yaml
+allow_list:
+    - CVE-2018-15133
+    - CVE-2024-51755
+    - CVE-2024-45411
+```
+

src/Task/SecurityCheckerEnlightn.php

@@ -24,10 +24,12 @@ public static function getConfigurableOptions(): ConfigOptionsResolver
         $resolver->setDefaults([
             'lockfile' => './composer.lock',
             'run_always' => false,
+            'allow_list' => []
         ]);
 
         $resolver->addAllowedTypes('lockfile', ['string']);
         $resolver->addAllowedTypes('run_always', ['bool']);
+        $resolver->addAllowedTypes('allow_list', ['array']);
 
         return ConfigOptionsResolver::fromOptionsResolver($resolver);
     }
@@ -50,6 +52,7 @@ public function run(ContextInterface $context): TaskResultInterface
         $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
         $arguments->add('security:check');
         $arguments->addOptionalArgument('%s', $config['lockfile']);
+        $arguments->addOptionalCommaSeparatedArgument('--allow-list=%s', $config['allow_list']);
 
         $process = $this->processBuilder->buildProcess($arguments);
         $process->run();

test/Unit/Task/SecurityCheckerEnlightnTest.php

@@ -27,6 +27,7 @@ public function provideConfigurableOptions(): iterable
             [
                 'lockfile' => './composer.lock',
                 'run_always' => false,
+                'allow_list' => [],
             ]
         ];
     }
@@ -107,5 +108,16 @@ public function provideExternalTaskRuns(): iterable
                 './composer.lock',
             ]
         ];
+
+        yield 'with_allow_list' => [
+            ['allow_list' => ['allow_advisory_1', 'allow_advisory_2']],
+            $this->mockContext(RunContext::class, ['composer.lock']),
+            'security-checker',
+            [
+                'security:check',
+                './composer.lock',
+                '--allow-list=allow_advisory_1,allow_advisory_2'
+            ]
+        ];
     }
 }