propel: 2.0.0-alpha11

Question

propel: 2.0.0-alpha11

DawoudIO opened this issue 4 years ago · 11 comments

the following does not apply to 1propel/propel": "2.0.0-alpha11`

I'm still getting the error
https://github.com/ChurchCRM/CRM/runs/1471875270?check_suite_focus=true

Other files to note
https://github.com/FriendsOfPHP/security-advisories/blob/master/propel/propel/2018-02-14.yaml
https://github.com/ChurchCRM/CRM/blob/master/src/composer.json

Answer 1 · 2021-01-05T14:56:34.000Z

It looks to me like the security-advisory lists the correct versions, but the tool you're using doesn't understand the "-alphaX" portion of the version string. I think an issue needs to be raised for the symfony/cli repo to address the tool that is parsing the version strings.

Answer 2 · 2021-01-05T15:27:06.000Z

We should not have entries for alpha versions IMHO.

Answer 3 · 2021-01-05T16:21:20.000Z

Propel alpha is sadly very widespreadly used, so it's probably stable software that is not declared as such.

IMO valid to notify users that they are running something harmful.

Answer 4 · 2021-01-15T07:17:41.000Z

The whole code is now Open-Source at https://github.com/fabpot/local-php-security-checker (server + client code, so no more API calls). Feel free to submit a PR there to fix this bug.

Answer 5 · 2021-01-21T12:17:31.000Z

The false positive is still present though it seems - the source of the problem seems still to be that the tool cannot properly see the order of non trivial release versions, e.g. alpha, beta, RC:

2.0.0-alpha1 < 2.0.0-alpha11 < 2.0.0-alpha2

the tool thinks - which is incorrect.

Answer 6 · 2021-01-21T13:54:39.000Z

I think I'm in agreement with @fabpot that there should not be any alpha/beta/rc identifiers. The SemVer spec does not consider these pre-release tags when comparing versions. See https://interrupt.memfault.com/blog/release-versioning for a good write-up of SemVer. Ideally the Propel2 library should increment the patch version number and not the "alpha" number.

Answer 7 · 2021-01-21T13:57:21.000Z

@thirdender as this targets composer packages, it should support things that composer accepts.

Answer 8 · 2021-01-21T14:06:50.000Z

semver definitely considers pre-release tags. But the official semver spec requires a . between the prerelease identifier (alpha) and the prerelease version (so 2.0.0-alpha.11).

Answer 9 · 2021-01-21T14:12:35.000Z

Hmm, the article and SemVer library I'm using are both wrong then. Thanks for digging that up, looks like I have some more research to do.

Answer 10 · 2021-01-21T14:35:16.000Z

Related: Roave/SecurityAdvisoriesBuilder#98 - @slash3b worked quite a lot to add support for patch version modifiers, should you need inspiration.

Answer 11 · 2021-01-22T11:12:45.000Z

I opened fabpot/local-php-security-checker#9 on the checker project itself to track this, in case someone wants to contribute.