security-advisories: False positive on drupal/search_api_solr
The Drupal module Search API Solr Search gets flagged by the security checker, because of the following issue: https://www.drupal.org/sa-contrib-2018-065. From what I can gather this issue only applies to Drupal 7 installations (correct me if I’m wrong here).
I’m running Drupal 8 with the latest 8.x-1.x (1.2.0) version of the Search API Solr Search module. I would expect the security checker not to flag this installation as vulnerable.
This could be fixed by adjusting sa-contrib-2018-065.yaml to only apply to Drupal 7. In this case such could be achieved by specifying the branch containing the security issue, which would be 7.x-1.x in this case. But from what I can gather from https://github.com/FriendsOfPHP/security-advisories/issues/366#issuecomment-466175158 this won’t be possible.
What would be a solution to this issue?
About this issue
- State: closed
- Created 5 years ago
- Comments: 15 (8 by maintainers)
This is related to the discussion happening in https://github.com/Roave/SecurityAdvisories/issues/54
The root cause of the issue here is that the Drupal ecosystem has actually 2 different repositories (one for drupal 7 and one for drupal 8), which can use the same version numbers for packages while the code is not the same (due to their 8.x-1.x vs 7.x-1.x internal versioning).
@fabpot according to https://github.com/Roave/SecurityAdvisories/issues/54#issuecomment-467219080 the new endpoint is also affected by the fact that the Drupal ecosystem reuses the same version for composer packages in the 7 and 8 repositories (while they are not affected the same by advisories). So I suggest reverting #371.
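To make the root cause discussed in the question and in the comment above concrete, here is an added illustration (not code from the security-advisories project or the checker): a version-only match against a composer.lock flags the same `drupal/search_api_solr` 1.2.0 for both cores, while a match that also looks at the `drupal/core` major recorded in the lock can clear the Drupal 8 install. The advisory's affected range and both lock files are constructed placeholders, not the real data of sa-contrib-2018-065, and a lock with no `drupal/core` entry is treated as unknown and stays flagged.

```python
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Hypothetical advisory record. The upper bound is a placeholder, NOT the
# real affected range of sa-contrib-2018-065; the core major follows the
# issue's statement that the advisory applies to Drupal 7 only.
ADVISORY = {
    "package": "drupal/search_api_solr",
    "affected_below": "1.3.0",   # placeholder, exclusive upper bound
    "drupal_core_major": 7,
}

# Constructed composer.lock fragments. Both carry the same module version,
# because 8.x-1.2 and 7.x-1.2 are both published as composer version 1.2.0.
D8_LOCK = {"packages": [
    {"name": "drupal/core", "version": "8.6.0"},
    {"name": "drupal/search_api_solr", "version": "1.2.0"},
]}
D7_LOCK = {"packages": [
    {"name": "drupal/search_api_solr", "version": "1.2.0"},  # no drupal/core entry
]}


def naive_match(lock: dict, advisory: dict) -> bool:
    """Name + version only: the behaviour the issue reports as a false positive."""
    for pkg in lock["packages"]:
        if pkg["name"] == advisory["package"]:
            return parse_version(pkg["version"]) < parse_version(advisory["affected_below"])
    return False


def core_major(lock: dict) -> Optional[int]:
    """Read the Drupal core major from the drupal/core entry, if the lock has one."""
    for pkg in lock["packages"]:
        if pkg["name"] == "drupal/core":
            return parse_version(pkg["version"])[0]
    return None


def core_aware_match(lock: dict, advisory: dict) -> bool:
    """Flag only when the version matches AND the core is the affected one (or unknown)."""
    if not naive_match(lock, advisory):
        return False
    major = core_major(lock)
    return major is None or major == advisory["drupal_core_major"]
```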
The http://security.sensiolabs.org/check_lock endpoint will be removed soon; you must not use it anymore.