Add --allow-list option to SecurityCheckerEnlightn task

peterjaap · peterjaap · commit eda6d36d0d65 · 2025-03-18T21:01:57.000+01:00
- Document new option in enlightn.md with example usage

- Fix argument formatting to use comma-separated values for --allow-list

- Update unit test to include the new option in default configuration

This change allows users to specify CVEs that should be ignored during security checks when they've been assessed and determined not to pose a risk.
diff --git a/doc/tasks/securitychecker/enlightn.md b/doc/tasks/securitychecker/enlightn.md
@@ -36,3 +36,17 @@ If your `composer.lock` file is located in an exotic location, you can specify t
 *Default: false*
 
 When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.
+
+**allow_list**
+
+*Default: []*
+
+This option allows you to specify a list of CVE identifiers that should be ignored during the security check. This is useful if you have assessed certain vulnerabilities and determined that they do not pose a risk to your project. The CVE identifiers should be provided as an array of strings. For example:
+
+```yaml
+allow_list:
+    - CVE-2018-15133
+    - CVE-2024-51755
+    - CVE-2024-45411
+```
+
diff --git a/src/Task/SecurityCheckerEnlightn.php b/src/Task/SecurityCheckerEnlightn.php
@@ -52,7 +52,7 @@ public function run(ContextInterface $context): TaskResultInterface
         $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
         $arguments->add('security:check');
         $arguments->addOptionalArgument('%s', $config['lockfile']);
-        $arguments->addArgumentArrayWithSeparatedValue('--allow-list', $config['allow_list'] ?? []);
+        $arguments->addOptionalCommaSeparatedArgument('--allow-list=%s', $config['allow_list']);
 
         $process = $this->processBuilder->buildProcess($arguments);
         $process->run();
diff --git a/test/Unit/Task/SecurityCheckerEnlightnTest.php b/test/Unit/Task/SecurityCheckerEnlightnTest.php
@@ -27,6 +27,7 @@ public function provideConfigurableOptions(): iterable
             [
                 'lockfile' => './composer.lock',
                 'run_always' => false,
+                'allow_list' => [],
             ]
         ];
     }

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ public function provideConfigurableOptions(): iterable`
`27`	`27`	`[`
`28`	`28`	`'lockfile' => './composer.lock',`
`29`	`29`	`'run_always' => false,`
	`30`	`+ 'allow_list' => [],`
`30`	`31`	`]`
`31`	`32`	`];`
`32`	`33`	`}`