Symfony: ignore bogus CVEs (#1493)

composer · Dec 3, 2024 · a624697 · a624697
1 parent 5185461
commit a624697
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/src/SecurityAdvisory/GitHubSecurityAdvisoriesSource.php b/src/SecurityAdvisory/GitHubSecurityAdvisoriesSource.php
@@ -28,6 +28,11 @@ class GitHubSecurityAdvisoriesSource implements SecurityAdvisorySourceInterface
 {
     public const SOURCE_NAME = 'GitHub';
 
+    private const IGNORE_CVES = [
+        'CVE-2024-36611', // @see https://phpc.social/@wouterj/113588554019692959
+        'CVE-2024-36610', // @see https://phpc.social/@wouterj/113588554019692959
+    ];
+
     /**
      * @param list<string> $fallbackGhTokens
      */
@@ -95,6 +100,10 @@ public function getAdvisories(ConsoleIO $io): ?RemoteSecurityAdvisoryCollection
                     continue;
                 }
 
+                if (in_array($cve, self::IGNORE_CVES, true)) {
+                    continue;
+                }
+
                 $packageName = strtolower($node['package']['name']);
 
                 // GitHub adds spaces everywhere e.g. > 1.0, adjust to be able to match other advisories