refs sparkfabrik/drupal-team-united/board#26: update phpstan

.github/workflows/e2e_tests.yml

@@ -23,13 +23,6 @@ jobs:
       - name: Execute phpqa
         run: |
           docker run --rm -v ${PWD}/tests:/app/drupal -v ${PWD}/reports:/app/reports ${IMAGE_NAME}:${IMAGE_TAG} phpqa --analyzedDirs "drupal/web/modules" --tools "phpcpd:0,phpcs:0,phpmd:0,phpmetrics,phploc,pdepend,parallel-lint:0,phpstan:0,security-checker:0" --buildDir "/app/reports" || true
-
-      - name: 'Upload Artifact'
-        uses: actions/upload-artifact@v2
-        with:
-          name: coverage_reports
-          path: reports
-          retention-days: 5
 
       - name: diff phpcs
         run: diff tests/expected_reports/checkstyle.xml reports/checkstyle.xml
@@ -45,3 +38,10 @@ jobs:
 
       - name: diff security-checker
         run: diff tests/expected_reports/security-checker.html reports/security-checker.html
+
+      - name: 'Upload Artifact'
+        uses: actions/upload-artifact@v2
+        with:
+          name: coverage_reports
+          path: reports
+          retention-days: 5

tests/composer.json

@@ -28,7 +28,12 @@
     "minimum-stability": "dev",
     "prefer-stable": true,
     "config": {
-        "sort-packages": true
+        "sort-packages": true,
+        "allow-plugins": {
+            "composer/installers": true,
+            "drupal/core-composer-scaffold": true,
+            "drupal/core-project-message": true
+        }
     },
     "extra": {
         "drupal-scaffold": {

tests/expected_reports/checkstyle.xml

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <checkstyle version="3.7.1">
+<file name="/app/drupal/web/modules/test_module/src/SomeClass.php">
+ <error line="8" column="1" severity="error" message="Missing class doc comment" source="Drupal.Commenting.ClassComment.Missing"/>
+</file>
 <file name="/app/drupal/web/modules/test_module/test_module.module">
  <error line="3" column="1" severity="error" message="Missing short description in doc comment" source="Drupal.Commenting.DocComment.MissingShort"/>
  <error line="8" column="4" severity="warning" message="Format should be &quot;* Implements hook_foo().&quot;, &quot;* Implements hook_foo_BAR_ID_bar() for xyz_bar().&quot;,, &quot;* Implements hook_foo_BAR_ID_bar() for xyz-bar.html.twig.&quot;, &quot;* Implements hook_foo_BAR_ID_bar() for xyz-bar.tpl.php.&quot;, or &quot;* Implements hook_foo_BAR_ID_bar() for block templates.&quot;" source="Drupal.Commenting.HookComment.HookCommentFormat"/>
 </file>
-<file name="/app/drupal/web/modules/test_module/src/SomeClass.php">
- <error line="8" column="1" severity="error" message="Missing class doc comment" source="Drupal.Commenting.ClassComment.Missing"/>
-</file>
 </checkstyle>
 

tests/expected_reports/security-checker.html

@@ -1,66 +1,105 @@
 <h1>security-checker</h1>
-<pre id="cli">[CRITICAL] 5 packages have known vulnerabilities
+<pre id="cli">[CRITICAL] 8 packages have known vulnerabilities
 
 composer/composer (1.10.22)
 ---------------------------
 
- * CVE-2022-24828: Missing input validation can lead to command execution in composer
-   https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
-
  * CVE-2021-41116: Improper escaping of command arguments on Windows leading to command injection
    https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf
 
+ * CVE-2022-24828: Missing input validation can lead to command execution in composer
+   https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
+
 dompdf/dompdf (0.6.1)
 ---------------------
 
- * CVE-2014-5013: Remote Code Execution (complement of CVE-2014-2383)
-   https://github.com/dompdf/dompdf/releases/tag/v0.6.2
-
  * CVE-2022-28368: Remote code injection via remote fonts
    https://github.com/advisories/GHSA-x752-qjv4-c4hc
 
+ * CVE-2022-41343: Remote file inclusion
+   https://github.com/advisories/GHSA-6x28-7h8c-chx4
+
+ * CVE-2023-23924: Dompdf vulnerable to URI validation failure on SVG parsing
+   https://github.com/advisories/GHSA-3cw5-7cxw-v5qg
+
+ * CVE-2014-5013: Remote Code Execution (complement of CVE-2014-2383)
+   https://github.com/dompdf/dompdf/releases/tag/v0.6.2
+
  * CVE-2014-5012: Denial Of Service Vector
    https://github.com/dompdf/dompdf/releases/tag/v0.6.2
 
  * CVE-2014-5011: Information Disclosure
    https://github.com/dompdf/dompdf/releases/tag/v0.6.2
 
+ * CVE-2022-0085: Server-Side Request Forgery in dompdf/dompdf
+   https://github.com/advisories/GHSA-pf6p-25r2-fx45
+
 drupal/core (8.9.13)
 --------------------
 
- * Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
-   https://www.drupal.org/sa-core-2021-005
-
  * CVE-2021-33829: Drupal core - Critical - Cross-site scripting - SA-CORE-2021-003
    https://www.drupal.org/sa-core-2021-003
 
+ * CVE-2022-25277: Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014
+   https://www.drupal.org/sa-core-2022-014
+
  * CVE-2020-13672: Drupal core - Critical - Cross-site scripting - SA-CORE-2021-002
    https://www.drupal.org/sa-core-2021-002
 
+ * Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
+   https://www.drupal.org/sa-core-2021-005
+
+ * CVE-2022-25278: Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
+   https://www.drupal.org/sa-core-2022-013
+
+ * CVE-2022-25275: Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
+   https://www.drupal.org/sa-core-2022-012
+
 guzzlehttp/guzzle (6.5.4)
 -------------------------
 
- * CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
-   https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
-
  * CVE-2022-31091: Change in port should be considered a change in origin
    https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699
 
+ * CVE-2022-29248: Cross-domain cookie leakage
+   https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
+
  * CVE-2022-31043: Fix failure to strip Authorization header on HTTP downgrade
    https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q
 
  * CVE-2022-31042: Failure to strip the Cookie header on change in host or HTTP downgrade
    https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9
 
- * CVE-2022-29248: Cross-domain cookie leakage
-   https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3
+ * CVE-2022-31090: CURLOPT_HTTPAUTH option not cleared on change of origin
+   https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r
 
 guzzlehttp/psr7 (1.6.1)
 -----------------------
 
+ * CVE-2023-29197: Improper header validation
+   https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
+
  * CVE-2022-24775: Inproper parsing of HTTP headers
    https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
 
+laminas/laminas-diactoros (1.8.7p2)
+-----------------------------------
+
+ * CVE-2022-31109: Diactoros before 2.11.1 vulnerable to HTTP Host Header Attack.
+   https://github.com/advisories/GHSA-8274-h5jp-97vr
+
+symfony/http-kernel (3.4.44)
+----------------------------
+
+ * CVE-2022-24894: CVE-2022-24894: Prevent storing cookie headers in HttpCache
+   https://symfony.com/cve-2022-24894
+
+twig/twig (1.42.5)
+------------------
+
+ * CVE-2022-39261: Possibility to load a template outside a configured directory when using the filesystem loader
+   https://symfony.com/blog/twig-security-release-possibility-to-load-a-template-outside-a-configured-directory-when-using-the-filesystem-loader
+
 </pre> 
 
 <style>