feat: add an allow list to security checker

youwe-petervanderwal · youwe-petervanderwal · commit 4e376ed7f121 · 2025-08-11T15:40:51.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - Upstream projects not having phpunit installed will install phpunit with an @stable version.
 - Added support for Drupal configuration and templates.
 - Migration docs for migration from v2 to v3 of the testing suite.
+- Added support for an Allow List within the Security Checker. 
 
 ### Changed
 - [BREAKING] The composer.json configurations `config.youwe-testing-suite.type` and `config.mediact-testing-suite.type`
diff --git a/composer.json b/composer.json
@@ -31,7 +31,7 @@
         "kint-php/kint": "@stable",
         "php-parallel-lint/php-parallel-lint": "^1.4",
         "phpmd/phpmd": "^2.15",
-        "phpro/grumphp-shim": "^2.12",
+        "phpro/grumphp-shim": "^2.15",
         "phpstan/phpstan": "@stable",
         "squizlabs/php_codesniffer": "^3.12.0",
         "youwe/composer-dependency-installer": "^2.0",
diff --git a/config/default/grumphp.yml b/config/default/grumphp.yml
@@ -44,6 +44,7 @@ parameters:
 
   securitychecker.lockfile: ./composer.lock
   securitychecker.run_always: true
+  securitychecker.allow_list: []
 
   git_blacklist.keywords:
     - "die("
@@ -132,3 +133,4 @@ grumphp:
     securitychecker_enlightn:
       lockfile: '%securitychecker.lockfile%'
       run_always: '%securitychecker.run_always%'
+      allow_list: '%securitychecker.allow_list%'
diff --git a/config/drupal/grumphp.yml b/config/drupal/grumphp.yml
@@ -3,4 +3,8 @@ imports:
 
 # Extend git triggers with common Drupal constructs
 parameters:
-  git_blacklist.triggered_by: [ 'php', 'js', 'twig' ]
+  git_blacklist.triggered_by: [ 'php', 'js', 'twig' ]
+
+#  securitychecker.allow_list:
+#    - CVE-2002-0121 # Add a jira ticket indicating when this vulnerability will be fixed (update/upgrade will be
+                     #    performed). Within that ticket explain this (new) vulnerability.
diff --git a/config/magento2/grumphp.yml b/config/magento2/grumphp.yml
@@ -17,3 +17,7 @@ parameters:
     - "<?php echo"
     - "Magento\\\\Framework\\\\App\\\\ObjectManager"
   git_blacklist.triggered_by: [ 'php', 'js', 'phtml' ]
+
+#  securitychecker.allow_list:
+#    - CVE-2002-0121 # Add a jira ticket indicating when this vulnerability will be fixed (update/upgrade will be
+                     #    performed). Within that ticket explain this (new) vulnerability.
diff --git a/config/pimcore/grumphp.yml b/config/pimcore/grumphp.yml
@@ -3,4 +3,8 @@ imports:
 
 # Extend git triggers with common pimcore constructs
 parameters:
-  git_blacklist.triggered_by: [ 'php', 'js', 'twig' ]
+  git_blacklist.triggered_by: [ 'php', 'js', 'twig' ]
+  
+#  securitychecker.allow_list:
+#    - CVE-2002-0121 # Add a jira ticket indicating when this vulnerability will be fixed (update/upgrade will be
+                     #    performed). Within that ticket explain this (new) vulnerability.
