From 4e376ed7f12186d9b6166918cd109e189fc0cc4e Mon Sep 17 00:00:00 2001
From: Peter van der Wal
Date: Mon, 11 Aug 2025 15:39:27 +0200
Subject: [PATCH] feat: add an allow list to security checker
---
CHANGELOG.md | 1 +
composer.json | 2 +-
config/default/grumphp.yml | 2 ++
config/drupal/grumphp.yml | 6 +++++-
config/magento2/grumphp.yml | 4 ++++
config/pimcore/grumphp.yml | 6 +++++-
6 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb7a0f6..5135a64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upstream projects not having phpunit installed will install phpunit with an @stable version.
 - Added support for Drupal configuration and templates.
 - Migration docs for migration from v2 to v3 of the testing suite.
+- Added support for an Allow List within the Security Checker.
 ### Changed
 - [BREAKING] The composer.json configurations `config.youwe-testing-suite.type` and `config.mediact-testing-suite.type`
diff --git a/composer.json b/composer.json
index 7b51667..5533485 100644
--- a/composer.json
+++ b/composer.json
@@ -31,7 +31,7 @@
 "kint-php/kint": "@stable",
 "php-parallel-lint/php-parallel-lint": "^1.4",
 "phpmd/phpmd": "^2.15",
- "phpro/grumphp-shim": "^2.12",
+ "phpro/grumphp-shim": "^2.15",
 "phpstan/phpstan": "@stable",
 "squizlabs/php_codesniffer": "^3.12.0",
 "youwe/composer-dependency-installer": "^2.0",
diff --git a/config/default/grumphp.yml b/config/default/grumphp.yml
index 70d3f49..dc5b874 100644
--- a/config/default/grumphp.yml
+++ b/config/default/grumphp.yml
@@ -44,6 +44,7 @@ parameters:
 securitychecker.lockfile: ./composer.lock
 securitychecker.run_always: true
+ securitychecker.allow_list: []
 git_blacklist.keywords:
 - "die("
@@ -132,3 +133,4 @@ grumphp:
 securitychecker_enlightn:
 lockfile: '%securitychecker.lockfile%'
 run_always: '%securitychecker.run_always%'
+ allow_list: '%securitychecker.allow_list%'
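Review bot: The new `securitychecker.allow_list: []` parameter in the first config/default/grumphp.yml hunk carries no comment saying what its entries are or under which conditions a project may add one, and every entry silences an advisory for the whole lockfile for as long as it stays there, so this is the place to set the rule. I would put above the parameter the comment `# Advisory identifiers the Enlightn security checker must ignore. Keep this empty here; override per project with a ticket reference and remove the entry as soon as the fixed package is installed.` The value is handed unchanged to the task's `allow_list` option in the second hunk; whether the task matches CVE IDs only or also other advisory identifiers is not visible in this patch and should be confirmed against the grumphp-shim 2.15 task documentation before projects start populating it. Because `run_always: true` keeps the checker on every run, the allow list is the only way to make a flagged advisory pass, which is another reason to require a reviewable justification per entry.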
diff --git a/config/drupal/grumphp.yml b/config/drupal/grumphp.yml
index 8492ff7..3964359 100644
--- a/config/drupal/grumphp.yml
+++ b/config/drupal/grumphp.yml
@@ -3,4 +3,8 @@ imports:
 # Extend git triggers with common Drupal constructs
 parameters:
- git_blacklist.triggered_by: [ 'php', 'js', 'twig' ]
\ No newline at end of file
+ git_blacklist.triggered_by: [ 'php', 'js', 'twig' ]
+
+ # securitychecker.allow_list:
+ # - CVE-2002-0121 # Add a jira ticket indicating when this vulnerability will be fixed (update/upgrade will be
+ # performed). Within that ticket explain this (new) vulnerability.
diff --git a/config/magento2/grumphp.yml b/config/magento2/grumphp.yml
index b82df02..5ee39a1 100644
--- a/config/magento2/grumphp.yml
+++ b/config/magento2/grumphp.yml
@@ -17,3 +17,7 @@ parameters:
 - "
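Review bot: The commented-out example in the config/drupal/grumphp.yml hunk uses `CVE-2002-0121`, a real-looking identifier, as its placeholder, and a copied-as-is uncomment would silence whatever that ID resolves to instead of failing; an obviously fake placeholder such as `CVE-YYYY-NNNNN` cannot be mistaken for a real entry. The indentation of the commented lines is not recoverable from this rendering, so confirm that `securitychecker.allow_list:` sits under `parameters:` once uncommented — at top level it would not feed the `%securitychecker.allow_list%` placeholder that the task reads. I would also make the trailing comment name the affected package and an expiry condition, e.g. `- CVE-YYYY-NNNNN # vendor/package, JIRA-123: accepted until the upgrade in that ticket lands; remove afterwards`, so that each entry is reviewable and removable. The same example is presumably added to the pimcore config per the diffstat; keeping the wording identical in both files avoids two divergent policies.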