
SecurityCheckerEnlightn task: allow_list configuration doesn't handle multiple CVE IDs correctly

Open cedriclenders opened this issue 1 month ago • 1 comment

Summary

The SecurityCheckerEnlightn task in GrumPHP doesn't properly process multiple CVE IDs when configured in the allow_list. The task only works correctly when each CVE ID is passed as a separate --allow-list argument, but fails when multiple CVE IDs are provided in a single configuration.

Expected Behavior

When configuring multiple CVE IDs in the allow_list configuration:

security_checker_enlightn:
  allow_list:
    - CVE-2025-54370
    - CVE-2025-64500

All specified CVE IDs should be properly ignored during the security check.

Actual Behavior

Multiple CVE IDs in the allow_list are not processed correctly. The task continues to report vulnerabilities for all CVE IDs in the list, suggesting they are not being passed properly to the underlying security-checker command.

Steps to Reproduce

1. Configure GrumPHP with multiple CVE IDs in the SecurityCheckerEnlightn allow_list
2. Run the security checker task
3. Observe that vulnerabilities are still reported for the CVE IDs that should be allowed

Workaround

The issue can be worked around by running the security-checker command manually with separate --allow-list parameters:

php vendor/bin/security-checker security:check /app/composer.lock --allow-list=CVE-2025-54370 --allow-list=CVE-2025-64500

Root Cause

The issue appears to be in vendor/phpro/grumphp/src/Task/SecurityCheckerEnlightn.php where the allow_list configuration is not properly iterated to create separate --allow-list arguments for each CVE ID.

Suggested Fix

The code should loop over all items in the allow_list configuration:

// one --allow-list option per configured CVE ID
foreach ($config['allow_list'] as $allow_list_item) {
    $arguments->addOptionalArgument('--allow-list=%s', $allow_list_item);
}

Additional Context


Screenshot attached showing the difference in behavior between comma-separated values in a single --allow-list parameter versus multiple separate --allow-list parameters.

cedriclenders, Nov 13 '25 13:11

Thanks for reporting! Since you got this far, can you provide a PR solving the issue?

The suggested fix could be made easier by using addArgumentArray directly instead of addOptionalArgument.

veewee, Nov 13 '25 13:11
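To make the difference between the two argument shapes concrete, here is a stand-alone PHP script, added as an example and not code from GrumPHP or from either participant, that builds the security-checker argument list from a config like the one in the report: once as a single comma-joined --allow-list option (the form the screenshot contrasts) and once with one --allow-list option per CVE ID (the form of the manual workaround, of the suggested foreach fix, and of what veewee's addArgumentArray suggestion would produce). It does not use GrumPHP's ProcessArgumentsCollection; the function names, the CVE ID check and the sample config are the example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example: models two ways of turning the task's allow_list into
// security-checker arguments. Function names below are hypothetical and
// are not GrumPHP's API.

/**
 * Reject entries that are not CVE identifiers, so a typo in grumphp.yml
 * cannot silently become an allow-list entry that matches nothing.
 * Pattern follows the MITRE format CVE-YYYY-NNNN (4 or more digits).
 */
function assertCveIds(array $allowList): void
{
    foreach ($allowList as $entry) {
        if (!is_string($entry) || !preg_match('/^CVE-\d{4}-\d{4,}$/', $entry)) {
            throw new InvalidArgumentException(
                sprintf('Not a CVE identifier: %s', var_export($entry, true))
            );
        }
    }
}

/** Comma-joined form: one --allow-list option carrying every ID. */
function buildCommaSeparated(array $config): array
{
    $args = ['security:check', $config['lockfile']];
    if ($config['allow_list'] !== []) {
        $args[] = sprintf('--allow-list=%s', implode(',', $config['allow_list']));
    }
    return $args;
}

/** Per-item form: one --allow-list option per ID, as in the workaround. */
function buildPerItem(array $config): array
{
    $args = ['security:check', $config['lockfile']];
    foreach ($config['allow_list'] as $cve) {
        $args[] = sprintf('--allow-list=%s', $cve);
    }
    return $args;
}

/** Render argv as a shell command line, quoting every argument. */
function renderCommand(string $binary, array $args): string
{
    return implode(' ', array_map('escapeshellarg', [$binary, ...$args]));
}

// Constructed sample config mirroring the allow_list from the report.
$config = [
    'lockfile'   => '/app/composer.lock',
    'allow_list' => ['CVE-2025-54370', 'CVE-2025-64500'],
];

assertCveIds($config['allow_list']);

echo "comma-joined (single --allow-list option):\n  ",
    renderCommand('vendor/bin/security-checker', buildCommaSeparated($config)), "\n";
echo "per-item (one --allow-list option per CVE):\n  ",
    renderCommand('vendor/bin/security-checker', buildPerItem($config)), "\n";
```

Running it with `php build-args.php` prints the two command lines side by side; the per-item one is the same shape as the manual command in the Workaround section, while the comma-joined one carries both IDs in a single option value. The assertCveIds check is a practitioner's addition: an allow list is a deliberate decision to ignore a finding, so an entry that is not even a CVE identifier should fail the run rather than be passed along.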