function SecurityAdvisoriesFetcher::matchesExistingVersion

Same name in other branches
  Branch 9:  core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher::matchesExistingVersion()
  Branch 10: core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher::matchesExistingVersion()

Determines if an advisory matches the existing version of a project.

Parameters

\Drupal\system\SecurityAdvisories\SecurityAdvisory $sa: The security advisory.

Return value

bool TRUE if the security advisory matches the existing version of the project, or FALSE otherwise.

1 call to SecurityAdvisoriesFetcher::matchesExistingVersion()
SecurityAdvisoriesFetcher::isApplicable in core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php
Determines if a security advisory is applicable for the current site.

File

core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php, line 184

Class

SecurityAdvisoriesFetcher
Defines a service to get security advisories.

Namespace

Drupal\system\SecurityAdvisories

Code

protected function matchesExistingVersion(SecurityAdvisory $sa) : bool {
    if ($existing_version = $this->getProjectExistingVersion($sa)) {
        $existing_project_version = ExtensionVersion::createFromVersionString($existing_version);
        $insecure_versions = $sa->getInsecureVersions();
        // If a site codebase has a development version of any project, including
        // core, we cannot be certain if their development build has the security
        // vulnerabilities that make any of the versions in $insecure_versions
        // insecure. Therefore, we should err on the side of assuming the site's
        // code does have the security vulnerabilities and show the advisories.
        // This will result in some sites seeing advisories that do not affect
        // their versions, but it will make it less likely that sites with the
        // security vulnerabilities will not see the advisories.
        if ($existing_project_version->getVersionExtra() === 'dev') {
            foreach ($insecure_versions as $insecure_version) {
                try {
                    $insecure_project_version = ExtensionVersion::createFromVersionString($insecure_version);
                } catch (\UnexpectedValueException) {
                    // An invalid version string should not halt the evaluation of the
                    // valid versions in $insecure_versions. Version numbers that start
                    // with a core prefix other than '8.x-' are allowed in
                    // $insecure_versions, but they will never match and will throw an
                    // exception, so skip them.
                    continue;
                }
                if ($existing_project_version->getMajorVersion() === $insecure_project_version->getMajorVersion()) {
                    if ($existing_project_version->getMinorVersion() === NULL) {
                        // If the dev version doesn't specify a minor version, matching on
                        // the major version alone is considered a match.
                        return TRUE;
                    }
                    if ($existing_project_version->getMinorVersion() === $insecure_project_version->getMinorVersion()) {
                        // If the dev version specifies a minor version, then the insecure
                        // version must match on the minor version.
                        return TRUE;
                    }
                }
            }
        }
        else {
            // If the existing version is not a dev version, then it must match an
            // insecure version exactly.
            return in_array($existing_version, $insecure_versions, TRUE);
        }
    }
    return FALSE;
}
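The decision rule above (exact match for release builds, major/minor match for dev builds, invalid insecure-version strings skipped) shown as a stand-alone Python re-implementation. This is an added example, not Drupal's code: the small parse_version() helper is a constructed stand-in for Drupal's ExtensionVersion and only understands the version shapes listed in its docstring.

```python
import re

# Constructed stand-in for ExtensionVersion: "8.x-1.2", "8.x-1.x-dev",
# "9.3.0", "9.3.x-dev", "10.1.0-beta1". Not Drupal's parser.
CORE_PREFIX = re.compile(r"^(\d+)\.x-(.+)$")


def parse_version(version: str):
    """Return (major, minor, extra); minor is None for "1.x"-style versions.

    A core prefix other than "8.x-" raises ValueError, mirroring the
    \\UnexpectedValueException that the Drupal method catches and skips.
    """
    m = CORE_PREFIX.match(version)
    if m:
        if m.group(1) != "8":
            raise ValueError(f"unsupported core prefix in {version!r}")
        version = m.group(2)          # e.g. "1.x-dev" or "1.2"
    base, _, extra = version.partition("-")
    parts = base.split(".")
    major = parts[0]
    minor = parts[1] if len(parts) > 1 and parts[1] != "x" else None
    return major, minor, (extra or None)


def matches_existing_version(existing_version: str, insecure_versions: list) -> bool:
    """Same rule as SecurityAdvisoriesFetcher::matchesExistingVersion()."""
    major, minor, extra = parse_version(existing_version)
    if extra != "dev":
        # Release builds must match an insecure version string exactly.
        return existing_version in insecure_versions
    # Dev builds: err on the side of showing the advisory when the major
    # version (and the minor version, if the dev build specifies one) lines up.
    for insecure in insecure_versions:
        try:
            i_major, i_minor, _ = parse_version(insecure)
        except ValueError:
            continue  # an invalid entry must not abort the remaining checks
        if major == i_major and (minor is None or minor == i_minor):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample advisory data for illustration.
    print(matches_existing_version("9.3.0", ["9.3.0", "9.2.1"]))       # True
    print(matches_existing_version("9.3.x-dev", ["9.3.2"]))            # True
    print(matches_existing_version("8.x-1.x-dev", ["7.x-1.4", "8.x-2.0"]))  # False
```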
