protected function SecurityAdvisoriesFetcher::matchesExistingVersion in Drupal 10
Same name and namespace in other branches
- 9 core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php \Drupal\system\SecurityAdvisories\SecurityAdvisoriesFetcher::matchesExistingVersion()
Determines if an advisory matches the existing version of a project.
Parameters
\Drupal\system\SecurityAdvisories\SecurityAdvisory $sa: The security advisory.
Return value
bool TRUE if the security advisory matches the existing version of the project, or FALSE otherwise.
1 call to SecurityAdvisoriesFetcher::matchesExistingVersion()
- SecurityAdvisoriesFetcher::isApplicable in core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php
- Determines if a security advisory is applicable for the current site.
File
- core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php, line 183
Class
- SecurityAdvisoriesFetcher
- Defines a service to get security advisories.
Namespace
Drupal\system\SecurityAdvisories
Code
protected function matchesExistingVersion(SecurityAdvisory $sa) : bool {
  if ($existing_version = $this->getProjectExistingVersion($sa)) {
    $existing_project_version = ExtensionVersion::createFromVersionString($existing_version);
    $insecure_versions = $sa->getInsecureVersions();
    // If a site codebase has a development version of any project, including
    // core, we cannot be certain if their development build has the security
    // vulnerabilities that make any of the versions in $insecure_versions
    // insecure. Therefore, we should err on the side of assuming the site's
    // code does have the security vulnerabilities and show the advisories.
    // This will result in some sites seeing advisories that do not affect
    // their versions, but it will make it less likely that sites with the
    // security vulnerabilities will not see the advisories.
    if ($existing_project_version->getVersionExtra() === 'dev') {
      foreach ($insecure_versions as $insecure_version) {
        try {
          $insecure_project_version = ExtensionVersion::createFromVersionString($insecure_version);
        }
        catch (\UnexpectedValueException $exception) {
          // An invalid version string should not halt the evaluation of valid
          // versions in $insecure_versions. Version numbers that start with
          // core prefix besides '8.x-' are allowed in $insecure_versions,
          // but will never match and will throw an exception.
          continue;
        }
        if ($existing_project_version->getMajorVersion() === $insecure_project_version->getMajorVersion()) {
          if ($existing_project_version->getMinorVersion() === NULL) {
            // If the dev version doesn't specify a minor version, matching on
            // the major version alone is considered a match.
            return TRUE;
          }
          if ($existing_project_version->getMinorVersion() === $insecure_project_version->getMinorVersion()) {
            // If the dev version specifies a minor version, then the insecure
            // version must match on the minor version.
            return TRUE;
          }
        }
      }
    }
    else {
      // If the existing version is not a dev version, then it must match an
      // insecure version exactly.
      return in_array($existing_version, $insecure_versions, TRUE);
    }
  }
  return FALSE;
}
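The matching rules above, as a stand-alone added example that is not part of Drupal core: dev builds fail open on a major (and, when present, minor) match, while tagged releases need an exact string match. The functions parse_version() and matches_existing() and the sample versions are hypothetical; the parser is a simplified stand-in for ExtensionVersion and needs PHP 8.

```php
<?php
// Added illustration. parse_version() is a simplified, hypothetical stand-in
// for ExtensionVersion::createFromVersionString(), not Drupal's parser.
function parse_version(string $v): array {
  if (str_starts_with($v, '8.x-')) {
    // Contrib versions carry the '8.x-' core prefix; drop it.
    $v = substr($v, 4);
  }
  elseif (preg_match('/^\d+\.x-(?!dev$)/', $v)) {
    // Any other core prefix (e.g. '7.x-') is rejected.
    throw new \UnexpectedValueException("Unexpected core prefix in $v");
  }
  $re = '/^(\d+)\.(?:(\d+)\.)?(?:\d+|x)(?:-(.+))?$/';
  if (!preg_match($re, $v, $m, PREG_UNMATCHED_AS_NULL)) {
    throw new \UnexpectedValueException("Unexpected version string $v");
  }
  return ['major' => $m[1], 'minor' => $m[2] ?? NULL, 'extra' => $m[3] ?? NULL];
}

function matches_existing(string $existing, array $insecure): bool {
  $e = parse_version($existing);
  if ($e['extra'] !== 'dev') {
    // Tagged release: only an exact string match counts.
    return in_array($existing, $insecure, TRUE);
  }
  foreach ($insecure as $candidate) {
    // Skip unparseable entries and keep checking the rest.
    try { $i = parse_version($candidate); }
    catch (\UnexpectedValueException $ex) { continue; }
    // Dev build: match on major, and on minor only if the dev build has one.
    if ($e['major'] === $i['major'] && ($e['minor'] === NULL || $e['minor'] === $i['minor'])) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample data: [installed version, advisory's insecure versions].
$cases = [
  ['8.x-1.x-dev', ['8.x-1.2']],
  ['9.1.x-dev', ['9.1.3']],
  ['9.2.x-dev', ['9.1.3']],
  ['8.x-1.1', ['8.x-1.2']],
  ['8.x-2.x-dev', ['7.x-2.0', '8.x-2.4']],
];
foreach ($cases as [$existing, $insecure]) {
  printf("%-12s vs %-16s => %s\n", $existing, implode(',', $insecure), var_export(matches_existing($existing, $insecure), TRUE));
}
```

The last case shows an entry with an unsupported core prefix being skipped without stopping evaluation of the remaining insecure versions.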