protected function SecurityAdvisoriesFetcher::matchesExistingVersion in Drupal 9

Determines if an advisory matches the existing version of a project.

Parameters

\Drupal\system\SecurityAdvisories\SecurityAdvisory $sa: The security advisory.

Return value

bool TRUE if the security advisory matches the existing version of the project, or FALSE otherwise.

1 call to SecurityAdvisoriesFetcher::matchesExistingVersion()
SecurityAdvisoriesFetcher::isApplicable in core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php
Determines if a security advisory is applicable for the current site.

File

core/modules/system/src/SecurityAdvisories/SecurityAdvisoriesFetcher.php, line 183

Class

SecurityAdvisoriesFetcher
Defines a service to get security advisories.

Namespace

Drupal\system\SecurityAdvisories

Code

protected function matchesExistingVersion(SecurityAdvisory $sa) : bool {
  if ($existing_version = $this
    ->getProjectExistingVersion($sa)) {
    $existing_project_version = ExtensionVersion::createFromVersionString($existing_version);
    $insecure_versions = $sa
      ->getInsecureVersions();

    // If a site codebase has a development version of any project, including
    // core, we cannot be certain if their development build has the security
    // vulnerabilities that make any of the versions in $insecure_versions
    // insecure. Therefore, we should err on the side of assuming the site's
    // code does have the security vulnerabilities and show the advisories.
    // This will result in some sites seeing advisories that do not affect
    // their versions, but it will make it less likely that sites with the
    // security vulnerabilities will not see the advisories.
    if ($existing_project_version
      ->getVersionExtra() === 'dev') {
      foreach ($insecure_versions as $insecure_version) {
        try {
          $insecure_project_version = ExtensionVersion::createFromVersionString($insecure_version);
        } catch (\UnexpectedValueException $exception) {

          // An invalid version string should not halt the evaluation of valid
          // versions in $insecure_versions. Version numbers that start with
          // core prefix besides '8.x-' are allowed in $insecure_versions,
          // but will never match and will throw an exception.
          continue;
        }
        if ($existing_project_version
          ->getMajorVersion() === $insecure_project_version
          ->getMajorVersion()) {
          if ($existing_project_version
            ->getMinorVersion() === NULL) {

            // If the dev version doesn't specify a minor version, matching on
            // the major version alone is considered a match.
            return TRUE;
          }
          if ($existing_project_version
            ->getMinorVersion() === $insecure_project_version
            ->getMinorVersion()) {

            // If the dev version specifies a minor version, then the insecure
            // version must match on the minor version.
            return TRUE;
          }
        }
      }
    }
    else {

      // If the existing version is not a dev version, then it must match an
      // insecure version exactly.
      return in_array($existing_version, $insecure_versions, TRUE);
    }
  }
  return FALSE;
}
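As an added example (not Drupal's own code), the rule above re-implemented in Python so its two branches can be exercised: a dev build matches on major version alone when it carries no minor version, on major and minor when it does, while a release must appear in the advisory's insecure list exactly. The ExtensionVersion parser here is a simplified, assumed stand-in for Drupal's class (optional '8.x-' core prefix, major.patch or major.minor.patch, optional '-extra' suffix); the sample versions are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

_CORE_PREFIX = re.compile(r"^(\d+)\.x-")


@dataclass(frozen=True)
class ExtensionVersion:
    """Simplified stand-in for Drupal's ExtensionVersion class (an assumption)."""
    major: str
    minor: Optional[str]  # None for '8.x-1.3' or '8.x-1.x-dev' (no minor part)
    extra: Optional[str]  # e.g. 'dev', 'alpha1', or None for a plain release

    @classmethod
    def from_string(cls, version: str) -> "ExtensionVersion":
        m = _CORE_PREFIX.match(version)
        if m:
            if m.group(1) != "8":
                # Only the '8.x-' core prefix is understood; any other prefix
                # is rejected, as the \UnexpectedValueException branch above.
                raise ValueError(f"unsupported core prefix in {version!r}")
            version = version[m.end():]
        number, _, extra = version.partition("-")
        parts = number.split(".")
        if len(parts) not in (2, 3) or not parts[0].isdigit():
            raise ValueError(f"invalid version string {version!r}")
        minor = parts[1] if len(parts) == 3 and parts[1] != "x" else None
        return cls(major=parts[0], minor=minor, extra=extra or None)


def matches_existing_version(existing_version: str, insecure_versions: List[str]) -> bool:
    """Mirror of matchesExistingVersion(): True if the advisory applies."""
    existing = ExtensionVersion.from_string(existing_version)
    if existing.extra != "dev":
        # A release must match an insecure version string exactly.
        return existing_version in insecure_versions
    for insecure in insecure_versions:
        try:
            candidate = ExtensionVersion.from_string(insecure)
        except ValueError:
            continue  # skip unparsable entries, keep evaluating the rest
        if existing.major != candidate.major:
            continue
        # Dev build: no minor given -> major alone matches; else minor must match.
        if existing.minor is None or existing.minor == candidate.minor:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: a contrib dev branch against a mixed insecure list.
    print(matches_existing_version("8.x-1.x-dev", ["7.x-1.3", "8.x-1.3"]))
```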