Magento vulnerabilities should cover the magento/project-community-edition package as well

[bbutkovic]

Currently, advisories for Magento only reference the magento/community-edition package, not magento/project-community-edition.

A lot of Magento websites are set up to pull packages from Magento's own repos (https://repo.magento.com/), meaning they use the magento/project-community-edition metapackage, not magento/community-edition, making reports for magento/community-edition not apply for vulnerabilities in Magento's repos. Magento advises installs to use the project-* metapackage in their official documentation, too.

An example of the recent CVE-2024-34102 shows exactly this.

This is unfortunate as Dependabot alerts for Magento projects are essentially ineffective as Dependabot will not check for vulnerabilities in magento/community-edition.

FriendsOfPHP actually refer only to the magento/project-community-edition package in their advisory.

Perhaps it would be good to add magento/project-community-edition to the affected array retroactively and in future vulnerabilities.

I can update the current GHSAs with the added package if needed.

[shelbyc]

Hi @bbutkovic, thank you for reaching out about adding magento/project-community-edition to advisories that currently only have magento/community-edition listed as an affected product. Community contributions support changing only one advisory per pull request, so updating the advisories isn't as straightforward as merging one bulk pull request.

Additionally, I noticed that the latest version of magento/project-community-edition is 2.0.2, but 197 of the advisories that list magento/community-edition as an affected product have a lower bound on their vulnerable version ranges, such as >= 2.2 or >= 2.3, that is higher than 2.0.2. GHSA-3q5x-7mxp-rp6j is an example of an advisory that lists 2.2 as the lowest vulnerable version. I don't want to issue unnecessary alerts if it turns out that magento/community-edition didn't become vulnerable to a particular issue until after magento/project-community-edition stopped releasing new versions.

I compiled a list of advisories with lower bounds on their vulnerable version ranges that include magento/project-community-edition's latest version. They are:

GHSA-269w-pqc7-68q9
GHSA-2j6v-829g-885q
GHSA-2w2x-7qgj-4x78
GHSA-39ch-rg26-gmq5
GHSA-39rw-4m66-82gf
GHSA-45h4-6gcj-6hwv
GHSA-4f7x-gjqc-qqpg
GHSA-4h3p-63x6-vwg2
GHSA-4jfq-f8hc-775q
GHSA-55gv-hfg3-hwjq
GHSA-5j4w-v87m-8r65
GHSA-689w-2f93-2x67
GHSA-6988-g89m-27vf
GHSA-6w29-x5j4-qhrw
GHSA-724x-gqhv-9c5x
GHSA-792f-c8mp-2cr5
GHSA-7gh6-f4jh-3crq
GHSA-7gpv-xrjr-f5h4
GHSA-7pxg-6p87-8c9v
GHSA-8pfq-g48p-x7w8
GHSA-8wm7-h2qh-ff4c
GHSA-988g-wfwf-5666
GHSA-c38m-9668-6j2w
GHSA-c3m4-hxv9-4mxj
GHSA-c55h-7q4j-g6rq
GHSA-cc3w-r3w8-hfh7
GHSA-crjc-2v9m-8w7r
GHSA-crv7-r357-gw3w
GHSA-f2g3-3c6q-4478
GHSA-fr6f-xmfx-rrpq
GHSA-g7pc-799q-743f
GHSA-gffx-9f36-r8wp
GHSA-h437-qjj9-vmq4
GHSA-h4xc-577p-hgj9
GHSA-h5rm-m772-6qcx
GHSA-hvf5-4jr9-fghh
GHSA-j2jp-58gv-g2pg
GHSA-j2r4-2cr6-h3r3
GHSA-h7qw-mxrm-c6h2

I'm going to show these advisories to my colleagues to see how we want to handle magento/project-community-edition. Thanks for bringing magento/project-community-edition and I'll keep you posted on what our plans our with respect to these advisories.

[bbutkovic]

Hi! Good news, let me know what you decide.

Magento's repos currently publish new versions under magento/project-community-edition, including the latest. On packagist, however, they publish the same under magento/community-edition.

Maybe someone can correct me, but it looks to me like magento/community-edition is an alias on Packagist for Magento's own magento/project-community-edition in their repos.