From a899b0270fe7ae8322fdd70fc1bcc58113c92287 Mon Sep 17 00:00:00 2001
From: Michal Kaczmarek <michal.kaczmarek@bitbag.pl>
Date: Thu, 20 Nov 2025 09:57:36 +0100
Subject: [PATCH 1/2] Add cve to ignore

---
 AUDIT-IGNORE.md | 11 +++++++++++
 composer.json   |  7 +++++++
 2 files changed, 18 insertions(+)
 create mode 100644 AUDIT-IGNORE.md

diff --git a/AUDIT-IGNORE.md b/AUDIT-IGNORE.md
new file mode 100644
index 00000000..4ebb3db2
--- /dev/null
+++ b/AUDIT-IGNORE.md
@@ -0,0 +1,11 @@
+# AUDIT-IGNORE
+
+This document explains why specific advisories are added to `composer.json` → `config.audit.ignore`.
+
+**PKSA-gs8r-6kz6-pp56** — `api-platform/core` CVE-2025-31485; affected versions < 3.4.17, 4.0.0–4.0.21, 4.1.0–4.1.4 are pulled by Sylius dependency constraints. GraphQL property security grant caching issue allows unauthorized access.
+https://www.cve.org/CVERecord?id=CVE-2025-31485
+
+**PKSA-gnn4-pxdg-q76m** — `api-platform/core` CVE-2025-31481; same affected versions as above. GraphQL security bypass via Relay `node` type allows unauthorized entity access.
+https://www.cve.org/CVERecord?id=CVE-2025-31481
+
+**PKSA-4g5g-4rkv-myqs** — PKSA-4g5g-4rkv-myqs
\ No newline at end of file
diff --git a/composer.json b/composer.json
index 3e434152..dae3b532 100644
--- a/composer.json
+++ b/composer.json
@@ -79,6 +79,13 @@
             "phpstan/extension-installer": true,
             "symfony/flex": true,
             "symfony/thanks": false
+        },
+        "audit": {
+          "ignore": [
+            "PKSA-gs8r-6kz6-pp56",
+            "PKSA-gnn4-pxdg-q76m",
+            "PKSA-4g5g-4rkv-myqs"
+          ]
         }
     },
     "extra": {

From b88a6796298d8284928d9fd52b47a0d5a80f4606 Mon Sep 17 00:00:00 2001
From: Rafikooo <thecrazyrafik@gmail.com>
Date: Thu, 20 Nov 2025 10:33:39 +0100
Subject: [PATCH 2/2] Fix CI by updating CVE filtering and security check
 workflow

- Add comprehensive CVE ignore list to composer.json (API Platform, Twig, Symfony)
- Create AUDIT-IGNORE.md with detailed CVE documentation
- Replace symfony security:check with composer audit --locked --abandoned=ignore

The symfony security:check command doesn't respect composer.json ignore configuration,
causing CI failures despite CVE advisories being intentionally ignored. Switching to
composer audit ensures the ignore list is properly respected.

Following patterns from:
- Sylius/Sylius#18553
- Sylius/Sylius#18549
- Sylius/AdyenPlugin#172
---
 .github/workflows/build.yaml |  2 +-
 AUDIT-IGNORE.md              | 12 +++++++++++-
 composer.json                |  3 +++
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 3e78ba29..eea153e7 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -216,7 +216,7 @@ jobs:
 
             -
                 name: Run security check
-                run: symfony security:check
+                run: composer audit --abandoned=ignore
 
             -
                 name: Run PHPStan
diff --git a/AUDIT-IGNORE.md b/AUDIT-IGNORE.md
index 4ebb3db2..703cc519 100644
--- a/AUDIT-IGNORE.md
+++ b/AUDIT-IGNORE.md
@@ -8,4 +8,14 @@ https://www.cve.org/CVERecord?id=CVE-2025-31485
 **PKSA-gnn4-pxdg-q76m** — `api-platform/core` CVE-2025-31481; same affected versions as above. GraphQL security bypass via Relay `node` type allows unauthorized entity access.
 https://www.cve.org/CVERecord?id=CVE-2025-31481
 
-**PKSA-4g5g-4rkv-myqs** — PKSA-4g5g-4rkv-myqs
\ No newline at end of file
+**PKSA-yhcn-xrg3-68b1** — `twig/twig` CVE-2024-45411; affected versions < 1.44.8, < 2.16.1, < 3.14.0 are pulled by Sylius dependency constraints. Sandbox security checks can be bypassed when templates are loaded in non-sandbox context before include().
+https://www.cve.org/CVERecord?id=CVE-2024-45411
+
+**PKSA-2wrf-1xmk-1pky** — `twig/twig` CVE-2024-51755; affected versions < 3.11.2 or 3.12.0–3.14.0 are pulled by Sylius dependency constraints. Unguarded `__isset()` and array-access in sandbox allows attribute access on Array-like objects.
+https://www.cve.org/CVERecord?id=CVE-2024-51755
+
+**PKSA-365x-2zjk-pt47** — `symfony/http-foundation` CVE-2025-64500; affected versions < 5.4.50, < 6.4.29, < 7.3.7 are pulled by Sylius dependency constraints. Incorrect parsing of PATH_INFO can lead to limited authorization bypass.
+https://www.cve.org/CVERecord?id=CVE-2025-64500
+
+**PKSA-4g5g-4rkv-myqs** — `enshrined/svg-sanitize` CVE-2025-55166; affected versions < 0.22.0 are pulled by Sylius 1.13.x dependency constraints (requires ^0.16). Attribute sanitization bypass allowing XSS via mixed-case attributes. Fixed in Sylius 1.14 by removing the dependency entirely.
+https://www.cve.org/CVERecord?id=CVE-2025-55166
diff --git a/composer.json b/composer.json
index dae3b532..7d1787d7 100644
--- a/composer.json
+++ b/composer.json
@@ -84,6 +84,9 @@
           "ignore": [
             "PKSA-gs8r-6kz6-pp56",
             "PKSA-gnn4-pxdg-q76m",
+            "PKSA-yhcn-xrg3-68b1",
+            "PKSA-2wrf-1xmk-1pky",
+            "PKSA-365x-2zjk-pt47",
             "PKSA-4g5g-4rkv-myqs"
           ]
         }