If a known security vulnerability in Contao or in one of the installed packages has been fixed in a new version, you will receive an email notification from us (provided you have activated this under Profile > Settings > Notifications). Within trakked, an additional label "Security risk" appears, with which you can find all affected installations. You can also tell from the red trakked logo that an installation has a security problem.
If you then open the detailed view of an installation, a new tab "Security" appears. Here you can see the affected packages and a short description of the vulnerability. If available, you can find out more details by clicking on the link button.

Ignore certain security vulnerabilities

Imagine you have an installation containing a bundle that has recently been affected by a security vulnerability. Unfortunately, it is a bundle that you use in practically every installation. To close the vulnerability, you would have to require a new version of this bundle. However, an update is not possible at this time, and you have verified that the vulnerable code path is not reachable in your installation, so you find the constant reminders from trakked in the weekly notification and in the app annoying.

Composer offers the option of ignoring specific security vulnerabilities via an entry in composer.json. This entry is honoured by composer audit, and we naturally take it into account as well. Note that ignoring an advisory only suppresses the report; it does not fix anything, it applies only to the composer.json in which it is declared, and you should record why the vulnerability does not affect the project so that the decision can be reviewed later.

Let's assume that the following security vulnerability is involved:
CVE-2024-6531: Bootstrap Cross-Site Scripting (XSS) vulnerability.

Then your entry in composer.json should look like this:

"config": {
    "audit": {
        "ignore": ["CVE-2024-6531"]
    }
}

Of course, you can also document the reason for yourself:

"config": {
    "audit": {
        "ignore": {
            "CVE-2024-6531": "Affects a Bootstrap XSS vulnerability in the Carousel component, which we do not use in this project."
        }
    }
}

If there are multiple security vulnerabilities, the entry should look like this:

"config": {
    "audit": {
        "ignore": ["CVE-2024-6531", "CVE-2024-xxxx"]
    }
}

... and with comments:

"config": {
    "audit": {
        "ignore": {
            "CVE-2024-6531": "Affects a Bootstrap XSS vulnerability in the Carousel component, which we do not use in this project.",
            "CVE-2024-xxxx": "…"
        }
    }
}

If the security vulnerability does not have a CVE, you can insert the advisory ID instead. For the example above, that is GHSA-vc8w-jr9v-vj7f instead of CVE-2024-6531; both identifiers refer to the same advisory, and composer audit matches either of them. An advisory ID is always available, whereas a CVE is not always registered and is therefore optional.

Then click "Update system information" on the installation in trakked. The security message is now crossed out and will no longer be included in notifications. Remember to remove the entry again once you have updated the affected package, otherwise it will silently suppress any future advisory that carries the same identifier. In the future, we plan to make it possible to maintain the list via our user interface.
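The following script is an added example and is not part of trakked or Composer. It reconciles the config.audit.ignore list of a composer.json (in either the list form or the object-with-reasons form shown above) against an advisory report. The report is constructed inline for the example and assumes the shape of `composer audit --format=json` output (an "advisories" object keyed by package name, each advisory carrying advisoryId, remoteId, cve and title); an advisory counts as suppressed when any of those identifiers appears in the ignore list, which is the matching behaviour the text above describes for CVE and GHSA identifiers. Beyond the single case on the page, the script also flags ignore entries that match no current advisory (stale entries that should be removed after an update, or typos), entries without a documented reason, and entries that are neither CVE- nor GHSA-shaped. The placeholder identifiers CVE-2000-0000 and bootstrap-xss in the sample are constructed and refer to nothing real.

```python
"""Reconcile composer.json config.audit.ignore with an advisory report.

Added example, not code from trakked or Composer. The report shape below is an
assumption about `composer audit --format=json` output; all sample data is
constructed for this example.
"""
import json
import re

# Identifier shapes the page mentions: CVE ids and GitHub advisory (GHSA) ids.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
GHSA_RE = re.compile(r"^GHSA(-[0-9a-z]{4}){3}$")

# Constructed composer.json fragment: one real, documented ignore, one
# placeholder id without a reason, and one entry with a wrong shape.
COMPOSER_JSON = json.loads("""
{
  "config": {
    "audit": {
      "ignore": {
        "CVE-2024-6531": "Bootstrap carousel XSS; the carousel component is not used in this project.",
        "CVE-2000-0000": "",
        "bootstrap-xss": "constructed entry with an unrecognised identifier shape"
      }
    }
  }
}
""")

# Constructed report in the assumed `composer audit --format=json` shape.
# advisoryId (Packagist's own id) is deliberately left out since it is not
# known here; matching also works on remoteId and cve.
AUDIT_REPORT = {
    "advisories": {
        "twbs/bootstrap": [
            {
                "remoteId": "GHSA-vc8w-jr9v-vj7f",
                "cve": "CVE-2024-6531",
                "title": "Bootstrap Cross-Site Scripting (XSS) vulnerability",
            }
        ]
    }
}


def load_ignores(composer_json):
    """Return {identifier: reason or None} from config.audit.ignore.

    Accepts both forms: a plain list of ids, or an object mapping each id to a
    documented reason. An empty or non-string reason counts as undocumented.
    """
    raw = composer_json.get("config", {}).get("audit", {}).get("ignore", [])
    if isinstance(raw, dict):
        return {k: (v.strip() or None) if isinstance(v, str) else None
                for k, v in raw.items()}
    return {entry: None for entry in raw}


def advisory_identifiers(advisory):
    """Every identifier an ignore entry may match for one advisory."""
    return {advisory.get(k) for k in ("advisoryId", "remoteId", "cve")} - {None}


def reconcile(composer_json, audit_report):
    """Classify advisories and ignore entries; returns lists in input order."""
    ignores = load_ignores(composer_json)
    result = {"suppressed": [], "open": [], "stale": [],
              "undocumented": [], "malformed": []}
    matched = set()
    for package, advisories in audit_report.get("advisories", {}).items():
        for adv in advisories:
            label = f"{package}: {adv.get('title', '?')}"
            hits = advisory_identifiers(adv) & set(ignores)
            if hits:
                matched |= hits
                result["suppressed"].append(label)
            else:
                result["open"].append(label)
    for entry, reason in ignores.items():
        if not (CVE_RE.match(entry) or GHSA_RE.match(entry)):
            result["malformed"].append(entry)
        if reason is None:
            result["undocumented"].append(entry)
        if entry not in matched:  # matches nothing currently reported
            result["stale"].append(entry)
    return result


if __name__ == "__main__":
    for category, items in reconcile(COMPOSER_JSON, AUDIT_REPORT).items():
        print(f"{category}: {items}")
```

A stale entry is worth acting on in both directions: either the package has been updated and the ignore should be deleted, or the identifier is mistyped and the advisory is still being reported.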
