
Add security to support options (#11271)

This support option allows projects to specify a URL to the project's
vulnerability disclosure policy (VDP).
pull/11375/head
Ben Ramsey 2023-03-10 15:28:10 -06:00 committed by GitHub
parent d1ab1255b5
commit cd137ee29b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 16 additions and 6 deletions


@ -98,6 +98,7 @@
},
"support": {
"issues": "https://github.com/composer/composer/issues",
"irc": "ircs://irc.libera.chat:6697/composer"
"irc": "ircs://irc.libera.chat:6697/composer",
"security": "https://github.com/composer/composer/security/policy"
}
}


@ -250,6 +250,7 @@ Support information includes the following:
* **docs:** URL to the documentation.
* **rss:** URL to the RSS feed.
* **chat:** URL to the chat channel.
* **security:** URL to the vulnerability disclosure policy (VDP).
An example:


@ -111,6 +111,11 @@
"type": "string",
"description": "URL to the RSS feed.",
"format": "uri"
},
"security": {
"type": "string",
"description": "URL to the vulnerability disclosure policy (VDP).",
"format": "uri"
}
}
},


@ -33,7 +33,7 @@ class CompletePackage extends Package implements CompletePackageInterface
protected $homepage = null;
/** @var array<string, string[]> Map of script name to array of handlers */
protected $scripts = [];
/** @var array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string} */
/** @var array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string} */
protected $support = [];
/** @var array<array{url?: string, type?: string}> */
protected $funding = [];


@ -118,14 +118,14 @@ interface CompletePackageInterface extends PackageInterface
/**
* Returns the support information
*
* @return array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string}
* @return array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string}
*/
public function getSupport(): array;
/**
* Set the support information
*
* @param array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string} $support
* @param array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string} $support
*/
public function setSupport(array $support): void;


@ -191,7 +191,7 @@ class ValidatingArrayLoader implements LoaderInterface
}
if ($this->validateArray('support') && !empty($this->config['support'])) {
foreach (['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat'] as $key) {
foreach (['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat', 'security'] as $key) {
if (isset($this->config['support'][$key]) && !is_string($this->config['support'][$key])) {
$this->errors[] = 'support.'.$key.' : invalid value, must be a string';
unset($this->config['support'][$key]);
@ -208,7 +208,7 @@ class ValidatingArrayLoader implements LoaderInterface
unset($this->config['support']['irc']);
}
foreach (['issues', 'forum', 'wiki', 'source', 'docs', 'chat'] as $key) {
foreach (['issues', 'forum', 'wiki', 'source', 'docs', 'chat', 'security'] as $key) {
if (isset($this->config['support'][$key]) && !$this->filterUrl($this->config['support'][$key])) {
$this->warnings[] = 'support.'.$key.' : invalid value ('.$this->config['support'][$key].'), must be an http/https URL';
unset($this->config['support'][$key]);
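Review bot: In the second hunk, `security` joins the keys checked with `filterUrl()`, which, going by the warning text `must be an http/https URL`, still accepts plain `http://`. For a vulnerability disclosure policy link that is weaker than for the other keys, because a policy fetched over an unauthenticated connection can be altered in transit to show a different reporting contact. Consider a check after this loop that warns on a non-HTTPS value, e.g. `if (isset($this->config['support']['security']) && 0 !== stripos($this->config['support']['security'], 'https://')) { $this->warnings[] = 'support.security : should be an https URL'; }`. The enclosing method starts and ends outside both hunks, so whether a later step already enforces this cannot be seen here.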


@ -74,6 +74,7 @@ class ValidatingArrayLoaderTest extends TestCase
'irc' => 'irc://example.org/example',
'rss' => 'http://example.org/rss',
'chat' => 'http://example.org/chat',
'security' => 'https://example.org/security',
],
'funding' => [
[
@ -449,6 +450,7 @@ class ValidatingArrayLoaderTest extends TestCase
'issues' => 'foo:bar',
'wiki' => 'foo:bar',
'chat' => 'foo:bar',
'security' => 'foo:bar',
],
],
[
@ -457,6 +459,7 @@ class ValidatingArrayLoaderTest extends TestCase
'support.issues : invalid value (foo:bar), must be an http/https URL',
'support.wiki : invalid value (foo:bar), must be an http/https URL',
'support.chat : invalid value (foo:bar), must be an http/https URL',
'support.security : invalid value (foo:bar), must be an http/https URL',
],
],
[