From cd137ee29b2b7dd041d13567b113577c8b89c2c1 Mon Sep 17 00:00:00 2001
From: Ben Ramsey
Date: Fri, 10 Mar 2023 15:28:10 -0600
Subject: [PATCH] Add security to support options (#11271)

This support option allows projects to specify a URL to the project's vulnerability disclosure policy (VDP).
---
 composer.json | 3 ++-
 doc/04-schema.md | 1 +
 res/composer-schema.json | 5 +++++
 src/Composer/Package/CompletePackage.php | 2 +-
 src/Composer/Package/CompletePackageInterface.php | 4 ++--
 src/Composer/Package/Loader/ValidatingArrayLoader.php | 4 ++--
 .../Test/Package/Loader/ValidatingArrayLoaderTest.php | 3 +++
 7 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/composer.json b/composer.json
index 0b06a167c..fed3062b6 100644
--- a/composer.json
+++ b/composer.json
@@ -98,6 +98,7 @@
 },
 "support": {
 "issues": "https://github.com/composer/composer/issues",
- "irc": "ircs://irc.libera.chat:6697/composer"
+ "irc": "ircs://irc.libera.chat:6697/composer",
+ "security": "https://github.com/composer/composer/security/policy"
 }
 }
diff --git a/doc/04-schema.md b/doc/04-schema.md
index de4bf1600..8cdb3117a 100644
--- a/doc/04-schema.md
+++ b/doc/04-schema.md
@@ -250,6 +250,7 @@ Support information includes the following:
 * **docs:** URL to the documentation.
 * **rss:** URL to the RSS feed.
 * **chat:** URL to the chat channel.
+* **security:** URL to the vulnerability disclosure policy (VDP).
 An example:
diff --git a/res/composer-schema.json b/res/composer-schema.json
index c384e5b1f..8e8c65691 100644
--- a/res/composer-schema.json
+++ b/res/composer-schema.json
@@ -111,6 +111,11 @@
 "type": "string",
 "description": "URL to the RSS feed.",
 "format": "uri"
+ },
+ "security": {
+ "type": "string",
+ "description": "URL to the vulnerability disclosure policy (VDP).",
+ "format": "uri"
 }
 }
 },
diff --git a/src/Composer/Package/CompletePackage.php b/src/Composer/Package/CompletePackage.php
index 66a5a127c..0d87082d7 100644
--- a/src/Composer/Package/CompletePackage.php
+++ b/src/Composer/Package/CompletePackage.php
@@ -33,7 +33,7 @@ class CompletePackage extends Package implements CompletePackageInterface
 protected $homepage = null;
 /** @var array Map of script name to array of handlers */
 protected $scripts = [];
- /** @var array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string} */
+ /** @var array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string} */
 protected $support = [];
 /** @var array */
 protected $funding = [];
diff --git a/src/Composer/Package/CompletePackageInterface.php b/src/Composer/Package/CompletePackageInterface.php
index b24a0f9fc..e4db57d42 100644
--- a/src/Composer/Package/CompletePackageInterface.php
+++ b/src/Composer/Package/CompletePackageInterface.php
@@ -118,14 +118,14 @@ interface CompletePackageInterface extends PackageInterface
 /**
 * Returns the support information
 *
- * @return array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string}
+ * @return array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string}
 */
 public function getSupport(): array;
 /**
 * Set the support information
 *
- * @param array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string} $support
+ * @param array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string} $support
 */
 public function setSupport(array $support): void;
diff --git a/src/Composer/Package/Loader/ValidatingArrayLoader.php b/src/Composer/Package/Loader/ValidatingArrayLoader.php
index 396ab23ae..dc50a84d0 100644
--- a/src/Composer/Package/Loader/ValidatingArrayLoader.php
+++ b/src/Composer/Package/Loader/ValidatingArrayLoader.php
@@ -191,7 +191,7 @@ class ValidatingArrayLoader implements LoaderInterface
 }
 if ($this->validateArray('support') && !empty($this->config['support'])) {
- foreach (['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat'] as $key) {
+ foreach (['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat', 'security'] as $key) {
 if (isset($this->config['support'][$key]) && !is_string($this->config['support'][$key])) {
 $this->errors[] = 'support.'.$key.' : invalid value, must be a string';
 unset($this->config['support'][$key]);
@@ -208,7 +208,7 @@ class ValidatingArrayLoader implements LoaderInterface
 unset($this->config['support']['irc']);
 }
- foreach (['issues', 'forum', 'wiki', 'source', 'docs', 'chat'] as $key) {
+ foreach (['issues', 'forum', 'wiki', 'source', 'docs', 'chat', 'security'] as $key) {
 if (isset($this->config['support'][$key]) && !$this->filterUrl($this->config['support'][$key])) {
 $this->warnings[] = 'support.'.$key.' : invalid value ('.$this->config['support'][$key].'), must be an http/https URL';
 unset($this->config['support'][$key]);
diff --git a/tests/Composer/Test/Package/Loader/ValidatingArrayLoaderTest.php b/tests/Composer/Test/Package/Loader/ValidatingArrayLoaderTest.php
index 39fb14d3b..43a474997 100644
--- a/tests/Composer/Test/Package/Loader/ValidatingArrayLoaderTest.php
+++ b/tests/Composer/Test/Package/Loader/ValidatingArrayLoaderTest.php
@@ -74,6 +74,7 @@ class ValidatingArrayLoaderTest extends TestCase
 'irc' => 'irc://example.org/example',
 'rss' => 'http://example.org/rss',
 'chat' => 'http://example.org/chat',
+ 'security' => 'https://example.org/security',
 ],
 'funding' => [
 [
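Review bot: The `security` key is appended to two separately maintained key lists here (the `is_string` loop in the first ValidatingArrayLoader hunk and the `filterUrl` loop in the second), and the same key set is repeated again in the docblocks of CompletePackage and CompletePackageInterface and in composer-schema.json, so the next support key needs five coordinated edits and the two loops can silently drift apart. A `private const SUPPORT_KEYS = ['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat', 'security'];` on this class, with the URL-checked subset derived as `array_diff(self::SUPPORT_KEYS, ['email', 'irc', 'rss'])`, would keep the loops in step. The second loop only guarantees an http/https scheme (presumably what `filterUrl` checks, as the warning text states); since the `security` URL is the path a reporter follows to find the disclosure channel, it may be worth a dedicated warning when it is plain `http://`, so the policy page is not exposed to alteration in transit the way the other support links tolerate. Both loops sit inside a method whose start and end lie outside the hunks.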
@@ -449,6 +450,7 @@ class ValidatingArrayLoaderTest extends TestCase
 'issues' => 'foo:bar',
 'wiki' => 'foo:bar',
 'chat' => 'foo:bar',
+ 'security' => 'foo:bar',
 ],
 ],
 [
@@ -457,6 +459,7 @@ class ValidatingArrayLoaderTest extends TestCase
 'support.issues : invalid value (foo:bar), must be an http/https URL',
 'support.wiki : invalid value (foo:bar), must be an http/https URL',
 'support.chat : invalid value (foo:bar), must be an http/https URL',
+ 'support.security : invalid value (foo:bar), must be an http/https URL',
 ],
 ],
 [
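Review bot: The new invalid-value dataset exercises only the URL branch for `security`; the `must be a string` error that the loader now emits for this key has no matching expectation here, unless a dataset outside these hunks already covers the non-string case for every support key. Adding a `'security'` entry holding an array value to that dataset, with `'support.security : invalid value, must be a string'` in the expected errors, would pin the first loader hunk as well. Both hunks are inside a data-provider method that begins and ends outside the diff.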