From e0f75276a2a42c9fc2c3e2d734593f759e7e6675 Mon Sep 17 00:00:00 2001
From: Jordi Boggiano
Date: Mon, 18 Dec 2023 15:01:58 +0100
Subject: [PATCH] Switch default audit.abandoned to fail for 2.7 release
---
 src/Composer/Advisory/Auditor.php | 6 +-----
 src/Composer/Command/AuditCommand.php | 2 +-
 src/Composer/Config.php | 2 +-
 src/Composer/Installer.php | 2 +-
 4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/src/Composer/Advisory/Auditor.php b/src/Composer/Advisory/Auditor.php
index 00ac610e6..6ca3d8102 100644
--- a/src/Composer/Advisory/Auditor.php
+++ b/src/Composer/Advisory/Auditor.php
@@ -56,12 +56,8 @@ class Auditor
 * @return int Amount of packages with vulnerabilities found
 * @throws InvalidArgumentException If no packages are passed in
 */
- public function audit(IOInterface $io, RepositorySet $repoSet, array $packages, string $format, bool $warningOnly = true, array $ignoreList = [], string $abandoned = self::ABANDONED_REPORT): int
+ public function audit(IOInterface $io, RepositorySet $repoSet, array $packages, string $format, bool $warningOnly = true, array $ignoreList = [], string $abandoned = self::ABANDONED_FAIL): int
 {
- if ($abandoned === 'default' && $format !== self::FORMAT_SUMMARY) {
- $io->writeError('The new audit.abandoned setting (currently defaulting to "report" will default to "fail" in Composer 2.7, make sure to set it to "report" or "ignore" explicitly by then if you do not want this.');
- }
-
 $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packages, $format === self::FORMAT_SUMMARY);
 // we need the CVE & remote IDs set to filter ignores correctly so if we have any matches using the optimized codepath above
 // and ignores are set then we need to query again the full data to make sure it can be filtered
diff --git a/src/Composer/Command/AuditCommand.php b/src/Composer/Command/AuditCommand.php
index f2abfaeca..1097bb7af 100644
--- a/src/Composer/Command/AuditCommand.php
+++ b/src/Composer/Command/AuditCommand.php
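Review bot: Dropping the `'default'` branch at the top of audit() leaves no handling of that literal in the visible code, yet it was the value Config.php shipped until this commit and may still sit in a user's persisted config; how the remainder of audit() (outside this hunk) treats a string that is none of the three constants is not visible here, and if it falls through to report behaviour, such a config would silently keep the old default while fresh setups get fail. Consider rejecting unknown values up front with `if (!in_array($abandoned, [self::ABANDONED_IGNORE, self::ABANDONED_REPORT, self::ABANDONED_FAIL], true)) {` / `throw new InvalidArgumentException('Invalid audit.abandoned value: '.$abandoned);` / `}` and extending the `@throws InvalidArgumentException` line above to cover it. The `@return int Amount of packages with vulnerabilities found` line also looks stale if abandoned packages now contribute to the returned count under the fail default; confirm against the rest of the method, which continues past the hunk.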
@@ -65,7 +65,7 @@ EOT
 $auditConfig = $composer->getConfig()->get('audit');
- return min(255, $auditor->audit($this->getIO(), $repoSet, $packages, $this->getAuditFormat($input, 'format'), false, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_REPORT));
+ return min(255, $auditor->audit($this->getIO(), $repoSet, $packages, $this->getAuditFormat($input, 'format'), false, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_FAIL));
 }
 /**
diff --git a/src/Composer/Config.php b/src/Composer/Config.php
index 1ad622692..9296467f4 100644
--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -38,7 +38,7 @@ class Config
 'allow-plugins' => [],
 'use-parent-dir' => 'prompt',
 'preferred-install' => 'dist',
- 'audit' => ['ignore' => [], 'abandoned' => 'default'], // TODO in 2.7 switch to ABANDONED_FAIL
+ 'audit' => ['ignore' => [], 'abandoned' => Auditor::ABANDONED_FAIL],
 'notify-on-install' => true,
 'github-protocols' => ['https', 'ssh', 'git'],
 'gitlab-protocol' => null,
diff --git a/src/Composer/Installer.php b/src/Composer/Installer.php
index 0efbcd6f3..d974f8c29 100644
--- a/src/Composer/Installer.php
+++ b/src/Composer/Installer.php
@@ -419,7 +419,7 @@ class Installer
 $auditConfig = $this->config->get('audit');
- return $auditor->audit($this->io, $repoSet, $packages, $this->auditFormat, true, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_REPORT) > 0 && $this->errorOnAudit ? self::ERROR_AUDIT_FAILED : 0;
+ return $auditor->audit($this->io, $repoSet, $packages, $this->auditFormat, true, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_FAIL) > 0 && $this->errorOnAudit ? self::ERROR_AUDIT_FAILED : 0;
 } catch (TransportException $e) {
 $this->io->error('Failed to audit '.$target.' packages.');
 if ($this->io->isVerbose()) {
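Review bot: The `?? Auditor::ABANDONED_FAIL` fallback on the changed return line restates a default that this same commit also puts into Config.php and into audit()'s own parameter default, so the effective setting now lives in several places that must move together; the Installer.php hunk below repeats the same pattern. Because `$auditConfig` comes from `getConfig()->get('audit')`, the fallback can only take effect when a user config supplies an `audit` block without the `abandoned` key, and whether Config's merge already fills that in is not visible here; if it does, dropping the `?? Auditor::ABANDONED_FAIL` in both call sites leaves one source of truth. Nothing on these lines checks the user-supplied string against the three known values before handing it to audit(), so an unrecognised value is passed straight through. The enclosing method begins outside the hunk.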
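Review bot: The new `'abandoned' => Auditor::ABANDONED_FAIL` entry references the class unqualified inside a static defaults array, and the diffstat shows only one line changed in Config.php, so it relies on a `use Composer\Advisory\Auditor;` already present above the hunk; worth confirming, since a bad class reference in a constant initializer only surfaces when the array is first evaluated. It also makes the Config layer depend on the Advisory package for what is a plain string; if that coupling is unwanted, `'abandoned' => 'fail', // Auditor::ABANDONED_FAIL` keeps the defaults self-contained while still pointing readers at the canonical constant. The defaults array starts and ends outside the hunk.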