
Perform audit on Composer and its dependencies during diagnose, fixes #11216 (#11761)

pull/11785/head
Jordi Boggiano 2024-01-04 10:55:59 +01:00 committed by GitHub
parent 8e62977cb5
commit efe6e44883
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 55 additions and 1 deletions


@ -12,14 +12,23 @@
namespace Composer\Command; namespace Composer\Command;
use Composer\Advisory\Auditor;
use Composer\Composer; use Composer\Composer;
use Composer\Factory; use Composer\Factory;
use Composer\Config; use Composer\Config;
use Composer\Downloader\TransportException; use Composer\Downloader\TransportException;
use Composer\IO\BufferIO;
use Composer\Json\JsonFile;
use Composer\Package\RootPackage;
use Composer\Package\Version\VersionParser;
use Composer\Pcre\Preg; use Composer\Pcre\Preg;
use Composer\Repository\ComposerRepository;
use Composer\Repository\FilesystemRepository;
use Composer\Repository\PlatformRepository; use Composer\Repository\PlatformRepository;
use Composer\Plugin\CommandEvent; use Composer\Plugin\CommandEvent;
use Composer\Plugin\PluginEvents; use Composer\Plugin\PluginEvents;
use Composer\Repository\RepositorySet;
use Composer\Repository\RootPackageRepository;
use Composer\Util\ConfigValidator; use Composer\Util\ConfigValidator;
use Composer\Util\Git; use Composer\Util\Git;
use Composer\Util\IniHelper; use Composer\Util\IniHelper;
@ -153,10 +162,13 @@ EOT
$io->write('Checking pubkeys: ', false); $io->write('Checking pubkeys: ', false);
$this->outputResult($this->checkPubKeys($config)); $this->outputResult($this->checkPubKeys($config));
$io->write('Checking composer version: ', false); $io->write('Checking Composer version: ', false);
$this->outputResult($this->checkVersion($config)); $this->outputResult($this->checkVersion($config));
} }
$io->write('Checking Composer and its dependencies for vulnerabilities: ', false);
$this->outputResult($this->checkComposerAudit($config));
$io->write(sprintf('Composer version: <comment>%s</comment>', Composer::getVersion())); $io->write(sprintf('Composer version: <comment>%s</comment>', Composer::getVersion()));
$platformOverrides = $config->get('platform') ?: []; $platformOverrides = $config->get('platform') ?: [];
@ -438,6 +450,48 @@ EOT
return true; return true;
} }
/**
* @return string|true
*/
private function checkComposerAudit(Config $config)
{
$result = $this->checkConnectivityAndComposerNetworkHttpEnablement();
if ($result !== true) {
return $result;
}
$auditor = new Auditor();
$repoSet = new RepositorySet();
$installedJson = new JsonFile(__DIR__ . '/../../../vendor/composer/installed.json');
if (!$installedJson->exists()) {
return '<warning>Could not find Composer\'s installed.json, this must be a non-standard Composer installation.</>';
}
$localRepo = new FilesystemRepository($installedJson);
$version = Composer::getVersion();
$packages = $localRepo->getCanonicalPackages();
if ($version !== '@package_version@') {
$versionParser = new VersionParser();
$normalizedVersion = $versionParser->normalize($version);
$rootPkg = new RootPackage('composer/composer', $normalizedVersion, $version);
$packages[] = $rootPkg;
}
$repoSet->addRepository(new ComposerRepository(['type' => 'composer', 'url' => 'https://packagist.org'], new NullIO(), $config, $this->httpDownloader));
try {
$io = new BufferIO();
$result = $auditor->audit($io, $repoSet, $packages, Auditor::FORMAT_TABLE, true, [], Auditor::ABANDONED_IGNORE);
} catch (\Throwable $e) {
return '<warning>Failed performing audit: '.$e->getMessage().'</>';
}
if ($result > 0) {
return '<error>Audit found some issues:</>' . PHP_EOL . $io->getOutput();
}
return true;
}
private function getCurlVersion(): string private function getCurlVersion(): string
{ {
if (extension_loaded('curl')) { if (extension_loaded('curl')) {
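Review bot: checkComposerAudit always queries the hard-coded `https://packagist.org` repository and passes an empty ignore list, so the user's `audit.ignore` settings and any repository overrides (mirrors, Packagist disabled in air-gapped setups) are not applied here; if that is deliberate because composer/composer's own advisories only live on Packagist, say so in a comment such as `// Always use packagist.org: this audits Composer's own dependencies, not the project's, so repository/audit config is intentionally not applied`. The `$result` local is reused with two different types (string|true from the connectivity check, then the value returned by `audit()`), and `$result > 0` assumes that return is an advisory count; a separate `$advisoryCount` would make the intent explicit and help static analysis. When the version is `'@package_version@'`, composer/composer itself is silently left out of the audited set, so a source-checkout user only gets their dependencies checked; consider noting that in a comment or in the output. `NullIO` is used but is not among the imports shown in the first hunk — presumably it is imported further down the existing `use` list, which is outside this view.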