Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add audit command to check for security issues
- Loading branch information
1 parent
f1f013e
commit 577d350
Showing
11 changed files
with
241 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
<?php | ||
|
||
namespace Composer\Command; | ||
|
||
use Symfony\Component\Console\Input\InputInterface; | ||
use Symfony\Component\Console\Output\OutputInterface; | ||
use Composer\Factory; | ||
use Composer\Util\Auditor; | ||
use Composer\Util\Filesystem; | ||
use Symfony\Component\Console\Input\InputOption; | ||
|
||
class AuditCommand extends InitCommand | ||
{ | ||
protected function configure() | ||
{ | ||
$this | ||
->setName('audit') | ||
->setDescription('Checks for security vulnerability advisories for packages in your composer.lock.') | ||
->setDefinition(array( | ||
new InputOption('no-dev', null, InputOption::VALUE_NONE, 'Disables auditing of require-dev packages.'), | ||
)) | ||
->setHelp( | ||
<<<EOT | ||
The <info>audit</info> command checks for security vulnerability advisories for packages in your composer.lock. | ||
If you do not want to include dev dependencies in the audit you can omit them with --no-dev | ||
Read more at https://getcomposer.org/doc/03-cli.md#audit | ||
EOT | ||
) | ||
; | ||
} | ||
|
||
protected function execute(InputInterface $input, OutputInterface $output) | ||
{ | ||
$lockFile = Factory::getLockFile(Factory::getComposerFile()); | ||
if (!Filesystem::isReadable($lockFile)) { | ||
$this->getIO()->writeError('<error>' . $lockFile . ' is not readable.</error>'); | ||
return 1; | ||
} | ||
|
||
$composer = $this->requireComposer($input->getOption('no-plugins'), $input->getOption('no-scripts')); | ||
$locker = $composer->getLocker(); | ||
$packages = $locker->getLockedRepository(!$input->getOption('no-dev'))->getPackages(); | ||
$httpDownloader = Factory::createHttpDownloader($this->getIO(), $composer->getConfig()); | ||
|
||
return Auditor::audit($this->getIO(), $packages, $httpDownloader, false); | ||
} | ||
|
||
protected function interact(InputInterface $input, OutputInterface $output) | ||
{ | ||
return; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
<?php | ||
|
||
namespace Composer\Util; | ||
|
||
use Composer\IO\IOInterface; | ||
use Composer\Package\BasePackage; | ||
use Composer\Semver\Semver; | ||
|
||
class Auditor | ||
{ | ||
public const API_URL = 'https://packagist.org/api/security-advisories/'; | ||
|
||
/** | ||
* @param BasePackage[] $packages | ||
* @param HttpDownloader $httpDownloader | ||
* @param bool $warningOnly If true, outputs a warning. If false, outputs an error. | ||
* @return int | ||
*/ | ||
public static function audit(IOInterface $io, array $packages, HttpDownloader $httpDownloader, bool $warningOnly = true): int | ||
{ | ||
$allAdvisories = static::getAdvisories($packages, $httpDownloader); | ||
$format = $warningOnly ? 'warning' : 'error'; | ||
if (!empty($allAdvisories)) { | ||
$error = ["<$format>Found the following security vulnerability advisories:"]; | ||
foreach ($allAdvisories as $package => $advisories) { | ||
$error[] = "$package:"; | ||
foreach ($advisories as $advisory) { | ||
$cve = $advisory['cve'] ?: 'NO CVE'; | ||
$error[] = "\t{$cve}"; | ||
$error[] = "\t\tTitle: {$advisory['title']}"; | ||
$error[] = "\t\tURL: {$advisory['link']}"; | ||
$error[] = "\t\tAffected versions: {$advisory['affectedVersions']}"; | ||
$error[] = "\t\tReported on: {$advisory['reportedAt']}"; | ||
} | ||
} | ||
$error[] = "</$format>"; | ||
$io->writeError($error); | ||
return 1; | ||
} | ||
$io->writeError('<info>No issues found</info>'); | ||
return 0; | ||
} | ||
|
||
/** | ||
* Get advisories from packagist.org that match the package versions | ||
* | ||
* @param BasePackage[] $packages | ||
* @param HttpDownloader $httpDownloader | ||
* @param bool $allAdvisories If true, don't filter by the package versions | ||
* @return array | ||
*/ | ||
public static function getAdvisories(array $packages, HttpDownloader $httpDownloader, bool $allAdvisories = false): array | ||
{ | ||
// Get advisories for the given packages | ||
$packageNames = []; | ||
foreach ($packages as $package) { | ||
$packageNames[] = $package->getName(); | ||
} | ||
$response = $httpDownloader->get(static::API_URL, [ | ||
'http' => [ | ||
'method' => 'POST', | ||
'header' => ['Content-type: application/x-www-form-urlencoded'], | ||
'content' => http_build_query(['packages' => $packageNames]), | ||
'timeout' => 3, | ||
], | ||
]); | ||
$advisories = $response->decodeJson()['advisories']; | ||
|
||
if (!$allAdvisories) { | ||
// Filter out any advisories that aren't relevant for these package versions | ||
$relevantAdvisories = []; | ||
foreach ($packages as $package) { | ||
if (array_key_exists($package->getName(), $advisories)) { | ||
foreach ($advisories[$package->getName()] as $advisory) { | ||
if (Semver::satisfies($package->getVersion(), $advisory['affectedVersions'])) { | ||
$relevantAdvisories[$package->getName()][] = $advisory; | ||
} | ||
} | ||
} | ||
} | ||
return $relevantAdvisories; | ||
} | ||
|
||
return $advisories; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
<?php | ||
|
||
namespace Composer\Test\Util; | ||
|
||
use Composer\IO\IOInterface; | ||
use Composer\Test\TestCase; | ||
|
||
class AuditorTest extends TestCase | ||
{ | ||
/** @var \Composer\IO\IOInterface&\PHPUnit\Framework\MockObject\MockObject */ | ||
private $io; | ||
|
||
protected function setUp(): void | ||
{ | ||
$this->io = $this | ||
->getMockBuilder('Composer\IO\IOInterface') | ||
->disableOriginalConstructor() | ||
->getMock(); | ||
} | ||
|
||
public function auditProvider() | ||
{ | ||
return array( | ||
array( | ||
'some value', | ||
'some other value', | ||
), | ||
array( | ||
'some value', | ||
'some other value', | ||
), | ||
); | ||
} | ||
|
||
/** | ||
* @dataProvider auditProvider | ||
*/ | ||
public function testAudit(string $value1, string $value2) | ||
{ | ||
Auditor::audit($this->io, $packages, $this->httpProvider); | ||
} | ||
|
||
/** | ||
* @dataProvider auditProvider | ||
*/ | ||
public function testGetAdvisories(string $value1, string $value2) | ||
{ | ||
Auditor::getAdvisories($packages, $this->httpProvider); | ||
} | ||
} |