Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add audit command to check for security issues
- Loading branch information
1 parent
556450b
commit e86620b
Showing
12 changed files
with
294 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
<?php | ||
|
||
namespace Composer\Command; | ||
|
||
use Symfony\Component\Console\Input\InputInterface; | ||
use Symfony\Component\Console\Output\OutputInterface; | ||
use Composer\Factory; | ||
use Composer\Util\Auditor; | ||
use Composer\Util\Filesystem; | ||
use Symfony\Component\Console\Input\InputOption; | ||
|
||
class AuditCommand extends BaseCommand | ||
{ | ||
protected function configure() | ||
{ | ||
$this | ||
->setName('audit') | ||
->setDescription('Checks for security vulnerability advisories for packages in your composer.lock.') | ||
->setDefinition(array( | ||
new InputOption('no-dev', null, InputOption::VALUE_NONE, 'Disables auditing of require-dev packages.'), | ||
)) | ||
->setHelp( | ||
<<<EOT | ||
The <info>audit</info> command checks for security vulnerability advisories for packages in your composer.lock. | ||
If you do not want to include dev dependencies in the audit you can omit them with --no-dev | ||
Read more at https://getcomposer.org/doc/03-cli.md#audit | ||
EOT | ||
) | ||
; | ||
} | ||
|
||
protected function execute(InputInterface $input, OutputInterface $output) | ||
{ | ||
$lockFile = Factory::getLockFile(Factory::getComposerFile()); | ||
if (!Filesystem::isReadable($lockFile)) { | ||
$this->getIO()->writeError('<error>' . $lockFile . ' is not readable.</error>'); | ||
return 1; | ||
} | ||
|
||
$composer = $this->requireComposer($input->getOption('no-plugins'), $input->getOption('no-scripts')); | ||
$locker = $composer->getLocker(); | ||
$packages = $locker->getLockedRepository(!$input->getOption('no-dev'))->getPackages(); | ||
$httpDownloader = Factory::createHttpDownloader($this->getIO(), $composer->getConfig()); | ||
|
||
return Auditor::audit($this->getIO(), $httpDownloader, $packages, false); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,107 @@ | ||
<?php | ||
|
||
namespace Composer\Util; | ||
|
||
use Composer\IO\IOInterface; | ||
use Composer\Package\BasePackage; | ||
use Composer\Semver\Semver; | ||
use InvalidArgumentException; | ||
|
||
class Auditor | ||
{ | ||
public const API_URL = 'https://packagist.org/api/security-advisories/'; | ||
|
||
/** | ||
* @param IOInterface $io | ||
* @param HttpDownloader $httpDownloader | ||
* @param BasePackage[] $packages | ||
* @param bool $warningOnly If true, outputs a warning. If false, outputs an error. | ||
* @return int | ||
* @throws InvalidArgumentException if no packages are passed in | ||
*/ | ||
public static function audit(IOInterface $io, HttpDownloader $httpDownloader, array $packages, bool $warningOnly = true): int | ||
{ | ||
$advisories = static::getAdvisories($httpDownloader, $packages); | ||
$format = $warningOnly ? 'warning' : 'error'; | ||
if (!empty($advisories)) { | ||
$error = ["<$format>Found the following security vulnerability advisories:"]; | ||
foreach ($advisories as $package => $packageAdvisories) { | ||
$error[] = "$package:"; | ||
foreach ($packageAdvisories as $advisory) { | ||
$cve = $advisory['cve'] ?: 'NO CVE'; | ||
$error[] = "\t{$cve}"; | ||
$error[] = "\t\tTitle: {$advisory['title']}"; | ||
$error[] = "\t\tURL: {$advisory['link']}"; | ||
$error[] = "\t\tAffected versions: {$advisory['affectedVersions']}"; | ||
$error[] = "\t\tReported on: {$advisory['reportedAt']}"; | ||
} | ||
} | ||
$error[] = "</$format>"; | ||
$io->writeError($error); | ||
return 1; | ||
} | ||
$io->writeError('<info>No issues found</info>'); | ||
return 0; | ||
} | ||
|
||
/** | ||
* Get advisories from packagist.org that match the package versions | ||
* | ||
* @param HttpDownloader $httpDownloader | ||
* @param BasePackage[] $packages | ||
* @param ?int $updatedSince Timestamp | ||
* @param bool $filterByVersion If true, don't filter by the package versions | ||
* @return string[][][] | ||
* @throws InvalidArgumentException if no packages are passed in | ||
*/ | ||
public static function getAdvisories( | ||
HttpDownloader $httpDownloader, | ||
array $packages, | ||
int $updatedSince = null, | ||
bool $filterByVersion = false | ||
): array | ||
{ | ||
if (empty($packages)) { | ||
throw new InvalidArgumentException('At least one package must be passed in.'); | ||
} | ||
|
||
// Get advisories for the given packages | ||
$body = ['packages' => []]; | ||
foreach ($packages as $package) { | ||
$body['packages'][] = $package->getName(); | ||
} | ||
|
||
// Add updatedSince if passed in | ||
if ($updatedSince !== null) { | ||
$body['updatedSince'] = $updatedSince; | ||
} | ||
|
||
// Get API response | ||
$response = $httpDownloader->get(static::API_URL, [ | ||
'http' => [ | ||
'method' => 'POST', | ||
'header' => ['Content-type: application/x-www-form-urlencoded'], | ||
'content' => http_build_query($body), | ||
'timeout' => 3, | ||
], | ||
]); | ||
$advisories = $response->decodeJson()['advisories']; | ||
|
||
if (!$filterByVersion) { | ||
// Filter out any advisories that aren't relevant for these package versions | ||
$relevantAdvisories = []; | ||
foreach ($packages as $package) { | ||
if (array_key_exists($package->getName(), $advisories)) { | ||
foreach ($advisories[$package->getName()] as $advisory) { | ||
if (Semver::satisfies($package->getVersion(), $advisory['affectedVersions'])) { | ||
$relevantAdvisories[$package->getName()][] = $advisory; | ||
} | ||
} | ||
} | ||
} | ||
return $relevantAdvisories; | ||
} | ||
|
||
return $advisories; | ||
} | ||
} |
Oops, something went wrong.