Add audit command to check for security issues #10798
Conversation
Well, one thing you could do is splitting the list of packages into batches (the batch size should be chosen based on the supported size for the Packagist API) and send multiple requests. Thanks to the parallelization support in Composer 2+, you can even send those requests in parallel.
That's a good idea - I couldn't find any information about what the limit actually is but I'll have another look, and failing that I can always do some trial and error to find it. Bonus points for anyone who can point me in the right direction or who already knows what the limit is. Edit: apparently the API supports POST requests - I'll experiment a bit and see if I can get that to work, cause it's likely POST requests have a much higher limit.
Yes IMO putting the package list in the POST body will fix this as this is AFAIK not size limited at all, unlike URL length which has limits in various places.
Currently blocked because the packagist API returns a 404 error on POST requests. I've created an issue for it under composer/packagist#1309 Edit: It does if I do things correctly. :P Not blocked anymore.
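The batching and POST-body approach settled on above, as an added example that is not Composer's or Packagist's own code: it splits a lock file's package list into batches, encodes each batch as a form body for the packagist.org security-advisories endpoint, and matches an advisory response against the installed versions. The endpoint path, the `packages[]` form field, the response layout, the batch size and the sample packages and advisories are constructed assumptions; no request is actually sent.

```python
import re
from urllib.parse import urlencode

API_URL = "https://packagist.org/api/security-advisories/"  # assumed endpoint
BATCH_SIZE = 2  # assumed; tiny here so the demo produces more than one batch

# Constructed stand-in for the "packages" section of a composer.lock file.
LOCK_PACKAGES = [
    {"name": "acme/logger", "version": "1.2.0"},
    {"name": "acme/http", "version": "3.0.1"},
    {"name": "acme/orm", "version": "2.5.0"},
]

# Constructed stand-in for the API's JSON response (layout is an assumption).
ADVISORY_RESPONSE = {"advisories": {
    "acme/logger": [{"advisoryId": "CONSTRUCTED-ADV-1", "title": "Log injection",
                     "affectedVersions": ">=1.0,<1.2.5"}],
    "acme/http": [{"advisoryId": "CONSTRUCTED-ADV-2", "title": "Header smuggling",
                   "affectedVersions": ">=2.0,<2.1.3|>=3.0,<3.0.1"}],
}}

def post_bodies(names, batch_size=BATCH_SIZE):
    """Split package names into batches; encode each as a POST body of packages[]=... fields."""
    return [urlencode([("packages[]", n) for n in names[i:i + batch_size]])
            for i in range(0, len(names), batch_size)]

def _vtuple(v):
    # Simplified: numeric dotted versions only, optional leading "v"; no stability suffixes.
    return tuple(int(x) for x in re.sub(r"^v", "", v).split("."))

def affected(version, constraint):
    """True if version satisfies a Composer-style constraint: ',' joins ANDs, '|' joins ORs."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}
    for alt in constraint.split("|"):
        ok = True
        for part in filter(None, (p.strip() for p in alt.split(","))):
            m = re.match(r"(>=|<=|>|<|=)?\s*(\S+)$", part)
            op, ver = m.group(1) or "=", m.group(2)
            ok = ok and ops[op](_vtuple(version), _vtuple(ver))
        if ok:
            return True
    return False

def audit(lock_packages, response):
    """Return (name, installed version, advisoryId) for every installed version that is affected."""
    hits = []
    for pkg in lock_packages:
        for adv in response["advisories"].get(pkg["name"], []):
            if affected(pkg["version"], adv["affectedVersions"]):
                hits.append((pkg["name"], pkg["version"], adv["advisoryId"]))
    return hits
```

In a real run, each string from `post_bodies()` would be sent as the body of one POST to `API_URL` (in parallel if the HTTP client supports it) and the merged responses passed to `audit()`.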
The basic functionality is working now - any review on the I'm especially eager for feedback on the UX - I'm aware that the current output is probably not ideal, but I'm not sure how it should look. The parent issue references
It looks like there's some PHPStan issues as well - to be honest I don't understand what I need to do to resolve those. A lot of the errors are saying the new command doesn't define some options... but it doesn't need those options.
I've resolved some of the PHPStan issues. The ones that I think are false alarms I've tried to add to the baseline, but it doesn't seem to have taken. There are a couple of PHPStan issues there as well which are unrelated to this PR.
This is consistent with the return value of all the other setX() methods in this class.
For the output format could JSON Text be another variant? I've seen there is a table, so perhaps some very straight forward JSON Array of JSON Objects could be nice to pass along to further (automated) processing.
@ktomk At this stage I'd just be keen to see the feature merged - that sounds like an enhancement that can be added after the fact quite easily if there is real world use for it. I'd be quite happy for someone to create a follow-up PR with that format if there is a need for it but it's not something I want to add to this PR right now.
Thanks, looking good I think now, a couple of typos/nitpicks and then it's mergeable I think.
Requested changes have been made.
Tests fixed - there is one failure there but I think it's unrelated to this PR.
Awesome, thank you!
The more I think of it the more I think we can't really extract this, as it'll probably need to be integrated deeper into the Repository code than it is now. I think the better way would be to publish a packagist.org API client library really, that would be completely separate from Composer, and would not require Package objects or anything to function. |
That's fair. I'd be happy to help develop such a library with as much or as little guidance as you want to provide. While I could implement such a library in some arbitrary repo it makes sense to me that there would be such a repository under the composer organisation which people can just add to their dependencies when and as they need it.
You mean something like https://packagist.org/packages/knplabs/packagist-api ?
Ah yes there's that, then maybe worth sending a PR there porting the Auditor querying bits @GuySartorelli if you feel like it?
I'll take a look - I wasn't aware of that package. Still doesn't feel as appropriate as having one in GitHub.com/composer but I won't push for that if the appetite for creating it isn't here 😅
I created a follow-up PR for the json format here: #10965
Closes #10329
Description
Adds an audit command which checks for security vulnerability advisories for installed packages using the API on packagist.org.
Also adds optional auditing (on by default) to the following commands:
- create-project
- update
- install
- require
- remove
Table output (default)
Plain output
Things the audit command does not do:
- ... `vendor` dir match what `composer.lock` says they should be
- ... `composer.json` file
Out of scope, but would be a good future enhancement
A `--no-insecure` (or `--allow-insecure`) flag could be added to `update` and `require`. This could use `Auditor` to take versions with advisories out of the version candidate pool, so that you can't accidentally update to or require an insecure version of a package.
Things I'm unsure about