
Exclude and packagist.org set to false not working with composer audit. #11281

Closed
krowinski opened this issue Jan 25, 2023 · 2 comments

@krowinski

My composer.json:

{
    "name": "krowinski/sec-test",
    "require": {
        "czproject/git-php": "3.0"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://repo.packagist.com/foo",
            "exclude": []
        },
        {
            "packagist.org": false
        }
    ]
}

*foo -> I replaced with fake data

Output of composer diagnose:

Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
require.czproject/git-php : exact version constraints (3.0) should be avoided if the package follows semantic versioning
Checking platform settings: OK
Checking git settings: OK git version 2.37.1
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking composer version: OK
Composer version: 2.5.1
PHP version: 8.2.0
PHP binary path: /opt/homebrew/Cellar/php/8.2.0/bin/php
OpenSSL version: OpenSSL 1.1.1s  1 Nov 2022
cURL version: 7.87.0 libz 1.2.11 ssl (SecureTransport) OpenSSL/1.1.1s
zip: extension present, unzip present, 7-Zip not available

When I run this command: composer audit -vvv

Running 2.5.1 (2022-12-22 15:33:54) with PHP 8.2.0 on Darwin / 21.6.0
Reading ./composer.json (***composer.json)
Loading config file ***config.json
Loading config file ***auth.json
Loading auth config from COMPOSER_AUTH
Loading config file ./composer.json (***composer.json)
Checked CA file ***: valid
Executing command (***): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (***): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (***): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (***): hg branch
Executing command (***): fossil branch list
Executing command (***): fossil tag list
Executing command (***): svn info --xml
Failed to initialize global composer: Composer could not find the config file: ***/composer.json

Reading ./composer.lock (***/composer.lock)
Reading ***/installed.json

** * -> removed my paths

I get the following output:

No security vulnerability advisories found

And I expected this to happen:

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | czproject/git-php                                                                |
| CVE               | CVE-2022-25866                                                                   |
| Title             | Command injection in czproject/git-php                                           |
| URL               | https://github.com/advisories/GHSA-3xpw-vhmv-cw7h                                |
| Affected versions | <4.0.3                                                                           |
| Reported at       | 2022-04-26T00:00:35+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

When I remove "exclude": [] from "repositories" in composer.json it works as intended: I get the vulnerability.

{
    "name": "krowinski/sec-test",
    "require": {
        "czproject/git-php": "3.0"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://repo.packagist.com/foo"
        },
        {
            "packagist.org": false
        }
    ]
}

Of course, in exclude I have some projects, so I need this; in this example I just left it empty to prove the point.

Also, on audit -vvv I see that it is downloading security-advisories:

Downloading https://repo.packagist.com/foo/security-advisories/
[200] https://repo.packagist.com/foo/security-advisories/
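The report above describes a specific repository layout (a "composer" repository carrying an "exclude" filter, plus "packagist.org": false) under which composer audit on Composer 2.5.1 returns "No security vulnerability advisories found" even though an advisory exists. The following is an added example, not code from the issue or from Composer itself: a small Python check that a CI job can run over composer.json so that an empty audit result on an affected Composer version is treated as "unknown" rather than "clean". It assumes that the sibling "only" filter goes through the same repository wrapper as "exclude" (the issue only reports "exclude"), and since the issue does not name the release that carries the fix, the set of affected versions is a placeholder holding the version from the report that you should adjust for your environment.

```python
"""
Added example (not from the issue or from Composer): detect the composer.json
repository layout reported in the issue, where a filtered "composer" repository
is combined with "packagist.org": false, so an empty `composer audit` on an
affected Composer version can be flagged for review instead of passing CI.
"""
import json
from dataclasses import dataclass, field

# Assumption: only the version seen in the report is listed. The issue does not
# name the fixed release, so extend this set to match your own environment.
AFFECTED_COMPOSER_VERSIONS = {"2.5.1"}


@dataclass
class AuditFilterFinding:
    """What was found in the "repositories" section of a composer.json."""
    filtered_repos: list = field(default_factory=list)   # URLs of filtered composer repos
    packagist_disabled: bool = False                     # "packagist.org": false present

    @property
    def audit_may_be_silent(self) -> bool:
        # Both conditions from the report must hold for the empty-audit case.
        return bool(self.filtered_repos) and self.packagist_disabled


def inspect_repositories(composer_json: str) -> AuditFilterFinding:
    """Parse composer.json text and look for filtered repos and a disabled packagist.org."""
    cfg = json.loads(composer_json)
    finding = AuditFilterFinding()
    repos = cfg.get("repositories", [])

    if isinstance(repos, dict):
        # Object form: {"packagist.org": false, "some-name": {...}}
        if repos.get("packagist.org") is False:
            finding.packagist_disabled = True
        entries = [r for name, r in repos.items() if name != "packagist.org"]
    else:
        # List form, as used in the issue.
        entries = repos

    for repo in entries:
        if not isinstance(repo, dict):
            continue
        if repo.get("packagist.org") is False:
            finding.packagist_disabled = True
            continue
        # Assumption: "only" is handled by the same filter wrapper as "exclude".
        if repo.get("type") == "composer" and ("exclude" in repo or "only" in repo):
            finding.filtered_repos.append(repo.get("url", "<no url>"))
    return finding


def audit_result_needs_review(composer_json: str, composer_version: str,
                              advisories_found: int) -> bool:
    """True when an empty audit should be treated as 'unknown' rather than 'clean'.

    A non-empty audit is informative regardless of the bug; an empty one is only
    suspicious when the affected layout and an affected Composer version coincide.
    """
    if advisories_found > 0:
        return False
    finding = inspect_repositories(composer_json)
    return composer_version in AFFECTED_COMPOSER_VERSIONS and finding.audit_may_be_silent


# Constructed sample: the composer.json from the report (with the "foo" placeholder).
SAMPLE_WITH_EXCLUDE = """
{
    "name": "krowinski/sec-test",
    "require": {"czproject/git-php": "3.0"},
    "repositories": [
        {"type": "composer", "url": "https://repo.packagist.com/foo", "exclude": []},
        {"packagist.org": false}
    ]
}
"""

# Constructed sample: the same file with the filter removed, which audited correctly.
SAMPLE_WITHOUT_EXCLUDE = """
{
    "name": "krowinski/sec-test",
    "require": {"czproject/git-php": "3.0"},
    "repositories": [
        {"type": "composer", "url": "https://repo.packagist.com/foo"},
        {"packagist.org": false}
    ]
}
"""

if __name__ == "__main__":
    for label, sample in (("with exclude", SAMPLE_WITH_EXCLUDE),
                          ("without exclude", SAMPLE_WITHOUT_EXCLUDE)):
        f = inspect_repositories(sample)
        review = audit_result_needs_review(sample, "2.5.1", advisories_found=0)
        print(f"{label}: filtered={f.filtered_repos} packagist_disabled={f.packagist_disabled} "
              f"empty-audit-needs-review={review}")
```

In a pipeline you would feed the real composer.json and the advisory count from the audit output into audit_result_needs_review, and fail or warn the job when it returns True; the check is deliberately narrow so that a genuinely clean project on an unaffected layout is not blocked.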
@Seldaek Seldaek added this to the 2.5 milestone Jan 27, 2023
@Seldaek Seldaek added the Bug label Jan 27, 2023
@Seldaek
Member

Seldaek commented Jan 27, 2023

Ah, nice catch, thanks. Forgot to implement the new interface in FilterRepository.

@krowinski
Author

Tx!
