composer audit checks alias instead of actual package version #11771

Closed
jfastnacht opened this issue Dec 22, 2023 · 3 comments

@jfastnacht

My composer.json:

{
    "name": "jfastnacht/composer-audit-alias-test",
    "require": {
        "guzzlehttp/guzzle": "7.7.0 as 6.0.1"
    }
}

Output of composer diagnose:

Checking composer.json: WARNING
No license specified, it is recommended to do so. For closed-source software you may use "proprietary" as license.
require.guzzlehttp/guzzle : exact version constraints (7.7.0 as 6.0.1) should be avoided if the package follows semantic versioning
Checking platform settings: OK
Checking git settings: OK git version 2.30.2
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: OK
Checking github.com oauth access: OK
Checking disk free space: OK
Checking pubkeys: FAIL
Missing pubkey for tags verification
Missing pubkey for dev verification
Run composer self-update --update-keys to set them up
Checking composer version: OK
Composer version: 2.6.6
PHP version: 8.0.30
PHP binary path: /usr/bin/php8.0
OpenSSL version: OpenSSL 1.1.1n  15 Mar 2022
cURL version: 7.74.0 libz 1.2.11 ssl OpenSSL/1.1.1w
zip: extension present, unzip present, 7-Zip not available

When I run this command:

composer audit -vvv --locked

I get the following output:

Running 2.6.6 (2023-12-08 18:32:26) with PHP 8.0.30 on Linux / 5.15.133.1-microsoft-standard-WSL2
Reading ./composer.json (/var/www/html/composer.json)
Loading config file /home/jfastnacht/.composer/auth.json
Loading config file ./composer.json (/var/www/html/composer.json)
gitlab.<domain>.<tld> is not in the configured gitlab-domains, adding it implicitly as authentication is configured for this domain
Checked CA file /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a file.
Checked directory /etc/pki/tls/certs/ca-bundle.crt does not exist or it is not a directory.
Checked CA file /etc/ssl/certs/ca-certificates.crt: valid
Executing command (/var/www/html): 'git' 'branch' '-a' '--no-color' '--no-abbrev' '-v'
Executing command (/var/www/html): git describe --exact-match --tags
Executing command (CWD): git --version
Executing command (/var/www/html): git log --pretty="%H" -n1 HEAD --no-show-signature
Executing command (/var/www/html): hg branch
Executing command (/var/www/html): fossil branch list
Executing command (/var/www/html): fossil tag list
Executing command (/var/www/html): svn info --xml
Failed to initialize global composer: Composer could not find the config file: /home/jfastnacht/.composer/composer.json

Reading ./composer.lock (/var/www/html/composer.lock)
Reading /var/www/html/vendor/composer/installed.json
The new audit.abandoned setting (currently defaulting to "report" will default to "fail" in Composer 2.7, make sure to set it to "report" or "ignore" explicitly by then if you do not want this.
Reading /mnt/ddev-global-cache/composer/repo/https---repo.packagist.org/packages.json from cache
Downloading https://packagist.org/api/security-advisories/
[200] https://packagist.org/api/security-advisories/
Found 6 security vulnerability advisories affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/guzzle                                                                |
| CVE               | CVE-2022-31091                                                                   |
| Title             | Change in port should be considered a change in origin                           |
| URL               | https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699         |
| Affected versions | >=7,<7.4.5|>=4,<6.5.8                                                            |
| Reported at       | 2022-06-20T22:24:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/guzzle                                                                |
| CVE               | CVE-2022-31090                                                                   |
| Title             | CURLOPT_HTTPAUTH option not cleared on change of origin                          |
| URL               | https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r         |
| Affected versions | >=7,<7.4.5|>=4,<6.5.8                                                            |
| Reported at       | 2022-06-20T22:24:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/guzzle                                                                |
| CVE               | CVE-2022-31043                                                                   |
| Title             | Fix failure to strip Authorization header on HTTP downgrade                      |
| URL               | https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q         |
| Affected versions | >=7,<7.4.4|>=4,<6.5.7                                                            |
| Reported at       | 2022-06-09T23:36:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/guzzle                                                                |
| CVE               | CVE-2022-31042                                                                   |
| Title             | Failure to strip the Cookie header on change in host or HTTP downgrade           |
| URL               | https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9         |
| Affected versions | >=7,<7.4.4|>=4,<6.5.7                                                            |
| Reported at       | 2022-06-09T23:36:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/guzzle                                                                |
| CVE               | CVE-2022-29248                                                                   |
| Title             | Cross-domain cookie leakage                                                      |
| URL               | https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3         |
| Affected versions | >=7,<7.4.3|>=4,<6.5.6                                                            |
| Reported at       | 2022-05-25T13:21:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | guzzlehttp/guzzle                                                                |
| CVE               | CVE-2016-5385                                                                    |
| Title             | HTTP Proxy header vulnerability                                                  |
| URL               | https://github.com/guzzle/guzzle/releases/tag/6.2.1                              |
| Affected versions | >=6,<6.2.1|>=4.0.0-rc2,<4.2.4|>=5,<5.3.1                                         |
| Reported at       | 2015-07-15T17:14:23+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

And I expected this to happen:

composer audit should check version 7.7.0 and not the alias 6.0.1 for security advisories. If you remove the alias, everything is fine.
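An added example, not Composer's own code, that models the mismatch reported above: a minimal matcher for the Packagist "affected versions" syntax shown in the audit output (`|` separates OR'ed ranges, `,` separates AND'ed comparisons) run against the issue's root alias `7.7.0 as 6.0.1`, once with the alias checked and once with the real version. The advisory data and the lock-file record are constructed to mirror the page; the version parser is a simplification and assumes plain dotted versions with an optional pre-release suffix.

```python
import re

# Constructed subset of the Packagist advisory data for guzzle, using the
# "affected versions" syntax from the issue: '|' = OR, ',' = AND.
ADVISORIES = {
    "guzzlehttp/guzzle": [
        ("CVE-2022-31091", ">=7,<7.4.5|>=4,<6.5.8"),
        ("CVE-2022-31043", ">=7,<7.4.4|>=4,<6.5.7"),
        ("CVE-2016-5385", ">=6,<6.2.1|>=4.0.0-rc2,<4.2.4|>=5,<5.3.1"),
    ]
}

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_version(text):
    """'7.4.5' or '4.0.0-rc2' -> tuple that sorts like semver (assumption:
    simplified parser). Missing components are 0; a pre-release sorts below
    its release because the 4th element is 0 instead of 1."""
    core, _, pre = text.strip().lstrip("v").partition("-")
    nums = [int(p) for p in core.split(".")] + [0] * 3
    if not pre:
        return (*nums[:3], 1, ())
    label, num = re.match(r"([A-Za-z]*)\.?(\d*)", pre).groups()
    return (*nums[:3], 0, (label, int(num or 0)))

def is_affected(constraint, version):
    """True if `version` satisfies any OR'ed range of the advisory constraint."""
    v = parse_version(version)
    for rng in constraint.split("|"):
        for term in rng.split(","):
            op, bound = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)?\s*(\S+)\s*", term).groups()
            if not _OPS[op or "=="](v, parse_version(bound)):
                break  # one AND'ed comparison failed, try the next range
        else:
            return True
    return False

def audit(packages, resolve_root_alias=True):
    """Return (package, CVE) pairs. A root alias like "7.7.0 as 6.0.1" is
    recorded as version '6.0.1' with root_alias_of '7.7.0'; the fix is to
    audit the real version rather than the alias the root package declared."""
    findings = []
    for pkg in packages:
        version = pkg["version"]
        if resolve_root_alias and pkg.get("root_alias_of"):
            version = pkg["root_alias_of"]
        for cve, constraint in ADVISORIES.get(pkg["name"], []):
            if is_affected(constraint, version):
                findings.append((pkg["name"], cve))
    return findings

# Constructed lock-file view of the issue's composer.json ("7.7.0 as 6.0.1").
LOCKED = [{"name": "guzzlehttp/guzzle", "version": "6.0.1", "root_alias_of": "7.7.0"}]
```

Running `audit(LOCKED, resolve_root_alias=False)` reproduces the false positives (three of the six advisories in this subset match 6.0.1), while `audit(LOCKED)` reports nothing because 7.7.0 is outside every affected range.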

@Seldaek Seldaek added the Bug label Dec 22, 2023
@Seldaek
Member

Seldaek commented Dec 22, 2023

Right, that makes sense, we shouldn't do it for root package aliases. Branch aliases coming from the source version though should still be taken into account IMO.

@Seldaek Seldaek added this to the 2.6 milestone Dec 22, 2023
@theoboldalex
Contributor

I can take a look at this. I have added a test for the happy path of this command in #11789 and will begin work on a fix next.

@Seldaek
Member

Seldaek commented Jan 10, 2024

Ok, let me know if you need guidance, note that you can distinguish those two things by the class names AliasPackage vs RootAliasPackage (those should be ignored).

@composer composer deleted a comment from anaskhudur Jan 17, 2024
@composer composer deleted a comment from bdibbern-abre Feb 6, 2024
@composer composer deleted a comment from stof Feb 6, 2024
@Seldaek Seldaek modified the milestones: 2.6, 2.7 Feb 7, 2024
@Seldaek Seldaek closed this as completed in 0c99bfc Feb 7, 2024