From 9635dcaa62bb91e796d9f88efb4b0698c5e52a05 Mon Sep 17 00:00:00 2001 From: "Barry vd. Heuvel" Date: Sat, 23 Jul 2022 12:47:36 +0200 Subject: [PATCH 1/3] Add json format for audit --- src/Composer/Advisory/Auditor.php | 9 +++++++++ src/Composer/Command/AuditCommand.php | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/Composer/Advisory/Auditor.php b/src/Composer/Advisory/Auditor.php index 124372751d0a..7ceac1a1dd1c 100644 --- a/src/Composer/Advisory/Auditor.php +++ b/src/Composer/Advisory/Auditor.php @@ -4,6 +4,7 @@ use Composer\IO\ConsoleIO; use Composer\IO\IOInterface; +use Composer\Json\JsonFile; use Composer\Package\PackageInterface; use Composer\Repository\RepositorySet; use InvalidArgumentException; @@ -18,11 +19,14 @@ class Auditor public const FORMAT_PLAIN = 'plain'; + public const FORMAT_JSON = 'json'; + public const FORMAT_SUMMARY = 'summary'; public const FORMATS = [ self::FORMAT_TABLE, self::FORMAT_PLAIN, + self::FORMAT_JSON, self::FORMAT_SUMMARY, ]; @@ -37,6 +41,11 @@ class Auditor public function audit(IOInterface $io, RepositorySet $repoSet, array $packages, string $format, bool $warningOnly = true): int { $advisories = $repoSet->getMatchingSecurityAdvisories($packages, $format === self::FORMAT_SUMMARY); + if (self::FORMAT_JSON === $format) { + $io->write(JsonFile::encode(['advisories' => $advisories])); + return count($advisories); + } + $errorOrWarn = $warningOnly ? 'warning' : 'error'; if (count($advisories) > 0) { [$affectedPackages, $totalAdvisories] = $this->countAdvisories($advisories); diff --git a/src/Composer/Command/AuditCommand.php b/src/Composer/Command/AuditCommand.php index 839c050065c7..c0f8737e6b46 100644 --- a/src/Composer/Command/AuditCommand.php +++ b/src/Composer/Command/AuditCommand.php @@ -21,7 +21,7 @@ protected function configure(): void ->setDescription('Checks for security vulnerability advisories for installed packages.') ->setDefinition(array( new InputOption('no-dev', null, InputOption::VALUE_NONE, 'Disables auditing of require-dev packages.'), - new InputOption('format', 'f', InputOption::VALUE_REQUIRED, 'Output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_TABLE, Auditor::FORMATS), + new InputOption('format', 'f', InputOption::VALUE_REQUIRED, 'Output format. Must be "table", "plain", "json" or "summary".', Auditor::FORMAT_TABLE, Auditor::FORMATS), new InputOption('locked', null, InputOption::VALUE_NONE, 'Audit based on the lock file instead of the installed packages.'), )) ->setHelp( From 2516612b5a69bc7051a1af001fa616f588a7f768 Mon Sep 17 00:00:00 2001 From: "Barry vd. Heuvel" Date: Sat, 23 Jul 2022 13:02:18 +0200 Subject: [PATCH 2/3] Add json to audit-format options --- src/Composer/Command/AuditCommand.php | 2 +- src/Composer/Command/CreateProjectCommand.php | 2 +- src/Composer/Command/InstallCommand.php | 2 +- src/Composer/Command/RemoveCommand.php | 2 +- src/Composer/Command/RequireCommand.php | 2 +- src/Composer/Command/UpdateCommand.php | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/Composer/Command/AuditCommand.php b/src/Composer/Command/AuditCommand.php index c0f8737e6b46..796d40a77d83 100644 --- a/src/Composer/Command/AuditCommand.php +++ b/src/Composer/Command/AuditCommand.php @@ -21,7 +21,7 @@ protected function configure(): void ->setDescription('Checks for security vulnerability advisories for installed packages.') ->setDefinition(array( new InputOption('no-dev', null, InputOption::VALUE_NONE, 'Disables auditing of require-dev packages.'), - new InputOption('format', 'f', InputOption::VALUE_REQUIRED, 'Output format. Must be "table", "plain", "json" or "summary".', Auditor::FORMAT_TABLE, Auditor::FORMATS), + new InputOption('format', 'f', InputOption::VALUE_REQUIRED, 'Output format. Must be "table", "plain", "json", or "summary".', Auditor::FORMAT_TABLE, Auditor::FORMATS), new InputOption('locked', null, InputOption::VALUE_NONE, 'Audit based on the lock file instead of the installed packages.'), )) ->setHelp( diff --git a/src/Composer/Command/CreateProjectCommand.php b/src/Composer/Command/CreateProjectCommand.php index ec4ad575aee8..cd04c01ba696 100644 --- a/src/Composer/Command/CreateProjectCommand.php +++ b/src/Composer/Command/CreateProjectCommand.php @@ -94,7 +94,7 @@ protected function configure(): void new InputOption('remove-vcs', null, InputOption::VALUE_NONE, 'Whether to force deletion of the vcs folder without prompting.'), new InputOption('no-install', null, InputOption::VALUE_NONE, 'Whether to skip installation of the package dependencies.'), new InputOption('no-audit', null, InputOption::VALUE_NONE, 'Whether to skip auditing of the installed package dependencies.'), - new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), + new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", "json" or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), new InputOption('ignore-platform-req', null, InputOption::VALUE_REQUIRED | InputOption::VALUE_IS_ARRAY, 'Ignore a specific platform requirement (php & ext- packages).'), new InputOption('ignore-platform-reqs', null, InputOption::VALUE_NONE, 'Ignore all platform requirements (php & ext- packages).'), new InputOption('ask', null, InputOption::VALUE_NONE, 'Whether to ask for project directory.'), diff --git a/src/Composer/Command/InstallCommand.php b/src/Composer/Command/InstallCommand.php index 7ad0acf7906c..f9ef8b0a2129 100644 --- a/src/Composer/Command/InstallCommand.php +++ b/src/Composer/Command/InstallCommand.php @@ -53,7 +53,7 @@ protected function configure() new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'), new InputOption('no-install', null, InputOption::VALUE_NONE, 'Do not use, only defined here to catch misuse of the install command.'), new InputOption('audit', null, InputOption::VALUE_NONE, 'Run an audit after installation is complete.'), - new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), + new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", "json", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), new InputOption('verbose', 'v|vv|vvv', InputOption::VALUE_NONE, 'Shows more details including new commits pulled in when updating packages.'), new InputOption('optimize-autoloader', 'o', InputOption::VALUE_NONE, 'Optimize autoloader during autoloader dump'), new InputOption('classmap-authoritative', 'a', InputOption::VALUE_NONE, 'Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.'), diff --git a/src/Composer/Command/RemoveCommand.php b/src/Composer/Command/RemoveCommand.php index 458dcdb60a4b..c21ae42b0e2d 100644 --- a/src/Composer/Command/RemoveCommand.php +++ b/src/Composer/Command/RemoveCommand.php @@ -51,7 +51,7 @@ protected function configure() new InputOption('no-update', null, InputOption::VALUE_NONE, 'Disables the automatic update of the dependencies (implies --no-install).'), new InputOption('no-install', null, InputOption::VALUE_NONE, 'Skip the install step after updating the composer.lock file.'), new InputOption('no-audit', null, InputOption::VALUE_NONE, 'Skip the audit step after updating the composer.lock file.'), - new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), + new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", "json", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), new InputOption('update-no-dev', null, InputOption::VALUE_NONE, 'Run the dependency update with the --no-dev option.'), new InputOption('update-with-dependencies', 'w', InputOption::VALUE_NONE, 'Allows inherited dependencies to be updated with explicit dependencies. (Deprecrated, is now default behavior)'), new InputOption('update-with-all-dependencies', 'W', InputOption::VALUE_NONE, 'Allows all inherited dependencies to be updated, including those that are root requirements.'), diff --git a/src/Composer/Command/RequireCommand.php b/src/Composer/Command/RequireCommand.php index 23e36bdfa3dc..4f0e63984e74 100644 --- a/src/Composer/Command/RequireCommand.php +++ b/src/Composer/Command/RequireCommand.php @@ -86,7 +86,7 @@ protected function configure() new InputOption('no-update', null, InputOption::VALUE_NONE, 'Disables the automatic update of the dependencies (implies --no-install).'), new InputOption('no-install', null, InputOption::VALUE_NONE, 'Skip the install step after updating the composer.lock file.'), new InputOption('no-audit', null, InputOption::VALUE_NONE, 'Skip the audit step after updating the composer.lock file.'), - new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), + new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", "json", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), new InputOption('update-no-dev', null, InputOption::VALUE_NONE, 'Run the dependency update with the --no-dev option.'), new InputOption('update-with-dependencies', 'w', InputOption::VALUE_NONE, 'Allows inherited dependencies to be updated, except those that are root requirements.'), new InputOption('update-with-all-dependencies', 'W', InputOption::VALUE_NONE, 'Allows all inherited dependencies to be updated, including those that are root requirements.'), diff --git a/src/Composer/Command/UpdateCommand.php b/src/Composer/Command/UpdateCommand.php index 75a46db061c7..8602e83f3b74 100644 --- a/src/Composer/Command/UpdateCommand.php +++ b/src/Composer/Command/UpdateCommand.php @@ -62,7 +62,7 @@ protected function configure() new InputOption('lock', null, InputOption::VALUE_NONE, 'Overwrites the lock file hash to suppress warning about the lock file being out of date without updating package versions. Package metadata like mirrors and URLs are updated if they changed.'), new InputOption('no-install', null, InputOption::VALUE_NONE, 'Skip the install step after updating the composer.lock file.'), new InputOption('no-audit', null, InputOption::VALUE_NONE, 'Skip the audit step after updating the composer.lock file.'), - new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), + new InputOption('audit-format', null, InputOption::VALUE_REQUIRED, 'Audit output format. Must be "table", "plain", "json", or "summary".', Auditor::FORMAT_SUMMARY, Auditor::FORMATS), new InputOption('no-autoloader', null, InputOption::VALUE_NONE, 'Skips autoloader generation'), new InputOption('no-suggest', null, InputOption::VALUE_NONE, 'DEPRECATED: This flag does not exist anymore.'), new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'), From eae9dc480ecbdeab79a0ed08959167154b7ed610 Mon Sep 17 00:00:00 2001 From: "Barry vd. Heuvel" Date: Sat, 23 Jul 2022 13:03:36 +0200 Subject: [PATCH 3/3] Update cli docs --- doc/03-cli.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/03-cli.md b/doc/03-cli.md index 43c026c25407..84ce09873820 100644 --- a/doc/03-cli.md +++ b/doc/03-cli.md @@ -114,7 +114,7 @@ resolution. * **--no-progress:** Removes the progress display that can mess with some terminals or scripts which don't handle backspace characters. * **--audit:** Run an audit after installation is complete. -* **--audit-format:** Audit output format. Must be "table", "plain", or "summary" (default). +* **--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default). * **--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster autoloader. This is recommended especially for production, but can take a bit of time to run so it is currently not done by default. @@ -195,7 +195,7 @@ and this feature is only available for your root package dependencies. * **--no-dev:** Skip installing packages listed in `require-dev`. The autoloader generation skips the `autoload-dev` rules. * **--no-install:** Does not run the install step after updating the composer.lock file. * **--no-audit:** Does not run the audit steps after updating the composer.lock file. -* **--audit-format:** Audit output format. Must be "table", "plain", or "summary" (default). +* **--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default). * **--lock:** Only updates the lock file hash to suppress warning about the lock file being out of date. * **--with:** Temporary version constraint to add, e.g. foo/bar:1.0.0 or foo/bar=1.0.0 @@ -270,7 +270,7 @@ If you do not specify a package, Composer will prompt you to search for a packag * **--no-update:** Disables the automatic update of the dependencies (implies --no-install). * **--no-install:** Does not run the install step after updating the composer.lock file. * **--no-audit:** Does not run the audit steps after updating the composer.lock file. -* **--audit-format:** Audit output format. Must be "table", "plain", or "summary" (default). +* **--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default). * **--update-no-dev:** Run the dependency update with the `--no-dev` option. * **--update-with-dependencies (-w):** Also update dependencies of the newly required packages, except those that are root requirements. * **--update-with-all-dependencies (-W):** Also update dependencies of the newly required packages, including those that are root requirements. @@ -316,7 +316,7 @@ uninstalled. * **--no-update:** Disables the automatic update of the dependencies (implies --no-install). * **--no-install:** Does not run the install step after updating the composer.lock file. * **--no-audit:** Does not run the audit steps after installation is complete. -* **--audit-format:** Audit output format. Must be "table", "plain", or "summary" (default). +* **--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default). * **--update-no-dev:** Run the dependency update with the --no-dev option. * **--update-with-dependencies (-w):** Also update dependencies of the removed packages. (Deprecated, is now default behavior) @@ -897,7 +897,7 @@ By default the command checks for the packages on packagist.org. * **--remove-vcs:** Force-remove the VCS metadata without prompting. * **--no-install:** Disables installation of the vendors. * **--no-audit:** Does not run the audit steps after installation is complete. -* **--audit-format:** Audit output format. Must be "table", "plain", or "summary" (default). +* **--audit-format:** Audit output format. Must be "table", "plain", "json", or "summary" (default). * **--ignore-platform-reqs:** ignore all platform requirements (`php`, `hhvm`, `lib-*` and `ext-*`) and force the installation even if the local machine does not fulfill these. @@ -1023,7 +1023,7 @@ php composer.phar audit ### Options * **--no-dev:** Disables auditing of require-dev packages. -* **--format (-f):** Audit output format. Must be "table" (default), "plain", or "summary". +* **--format (-f):** Audit output format. Must be "table" (default), "plain", "json", or "summary". * **--locked:** Audit packages from the lock file, regardless of what is currently in vendor dir. ## help