forked from composer/composer
/
AuditCommand.php
102 lines (87 loc) · 3.78 KB
/
AuditCommand.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
<?php
namespace Composer\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Composer\Package\PackageInterface;
use Composer\Repository\InstalledRepository;
use Composer\Repository\RepositoryInterface;
use Composer\Util\Auditor;
use Symfony\Component\Console\Input\InputOption;
class AuditCommand extends BaseCommand
{
protected function configure(): void
{
$this
->setName('audit')
->setDescription('Checks for security vulnerability advisories for installed packages.')
->setDefinition(array(
new InputOption('no-dev', null, InputOption::VALUE_NONE, 'Disables auditing of require-dev packages.'),
new InputOption('format', 'f', InputOption::VALUE_OPTIONAL, 'Output format. Must be "table", "plain", or "summary".', Auditor::FORMAT_TABLE),
new InputOption('locked', null, InputOption::VALUE_NONE, 'Audit based on the lock file instead of the installed packages.'),
))
->setHelp(
<<<EOT
The <info>audit</info> command checks for security vulnerability advisories for installed packages.
If you do not want to include dev dependencies in the audit you can omit them with --no-dev
Read more at https://getcomposer.org/doc/03-cli.md#audit
EOT
)
;
}
protected function execute(InputInterface $input, OutputInterface $output)
{
$composer = $this->requireComposer($input->getOption('no-plugins'), $input->getOption('no-scripts'));
$packages = $this->getPackages($input);
$httpDownloader = $composer->getLoop()->getHttpDownloader();
if (count($packages) === 0) {
$this->getIO()->writeError('No packages - skipping audit.');
return 0;
}
$auditor = new Auditor($httpDownloader);
return $auditor->audit($this->getIO(), $packages, $input->getOption('format'), false);
}
/**
* @param InputInterface $input
* @return PackageInterface[]
*/
private function getPackages(InputInterface $input): array
{
$composer = $this->requireComposer($input->getOption('no-plugins'), $input->getOption('no-scripts'));
if ($input->getOption('locked')) {
if (!$composer->getLocker()->isLocked()) {
throw new \UnexpectedValueException('Valid composer.json and composer.lock files is required to run this command with --locked');
}
$locker = $composer->getLocker();
return $locker->getLockedRepository(!$input->getOption('no-dev'))->getPackages();
}
$rootPkg = $composer->getPackage();
$installedRepo = new InstalledRepository(array($composer->getRepositoryManager()->getLocalRepository()));
if ($input->getOption('no-dev')) {
return $this->filterRequiredPackages($installedRepo, $rootPkg);
}
return $installedRepo->getPackages();
}
/**
* Find package requires and child requires.
* Effectively filters out dev dependencies.
*
* @param PackageInterface[] $bucket
* @return PackageInterface[]
*/
private function filterRequiredPackages(RepositoryInterface $repo, PackageInterface $package, array $bucket = array()): array
{
$requires = $package->getRequires();
foreach ($repo->getPackages() as $candidate) {
foreach ($candidate->getNames() as $name) {
if (isset($requires[$name])) {
if (!in_array($candidate, $bucket, true)) {
$bucket[] = $candidate;
$bucket = $this->filterRequiredPackages($repo, $candidate, $bucket);
}
break;
}
}
}
return $bucket;
}
}