From b7d306f0866903c0421479cdc34a0f5e15933257 Mon Sep 17 00:00:00 2001 From: Chris Smith Date: Fri, 3 Feb 2023 14:35:56 +0000 Subject: [PATCH 1/7] Change command name to `security-audit` --- .github/workflows/smokes.yml | 2 +- README.md | 10 ++++++---- src/AuditCommand.php | 8 +++++++- src/Legacy/AuditNotCompatibleCommand.php | 3 ++- tests/integration/IntegrationTest.php | 2 +- 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/.github/workflows/smokes.yml b/.github/workflows/smokes.yml index a682ae4..b214170 100644 --- a/.github/workflows/smokes.yml +++ b/.github/workflows/smokes.yml @@ -43,4 +43,4 @@ jobs: composer global require cs278/composer-audit:@dev cd "$(mktemp -d)" composer require --no-install cs278/mktemp - composer audit -vvv + composer security-audit -vvv diff --git a/README.md b/README.md index 9e53a06..d49e74b 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,8 @@ vulnerabilities *without* sending your lock file to an [external service][security.symfony.com] or using [closed source software](https://github.com/symfony/cli/issues/37). +Note this command is *distinct* from the `audit` command built into Composer ≥ 2.4. + Installation ------------ @@ -39,7 +41,7 @@ library) the installed packages, located in `vendor/composer/installed.json` will be validated instead. ```sh -composer audit +composer security-audit ``` ### Audit non development dependencies @@ -48,7 +50,7 @@ Only audit your production dependencies from `composer.lock`, this option only works when there is a `composer.lock` file. ```sh -composer audit --no-dev +composer security-audit --no-dev ``` ### Update security advisories database @@ -58,7 +60,7 @@ option, without this option being supplied the database will be downloaded if it does not exist or it’s more than an hour old. For example: ```sh -composer audit --update +composer security-audit --update ``` Configuration 
@@ -119,7 +121,7 @@ composer require symfony/http-foundation 2.0.4 # Require Composer Audit composer require --dev cs278/composer-audit ^1 -composer audit +composer security-audit Found 9 advisories affecting 1 package(s). composer://symfony/http-foundation (2.0.4) diff --git a/src/AuditCommand.php b/src/AuditCommand.php index a4ae641..ce28494 100644 --- a/src/AuditCommand.php +++ b/src/AuditCommand.php @@ -30,7 +30,13 @@ final class AuditCommand extends BaseCommand protected function configure() { - $this->setName('audit'); + $this->setName('security-audit'); + + // Register alias if there isn't a conflicting command. + if (!\class_exists(\Composer\Command\AuditCommand::class)) { + $this->setAliases(['audit']); + } + $this->setDescription('Check packages for security advisories.'); $this->addOption( 'no-dev', diff --git a/src/Legacy/AuditNotCompatibleCommand.php b/src/Legacy/AuditNotCompatibleCommand.php index f7488c3..d389a61 100644 --- a/src/Legacy/AuditNotCompatibleCommand.php +++ b/src/Legacy/AuditNotCompatibleCommand.php @@ -19,7 +19,8 @@ final class AuditNotCompatibleCommand extends BaseCommand protected function configure() { // Configuration is copied from AuditCommand so that the command accepts the same inputs. - $this->setName('audit'); + $this->setName('security-audit'); + $this->setAliases(array('audit')); $this->setDescription('Check packages for security advisories.'); $this->addOption( 'no-dev', diff --git a/tests/integration/IntegrationTest.php b/tests/integration/IntegrationTest.php index 39dd895..e00c2cc 100644 --- a/tests/integration/IntegrationTest.php +++ b/tests/integration/IntegrationTest.php @@ -128,7 +128,7 @@ public function testRun(int $expectedExit, string $expectedOutput, string $condi $composer('update')->mustRun(); } - $proc = $composer('audit', ...$args); + $proc = $composer('security-audit', ...$args); if ($expectedExit === 0) { $proc->mustRun(); From 9f6ad1ad12a190284acb94b72714f0d92b6f0146 Mon Sep 17 00:00:00 2001 
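Review bot: The `audit` alias branch added to AuditCommand::configure is not exercised by any test: the IntegrationTest hunk in this same patch switches the only invocation to `security-audit`, so whether `composer audit` still reaches this plugin on Composer < 2.4 and is ceded to the built-in command on >= 2.4 is unverified. A second integration case invoking `audit` and asserting at least on the exit code would pin that behaviour, and since the probe relies on autoloading, the comment could say so: `// Register the 'audit' alias only when Composer (< 2.4) does not ship its own audit command; class_exists() autoloads, which is intended.` The Legacy/AuditNotCompatibleCommand hunk registers the alias unconditionally, which is fine for the PHP versions it targets, but its leading comment claiming the configuration is copied from AuditCommand is no longer accurate on this point. configure() in both files continues outside the hunks.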
From: Chris Smith
Date: Fri, 3 Feb 2023 14:45:13 +0000
Subject: [PATCH 2/7] Ensure tests can use the plugin

---
 .github/workflows/main.yml | 1 +
 .github/workflows/smokes.yml | 1 +
 tests/integration/IntegrationTest.php | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9275967..8a36e9e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -76,6 +76,7 @@ jobs:
 done < <(find src/Legacy -type f -name "*.php")
 - name: Integration test
 run: |
+ composer global config allow-plugins.cs278/composer-audit true
 composer global config repositories.0 path "$(pwd)"
 composer global require --ignore-platform-reqs cs278/composer-audit '*@dev'
 
diff --git a/.github/workflows/smokes.yml b/.github/workflows/smokes.yml
index b214170..26f3ddc 100644
--- a/.github/workflows/smokes.yml
+++ b/.github/workflows/smokes.yml
@@ -39,6 +39,7 @@ jobs:
 run: |
 export COMPOSER_CACHE_DIR="$(composer global config cache-dir)"
 export COMPOSER_HOME="$(mktemp -d)"
+ composer global config allow-plugins.cs278/composer-audit true
 composer global config repositories.0 path "$(pwd)"
 composer global require cs278/composer-audit:@dev
 cd "$(mktemp -d)"
diff --git a/tests/integration/IntegrationTest.php b/tests/integration/IntegrationTest.php
index e00c2cc..ae7d2b1 100644
--- a/tests/integration/IntegrationTest.php
+++ b/tests/integration/IntegrationTest.php
@@ -80,6 +80,9 @@ public function testRun(int $expectedExit, string $expectedOutput, string $condi
 ],
 'config' => [
 'notify-on-install' => false,
+ 'allow-plugins' => [
+ 'cs278/composer-audit' => true,
+ ],
 ],
 'repositories' => [
 ['type' => 'path', 'url' => getcwd()],
From 804e8ea9e6c284f5211ecec53de83b1168b44514 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Fri, 3 Feb 2023 14:47:14 +0000
Subject: [PATCH 3/7] Expand/modify versions of PHP CI uses

---
 .github/workflows/main.yml | 2 ++
 .github/workflows/smokes.yml | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

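Review bot: The new `allow-plugins` entry in the IntegrationTest fixture carries no explanation of why it is needed, and it is the place a future maintainer outside CI will hit first when the fixture stops working. A short comment would spare them the trip to the Composer changelog, e.g. `// Composer >= 2.2 only loads plugins listed under allow-plugins (non-interactive runs fail otherwise); keep this scoped to the exact package name rather than '*'.` The same setting is applied in the two workflow hunks via `composer global config`, where a matching `#` comment would help for the same reason. testRun() starts outside the hunk.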
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 8a36e9e..3ea8b98 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -19,6 +19,8 @@ jobs:
 - '7.3'
 - '7.4'
 - '8.0'
+ - '8.1'
+ - '8.2'
 deps:
 - highest
 - lowest
diff --git a/.github/workflows/smokes.yml b/.github/workflows/smokes.yml
index 26f3ddc..f3beacf 100644
--- a/.github/workflows/smokes.yml
+++ b/.github/workflows/smokes.yml
@@ -16,7 +16,7 @@ jobs:
 os: [ubuntu-latest]
 php:
 - '7.4'
- - '8.0'
+ - '8.1'
 deps:
 - highest
 - lowest
From 97192e1287c460d62b16fec16d50eb6029033110 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Fri, 3 Feb 2023 14:53:07 +0000
Subject: [PATCH 4/7] Pin legacy tests to Composer 2.2 LTS

---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3ea8b98..3f8bd29 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -71,6 +71,7 @@ jobs:
 - uses: shivammathur/setup-php@4067ce8b814db5bfc731c8906aa3034f28911e9f
 with:
 php-version: 5.3
+ tools: composer:2.2
 - name: Syntax check
 run: |
 while read file; do
From eac9ed5e7ebbf2802a7a721bedd17c25ba6b01ee Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Fri, 3 Feb 2023 15:25:31 +0000
Subject: [PATCH 5/7] Filter out deprecation notices from test output

---
 tests/integration/IntegrationTest.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/integration/IntegrationTest.php b/tests/integration/IntegrationTest.php
index ae7d2b1..9a57c76 100644
--- a/tests/integration/IntegrationTest.php
+++ b/tests/integration/IntegrationTest.php
@@ -143,7 +143,12 @@ public function testRun(int $expectedExit, string $expectedOutput, string $condi
 }
 }
 
- self::assertEquals($expectedOutput, $proc->getOutput());
+ // Filter out deprecation notices as there is no way of suppressing these when running Composer.
+ // https://github.com/composer/composer/blob/50cded331ced9acb4e926be3dda1f74b86af2a3b/bin/composer#L21
+ $output = \preg_replace('{\nDeprecated: .+?\n}m', '', $proc->getOutput());
+ $output = \preg_replace('{\nUser Deprecated: .+?\n}m', '', $output);
+
+ self::assertEquals($expectedOutput, $output);
 self::assertEquals($expectedExit, $proc->getExitCode());
 } finally {
 (new Filesystem())->remove($workingDir);
From 74166bf6348ec413d86d14645cc49109027ee57b Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Fri, 3 Feb 2023 15:30:20 +0000
Subject: [PATCH 6/7] Update setup-php action

---
 .github/workflows/main.yml | 4 ++--
 .github/workflows/smokes.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3f8bd29..a4115b7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -28,7 +28,7 @@ jobs:
 name: PHP ${{ matrix.php }} / ${{ matrix.deps }}
 steps:
 - uses: actions/checkout@v2
- - uses: shivammathur/setup-php@4067ce8b814db5bfc731c8906aa3034f28911e9f
+ - uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d
 with:
 php-version: ${{ matrix.php }}
 - name: Cache dependencies
@@ -68,7 +68,7 @@ jobs:
 name: PHP 5.3
 steps:
 - uses: actions/checkout@v2
- - uses: shivammathur/setup-php@4067ce8b814db5bfc731c8906aa3034f28911e9f
+ - uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d
 with:
 php-version: 5.3
 tools: composer:2.2
diff --git a/.github/workflows/smokes.yml b/.github/workflows/smokes.yml
index f3beacf..8612876 100644
--- a/.github/workflows/smokes.yml
+++ b/.github/workflows/smokes.yml
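Review bot: `\preg_replace` returns null on a PCRE error, so in the new lines `$output` would become null, the second call would receive null as its subject, and `assertEquals` would then report a bare string-vs-null mismatch instead of the real cause. Both patterns can be folded into one and guarded in two lines: `$output = \preg_replace('{\n(?:User )?Deprecated: .+?\n}', '', $proc->getOutput());` followed by `self::assertNotNull($output, 'preg_replace failed: ' . \preg_last_error());`. The `m` modifier has no effect on either pattern since neither uses `^` or `$`. testRun() starts outside the hunk.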
@@ -24,7 +24,7 @@ jobs:
 name: PHP ${{ matrix.php }} / ${{ matrix.deps }}
 steps:
 - uses: actions/checkout@v2
- - uses: shivammathur/setup-php@4067ce8b814db5bfc731c8906aa3034f28911e9f
+ - uses: shivammathur/setup-php@d30ad8b1843ace22e6698ab99bbafaa747b6bd0d
 with:
 php-version: ${{ matrix.php }}
 - name: Cache dependencies
From 18ef442c4cc098679ad133ee6c507406d75c80e7 Mon Sep 17 00:00:00 2001
From: Chris Smith
Date: Fri, 3 Feb 2023 16:05:11 +0000
Subject: [PATCH 7/7] Fix PHP 5.3 sanity check workflow

---
 .github/workflows/main.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a4115b7..82b59bf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -72,6 +72,7 @@ jobs:
 with:
 php-version: 5.3
 tools: composer:2.2
+ coverage: none
 - name: Syntax check
 run: |
 while read file; do
@@ -81,6 +82,7 @@ jobs:
 run: |
 composer global config allow-plugins.cs278/composer-audit true
 composer global config repositories.0 path "$(pwd)"
+ composer global require --ignore-platform-reqs symfony/yaml '~4.4'
 composer global require --ignore-platform-reqs cs278/composer-audit '*@dev'
 
 set +e
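Review bot: The added `composer global require --ignore-platform-reqs symfony/yaml '~4.4'` in the second main.yml hunk has no comment saying why the PHP 5.3 job must install this package before the plugin itself, and with platform checks disabled the `~4.4` constraint resolves to whatever 4.4.x is current at run time, so the job is not reproducible from the workflow alone. If the intent is to keep the resolver from picking a newer symfony/yaml that cannot be loaded on 5.3, say so above the line, e.g. `# Pre-install symfony/yaml 4.4 so resolution for the plugin stays loadable on PHP 5.3 — TODO confirm the constraint that forced this`, and consider an exact version so the job is deterministic. The `coverage: none` addition in the first hunk is self-explanatory.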