Skip to content

Include advisory source in new security advisory commits #451

New issue
New issue
Open
#459
Open
Include advisory source in new security advisory commits#451
#459
Labels
enhancementhelp wanted
@Ocramius

Description

@Ocramius
Ocramius
opened on Nov 15, 2021

One regular source of support questions is "why is some/library:1.2.3 included in the roave/security-advisories conflicts section?"

This is becoming regular and quite frustrating:

We probably do want to start committing the source of an advisory.

Specifically, we need to add a Source (value object with a URI in it, basically) to Advisory:

SecurityAdvisoriesBuilder/src/Roave/SecurityAdvisories/Advisory.php

Lines 33 to 46 in 0246933

/** @psalm-immutable */
final class Advisory
{
public PackageName $package;
/** @var list<VersionConstraint> */
private array $branchConstraints;
/** @param list<VersionConstraint> $branchConstraints */
private function __construct(PackageName $package, array $branchConstraints)
{
$this->package = $package;
$this->branchConstraints = $this->sortVersionConstraints($branchConstraints);
}

After doing that comes the tricky part: we need to identify which advisories were not considered as part of the pre-existing composer.json.

For that, we need to:

  1. read the pre-existing composer.json into an usable in-memory data structure
  2. compare each of the Advisory instances against it
  3. isolate those Advisory instances that would lead to a change of the excluded (data structure above?)
  4. add these Advisory instances to a list that is then used to determine the commit message to be generated
  5. generate the new commit message, which is currently hardcoded:

    SecurityAdvisoriesBuilder/build-conflicts.php

    Lines 247 to 275 in 14a83da

    $commitComposerJson = static function (string $composerJsonPath) use ($execute): void {
    $parseHead =
    /** @psalm-return non-empty-list<string> */
    static function () use ($execute): array {
    return $execute('git rev-parse HEAD');
    };
    $originalHash = runInPath(
    $parseHead,
    dirname($composerJsonPath) . '/../security-advisories'
    );
    runInPath(
    static function () use ($composerJsonPath, $originalHash, $execute): void {
    $execute('git add ' . escapeshellarg(realpath($composerJsonPath)));
    $message = sprintf(
    'Committing generated "composer.json" file as per "%s"',
    (new DateTime('now', new DateTimeZone('UTC')))->format(DateTime::W3C)
    );
    $message .= "\n" . sprintf(
    'Original commit: "%s"',
    'https://github.com/FriendsOfPHP/security-advisories/commit/' . $originalHash[0]
    );
    $execute('git diff-index --quiet HEAD || git commit -m ' . escapeshellarg($message));
    },
    dirname($composerJsonPath)
    );
    };

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementhelp wanted

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions