
Added php lockfile parser #310

Open. insaaniManav wants to merge 4 commits into main.

Conversation

@insaaniManav (Member)

Fixes #257

@@ -32,6 +32,7 @@ const (
EcosystemTerraform = "Terraform"
EcosystemTerraformModule = "TerraformModule"
EcosystemTerraformProvider = "TerraformProvider"
EcosystemPHPComposer = "Composer"
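Review bot: the value `"Composer"` on the added `EcosystemPHPComposer` line is not the name OSV uses for this package index, which is `Packagist` (https://osv.dev/list?ecosystem=Packagist); an ecosystem string OSV does not recognise makes every advisory lookup for these packages come back empty, so the scan stays silent instead of failing loudly. Suggest naming the constant after the index, `EcosystemPackagist = "Packagist"`, after first checking whether `models` already defines it.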
Member commented:

The Ecosystem for PHP Composer is actually called Packagist
https://osv.dev/list?ecosystem=Packagist

"github.com/safedep/vet/pkg/models"
)

type ComposerJSON struct {
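Review bot: `ComposerJSON` is added without a doc comment. Add one that points at the composer.json schema (https://getcomposer.org/doc/04-schema.md) and says which sections the struct models: in particular whether `require-dev` is covered, and that `require` entries are version constraints rather than pinned versions, unlike the package lists in composer.lock. That is also the information needed to decide whether dependency relationships can be recovered for a dependency graph.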
Member commented:

Can you add a comment with reference to Composer JSON specification from official source? We need to see if we need any other information like dependency relationships for building dependency graph.

@@ -259,6 +263,8 @@ func (pw *parserWrapper) Ecosystem() string {
return models.EcosystemGitHubActions
case customParserTerraform:
return models.EcosystemTerraform
case customParserComposer:
return models.EcosystemPHPComposer
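Review bot: the new `customParserComposer` case reports `models.EcosystemPHPComposer`, i.e. `"Composer"`, rather than `Packagist`, so packages found by this parser carry an ecosystem name that differs from the one OSV uses for the index (and from what the osv-scanner lockfile package, which per the discussion already handles composer.lock, reports for the same packages). Return the Packagist ecosystem here so both paths label a package the same way and vulnerability lookups match.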
Member commented:

It should be the Packagist ecosystem.

@@ -51,6 +52,7 @@ var supportedEcosystems map[string]bool = map[string]bool{
models.EcosystemSpdxSBOM: true,
models.EcosystemGitHubActions: true,
models.EcosystemTerraform: true,
models.EcosystemPHPComposer: true,
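Review bot: a new `supportedEcosystems` entry is only needed if the parser really emits a new ecosystem string; if the Composer parser reports `Packagist`, the name OSV uses, this line should be dropped, as the other reviewer notes. Keeping a second label for the same index means two parsers can disagree on the ecosystem of the same package, and the one whose label OSV does not know yields no findings.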
Member commented:

This is not required. We should just use the Packagist ecosystem

@abhisek (Member) commented Jan 17, 2025

@insaaniManav As I read more about Composer, I see there are two files

  • composer.json
  • composer.lock

This is similar to npm, where .json is used to describe dependencies and .lock to lock them to specific versions. It seems like we already support composer.lock due to our dependency on the osv-scanner lockfile package, which supports it. However, we do not support composer.json because of the complexity that it does not contain exact versions of a dependency but version constraints / ranges. In such a case we need to find out a way to choose a suitable version for scanning in the version range.

I think we should spend some time reading about Composer and decide on how to handle it.

@abhisek abhisek self-requested a review January 17, 2025 07:08
@insaaniManav (Member Author)

According to my research, we have 2 choices:

  • Best Effort Resolution:
    • Use the latest available version that satisfies the range (could lead to false negatives).
    • Use the oldest version (could lead to more vulnerabilities being flagged).
    • Allow users to choose a resolution strategy (latest, oldest, median).
  • Force the user to run composer install before scanning:
    • This would generate a composer.lock, ensuring accurate versions.
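
The composer.json versus composer.lock distinction described by abhisek, and the best-effort resolution strategies listed above, are easier to weigh with something runnable. The Go program below is an added example written for this page; it is not code from the PR or from vet. `Version`, `Resolve` and `RequireConstraints` are hypothetical names, the package `acme/logger` and its published versions are constructed, and the constraint grammar is deliberately partial: exact versions, caret and tilde ranges as Composer documents them (`^x.y.z` stays below the next major, `^0.y.z` and `~x.y.z` below the next minor), with everything else rejected rather than guessed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Version is a parsed x.y.z version; a leading "v" is tolerated, nothing else is.
type Version [3]int

func parseVersion(s string) (v Version, err error) {
	var extra string // catches trailing text such as "-beta1" so it is rejected, not silently dropped
	if n, _ := fmt.Sscanf(strings.TrimPrefix(s, "v"), "%d.%d.%d%s", &v[0], &v[1], &v[2], &extra); n != 3 {
		return v, fmt.Errorf("unsupported version %q", s)
	}
	return v, nil
}

func (v Version) Less(o Version) bool {
	for i := range v {
		if v[i] != o[i] {
			return v[i] < o[i]
		}
	}
	return false
}

func (v Version) String() string { return fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) }

// parseConstraint turns a constraint into the half-open range [lo, hi). Only exact, caret
// ("^2.3.0") and tilde ("~9.5.0") forms are handled; wildcards, "||", hyphen ranges and
// stability flags from the full Composer grammar are left out of this example.
func parseConstraint(c string) (lo, hi Version, err error) {
	op, ver := "", strings.TrimSpace(c)
	if strings.HasPrefix(ver, "^") || strings.HasPrefix(ver, "~") {
		op, ver = ver[:1], ver[1:]
	}
	if lo, err = parseVersion(ver); err != nil {
		return lo, hi, err
	}
	switch {
	case op == "^" && lo[0] > 0: // ^x.y.z: anything below the next major
		hi = Version{lo[0] + 1, 0, 0}
	case op == "^" || op == "~": // ^0.y.z and ~x.y.z: anything below the next minor
		hi = Version{lo[0], lo[1] + 1, 0}
	default: // bare version: exactly that release
		hi = Version{lo[0], lo[1], lo[2] + 1}
	}
	return lo, hi, nil
}

// Resolve picks the one published version to scan: the newest match when preferLatest is set
// (may miss what is really installed), else the oldest (flags more, some of it never installed).
func Resolve(constraint string, published []string, preferLatest bool) (string, error) {
	lo, hi, err := parseConstraint(constraint)
	if err != nil {
		return "", err
	}
	var best, found = Version{}, false
	for _, p := range published {
		v, err := parseVersion(p)
		if err != nil || v.Less(lo) || !v.Less(hi) {
			continue // rejected by parseVersion, or outside [lo, hi)
		}
		if !found || (preferLatest && best.Less(v)) || (!preferLatest && v.Less(best)) {
			best, found = v, true
		}
	}
	if !found {
		return "", fmt.Errorf("no published version satisfies %q", constraint)
	}
	return best.String(), nil
}

// RequireConstraints reads the require map of a composer.json. Platform requirements such as
// "php" or "ext-json" have no vendor/ prefix and are not Packagist packages, so they are dropped.
func RequireConstraints(manifest []byte) (map[string]string, error) {
	var m struct {
		Require map[string]string `json:"require"`
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, err
	}
	for name := range m.Require {
		if !strings.Contains(name, "/") {
			delete(m.Require, name)
		}
	}
	return m.Require, nil
}

func main() {
	published := []string{"2.2.0", "2.3.0", "2.3.4", "2.8.1", "3.0.0-beta1", "3.0.0"} // constructed
	deps, _ := RequireConstraints([]byte(`{"require": {"php": ">=8.1", "acme/logger": "^2.3.0"}}`))
	latest, _ := Resolve(deps["acme/logger"], published, true)
	oldest, _ := Resolve(deps["acme/logger"], published, false)
	fmt.Println(latest, oldest) // 2.8.1 2.3.0
}
```

For `^2.3.0` the two strategies land on `2.8.1` and `2.3.0`: the latest match gives a lower bound on findings (an advisory fixed in 2.8.1 but present in the 2.3.4 that is actually installed is missed), the oldest gives an upper bound (advisories for versions the project may never have installed). Note that `3.0.0-beta1` is skipped because the parser rejects it, so a vulnerable prerelease inside the range is never selected either. Only a composer.lock removes the ambiguity, which is why the "run composer install first" option is the one that yields ground truth rather than an estimate.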

Successfully merging this pull request may close these issues.

Support PHP Composer as a Lockfile Format