aboutsummaryrefslogtreecommitdiffhomepage
path: root/crates/shirabe/src
diff options
context:
space:
mode:
authornsfisis <nsfisis@gmail.com>2026-06-02 23:58:38 +0900
committernsfisis <nsfisis@gmail.com>2026-06-02 23:58:54 +0900
commit51843230859ef39344c0b67daa9049ead87ec49c (patch)
treef657969816da51b7f8656012e756498680ffcc23 /crates/shirabe/src
parent20dbcf11b86cb03c451ba1d5cd9efe17b68fa66d (diff)
downloadphp-shirabe-51843230859ef39344c0b67daa9049ead87ec49c.tar.gz
php-shirabe-51843230859ef39344c0b67daa9049ead87ec49c.tar.zst
php-shirabe-51843230859ef39344c0b67daa9049ead87ec49c.zip
feat(resolver): port SecurityAdvisoryPoolFilter::filter
Implement the security advisory pool filter end to end, plus the remaining actionable wirings it unblocked. - Unify the PartialSecurityAdvisory|SecurityAdvisory union as the PartialOrFullSecurityAdvisory enum and make the advisory types Clone, so advisories can be collected and stored; Pool.security_removed_versions now carries the union. This also unblocks PoolOptimizer's clone of the security-removed versions. - Thread the filter result through run_security_advisory_filter/build_pool as anyhow::Result. - Introduce typed PlatformRepositoryHandle and pass platform repos as handles through determine_requirements instead of &PlatformRepository. - Wire RuleSetGenerator's is_unacceptable_fixed_or_locked_package check and UpdateCommand's non-locked installed-packages branch. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Diffstat (limited to 'crates/shirabe/src')
-rw-r--r--crates/shirabe/src/advisory/auditor.rs59
-rw-r--r--crates/shirabe/src/advisory/mod.rs2
-rw-r--r--crates/shirabe/src/advisory/partial_or_full_security_advisory.rs25
-rw-r--r--crates/shirabe/src/advisory/partial_security_advisory.rs10
-rw-r--r--crates/shirabe/src/advisory/security_advisory.rs2
-rw-r--r--crates/shirabe/src/command/init_command.rs3
-rw-r--r--crates/shirabe/src/command/package_discovery_trait.rs8
-rw-r--r--crates/shirabe/src/command/require_command.rs45
-rw-r--r--crates/shirabe/src/command/update_command.rs7
-rw-r--r--crates/shirabe/src/dependency_resolver/pool.rs15
-rw-r--r--crates/shirabe/src/dependency_resolver/pool_builder.rs20
-rw-r--r--crates/shirabe/src/dependency_resolver/pool_optimizer.rs3
-rw-r--r--crates/shirabe/src/dependency_resolver/rule_set_generator.rs8
-rw-r--r--crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs143
-rw-r--r--crates/shirabe/src/repository/advisory_provider_interface.rs20
-rw-r--r--crates/shirabe/src/repository/composer_repository.rs20
-rw-r--r--crates/shirabe/src/repository/handle.rs64
-rw-r--r--crates/shirabe/src/repository/package_repository.rs14
-rw-r--r--crates/shirabe/src/repository/repository_set.rs11
19 files changed, 322 insertions, 157 deletions
diff --git a/crates/shirabe/src/advisory/auditor.rs b/crates/shirabe/src/advisory/auditor.rs
index 535f6a7..18af0f3 100644
--- a/crates/shirabe/src/advisory/auditor.rs
+++ b/crates/shirabe/src/advisory/auditor.rs
@@ -11,6 +11,7 @@ use shirabe_php_shim::{
};
use crate::advisory::IgnoredSecurityAdvisory;
+use crate::advisory::PartialOrFullSecurityAdvisory;
use crate::advisory::SecurityAdvisory;
use crate::io::ConsoleIO;
use crate::io::IOInterface;
@@ -19,7 +20,6 @@ use crate::package::CompletePackageInterfaceHandle;
use crate::package::PackageInterfaceHandle;
use crate::package::base_package;
use crate::package::base_package::BasePackage;
-use crate::repository::PartialOrSecurityAdvisory;
use crate::repository::RepositorySet;
use crate::util::PackageInfo;
@@ -182,7 +182,7 @@ impl Auditor {
let error_or_warn = if warning_only { "warning" } else { "error" };
if affected_packages_count > 0 || ignored_advisories.len() > 0 {
let passes: Vec<(
- &IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
String,
)> = vec![
(
@@ -243,12 +243,12 @@ impl Auditor {
Ok(audit_bitmask)
}
- /// @param array<string, array<SecurityAdvisory|PartialOrSecurityAdvisory>> $advisories
+ /// @param array<string, array<SecurityAdvisory|PartialOrFullSecurityAdvisory>> $advisories
/// @param array<string, string|null> $ignoreList
/// @return bool
pub fn needs_complete_advisory_load(
&self,
- advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
ignore_list: &IndexMap<String, Option<String>>,
) -> bool {
if advisories.len() == 0 {
@@ -256,16 +256,20 @@ impl Auditor {
}
// no partial advisories present
- let advisories_values: Vec<&Vec<PartialOrSecurityAdvisory>> = advisories.values().collect();
+ let advisories_values: Vec<&Vec<PartialOrFullSecurityAdvisory>> =
+ advisories.values().collect();
if array_all(
&advisories_values,
- |pkg_advisories: &&Vec<PartialOrSecurityAdvisory>| {
- array_all(pkg_advisories, |_advisory: &PartialOrSecurityAdvisory| {
- // TODO(phase-b): `$advisory instanceof SecurityAdvisory` — needs an advisory
- // enum or trait downcast; SecurityAdvisoriesResult currently only holds
- // PartialOrSecurityAdvisory so this is hard-coded to false
- false
- })
+ |pkg_advisories: &&Vec<PartialOrFullSecurityAdvisory>| {
+ array_all(
+ pkg_advisories,
+ |_advisory: &PartialOrFullSecurityAdvisory| {
+ // TODO(phase-b): `$advisory instanceof SecurityAdvisory` — needs an advisory
+ // enum or trait downcast; SecurityAdvisoriesResult currently only holds
+ // PartialOrFullSecurityAdvisory so this is hard-coded to false
+ false
+ },
+ )
},
) {
return false;
@@ -307,13 +311,9 @@ impl Auditor {
Ok(result)
}
- /// @phpstan-param array<string, array<PartialOrSecurityAdvisory|SecurityAdvisory>> $allAdvisories
- /// @param array<string, string|null> $ignoreList List of advisory IDs, remote IDs, CVE IDs or package names that reported but not listed as vulnerabilities.
- /// @param array<string, string|null> $ignoredSeverities List of ignored severity levels
- /// @phpstan-return array{advisories: array<string, array<PartialOrSecurityAdvisory|SecurityAdvisory>>, ignoredAdvisories: array<string, array<PartialOrSecurityAdvisory|SecurityAdvisory>>}
pub fn process_advisories(
&self,
- all_advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ all_advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
ignore_list: &IndexMap<String, Option<String>>,
ignored_severities: &IndexMap<String, Option<String>>,
) -> ProcessAdvisoriesResult {
@@ -324,8 +324,8 @@ impl Auditor {
};
}
- let mut advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new();
- let mut ignored: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new();
+ let mut advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new();
+ let mut ignored: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new();
let mut ignore_reason: Option<String> = None;
for (package, pkg_advisories) in all_advisories {
@@ -347,7 +347,7 @@ impl Auditor {
// TODO(phase-b): `$advisory instanceof SecurityAdvisory` — needs an advisory enum
// or trait downcast; the block below is skipped while SecurityAdvisoriesResult
- // only holds PartialOrSecurityAdvisory
+ // only holds PartialOrFullSecurityAdvisory
let advisory_as_full: Option<&SecurityAdvisory> = None;
if let Some(full) = advisory_as_full {
if is_string(&PhpMixed::String(full.severity.clone().unwrap_or_default()))
@@ -411,11 +411,10 @@ impl Auditor {
}
}
- /// @param array<string, array<PartialOrSecurityAdvisory>> $advisories
/// @return array{int, int} Count of affected packages and total count of advisories
fn count_advisories(
&self,
- advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
) -> (i64, i64) {
let mut count: i64 = 0;
for package_advisories in advisories.values() {
@@ -430,7 +429,7 @@ impl Auditor {
fn output_advisories(
&self,
io: &mut dyn IOInterface,
- advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
format: &str,
) -> Result<()> {
match format {
@@ -469,7 +468,7 @@ impl Auditor {
fn output_advisories_table(
&self,
io: &ConsoleIO,
- advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
) {
for package_advisories in advisories.values() {
for advisory in package_advisories {
@@ -483,7 +482,7 @@ impl Auditor {
"Affected versions".to_string(),
"Reported at".to_string(),
];
- // TODO(phase-b): advisory typed PartialOrSecurityAdvisory; PHP accesses
+ // TODO(phase-b): advisory typed PartialOrFullSecurityAdvisory; PHP accesses
// SecurityAdvisory fields (title, link, reportedAt, etc.)
let _ = advisory;
let row: Vec<String> = vec![
@@ -519,7 +518,7 @@ impl Auditor {
fn output_advisories_plain(
&self,
io: &mut dyn IOInterface,
- advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
) {
let mut error: Vec<String> = vec![];
let mut first_advisory = true;
@@ -528,7 +527,7 @@ impl Auditor {
if !first_advisory {
error.push("--------".to_string());
}
- // TODO(phase-b): advisory typed PartialOrSecurityAdvisory; PHP accesses
+ // TODO(phase-b): advisory typed PartialOrFullSecurityAdvisory; PHP accesses
// SecurityAdvisory fields
let _ = advisory;
error.push(format!("Package: {}", /* advisory.packageName */ ""));
@@ -687,7 +686,7 @@ impl Auditor {
}
fn get_advisory_id(&self, advisory: &SecurityAdvisory) -> String {
- // TODO(phase-b): advisory.advisory_id lives on inner PartialOrSecurityAdvisory
+ // TODO(phase-b): advisory.advisory_id lives on inner PartialOrFullSecurityAdvisory
let advisory_id: &str = "";
let _ = advisory;
if str_starts_with(advisory_id, "PKSA-") {
@@ -747,6 +746,6 @@ impl Auditor {
#[derive(Debug)]
pub struct ProcessAdvisoriesResult {
- pub advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
- pub ignored_advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ pub advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
+ pub ignored_advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
}
diff --git a/crates/shirabe/src/advisory/mod.rs b/crates/shirabe/src/advisory/mod.rs
index bcfbe93..df80735 100644
--- a/crates/shirabe/src/advisory/mod.rs
+++ b/crates/shirabe/src/advisory/mod.rs
@@ -1,11 +1,13 @@
pub mod audit_config;
pub mod auditor;
pub mod ignored_security_advisory;
+pub mod partial_or_full_security_advisory;
pub mod partial_security_advisory;
pub mod security_advisory;
pub use audit_config::*;
pub use auditor::*;
pub use ignored_security_advisory::*;
+pub use partial_or_full_security_advisory::*;
pub use partial_security_advisory::*;
pub use security_advisory::*;
diff --git a/crates/shirabe/src/advisory/partial_or_full_security_advisory.rs b/crates/shirabe/src/advisory/partial_or_full_security_advisory.rs
new file mode 100644
index 0000000..bb1df78
--- /dev/null
+++ b/crates/shirabe/src/advisory/partial_or_full_security_advisory.rs
@@ -0,0 +1,25 @@
+use crate::advisory::PartialSecurityAdvisory;
+use crate::advisory::SecurityAdvisory;
+use shirabe_semver::constraint::AnyConstraint;
+
+#[derive(Debug, Clone)]
+pub enum PartialOrFullSecurityAdvisory {
+ Partial(PartialSecurityAdvisory),
+ Full(SecurityAdvisory),
+}
+
+impl PartialOrFullSecurityAdvisory {
+ pub fn advisory_id(&self) -> &str {
+ match self {
+ PartialOrFullSecurityAdvisory::Partial(p) => &p.advisory_id,
+ PartialOrFullSecurityAdvisory::Full(s) => s.advisory_id(),
+ }
+ }
+
+ pub fn affected_versions(&self) -> &AnyConstraint {
+ match self {
+ PartialOrFullSecurityAdvisory::Partial(p) => &p.affected_versions,
+ PartialOrFullSecurityAdvisory::Full(s) => s.affected_versions(),
+ }
+ }
+}
diff --git a/crates/shirabe/src/advisory/partial_security_advisory.rs b/crates/shirabe/src/advisory/partial_security_advisory.rs
index fe3c99e..1e92dec 100644
--- a/crates/shirabe/src/advisory/partial_security_advisory.rs
+++ b/crates/shirabe/src/advisory/partial_security_advisory.rs
@@ -1,7 +1,7 @@
//! ref: composer/src/Composer/Advisory/PartialSecurityAdvisory.php
+use crate::advisory::PartialOrFullSecurityAdvisory;
use crate::advisory::SecurityAdvisory;
-use crate::repository::PartialOrSecurityAdvisory;
use anyhow::Result;
use chrono::{DateTime, TimeZone, Utc};
use indexmap::IndexMap;
@@ -18,7 +18,7 @@ fn serialize_constraint<S: serde::Serializer>(
serializer.serialize_str(&c.get_pretty_string())
}
-#[derive(Debug, serde::Serialize)]
+#[derive(Debug, Clone, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct PartialSecurityAdvisory {
pub advisory_id: String,
@@ -32,7 +32,7 @@ impl PartialSecurityAdvisory {
package_name: &str,
data: &IndexMap<String, PhpMixed>,
parser: &VersionParser,
- ) -> Result<PartialOrSecurityAdvisory> {
+ ) -> Result<PartialOrFullSecurityAdvisory> {
let affected_versions_str = data["affectedVersions"].as_string().unwrap_or("");
let constraint: AnyConstraint = match parser.parse_constraints(affected_versions_str) {
@@ -81,10 +81,10 @@ impl PartialSecurityAdvisory {
.and_then(|v| v.as_string())
.map(|s| s.to_string()),
);
- return Ok(PartialOrSecurityAdvisory::Full(advisory));
+ return Ok(PartialOrFullSecurityAdvisory::Full(advisory));
}
- Ok(PartialOrSecurityAdvisory::Partial(Self {
+ Ok(PartialOrFullSecurityAdvisory::Partial(Self {
advisory_id: data["advisoryId"].as_string().unwrap_or("").to_string(),
package_name: package_name.to_string(),
affected_versions: constraint,
diff --git a/crates/shirabe/src/advisory/security_advisory.rs b/crates/shirabe/src/advisory/security_advisory.rs
index edb161c..c766e0f 100644
--- a/crates/shirabe/src/advisory/security_advisory.rs
+++ b/crates/shirabe/src/advisory/security_advisory.rs
@@ -7,7 +7,7 @@ use shirabe_semver::constraint::AnyConstraint;
use crate::advisory::IgnoredSecurityAdvisory;
use crate::advisory::PartialSecurityAdvisory;
-#[derive(Debug, serde::Serialize)]
+#[derive(Debug, Clone, serde::Serialize)]
#[serde(rename_all = "camelCase")]
pub struct SecurityAdvisory {
#[serde(flatten)]
diff --git a/crates/shirabe/src/command/init_command.rs b/crates/shirabe/src/command/init_command.rs
index 38e620b..678e76d 100644
--- a/crates/shirabe/src/command/init_command.rs
+++ b/crates/shirabe/src/command/init_command.rs
@@ -29,6 +29,7 @@ use crate::json::JsonValidationException;
use crate::package::base_package::{self, BasePackage};
use crate::repository::CompositeRepository;
use crate::repository::PlatformRepository;
+use crate::repository::PlatformRepositoryHandle;
use crate::repository::RepositoryFactory;
use crate::util::Filesystem;
use crate::util::ProcessExecutor;
@@ -733,7 +734,7 @@ impl InitCommand {
"stable".to_string()
};
// TODO(phase-b): repos instanceof CompositeRepository downcast
- let _platform_repo: Option<&PlatformRepository> = None;
+ let _platform_repo: Option<&PlatformRepositoryHandle> = None;
// (omitted: iterate repos to find PlatformRepository instance)
diff --git a/crates/shirabe/src/command/package_discovery_trait.rs b/crates/shirabe/src/command/package_discovery_trait.rs
index 7da2b9a..939982a 100644
--- a/crates/shirabe/src/command/package_discovery_trait.rs
+++ b/crates/shirabe/src/command/package_discovery_trait.rs
@@ -26,6 +26,7 @@ use crate::package::version::VersionParser;
use crate::package::version::VersionSelector;
use crate::repository::CompositeRepository;
use crate::repository::PlatformRepository;
+use crate::repository::PlatformRepositoryHandle;
use crate::repository::RepositoryFactory;
use crate::repository::RepositorySet;
use crate::repository::{RepositoryInterface, SearchResult};
@@ -147,7 +148,7 @@ pub trait PackageDiscoveryTrait {
input: &dyn InputInterface,
_output: &dyn OutputInterface,
mut requires: Vec<String>,
- platform_repo: Option<&PlatformRepository>,
+ platform_repo: Option<&PlatformRepositoryHandle>,
preferred_stability: &str,
use_best_version_constraint: bool,
fixed: bool,
@@ -488,7 +489,7 @@ pub trait PackageDiscoveryTrait {
io: std::rc::Rc<std::cell::RefCell<dyn IOInterface>>,
input: &dyn InputInterface,
name: &str,
- platform_repo: Option<&PlatformRepository>,
+ platform_repo: Option<&PlatformRepositoryHandle>,
preferred_stability: &str,
fixed: bool,
) -> Result<(String, String)> {
@@ -859,13 +860,14 @@ pub trait PackageDiscoveryTrait {
fn get_platform_exception_details(
&self,
candidate: PackageInterfaceHandle,
- platform_repo: Option<&PlatformRepository>,
+ platform_repo: Option<&PlatformRepositoryHandle>,
) -> String {
let mut details: Vec<String> = vec![];
let platform_repo = match platform_repo {
None => return String::new(),
Some(p) => p,
};
+ let platform_repo = platform_repo.borrow();
for link in candidate.get_requires().values() {
if !PlatformRepository::is_platform_package(link.get_target()) {
diff --git a/crates/shirabe/src/command/require_command.rs b/crates/shirabe/src/command/require_command.rs
index bb90361..fa9a3dc 100644
--- a/crates/shirabe/src/command/require_command.rs
+++ b/crates/shirabe/src/command/require_command.rs
@@ -37,6 +37,7 @@ use crate::plugin::CommandEvent;
use crate::plugin::PluginEvents;
use crate::repository::CompositeRepository;
use crate::repository::PlatformRepository;
+use crate::repository::PlatformRepositoryHandle;
use crate::repository::RepositoryInterface;
use crate::repository::RepositorySet;
use crate::util::Filesystem;
@@ -260,17 +261,12 @@ impl RequireCommand {
.map(|m| m.iter().map(|(k, v)| (k.clone(), (**v).clone())).collect())
.unwrap_or_default();
// initialize self.repos as it is used by the PackageDiscoveryTrait
- let platform_repo = PlatformRepository::new(vec![], platform_overrides_map)?;
- let mut combined: Vec<crate::repository::RepositoryInterfaceHandle> = vec![
- // TODO(phase-c): share this platform_repo as a handle instead of constructing a
- // separate one; PlatformRepository is held by value here for the requirement below.
- crate::repository::RepositoryInterfaceHandle::new::<PlatformRepository>(todo!(
- "share platform_repo with PlatformRepository"
- )),
- ];
- for _repo in repos {
- // TODO(phase-b): repos are borrowed from RepositoryManager; need to take ownership
- combined.push(todo!("take ownership of repo from RepositoryManager"));
+ let platform_repo =
+ PlatformRepositoryHandle::new(PlatformRepository::new(vec![], platform_overrides_map)?);
+ let mut combined: Vec<crate::repository::RepositoryInterfaceHandle> =
+ vec![platform_repo.clone().into()];
+ for repo in repos {
+ combined.push(repo.clone());
}
*self.get_repos_mut() = Some(CompositeRepository::new(combined));
@@ -392,7 +388,9 @@ impl RequireCommand {
.to_string(),
true,
) {
- input.set_option("dev", PhpMixed::Bool(true));
+ // TODO(phase-b): set_option needs &mut dyn InputInterface, but execute holds
+ // input as &dyn. Commented out until input is threaded as &mut.
+ // input.set_option("dev", PhpMixed::Bool(true));
}
}
@@ -488,7 +486,9 @@ impl RequireCommand {
return Ok(0);
}
- input.set_option("dev", PhpMixed::Bool(true));
+ // TODO(phase-b): set_option needs &mut dyn InputInterface, but execute holds
+ // input as &dyn. Commented out until input is threaded as &mut.
+ // input.set_option("dev", PhpMixed::Bool(true));
let swap = require_key;
require_key = remove_key;
remove_key = swap;
@@ -523,13 +523,18 @@ impl RequireCommand {
}
if !input.get_option("dry-run").as_bool().unwrap_or(false) {
- self.update_file(
- self.json.as_ref().unwrap(),
- &requirements,
- require_key,
- remove_key,
- sort_packages,
- );
+ // TODO(phase-b): update_file takes &mut self, but the json argument must be borrowed
+ // from self.json, producing an overlapping borrow of self. Commented out until JsonFile
+ // is shared (Rc<RefCell> / interior mutability) so it can be passed without holding a
+ // borrow of self.
+ // self.update_file(
+ // self.json.as_ref().unwrap(),
+ // &requirements,
+ // require_key,
+ // remove_key,
+ // sort_packages,
+ // );
+ let _ = sort_packages;
}
let updated_msg = format!(
diff --git a/crates/shirabe/src/command/update_command.rs b/crates/shirabe/src/command/update_command.rs
index 82f98a1..7fcfa4d 100644
--- a/crates/shirabe/src/command/update_command.rs
+++ b/crates/shirabe/src/command/update_command.rs
@@ -496,8 +496,6 @@ impl UpdateCommand {
io_interface::NORMAL,
);
let mut autocompleter_values: IndexMap<String, String> = IndexMap::new();
- // TODO(phase-c): wire the non-locked branch through get_local_repository().get_packages()
- // (returns Vec<BasePackageHandle>); only the locker branch is populated for now.
let installed_packages: Vec<crate::package::PackageInterfaceHandle> =
if composer_ref.get_locker().borrow_mut().is_locked() {
CanonicalPackagesTrait::get_packages(
@@ -508,12 +506,11 @@ impl UpdateCommand {
.borrow(),
)
} else {
- let _ = composer_ref
+ composer_ref
.get_repository_manager()
.borrow()
.get_local_repository()
- .get_packages();
- Vec::new()
+ .get_packages()
};
let mut version_selector = self.create_version_selector(composer)?;
for package in &installed_packages {
diff --git a/crates/shirabe/src/dependency_resolver/pool.rs b/crates/shirabe/src/dependency_resolver/pool.rs
index ddb4df5..708930c 100644
--- a/crates/shirabe/src/dependency_resolver/pool.rs
+++ b/crates/shirabe/src/dependency_resolver/pool.rs
@@ -8,7 +8,7 @@ use shirabe_semver::compiling_matcher::CompilingMatcher;
use shirabe_semver::constraint::AnyConstraint;
use shirabe_semver::constraint::SimpleConstraint;
-use crate::advisory::PartialSecurityAdvisory;
+use crate::advisory::PartialOrFullSecurityAdvisory;
use crate::package::BasePackage;
use crate::package::BasePackageHandle;
use crate::package::version::VersionParser;
@@ -31,8 +31,8 @@ pub struct Pool {
/// @var array<string, array<string, string>> Map of package object hash => removed normalized versions => removed pretty version
pub(crate) removed_versions_by_package: IndexMap<String, IndexMap<String, String>>,
/// @var array<string, array<string, array<SecurityAdvisory|PartialSecurityAdvisory>>> Map of package name => normalized version => security advisories
- // TODO(phase-b): SecurityAdvisory|PartialSecurityAdvisory union — stored as PartialSecurityAdvisory base
- security_removed_versions: IndexMap<String, IndexMap<String, Vec<PartialSecurityAdvisory>>>,
+ security_removed_versions:
+ IndexMap<String, IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>>,
/// @var array<string, array<string, string>> Map of package name => normalized version => pretty version
abandoned_removed_versions: IndexMap<String, IndexMap<String, String>>,
}
@@ -49,7 +49,10 @@ impl Pool {
unacceptable_fixed_or_locked_packages: Vec<BasePackageHandle>,
removed_versions: IndexMap<String, IndexMap<String, String>>,
removed_versions_by_package: IndexMap<String, IndexMap<String, String>>,
- security_removed_versions: IndexMap<String, IndexMap<String, Vec<PartialSecurityAdvisory>>>,
+ security_removed_versions: IndexMap<
+ String,
+ IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
+ >,
abandoned_removed_versions: IndexMap<String, IndexMap<String, String>>,
) -> Self {
let mut this = Self {
@@ -151,7 +154,7 @@ impl Pool {
) {
return package_with_security_advisories
.iter()
- .map(|advisory| advisory.advisory_id.clone())
+ .map(|advisory| advisory.advisory_id().to_string())
.collect();
}
}
@@ -186,7 +189,7 @@ impl Pool {
/// @return array<string, array<string, array<SecurityAdvisory|PartialSecurityAdvisory>>>
pub fn get_all_security_removed_package_versions(
&self,
- ) -> &IndexMap<String, IndexMap<String, Vec<PartialSecurityAdvisory>>> {
+ ) -> &IndexMap<String, IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>> {
&self.security_removed_versions
}
diff --git a/crates/shirabe/src/dependency_resolver/pool_builder.rs b/crates/shirabe/src/dependency_resolver/pool_builder.rs
index 18d2db4..1bbd51e 100644
--- a/crates/shirabe/src/dependency_resolver/pool_builder.rs
+++ b/crates/shirabe/src/dependency_resolver/pool_builder.rs
@@ -352,7 +352,7 @@ impl PoolBuilder {
// filter vulnerable packages before optimizing the pool otherwise we may end up with inconsistent state where the optimizer took away versions
// that were not vulnerable and now suddenly the vulnerable ones are removed and we are missing some versions to make it solvable
- pool = self.run_security_advisory_filter(pool, &repositories, request);
+ pool = self.run_security_advisory_filter(pool, &repositories, request)?;
pool = self.run_optimizer(request, pool);
Intervals::clear();
@@ -1110,9 +1110,9 @@ impl PoolBuilder {
pool: Pool,
repositories: &Vec<RepositoryInterfaceHandle>,
request: &Request,
- ) -> Pool {
+ ) -> anyhow::Result<Pool> {
if self.security_advisory_pool_filter.is_none() {
- return pool;
+ return Ok(pool);
}
self.io.debug("Running security advisory pool filter.", &[]);
@@ -1121,16 +1121,16 @@ impl PoolBuilder {
let total = pool.get_packages().len() as f64;
let repos_owned: Vec<RepositoryInterfaceHandle> = repositories.iter().cloned().collect();
- let pool =
- self.security_advisory_pool_filter
- .as_mut()
- .unwrap()
- .filter(pool, repos_owned, request);
+ let pool = self
+ .security_advisory_pool_filter
+ .as_mut()
+ .unwrap()
+ .filter(pool, repos_owned, request)?;
let filtered = total - (pool.get_packages().len() as f64);
if 0.0 == filtered {
- return pool;
+ return Ok(pool);
}
self.io.write3(
@@ -1154,6 +1154,6 @@ impl PoolBuilder {
io_interface::VERY_VERBOSE,
);
- pool
+ Ok(pool)
}
}
diff --git a/crates/shirabe/src/dependency_resolver/pool_optimizer.rs b/crates/shirabe/src/dependency_resolver/pool_optimizer.rs
index 18c8d01..7cba910 100644
--- a/crates/shirabe/src/dependency_resolver/pool_optimizer.rs
+++ b/crates/shirabe/src/dependency_resolver/pool_optimizer.rs
@@ -209,8 +209,7 @@ impl PoolOptimizer {
pool.get_unacceptable_fixed_or_locked_packages().clone(),
removed_versions,
self.removed_versions_by_package.clone(),
- // TODO(phase-b): PartialSecurityAdvisory is a PHP class (no Clone). Need shared ownership rework.
- todo!("pool.get_all_security_removed_package_versions().clone()"),
+ pool.get_all_security_removed_package_versions().clone(),
pool.get_all_abandoned_removed_package_versions().clone(),
)
}
diff --git a/crates/shirabe/src/dependency_resolver/rule_set_generator.rs b/crates/shirabe/src/dependency_resolver/rule_set_generator.rs
index fece1e4..5979f63 100644
--- a/crates/shirabe/src/dependency_resolver/rule_set_generator.rs
+++ b/crates/shirabe/src/dependency_resolver/rule_set_generator.rs
@@ -309,9 +309,11 @@ impl RuleSetGenerator {
for package in request.get_fixed_packages().values() {
if package.get_id() == -1 {
// fixed package was not added to the pool as it did not pass the stability requirements, this is fine
- // TODO(phase-c): wire Pool::is_unacceptable_fixed_or_locked_package(package) here;
- // the package handle and the pool's identity check are now both handle-based.
- if todo!("is_unacceptable_fixed_or_locked_package with a request package handle") {
+ if self
+ .pool
+ .borrow()
+ .is_unacceptable_fixed_or_locked_package(package.clone())
+ {
continue;
}
diff --git a/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs b/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs
index ec224b4..3136ce5 100644
--- a/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs
+++ b/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs
@@ -2,12 +2,14 @@
use crate::advisory::AuditConfig;
use crate::advisory::Auditor;
-use crate::advisory::PartialSecurityAdvisory;
+use crate::advisory::PartialOrFullSecurityAdvisory;
use crate::dependency_resolver::Pool;
use crate::dependency_resolver::Request;
use crate::package::BasePackageHandle;
+use crate::repository::PlatformRepository;
+use crate::repository::RepositoryInterfaceHandle;
+use crate::repository::RepositorySet;
use indexmap::IndexMap;
-use shirabe_semver::constraint::AnyConstraint;
use shirabe_semver::constraint::SimpleConstraint;
#[derive(Debug)]
@@ -27,37 +29,128 @@ impl SecurityAdvisoryPoolFilter {
pub fn filter(
&self,
pool: Pool,
- repositories: Vec<crate::repository::RepositoryInterfaceHandle>,
+ repositories: Vec<RepositoryInterfaceHandle>,
request: &Request,
- ) -> Pool {
- // TODO(phase-c): port the filter() body. Blockers:
- // * RepositorySet::new takes 6 args; ConfigSourceInterface refactor pending
- // * pool.get_packages() yields BasePackageHandle; widen to PackageInterfaceHandle
- // (via .into()) where the audit/repo APIs expect PackageInterface.
- // * Pool::new requires owned Vecs; clone the handles out of the existing pool.
- // * advisory map element type mismatch (PhpMixed vs PartialSecurityAdvisory).
- let _ = (
- pool,
- repositories,
- request,
- &self.auditor,
- &self.audit_config,
+ ) -> anyhow::Result<Pool> {
+ if !self.audit_config.block_insecure {
+ return Ok(pool);
+ }
+
+ let mut repo_set = RepositorySet::new(
+ "stable",
+ IndexMap::new(),
+ vec![],
+ IndexMap::new(),
+ IndexMap::new(),
+ IndexMap::new(),
);
- todo!("port SecurityAdvisoryPoolFilter::filter")
+ for repo in repositories {
+ repo_set.add_repository(repo)?;
+ }
+
+ let mut packages_for_advisories: Vec<BasePackageHandle> = vec![];
+ for package in pool.get_packages() {
+ if package.as_root().is_none()
+ && !PlatformRepository::is_platform_package(&package.get_name())
+ && !request.is_locked_package(package.clone())
+ {
+ packages_for_advisories.push(package.clone());
+ }
+ }
+
+ let mut all_advisories = repo_set.get_matching_security_advisories(
+ packages_for_advisories.clone(),
+ true,
+ true,
+ )?;
+ if self.auditor.needs_complete_advisory_load(
+ &all_advisories.advisories,
+ &self.audit_config.ignore_list_for_blocking,
+ ) {
+ all_advisories = repo_set.get_matching_security_advisories(
+ packages_for_advisories.clone(),
+ false,
+ true,
+ )?;
+ }
+
+ let advisory_map = self
+ .auditor
+ .process_advisories(
+ all_advisories.advisories,
+ &self.audit_config.ignore_list_for_blocking,
+ &self.audit_config.ignore_severity_for_blocking,
+ )
+ .advisories;
+
+ let mut packages: Vec<BasePackageHandle> = vec![];
+ let mut security_removed_versions: IndexMap<
+ String,
+ IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
+ > = IndexMap::new();
+ let mut abandoned_removed_versions: IndexMap<String, IndexMap<String, String>> =
+ IndexMap::new();
+ for package in pool.get_packages() {
+ if self.audit_config.block_abandoned
+ && self
+ .auditor
+ .filter_abandoned_packages(
+ &[package.clone()],
+ &self.audit_config.ignore_abandoned_for_blocking,
+ )?
+ .len()
+ != 0
+ {
+ for package_name in package.get_names(false) {
+ abandoned_removed_versions
+ .entry(package_name)
+ .or_default()
+ .insert(
+ package.get_version().to_string(),
+ package.get_pretty_version().to_string(),
+ );
+ }
+ continue;
+ }
+
+ let matching_advisories = self.get_matching_advisories(package.clone(), &advisory_map);
+ if matching_advisories.len() > 0 {
+ for package_name in package.get_names(false) {
+ security_removed_versions
+ .entry(package_name)
+ .or_default()
+ .insert(
+ package.get_version().to_string(),
+ matching_advisories.clone(),
+ );
+ }
+
+ continue;
+ }
+
+ packages.push(package.clone());
+ }
+
+ Ok(Pool::new(
+ packages,
+ pool.get_unacceptable_fixed_or_locked_packages().clone(),
+ pool.get_all_removed_versions().clone(),
+ pool.get_all_removed_versions_by_package().clone(),
+ security_removed_versions,
+ abandoned_removed_versions,
+ ))
}
- /// @param array<string, array<PartialSecurityAdvisory|SecurityAdvisory>> $advisoryMap
- /// @return list<PartialSecurityAdvisory|SecurityAdvisory>
fn get_matching_advisories(
&self,
package: BasePackageHandle,
- advisory_map: &IndexMap<String, Vec<PartialSecurityAdvisory>>,
- ) -> Vec<PartialSecurityAdvisory> {
+ advisory_map: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
+ ) -> Vec<PartialOrFullSecurityAdvisory> {
if package.is_dev() {
return vec![];
}
- let mut matching_advisories: Vec<PartialSecurityAdvisory> = vec![];
+ let mut matching_advisories: Vec<PartialOrFullSecurityAdvisory> = vec![];
for package_name in package.get_names(false) {
if !advisory_map.contains_key(&package_name) {
continue;
@@ -67,10 +160,8 @@ impl SecurityAdvisoryPoolFilter {
SimpleConstraint::new("==".to_string(), package.get_version().to_string(), None)
.into();
for advisory in &advisory_map[&package_name] {
- // advisory is PartialSecurityAdvisory or SecurityAdvisory; both have affected_versions: Box<dyn ConstraintInterface>
- if advisory.affected_versions.matches(&package_constraint) {
- // TODO(phase-b): PartialSecurityAdvisory is not Clone; replace with Rc when sharing is needed
- matching_advisories.push(todo!("clone PartialSecurityAdvisory"));
+ if advisory.affected_versions().matches(&package_constraint) {
+ matching_advisories.push(advisory.clone());
}
}
}
diff --git a/crates/shirabe/src/repository/advisory_provider_interface.rs b/crates/shirabe/src/repository/advisory_provider_interface.rs
index 0de9c42..4b93eca 100644
--- a/crates/shirabe/src/repository/advisory_provider_interface.rs
+++ b/crates/shirabe/src/repository/advisory_provider_interface.rs
@@ -1,29 +1,13 @@
//! ref: composer/src/Composer/Repository/AdvisoryProviderInterface.php
-use crate::advisory::PartialSecurityAdvisory;
-use crate::advisory::SecurityAdvisory;
+use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory, SecurityAdvisory};
use indexmap::IndexMap;
use shirabe_semver::constraint::AnyConstraint;
#[derive(Debug)]
-pub enum PartialOrSecurityAdvisory {
- Partial(PartialSecurityAdvisory),
- Full(SecurityAdvisory),
-}
-
-impl PartialOrSecurityAdvisory {
- pub fn advisory_id(&self) -> &str {
- match self {
- PartialOrSecurityAdvisory::Partial(p) => &p.advisory_id,
- PartialOrSecurityAdvisory::Full(s) => s.advisory_id(),
- }
- }
-}
-
-#[derive(Debug)]
pub struct SecurityAdvisoryResult {
pub names_found: Vec<String>,
- pub advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ pub advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
}
pub trait AdvisoryProviderInterface {
diff --git a/crates/shirabe/src/repository/composer_repository.rs b/crates/shirabe/src/repository/composer_repository.rs
index d39fd82..1f2fcbf 100644
--- a/crates/shirabe/src/repository/composer_repository.rs
+++ b/crates/shirabe/src/repository/composer_repository.rs
@@ -15,7 +15,7 @@ use shirabe_semver::constraint::AnyConstraint;
use shirabe_semver::constraint::MatchAllConstraint;
use shirabe_semver::constraint::SimpleConstraint;
-use crate::advisory::PartialSecurityAdvisory;
+use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory};
use crate::cache::Cache;
use crate::config::Config;
use crate::downloader::TransportException;
@@ -41,7 +41,7 @@ use crate::repository::RepositoryInterface;
use crate::repository::RepositoryInterfaceHandle;
use crate::repository::RepositoryInterfaceWeakHandle;
use crate::repository::RepositorySecurityException;
-use crate::repository::{PartialOrSecurityAdvisory, SecurityAdvisoryResult};
+use crate::repository::SecurityAdvisoryResult;
use crate::repository::{SEARCH_FULLTEXT, SEARCH_VENDOR};
use crate::util::HttpDownloader;
use crate::util::Url;
@@ -1038,7 +1038,7 @@ impl ComposerRepository {
});
}
- let mut advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new();
+ let mut advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new();
let mut names_found: IndexMap<String, bool> = IndexMap::new();
let api_url = self
@@ -1062,9 +1062,9 @@ impl ComposerRepository {
let create = |data: &IndexMap<String, PhpMixed>,
name: &str,
package_constraint_map: &IndexMap<String, AnyConstraint>|
- -> anyhow::Result<Option<PartialOrSecurityAdvisory>> {
+ -> anyhow::Result<Option<PartialOrFullSecurityAdvisory>> {
let advisory = PartialSecurityAdvisory::create(name, data, &semver_parser)?;
- let is_full = matches!(advisory, PartialOrSecurityAdvisory::Full(_));
+ let is_full = matches!(advisory, PartialOrFullSecurityAdvisory::Full(_));
if !allow_partial_advisories && !is_full {
let data_mixed = PhpMixed::Array(
data.iter()
@@ -1084,8 +1084,8 @@ impl ComposerRepository {
.into());
}
let affected_versions: &AnyConstraint = match &advisory {
- PartialOrSecurityAdvisory::Partial(p) => &p.affected_versions,
- PartialOrSecurityAdvisory::Full(p) => p.affected_versions(),
+ PartialOrFullSecurityAdvisory::Partial(p) => &p.affected_versions,
+ PartialOrFullSecurityAdvisory::Full(p) => p.affected_versions(),
};
let constraint = package_constraint_map.get(name);
if let Some(c) = constraint {
@@ -1138,7 +1138,7 @@ impl ComposerRepository {
names_found.insert(name.clone(), true);
if !sec_advs_arr.is_empty() {
- let mut entries: Vec<PartialOrSecurityAdvisory> = Vec::new();
+ let mut entries: Vec<PartialOrFullSecurityAdvisory> = Vec::new();
for (_k, data_mixed) in sec_advs_arr.iter() {
if let Some(data) = data_mixed.as_array() {
let data_map: IndexMap<String, PhpMixed> = data
@@ -1229,7 +1229,7 @@ impl ComposerRepository {
None => continue,
};
if !list.is_empty() {
- let mut entries: Vec<PartialOrSecurityAdvisory> = Vec::new();
+ let mut entries: Vec<PartialOrFullSecurityAdvisory> = Vec::new();
for data_mixed in list.iter() {
if let Some(data) = data_mixed.as_array() {
let data_map: IndexMap<String, PhpMixed> = data
@@ -1249,7 +1249,7 @@ impl ComposerRepository {
}
}
- let advisories_filtered: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = advisories
+ let advisories_filtered: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = advisories
.into_iter()
.filter(|(_, adv)| !adv.is_empty())
.collect();
diff --git a/crates/shirabe/src/repository/handle.rs b/crates/shirabe/src/repository/handle.rs
index a4225f7..38a4f28 100644
--- a/crates/shirabe/src/repository/handle.rs
+++ b/crates/shirabe/src/repository/handle.rs
@@ -11,7 +11,8 @@ use crate::package::BasePackageHandle;
use crate::package::PackageInterfaceHandle;
use crate::repository::{
FindPackageConstraint, InstalledRepositoryInterface, LoadPackagesResult, LockArrayRepository,
- ProviderInfo, RepositoryInterface, SearchResult, WritableRepositoryInterface,
+ PlatformRepository, ProviderInfo, RepositoryInterface, SearchResult,
+ WritableRepositoryInterface,
};
/// Shared reference to a repository. Corresponds to PHP `RepositoryInterface`.
@@ -173,8 +174,7 @@ impl std::hash::Hash for RepositoryInterfaceHandle {
}
}
-/// Typed shared handle over `LockArrayRepository`. Preserves the PHP `?LockArrayRepository`
-/// typing where a `RepositoryInterfaceHandle` would be too wide.
+/// Typed shared handle over `LockArrayRepository`.
#[derive(Debug, Clone)]
pub struct LockArrayRepositoryHandle(Rc<RefCell<LockArrayRepository>>);
@@ -231,3 +231,61 @@ impl std::hash::Hash for LockArrayRepositoryHandle {
self.ptr_id().hash(state);
}
}
+
+/// Typed shared handle over `PlatformRepository`.
+#[derive(Debug, Clone)]
+pub struct PlatformRepositoryHandle(Rc<RefCell<PlatformRepository>>);
+
+impl PlatformRepositoryHandle {
+ pub fn new(repository: PlatformRepository) -> Self {
+ let rc: Rc<RefCell<PlatformRepository>> = Rc::new(RefCell::new(repository));
+ let rc_dyn: Rc<RefCell<dyn RepositoryInterface>> = rc.clone();
+ rc.borrow().set_self_handle(Rc::downgrade(&rc_dyn));
+ Self(rc)
+ }
+
+ pub fn from_rc(rc: Rc<RefCell<PlatformRepository>>) -> Self {
+ Self(rc)
+ }
+
+ pub fn as_rc(&self) -> &Rc<RefCell<PlatformRepository>> {
+ &self.0
+ }
+
+ pub fn borrow(&self) -> Ref<'_, PlatformRepository> {
+ self.0.borrow()
+ }
+
+ pub fn borrow_mut(&self) -> RefMut<'_, PlatformRepository> {
+ self.0.borrow_mut()
+ }
+
+ pub fn ptr_eq(&self, other: &Self) -> bool {
+ Rc::ptr_eq(&self.0, &other.0)
+ }
+
+ pub fn ptr_id(&self) -> usize {
+ Rc::as_ptr(&self.0) as *const () as usize
+ }
+}
+
+impl From<PlatformRepositoryHandle> for RepositoryInterfaceHandle {
+ fn from(h: PlatformRepositoryHandle) -> Self {
+ let rc: Rc<RefCell<dyn RepositoryInterface>> = h.0;
+ RepositoryInterfaceHandle::from_rc(rc)
+ }
+}
+
+impl PartialEq for PlatformRepositoryHandle {
+ fn eq(&self, other: &Self) -> bool {
+ Rc::ptr_eq(&self.0, &other.0)
+ }
+}
+
+impl Eq for PlatformRepositoryHandle {}
+
+impl std::hash::Hash for PlatformRepositoryHandle {
+ fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+ self.ptr_id().hash(state);
+ }
+}
diff --git a/crates/shirabe/src/repository/package_repository.rs b/crates/shirabe/src/repository/package_repository.rs
index b88de78..b5280a8 100644
--- a/crates/shirabe/src/repository/package_repository.rs
+++ b/crates/shirabe/src/repository/package_repository.rs
@@ -1,15 +1,13 @@
//! ref: composer/src/Composer/Repository/PackageRepository.php
-use crate::advisory::PartialSecurityAdvisory;
use crate::advisory::SecurityAdvisory;
+use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory};
use crate::package::loader::ArrayLoader;
use crate::package::loader::ValidatingArrayLoader;
use crate::package::version::VersionParser;
use crate::repository::ArrayRepository;
use crate::repository::InvalidRepositoryException;
-use crate::repository::{
- AdvisoryProviderInterface, PartialOrSecurityAdvisory, SecurityAdvisoryResult,
-};
+use crate::repository::{AdvisoryProviderInterface, SecurityAdvisoryResult};
use indexmap::IndexMap;
use shirabe_external_packages::composer::pcre::Preg;
use shirabe_php_shim::{Exception, PhpMixed, RuntimeException, var_export};
@@ -97,7 +95,7 @@ impl AdvisoryProviderInterface for PackageRepository {
let semver_parser = shirabe_semver::version_parser::VersionParser;
let _ = parser;
- let mut advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new();
+ let mut advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new();
for (package_name, package_advisories) in &self.security_advisories {
if !package_constraint_map.contains_key(package_name.as_str()) {
continue;
@@ -106,7 +104,7 @@ impl AdvisoryProviderInterface for PackageRepository {
PhpMixed::List(list) => list,
_ => continue,
};
- let mut items: Vec<PartialOrSecurityAdvisory> = Vec::new();
+ let mut items: Vec<PartialOrFullSecurityAdvisory> = Vec::new();
for data in list {
let data_map: IndexMap<String, PhpMixed> = match data.as_ref() {
PhpMixed::Array(m) => m.iter().map(|(k, v)| (k.clone(), *v.clone())).collect(),
@@ -121,7 +119,7 @@ impl AdvisoryProviderInterface for PackageRepository {
Err(_) => continue,
};
if !allow_partial_advisories
- && matches!(advisory, PartialOrSecurityAdvisory::Partial(_))
+ && matches!(advisory, PartialOrFullSecurityAdvisory::Partial(_))
{
return Err(anyhow::anyhow!(RuntimeException {
message: format!(
@@ -141,7 +139,7 @@ impl AdvisoryProviderInterface for PackageRepository {
}
let names_found: Vec<String> = advisories.keys().cloned().collect();
- let advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = advisories
+ let advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = advisories
.into_iter()
.filter(|(_, adv)| !adv.is_empty())
.collect();
diff --git a/crates/shirabe/src/repository/repository_set.rs b/crates/shirabe/src/repository/repository_set.rs
index 843af80..ac904fc 100644
--- a/crates/shirabe/src/repository/repository_set.rs
+++ b/crates/shirabe/src/repository/repository_set.rs
@@ -13,8 +13,7 @@ use shirabe_semver::constraint::MatchAllConstraint;
use shirabe_semver::constraint::MultiConstraint;
use shirabe_semver::constraint::SimpleConstraint;
-use crate::advisory::PartialSecurityAdvisory;
-use crate::advisory::SecurityAdvisory;
+use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory, SecurityAdvisory};
use crate::dependency_resolver::Pool;
use crate::dependency_resolver::PoolBuilder;
use crate::dependency_resolver::PoolOptimizer;
@@ -29,12 +28,12 @@ use crate::package::BasePackageHandle;
use crate::package::CompleteAliasPackageHandle;
use crate::package::PackageInterfaceHandle;
use crate::package::version::StabilityFilter;
+use crate::repository::AdvisoryProviderInterface;
use crate::repository::CompositeRepository;
use crate::repository::InstalledRepository;
use crate::repository::InstalledRepositoryInterface;
use crate::repository::LockArrayRepositoryHandle;
use crate::repository::PlatformRepository;
-use crate::repository::{AdvisoryProviderInterface, PartialOrSecurityAdvisory};
use crate::repository::{FindPackageConstraint, RepositoryInterface, RepositoryInterfaceHandle};
#[derive(Debug, Clone)]
@@ -372,8 +371,8 @@ impl RepositorySet {
allow_partial_advisories: bool,
ignore_unreachable: bool,
unreachable_repos: &mut Vec<String>,
- ) -> Result<IndexMap<String, Vec<PartialOrSecurityAdvisory>>> {
- let mut repo_advisories: Vec<IndexMap<String, Vec<PartialOrSecurityAdvisory>>> = vec![];
+ ) -> Result<IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>> {
+ let mut repo_advisories: Vec<IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>> = vec![];
for repository in &self.repositories {
// TODO(phase-b): use anyhow::Result<Result<T, E>> to model PHP try/catch
let attempt: Result<()> = (|| -> Result<()> {
@@ -646,6 +645,6 @@ impl RepositorySet {
#[derive(Debug)]
pub struct SecurityAdvisoriesResult {
- pub advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>,
+ pub advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>,
pub unreachable_repos: Vec<String>,
}
generated by cgit v1.3.1 (git 2.54.0) at 2026-06-04 17:03:23 +0000