diff options
Diffstat (limited to 'crates/shirabe')
19 files changed, 322 insertions, 157 deletions
diff --git a/crates/shirabe/src/advisory/auditor.rs b/crates/shirabe/src/advisory/auditor.rs index 535f6a7..18af0f3 100644 --- a/crates/shirabe/src/advisory/auditor.rs +++ b/crates/shirabe/src/advisory/auditor.rs @@ -11,6 +11,7 @@ use shirabe_php_shim::{ }; use crate::advisory::IgnoredSecurityAdvisory; +use crate::advisory::PartialOrFullSecurityAdvisory; use crate::advisory::SecurityAdvisory; use crate::io::ConsoleIO; use crate::io::IOInterface; @@ -19,7 +20,6 @@ use crate::package::CompletePackageInterfaceHandle; use crate::package::PackageInterfaceHandle; use crate::package::base_package; use crate::package::base_package::BasePackage; -use crate::repository::PartialOrSecurityAdvisory; use crate::repository::RepositorySet; use crate::util::PackageInfo; @@ -182,7 +182,7 @@ impl Auditor { let error_or_warn = if warning_only { "warning" } else { "error" }; if affected_packages_count > 0 || ignored_advisories.len() > 0 { let passes: Vec<( - &IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, String, )> = vec![ ( @@ -243,12 +243,12 @@ impl Auditor { Ok(audit_bitmask) } - /// @param array<string, array<SecurityAdvisory|PartialOrSecurityAdvisory>> $advisories + /// @param array<string, array<SecurityAdvisory|PartialOrFullSecurityAdvisory>> $advisories /// @param array<string, string|null> $ignoreList /// @return bool pub fn needs_complete_advisory_load( &self, - advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, ignore_list: &IndexMap<String, Option<String>>, ) -> bool { if advisories.len() == 0 { @@ -256,16 +256,20 @@ impl Auditor { } // no partial advisories present - let advisories_values: Vec<&Vec<PartialOrSecurityAdvisory>> = advisories.values().collect(); + let advisories_values: Vec<&Vec<PartialOrFullSecurityAdvisory>> = + advisories.values().collect(); if array_all( &advisories_values, - |pkg_advisories: &&Vec<PartialOrSecurityAdvisory>| { - array_all(pkg_advisories, |_advisory: &PartialOrSecurityAdvisory| { - // TODO(phase-b): `$advisory instanceof SecurityAdvisory` — needs an advisory - // enum or trait downcast; SecurityAdvisoriesResult currently only holds - // PartialOrSecurityAdvisory so this is hard-coded to false - false - }) + |pkg_advisories: &&Vec<PartialOrFullSecurityAdvisory>| { + array_all( + pkg_advisories, + |_advisory: &PartialOrFullSecurityAdvisory| { + // TODO(phase-b): `$advisory instanceof SecurityAdvisory` — needs an advisory + // enum or trait downcast; SecurityAdvisoriesResult currently only holds + // PartialOrFullSecurityAdvisory so this is hard-coded to false + false + }, + ) }, ) { return false; @@ -307,13 +311,9 @@ impl Auditor { Ok(result) } - /// @phpstan-param array<string, array<PartialOrSecurityAdvisory|SecurityAdvisory>> $allAdvisories - /// @param array<string, string|null> $ignoreList List of advisory IDs, remote IDs, CVE IDs or package names that reported but not listed as vulnerabilities. - /// @param array<string, string|null> $ignoredSeverities List of ignored severity levels - /// @phpstan-return array{advisories: array<string, array<PartialOrSecurityAdvisory|SecurityAdvisory>>, ignoredAdvisories: array<string, array<PartialOrSecurityAdvisory|SecurityAdvisory>>} pub fn process_advisories( &self, - all_advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + all_advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, ignore_list: &IndexMap<String, Option<String>>, ignored_severities: &IndexMap<String, Option<String>>, ) -> ProcessAdvisoriesResult { @@ -324,8 +324,8 @@ impl Auditor { }; } - let mut advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new(); - let mut ignored: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new(); + let mut advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new(); + let mut ignored: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new(); let mut ignore_reason: Option<String> = None; for (package, pkg_advisories) in all_advisories { @@ -347,7 +347,7 @@ impl Auditor { // TODO(phase-b): `$advisory instanceof SecurityAdvisory` — needs an advisory enum // or trait downcast; the block below is skipped while SecurityAdvisoriesResult - // only holds PartialOrSecurityAdvisory + // only holds PartialOrFullSecurityAdvisory let advisory_as_full: Option<&SecurityAdvisory> = None; if let Some(full) = advisory_as_full { if is_string(&PhpMixed::String(full.severity.clone().unwrap_or_default())) @@ -411,11 +411,10 @@ impl Auditor { } } - /// @param array<string, array<PartialOrSecurityAdvisory>> $advisories /// @return array{int, int} Count of affected packages and total count of advisories fn count_advisories( &self, - advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, ) -> (i64, i64) { let mut count: i64 = 0; for package_advisories in advisories.values() { @@ -430,7 +429,7 @@ impl Auditor { fn output_advisories( &self, io: &mut dyn IOInterface, - advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, format: &str, ) -> Result<()> { match format { @@ -469,7 +468,7 @@ impl Auditor { fn output_advisories_table( &self, io: &ConsoleIO, - advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, ) { for package_advisories in advisories.values() { for advisory in package_advisories { @@ -483,7 +482,7 @@ impl Auditor { "Affected versions".to_string(), "Reported at".to_string(), ]; - // TODO(phase-b): advisory typed PartialOrSecurityAdvisory; PHP accesses + // TODO(phase-b): advisory typed PartialOrFullSecurityAdvisory; PHP accesses // SecurityAdvisory fields (title, link, reportedAt, etc.) let _ = advisory; let row: Vec<String> = vec![ @@ -519,7 +518,7 @@ impl Auditor { fn output_advisories_plain( &self, io: &mut dyn IOInterface, - advisories: &IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + advisories: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, ) { let mut error: Vec<String> = vec![]; let mut first_advisory = true; @@ -528,7 +527,7 @@ impl Auditor { if !first_advisory { error.push("--------".to_string()); } - // TODO(phase-b): advisory typed PartialOrSecurityAdvisory; PHP accesses + // TODO(phase-b): advisory typed PartialOrFullSecurityAdvisory; PHP accesses // SecurityAdvisory fields let _ = advisory; error.push(format!("Package: {}", /* advisory.packageName */ "")); @@ -687,7 +686,7 @@ impl Auditor { } fn get_advisory_id(&self, advisory: &SecurityAdvisory) -> String { - // TODO(phase-b): advisory.advisory_id lives on inner PartialOrSecurityAdvisory + // TODO(phase-b): advisory.advisory_id lives on inner PartialOrFullSecurityAdvisory let advisory_id: &str = ""; let _ = advisory; if str_starts_with(advisory_id, "PKSA-") { @@ -747,6 +746,6 @@ impl Auditor { #[derive(Debug)] pub struct ProcessAdvisoriesResult { - pub advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>, - pub ignored_advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + pub advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, + pub ignored_advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, } diff --git a/crates/shirabe/src/advisory/mod.rs b/crates/shirabe/src/advisory/mod.rs index bcfbe93..df80735 100644 --- a/crates/shirabe/src/advisory/mod.rs +++ b/crates/shirabe/src/advisory/mod.rs @@ -1,11 +1,13 @@ pub mod audit_config; pub mod auditor; pub mod ignored_security_advisory; +pub mod partial_or_full_security_advisory; pub mod partial_security_advisory; pub mod security_advisory; pub use audit_config::*; pub use auditor::*; pub use ignored_security_advisory::*; +pub use partial_or_full_security_advisory::*; pub use partial_security_advisory::*; pub use security_advisory::*; diff --git a/crates/shirabe/src/advisory/partial_or_full_security_advisory.rs b/crates/shirabe/src/advisory/partial_or_full_security_advisory.rs new file mode 100644 index 0000000..bb1df78 --- /dev/null +++ b/crates/shirabe/src/advisory/partial_or_full_security_advisory.rs @@ -0,0 +1,25 @@ +use crate::advisory::PartialSecurityAdvisory; +use crate::advisory::SecurityAdvisory; +use shirabe_semver::constraint::AnyConstraint; + +#[derive(Debug, Clone)] +pub enum PartialOrFullSecurityAdvisory { + Partial(PartialSecurityAdvisory), + Full(SecurityAdvisory), +} + +impl PartialOrFullSecurityAdvisory { + pub fn advisory_id(&self) -> &str { + match self { + PartialOrFullSecurityAdvisory::Partial(p) => &p.advisory_id, + PartialOrFullSecurityAdvisory::Full(s) => s.advisory_id(), + } + } + + pub fn affected_versions(&self) -> &AnyConstraint { + match self { + PartialOrFullSecurityAdvisory::Partial(p) => &p.affected_versions, + PartialOrFullSecurityAdvisory::Full(s) => s.affected_versions(), + } + } +} diff --git a/crates/shirabe/src/advisory/partial_security_advisory.rs b/crates/shirabe/src/advisory/partial_security_advisory.rs index fe3c99e..1e92dec 100644 --- a/crates/shirabe/src/advisory/partial_security_advisory.rs +++ b/crates/shirabe/src/advisory/partial_security_advisory.rs @@ -1,7 +1,7 @@ //! ref: composer/src/Composer/Advisory/PartialSecurityAdvisory.php +use crate::advisory::PartialOrFullSecurityAdvisory; use crate::advisory::SecurityAdvisory; -use crate::repository::PartialOrSecurityAdvisory; use anyhow::Result; use chrono::{DateTime, TimeZone, Utc}; use indexmap::IndexMap; @@ -18,7 +18,7 @@ fn serialize_constraint<S: serde::Serializer>( serializer.serialize_str(&c.get_pretty_string()) } -#[derive(Debug, serde::Serialize)] +#[derive(Debug, Clone, serde::Serialize)] #[serde(rename_all = "camelCase")] pub struct PartialSecurityAdvisory { pub advisory_id: String, @@ -32,7 +32,7 @@ impl PartialSecurityAdvisory { package_name: &str, data: &IndexMap<String, PhpMixed>, parser: &VersionParser, - ) -> Result<PartialOrSecurityAdvisory> { + ) -> Result<PartialOrFullSecurityAdvisory> { let affected_versions_str = data["affectedVersions"].as_string().unwrap_or(""); let constraint: AnyConstraint = match parser.parse_constraints(affected_versions_str) { @@ -81,10 +81,10 @@ impl PartialSecurityAdvisory { .and_then(|v| v.as_string()) .map(|s| s.to_string()), ); - return Ok(PartialOrSecurityAdvisory::Full(advisory)); + return Ok(PartialOrFullSecurityAdvisory::Full(advisory)); } - Ok(PartialOrSecurityAdvisory::Partial(Self { + Ok(PartialOrFullSecurityAdvisory::Partial(Self { advisory_id: data["advisoryId"].as_string().unwrap_or("").to_string(), package_name: package_name.to_string(), affected_versions: constraint, diff --git a/crates/shirabe/src/advisory/security_advisory.rs b/crates/shirabe/src/advisory/security_advisory.rs index edb161c..c766e0f 100644 --- a/crates/shirabe/src/advisory/security_advisory.rs +++ b/crates/shirabe/src/advisory/security_advisory.rs @@ -7,7 +7,7 @@ use shirabe_semver::constraint::AnyConstraint; use crate::advisory::IgnoredSecurityAdvisory; use crate::advisory::PartialSecurityAdvisory; -#[derive(Debug, serde::Serialize)] +#[derive(Debug, Clone, serde::Serialize)] #[serde(rename_all = "camelCase")] pub struct SecurityAdvisory { #[serde(flatten)] diff --git a/crates/shirabe/src/command/init_command.rs b/crates/shirabe/src/command/init_command.rs index 38e620b..678e76d 100644 --- a/crates/shirabe/src/command/init_command.rs +++ b/crates/shirabe/src/command/init_command.rs @@ -29,6 +29,7 @@ use crate::json::JsonValidationException; use crate::package::base_package::{self, BasePackage}; use crate::repository::CompositeRepository; use crate::repository::PlatformRepository; +use crate::repository::PlatformRepositoryHandle; use crate::repository::RepositoryFactory; use crate::util::Filesystem; use crate::util::ProcessExecutor; @@ -733,7 +734,7 @@ impl InitCommand { "stable".to_string() }; // TODO(phase-b): repos instanceof CompositeRepository downcast - let _platform_repo: Option<&PlatformRepository> = None; + let _platform_repo: Option<&PlatformRepositoryHandle> = None; // (omitted: iterate repos to find PlatformRepository instance) diff --git a/crates/shirabe/src/command/package_discovery_trait.rs b/crates/shirabe/src/command/package_discovery_trait.rs index 7da2b9a..939982a 100644 --- a/crates/shirabe/src/command/package_discovery_trait.rs +++ b/crates/shirabe/src/command/package_discovery_trait.rs @@ -26,6 +26,7 @@ use crate::package::version::VersionParser; use crate::package::version::VersionSelector; use crate::repository::CompositeRepository; use crate::repository::PlatformRepository; +use crate::repository::PlatformRepositoryHandle; use crate::repository::RepositoryFactory; use crate::repository::RepositorySet; use crate::repository::{RepositoryInterface, SearchResult}; @@ -147,7 +148,7 @@ pub trait PackageDiscoveryTrait { input: &dyn InputInterface, _output: &dyn OutputInterface, mut requires: Vec<String>, - platform_repo: Option<&PlatformRepository>, + platform_repo: Option<&PlatformRepositoryHandle>, preferred_stability: &str, use_best_version_constraint: bool, fixed: bool, @@ -488,7 +489,7 @@ pub trait PackageDiscoveryTrait { io: std::rc::Rc<std::cell::RefCell<dyn IOInterface>>, input: &dyn InputInterface, name: &str, - platform_repo: Option<&PlatformRepository>, + platform_repo: Option<&PlatformRepositoryHandle>, preferred_stability: &str, fixed: bool, ) -> Result<(String, String)> { @@ -859,13 +860,14 @@ pub trait PackageDiscoveryTrait { fn get_platform_exception_details( &self, candidate: PackageInterfaceHandle, - platform_repo: Option<&PlatformRepository>, + platform_repo: Option<&PlatformRepositoryHandle>, ) -> String { let mut details: Vec<String> = vec![]; let platform_repo = match platform_repo { None => return String::new(), Some(p) => p, }; + let platform_repo = platform_repo.borrow(); for link in candidate.get_requires().values() { if !PlatformRepository::is_platform_package(link.get_target()) { diff --git a/crates/shirabe/src/command/require_command.rs b/crates/shirabe/src/command/require_command.rs index bb90361..fa9a3dc 100644 --- a/crates/shirabe/src/command/require_command.rs +++ b/crates/shirabe/src/command/require_command.rs @@ -37,6 +37,7 @@ use crate::plugin::CommandEvent; use crate::plugin::PluginEvents; use crate::repository::CompositeRepository; use crate::repository::PlatformRepository; +use crate::repository::PlatformRepositoryHandle; use crate::repository::RepositoryInterface; use crate::repository::RepositorySet; use crate::util::Filesystem; @@ -260,17 +261,12 @@ impl RequireCommand { .map(|m| m.iter().map(|(k, v)| (k.clone(), (**v).clone())).collect()) .unwrap_or_default(); // initialize self.repos as it is used by the PackageDiscoveryTrait - let platform_repo = PlatformRepository::new(vec![], platform_overrides_map)?; - let mut combined: Vec<crate::repository::RepositoryInterfaceHandle> = vec![ - // TODO(phase-c): share this platform_repo as a handle instead of constructing a - // separate one; PlatformRepository is held by value here for the requirement below. - crate::repository::RepositoryInterfaceHandle::new::<PlatformRepository>(todo!( - "share platform_repo with PlatformRepository" - )), - ]; - for _repo in repos { - // TODO(phase-b): repos are borrowed from RepositoryManager; need to take ownership - combined.push(todo!("take ownership of repo from RepositoryManager")); + let platform_repo = + PlatformRepositoryHandle::new(PlatformRepository::new(vec![], platform_overrides_map)?); + let mut combined: Vec<crate::repository::RepositoryInterfaceHandle> = + vec![platform_repo.clone().into()]; + for repo in repos { + combined.push(repo.clone()); } *self.get_repos_mut() = Some(CompositeRepository::new(combined)); @@ -392,7 +388,9 @@ impl RequireCommand { .to_string(), true, ) { - input.set_option("dev", PhpMixed::Bool(true)); + // TODO(phase-b): set_option needs &mut dyn InputInterface, but execute holds + // input as &dyn. Commented out until input is threaded as &mut. + // input.set_option("dev", PhpMixed::Bool(true)); } } @@ -488,7 +486,9 @@ impl RequireCommand { return Ok(0); } - input.set_option("dev", PhpMixed::Bool(true)); + // TODO(phase-b): set_option needs &mut dyn InputInterface, but execute holds + // input as &dyn. Commented out until input is threaded as &mut. + // input.set_option("dev", PhpMixed::Bool(true)); let swap = require_key; require_key = remove_key; remove_key = swap; @@ -523,13 +523,18 @@ impl RequireCommand { } if !input.get_option("dry-run").as_bool().unwrap_or(false) { - self.update_file( - self.json.as_ref().unwrap(), - &requirements, - require_key, - remove_key, - sort_packages, - ); + // TODO(phase-b): update_file takes &mut self, but the json argument must be borrowed + // from self.json, producing an overlapping borrow of self. Commented out until JsonFile + // is shared (Rc<RefCell> / interior mutability) so it can be passed without holding a + // borrow of self. + // self.update_file( + // self.json.as_ref().unwrap(), + // &requirements, + // require_key, + // remove_key, + // sort_packages, + // ); + let _ = sort_packages; } let updated_msg = format!( diff --git a/crates/shirabe/src/command/update_command.rs b/crates/shirabe/src/command/update_command.rs index 82f98a1..7fcfa4d 100644 --- a/crates/shirabe/src/command/update_command.rs +++ b/crates/shirabe/src/command/update_command.rs @@ -496,8 +496,6 @@ impl UpdateCommand { io_interface::NORMAL, ); let mut autocompleter_values: IndexMap<String, String> = IndexMap::new(); - // TODO(phase-c): wire the non-locked branch through get_local_repository().get_packages() - // (returns Vec<BasePackageHandle>); only the locker branch is populated for now. let installed_packages: Vec<crate::package::PackageInterfaceHandle> = if composer_ref.get_locker().borrow_mut().is_locked() { CanonicalPackagesTrait::get_packages( @@ -508,12 +506,11 @@ impl UpdateCommand { .borrow(), ) } else { - let _ = composer_ref + composer_ref .get_repository_manager() .borrow() .get_local_repository() - .get_packages(); - Vec::new() + .get_packages() }; let mut version_selector = self.create_version_selector(composer)?; for package in &installed_packages { diff --git a/crates/shirabe/src/dependency_resolver/pool.rs b/crates/shirabe/src/dependency_resolver/pool.rs index ddb4df5..708930c 100644 --- a/crates/shirabe/src/dependency_resolver/pool.rs +++ b/crates/shirabe/src/dependency_resolver/pool.rs @@ -8,7 +8,7 @@ use shirabe_semver::compiling_matcher::CompilingMatcher; use shirabe_semver::constraint::AnyConstraint; use shirabe_semver::constraint::SimpleConstraint; -use crate::advisory::PartialSecurityAdvisory; +use crate::advisory::PartialOrFullSecurityAdvisory; use crate::package::BasePackage; use crate::package::BasePackageHandle; use crate::package::version::VersionParser; @@ -31,8 +31,8 @@ pub struct Pool { /// @var array<string, array<string, string>> Map of package object hash => removed normalized versions => removed pretty version pub(crate) removed_versions_by_package: IndexMap<String, IndexMap<String, String>>, /// @var array<string, array<string, array<SecurityAdvisory|PartialSecurityAdvisory>>> Map of package name => normalized version => security advisories - // TODO(phase-b): SecurityAdvisory|PartialSecurityAdvisory union — stored as PartialSecurityAdvisory base - security_removed_versions: IndexMap<String, IndexMap<String, Vec<PartialSecurityAdvisory>>>, + security_removed_versions: + IndexMap<String, IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>>, /// @var array<string, array<string, string>> Map of package name => normalized version => pretty version abandoned_removed_versions: IndexMap<String, IndexMap<String, String>>, } @@ -49,7 +49,10 @@ impl Pool { unacceptable_fixed_or_locked_packages: Vec<BasePackageHandle>, removed_versions: IndexMap<String, IndexMap<String, String>>, removed_versions_by_package: IndexMap<String, IndexMap<String, String>>, - security_removed_versions: IndexMap<String, IndexMap<String, Vec<PartialSecurityAdvisory>>>, + security_removed_versions: IndexMap< + String, + IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, + >, abandoned_removed_versions: IndexMap<String, IndexMap<String, String>>, ) -> Self { let mut this = Self { @@ -151,7 +154,7 @@ impl Pool { ) { return package_with_security_advisories .iter() - .map(|advisory| advisory.advisory_id.clone()) + .map(|advisory| advisory.advisory_id().to_string()) .collect(); } } @@ -186,7 +189,7 @@ impl Pool { /// @return array<string, array<string, array<SecurityAdvisory|PartialSecurityAdvisory>>> pub fn get_all_security_removed_package_versions( &self, - ) -> &IndexMap<String, IndexMap<String, Vec<PartialSecurityAdvisory>>> { + ) -> &IndexMap<String, IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>> { &self.security_removed_versions } diff --git a/crates/shirabe/src/dependency_resolver/pool_builder.rs b/crates/shirabe/src/dependency_resolver/pool_builder.rs index 18d2db4..1bbd51e 100644 --- a/crates/shirabe/src/dependency_resolver/pool_builder.rs +++ b/crates/shirabe/src/dependency_resolver/pool_builder.rs @@ -352,7 +352,7 @@ impl PoolBuilder { // filter vulnerable packages before optimizing the pool otherwise we may end up with inconsistent state where the optimizer took away versions // that were not vulnerable and now suddenly the vulnerable ones are removed and we are missing some versions to make it solvable - pool = self.run_security_advisory_filter(pool, &repositories, request); + pool = self.run_security_advisory_filter(pool, &repositories, request)?; pool = self.run_optimizer(request, pool); Intervals::clear(); @@ -1110,9 +1110,9 @@ impl PoolBuilder { pool: Pool, repositories: &Vec<RepositoryInterfaceHandle>, request: &Request, - ) -> Pool { + ) -> anyhow::Result<Pool> { if self.security_advisory_pool_filter.is_none() { - return pool; + return Ok(pool); } self.io.debug("Running security advisory pool filter.", &[]); @@ -1121,16 +1121,16 @@ impl PoolBuilder { let total = pool.get_packages().len() as f64; let repos_owned: Vec<RepositoryInterfaceHandle> = repositories.iter().cloned().collect(); - let pool = - self.security_advisory_pool_filter - .as_mut() - .unwrap() - .filter(pool, repos_owned, request); + let pool = self + .security_advisory_pool_filter + .as_mut() + .unwrap() + .filter(pool, repos_owned, request)?; let filtered = total - (pool.get_packages().len() as f64); if 0.0 == filtered { - return pool; + return Ok(pool); } self.io.write3( @@ -1154,6 +1154,6 @@ impl PoolBuilder { io_interface::VERY_VERBOSE, ); - pool + Ok(pool) } } diff --git a/crates/shirabe/src/dependency_resolver/pool_optimizer.rs b/crates/shirabe/src/dependency_resolver/pool_optimizer.rs index 18c8d01..7cba910 100644 --- a/crates/shirabe/src/dependency_resolver/pool_optimizer.rs +++ b/crates/shirabe/src/dependency_resolver/pool_optimizer.rs @@ -209,8 +209,7 @@ impl PoolOptimizer { pool.get_unacceptable_fixed_or_locked_packages().clone(), removed_versions, self.removed_versions_by_package.clone(), - // TODO(phase-b): PartialSecurityAdvisory is a PHP class (no Clone). Need shared ownership rework. - todo!("pool.get_all_security_removed_package_versions().clone()"), + pool.get_all_security_removed_package_versions().clone(), pool.get_all_abandoned_removed_package_versions().clone(), ) } diff --git a/crates/shirabe/src/dependency_resolver/rule_set_generator.rs b/crates/shirabe/src/dependency_resolver/rule_set_generator.rs index fece1e4..5979f63 100644 --- a/crates/shirabe/src/dependency_resolver/rule_set_generator.rs +++ b/crates/shirabe/src/dependency_resolver/rule_set_generator.rs @@ -309,9 +309,11 @@ impl RuleSetGenerator { for package in request.get_fixed_packages().values() { if package.get_id() == -1 { // fixed package was not added to the pool as it did not pass the stability requirements, this is fine - // TODO(phase-c): wire Pool::is_unacceptable_fixed_or_locked_package(package) here; - // the package handle and the pool's identity check are now both handle-based. - if todo!("is_unacceptable_fixed_or_locked_package with a request package handle") { + if self + .pool + .borrow() + .is_unacceptable_fixed_or_locked_package(package.clone()) + { continue; } diff --git a/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs b/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs index ec224b4..3136ce5 100644 --- a/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs +++ b/crates/shirabe/src/dependency_resolver/security_advisory_pool_filter.rs @@ -2,12 +2,14 @@ use crate::advisory::AuditConfig; use crate::advisory::Auditor; -use crate::advisory::PartialSecurityAdvisory; +use crate::advisory::PartialOrFullSecurityAdvisory; use crate::dependency_resolver::Pool; use crate::dependency_resolver::Request; use crate::package::BasePackageHandle; +use crate::repository::PlatformRepository; +use crate::repository::RepositoryInterfaceHandle; +use crate::repository::RepositorySet; use indexmap::IndexMap; -use shirabe_semver::constraint::AnyConstraint; use shirabe_semver::constraint::SimpleConstraint; #[derive(Debug)] @@ -27,37 +29,128 @@ impl SecurityAdvisoryPoolFilter { pub fn filter( &self, pool: Pool, - repositories: Vec<crate::repository::RepositoryInterfaceHandle>, + repositories: Vec<RepositoryInterfaceHandle>, request: &Request, - ) -> Pool { - // TODO(phase-c): port the filter() body. Blockers: - // * RepositorySet::new takes 6 args; ConfigSourceInterface refactor pending - // * pool.get_packages() yields BasePackageHandle; widen to PackageInterfaceHandle - // (via .into()) where the audit/repo APIs expect PackageInterface. - // * Pool::new requires owned Vecs; clone the handles out of the existing pool. - // * advisory map element type mismatch (PhpMixed vs PartialSecurityAdvisory). - let _ = ( - pool, - repositories, - request, - &self.auditor, - &self.audit_config, + ) -> anyhow::Result<Pool> { + if !self.audit_config.block_insecure { + return Ok(pool); + } + + let mut repo_set = RepositorySet::new( + "stable", + IndexMap::new(), + vec![], + IndexMap::new(), + IndexMap::new(), + IndexMap::new(), ); - todo!("port SecurityAdvisoryPoolFilter::filter") + for repo in repositories { + repo_set.add_repository(repo)?; + } + + let mut packages_for_advisories: Vec<BasePackageHandle> = vec![]; + for package in pool.get_packages() { + if package.as_root().is_none() + && !PlatformRepository::is_platform_package(&package.get_name()) + && !request.is_locked_package(package.clone()) + { + packages_for_advisories.push(package.clone()); + } + } + + let mut all_advisories = repo_set.get_matching_security_advisories( + packages_for_advisories.clone(), + true, + true, + )?; + if self.auditor.needs_complete_advisory_load( + &all_advisories.advisories, + &self.audit_config.ignore_list_for_blocking, + ) { + all_advisories = repo_set.get_matching_security_advisories( + packages_for_advisories.clone(), + false, + true, + )?; + } + + let advisory_map = self + .auditor + .process_advisories( + all_advisories.advisories, + &self.audit_config.ignore_list_for_blocking, + &self.audit_config.ignore_severity_for_blocking, + ) + .advisories; + + let mut packages: Vec<BasePackageHandle> = vec![]; + let mut security_removed_versions: IndexMap< + String, + IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, + > = IndexMap::new(); + let mut abandoned_removed_versions: IndexMap<String, IndexMap<String, String>> = + IndexMap::new(); + for package in pool.get_packages() { + if self.audit_config.block_abandoned + && self + .auditor + .filter_abandoned_packages( + &[package.clone()], + &self.audit_config.ignore_abandoned_for_blocking, + )? + .len() + != 0 + { + for package_name in package.get_names(false) { + abandoned_removed_versions + .entry(package_name) + .or_default() + .insert( + package.get_version().to_string(), + package.get_pretty_version().to_string(), + ); + } + continue; + } + + let matching_advisories = self.get_matching_advisories(package.clone(), &advisory_map); + if matching_advisories.len() > 0 { + for package_name in package.get_names(false) { + security_removed_versions + .entry(package_name) + .or_default() + .insert( + package.get_version().to_string(), + matching_advisories.clone(), + ); + } + + continue; + } + + packages.push(package.clone()); + } + + Ok(Pool::new( + packages, + pool.get_unacceptable_fixed_or_locked_packages().clone(), + pool.get_all_removed_versions().clone(), + pool.get_all_removed_versions_by_package().clone(), + security_removed_versions, + abandoned_removed_versions, + )) } - /// @param array<string, array<PartialSecurityAdvisory|SecurityAdvisory>> $advisoryMap - /// @return list<PartialSecurityAdvisory|SecurityAdvisory> fn get_matching_advisories( &self, package: BasePackageHandle, - advisory_map: &IndexMap<String, Vec<PartialSecurityAdvisory>>, - ) -> Vec<PartialSecurityAdvisory> { + advisory_map: &IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, + ) -> Vec<PartialOrFullSecurityAdvisory> { if package.is_dev() { return vec![]; } - let mut matching_advisories: Vec<PartialSecurityAdvisory> = vec![]; + let mut matching_advisories: Vec<PartialOrFullSecurityAdvisory> = vec![]; for package_name in package.get_names(false) { if !advisory_map.contains_key(&package_name) { continue; @@ -67,10 +160,8 @@ impl SecurityAdvisoryPoolFilter { SimpleConstraint::new("==".to_string(), package.get_version().to_string(), None) .into(); for advisory in &advisory_map[&package_name] { - // advisory is PartialSecurityAdvisory or SecurityAdvisory; both have affected_versions: Box<dyn ConstraintInterface> - if advisory.affected_versions.matches(&package_constraint) { - // TODO(phase-b): PartialSecurityAdvisory is not Clone; replace with Rc when sharing is needed - matching_advisories.push(todo!("clone PartialSecurityAdvisory")); + if advisory.affected_versions().matches(&package_constraint) { + matching_advisories.push(advisory.clone()); } } } diff --git a/crates/shirabe/src/repository/advisory_provider_interface.rs b/crates/shirabe/src/repository/advisory_provider_interface.rs index 0de9c42..4b93eca 100644 --- a/crates/shirabe/src/repository/advisory_provider_interface.rs +++ b/crates/shirabe/src/repository/advisory_provider_interface.rs @@ -1,29 +1,13 @@ //! ref: composer/src/Composer/Repository/AdvisoryProviderInterface.php -use crate::advisory::PartialSecurityAdvisory; -use crate::advisory::SecurityAdvisory; +use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory, SecurityAdvisory}; use indexmap::IndexMap; use shirabe_semver::constraint::AnyConstraint; #[derive(Debug)] -pub enum PartialOrSecurityAdvisory { - Partial(PartialSecurityAdvisory), - Full(SecurityAdvisory), -} - -impl PartialOrSecurityAdvisory { - pub fn advisory_id(&self) -> &str { - match self { - PartialOrSecurityAdvisory::Partial(p) => &p.advisory_id, - PartialOrSecurityAdvisory::Full(s) => s.advisory_id(), - } - } -} - -#[derive(Debug)] pub struct SecurityAdvisoryResult { pub names_found: Vec<String>, - pub advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + pub advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, } pub trait AdvisoryProviderInterface { diff --git a/crates/shirabe/src/repository/composer_repository.rs b/crates/shirabe/src/repository/composer_repository.rs index d39fd82..1f2fcbf 100644 --- a/crates/shirabe/src/repository/composer_repository.rs +++ b/crates/shirabe/src/repository/composer_repository.rs @@ -15,7 +15,7 @@ use shirabe_semver::constraint::AnyConstraint; use shirabe_semver::constraint::MatchAllConstraint; use shirabe_semver::constraint::SimpleConstraint; -use crate::advisory::PartialSecurityAdvisory; +use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory}; use crate::cache::Cache; use crate::config::Config; use crate::downloader::TransportException; @@ -41,7 +41,7 @@ use crate::repository::RepositoryInterface; use crate::repository::RepositoryInterfaceHandle; use crate::repository::RepositoryInterfaceWeakHandle; use crate::repository::RepositorySecurityException; -use crate::repository::{PartialOrSecurityAdvisory, SecurityAdvisoryResult}; +use crate::repository::SecurityAdvisoryResult; use crate::repository::{SEARCH_FULLTEXT, SEARCH_VENDOR}; use crate::util::HttpDownloader; use crate::util::Url; @@ -1038,7 +1038,7 @@ impl ComposerRepository { }); } - let mut advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new(); + let mut advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new(); let mut names_found: IndexMap<String, bool> = IndexMap::new(); let api_url = self @@ -1062,9 +1062,9 @@ impl ComposerRepository { let create = |data: &IndexMap<String, PhpMixed>, name: &str, package_constraint_map: &IndexMap<String, AnyConstraint>| - -> anyhow::Result<Option<PartialOrSecurityAdvisory>> { + -> anyhow::Result<Option<PartialOrFullSecurityAdvisory>> { let advisory = PartialSecurityAdvisory::create(name, data, &semver_parser)?; - let is_full = matches!(advisory, PartialOrSecurityAdvisory::Full(_)); + let is_full = matches!(advisory, PartialOrFullSecurityAdvisory::Full(_)); if !allow_partial_advisories && !is_full { let data_mixed = PhpMixed::Array( data.iter() @@ -1084,8 +1084,8 @@ impl ComposerRepository { .into()); } let affected_versions: &AnyConstraint = match &advisory { - PartialOrSecurityAdvisory::Partial(p) => &p.affected_versions, - PartialOrSecurityAdvisory::Full(p) => p.affected_versions(), + PartialOrFullSecurityAdvisory::Partial(p) => &p.affected_versions, + PartialOrFullSecurityAdvisory::Full(p) => p.affected_versions(), }; let constraint = package_constraint_map.get(name); if let Some(c) = constraint { @@ -1138,7 +1138,7 @@ impl ComposerRepository { names_found.insert(name.clone(), true); if !sec_advs_arr.is_empty() { - let mut entries: Vec<PartialOrSecurityAdvisory> = Vec::new(); + let mut entries: Vec<PartialOrFullSecurityAdvisory> = Vec::new(); for (_k, data_mixed) in sec_advs_arr.iter() { if let Some(data) = data_mixed.as_array() { let data_map: IndexMap<String, PhpMixed> = data @@ -1229,7 +1229,7 @@ impl ComposerRepository { None => continue, }; if !list.is_empty() { - let mut entries: Vec<PartialOrSecurityAdvisory> = Vec::new(); + let mut entries: Vec<PartialOrFullSecurityAdvisory> = Vec::new(); for data_mixed in list.iter() { if let Some(data) = data_mixed.as_array() { let data_map: IndexMap<String, PhpMixed> = data @@ -1249,7 +1249,7 @@ impl ComposerRepository { } } - let advisories_filtered: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = advisories + let advisories_filtered: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = advisories .into_iter() .filter(|(_, adv)| !adv.is_empty()) .collect(); diff --git a/crates/shirabe/src/repository/handle.rs b/crates/shirabe/src/repository/handle.rs index a4225f7..38a4f28 100644 --- a/crates/shirabe/src/repository/handle.rs +++ b/crates/shirabe/src/repository/handle.rs @@ -11,7 +11,8 @@ use crate::package::BasePackageHandle; use crate::package::PackageInterfaceHandle; use crate::repository::{ FindPackageConstraint, InstalledRepositoryInterface, LoadPackagesResult, LockArrayRepository, - ProviderInfo, RepositoryInterface, SearchResult, WritableRepositoryInterface, + PlatformRepository, ProviderInfo, RepositoryInterface, SearchResult, + WritableRepositoryInterface, }; /// Shared reference to a repository. Corresponds to PHP `RepositoryInterface`. @@ -173,8 +174,7 @@ impl std::hash::Hash for RepositoryInterfaceHandle { } } -/// Typed shared handle over `LockArrayRepository`. Preserves the PHP `?LockArrayRepository` -/// typing where a `RepositoryInterfaceHandle` would be too wide. +/// Typed shared handle over `LockArrayRepository`. #[derive(Debug, Clone)] pub struct LockArrayRepositoryHandle(Rc<RefCell<LockArrayRepository>>); @@ -231,3 +231,61 @@ impl std::hash::Hash for LockArrayRepositoryHandle { self.ptr_id().hash(state); } } + +/// Typed shared handle over `PlatformRepository`. +#[derive(Debug, Clone)] +pub struct PlatformRepositoryHandle(Rc<RefCell<PlatformRepository>>); + +impl PlatformRepositoryHandle { + pub fn new(repository: PlatformRepository) -> Self { + let rc: Rc<RefCell<PlatformRepository>> = Rc::new(RefCell::new(repository)); + let rc_dyn: Rc<RefCell<dyn RepositoryInterface>> = rc.clone(); + rc.borrow().set_self_handle(Rc::downgrade(&rc_dyn)); + Self(rc) + } + + pub fn from_rc(rc: Rc<RefCell<PlatformRepository>>) -> Self { + Self(rc) + } + + pub fn as_rc(&self) -> &Rc<RefCell<PlatformRepository>> { + &self.0 + } + + pub fn borrow(&self) -> Ref<'_, PlatformRepository> { + self.0.borrow() + } + + pub fn borrow_mut(&self) -> RefMut<'_, PlatformRepository> { + self.0.borrow_mut() + } + + pub fn ptr_eq(&self, other: &Self) -> bool { + Rc::ptr_eq(&self.0, &other.0) + } + + pub fn ptr_id(&self) -> usize { + Rc::as_ptr(&self.0) as *const () as usize + } +} + +impl From<PlatformRepositoryHandle> for RepositoryInterfaceHandle { + fn from(h: PlatformRepositoryHandle) -> Self { + let rc: Rc<RefCell<dyn RepositoryInterface>> = h.0; + RepositoryInterfaceHandle::from_rc(rc) + } +} + +impl PartialEq for PlatformRepositoryHandle { + fn eq(&self, other: &Self) -> bool { + Rc::ptr_eq(&self.0, &other.0) + } +} + +impl Eq for PlatformRepositoryHandle {} + +impl std::hash::Hash for PlatformRepositoryHandle { + fn hash<H: std::hash::Hasher>(&self, state: &mut H) { + self.ptr_id().hash(state); + } +} diff --git a/crates/shirabe/src/repository/package_repository.rs b/crates/shirabe/src/repository/package_repository.rs index b88de78..b5280a8 100644 --- a/crates/shirabe/src/repository/package_repository.rs +++ b/crates/shirabe/src/repository/package_repository.rs @@ -1,15 +1,13 @@ //! ref: composer/src/Composer/Repository/PackageRepository.php -use crate::advisory::PartialSecurityAdvisory; use crate::advisory::SecurityAdvisory; +use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory}; use crate::package::loader::ArrayLoader; use crate::package::loader::ValidatingArrayLoader; use crate::package::version::VersionParser; use crate::repository::ArrayRepository; use crate::repository::InvalidRepositoryException; -use crate::repository::{ - AdvisoryProviderInterface, PartialOrSecurityAdvisory, SecurityAdvisoryResult, -}; +use crate::repository::{AdvisoryProviderInterface, SecurityAdvisoryResult}; use indexmap::IndexMap; use shirabe_external_packages::composer::pcre::Preg; use shirabe_php_shim::{Exception, PhpMixed, RuntimeException, var_export}; @@ -97,7 +95,7 @@ impl AdvisoryProviderInterface for PackageRepository { let semver_parser = shirabe_semver::version_parser::VersionParser; let _ = parser; - let mut advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = IndexMap::new(); + let mut advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = IndexMap::new(); for (package_name, package_advisories) in &self.security_advisories { if !package_constraint_map.contains_key(package_name.as_str()) { continue; @@ -106,7 +104,7 @@ impl AdvisoryProviderInterface for PackageRepository { PhpMixed::List(list) => list, _ => continue, }; - let mut items: Vec<PartialOrSecurityAdvisory> = Vec::new(); + let mut items: Vec<PartialOrFullSecurityAdvisory> = Vec::new(); for data in list { let data_map: IndexMap<String, PhpMixed> = match data.as_ref() { PhpMixed::Array(m) => m.iter().map(|(k, v)| (k.clone(), *v.clone())).collect(), @@ -121,7 +119,7 @@ impl AdvisoryProviderInterface for PackageRepository { Err(_) => continue, }; if !allow_partial_advisories - && matches!(advisory, PartialOrSecurityAdvisory::Partial(_)) + && matches!(advisory, PartialOrFullSecurityAdvisory::Partial(_)) { return Err(anyhow::anyhow!(RuntimeException { message: format!( @@ -141,7 +139,7 @@ impl AdvisoryProviderInterface for PackageRepository { } let names_found: Vec<String> = advisories.keys().cloned().collect(); - let advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>> = advisories + let advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>> = advisories .into_iter() .filter(|(_, adv)| !adv.is_empty()) .collect(); diff --git a/crates/shirabe/src/repository/repository_set.rs b/crates/shirabe/src/repository/repository_set.rs index 843af80..ac904fc 100644 --- a/crates/shirabe/src/repository/repository_set.rs +++ b/crates/shirabe/src/repository/repository_set.rs @@ -13,8 +13,7 @@ use shirabe_semver::constraint::MatchAllConstraint; use shirabe_semver::constraint::MultiConstraint; use shirabe_semver::constraint::SimpleConstraint; -use crate::advisory::PartialSecurityAdvisory; -use crate::advisory::SecurityAdvisory; +use crate::advisory::{PartialOrFullSecurityAdvisory, PartialSecurityAdvisory, SecurityAdvisory}; use crate::dependency_resolver::Pool; use crate::dependency_resolver::PoolBuilder; use crate::dependency_resolver::PoolOptimizer; @@ -29,12 +28,12 @@ use crate::package::BasePackageHandle; use crate::package::CompleteAliasPackageHandle; use crate::package::PackageInterfaceHandle; use crate::package::version::StabilityFilter; +use crate::repository::AdvisoryProviderInterface; use crate::repository::CompositeRepository; use crate::repository::InstalledRepository; use crate::repository::InstalledRepositoryInterface; use crate::repository::LockArrayRepositoryHandle; use crate::repository::PlatformRepository; -use crate::repository::{AdvisoryProviderInterface, PartialOrSecurityAdvisory}; use crate::repository::{FindPackageConstraint, RepositoryInterface, RepositoryInterfaceHandle}; #[derive(Debug, Clone)] @@ -372,8 +371,8 @@ impl RepositorySet { allow_partial_advisories: bool, ignore_unreachable: bool, unreachable_repos: &mut Vec<String>, - ) -> Result<IndexMap<String, Vec<PartialOrSecurityAdvisory>>> { - let mut repo_advisories: Vec<IndexMap<String, Vec<PartialOrSecurityAdvisory>>> = vec![]; + ) -> Result<IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>> { + let mut repo_advisories: Vec<IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>> = vec![]; for repository in &self.repositories { // TODO(phase-b): use anyhow::Result<Result<T, E>> to model PHP try/catch let attempt: Result<()> = (|| -> Result<()> { @@ -646,6 +645,6 @@ impl RepositorySet { #[derive(Debug)] pub struct SecurityAdvisoriesResult { - pub advisories: IndexMap<String, Vec<PartialOrSecurityAdvisory>>, + pub advisories: IndexMap<String, Vec<PartialOrFullSecurityAdvisory>>, pub unreachable_repos: Vec<String>, } |