//! ref: composer/src/Composer/Command/AuditCommand.php

use anyhow::Result;
use shirabe_external_packages::symfony::console::input::input_interface::InputInterface;
use shirabe_external_packages::symfony::console::output::output_interface::OutputInterface;
use shirabe_php_shim::{array_fill_keys, array_merge, implode, in_array, InvalidArgumentException, PhpMixed, UnexpectedValueException};
use crate::advisory::audit_config::AuditConfig;
use crate::advisory::auditor::Auditor;
use crate::command::base_command::BaseCommand;
use crate::composer::Composer;
use crate::console::input::input_option::InputOption;
use crate::package::package_interface::PackageInterface;
use crate::repository::installed_repository::InstalledRepository;
use crate::repository::repository_set::RepositorySet;
use crate::repository::repository_utils::RepositoryUtils;

/// `composer audit`: reports known security advisories for the installed
/// (or, with `--locked`, the locked) package set.
///
/// Wraps [`BaseCommand`], which supplies the metadata setters used in
/// [`AuditCommand::configure`], the composer instance and the IO handle used in
/// [`AuditCommand::execute`], and the `--format` resolution helper.
#[derive(Debug)]
pub struct AuditCommand {
    // Shared command plumbing (name/description/definition, composer lookup, IO).
    inner: BaseCommand,
}

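impl AuditCommand {
    /// Registers the `audit` command: name, description, options and help text.
    ///
    /// Mirrors Composer's `AuditCommand::configure()`. The trailing value list
    /// handed to [`InputOption::new`] for `format`, `abandoned` and
    /// `ignore-severity` is presumably a completion hint (as in Symfony's
    /// `InputOption`) — it is not enforced by the option itself. Of these,
    /// `--format` is resolved through `BaseCommand::get_audit_format`,
    /// `--abandoned` is checked against [`Auditor::ABANDONEDS`] in
    /// [`AuditCommand::execute`], and `--ignore-severity` values are forwarded
    /// to the auditor without a check in this command.
    pub fn configure(&mut self) {
        self.inner
            .set_name("audit")
            .set_description("Checks for security vulnerability advisories for installed packages")
            .set_definition(vec![
                InputOption::new("no-dev", None, Some(InputOption::VALUE_NONE), "Disables auditing of require-dev packages.", None, vec![]),
                InputOption::new("format", Some(PhpMixed::String("f".to_string())), Some(InputOption::VALUE_REQUIRED), "Output format. Must be \"table\", \"plain\", \"json\", or \"summary\".", Some(PhpMixed::String(Auditor::FORMAT_TABLE.to_string())), Auditor::FORMATS.iter().map(|s| s.to_string()).collect()),
                InputOption::new("locked", None, Some(InputOption::VALUE_NONE), "Audit based on the lock file instead of the installed packages.", None, vec![]),
                InputOption::new("abandoned", None, Some(InputOption::VALUE_REQUIRED), "Behavior on abandoned packages. Must be \"ignore\", \"report\", or \"fail\".", None, Auditor::ABANDONEDS.iter().map(|s| s.to_string()).collect()),
                InputOption::new("ignore-severity", None, Some(InputOption::VALUE_IS_ARRAY | InputOption::VALUE_REQUIRED), "Ignore advisories of a certain severity level.", Some(PhpMixed::Array(indexmap::IndexMap::new())), vec!["low".to_string(), "medium".to_string(), "high".to_string(), "critical".to_string()]),
                InputOption::new("ignore-unreachable", None, Some(InputOption::VALUE_NONE), "Ignore repositories that are unreachable or return a non-200 status code.", None, vec![]),
            ])
            .set_help(
                "The <info>audit</info> command checks for security vulnerability advisories for installed packages.\n\n\
                If you do not want to include dev dependencies in the audit you can omit them with --no-dev\n\n\
                If you want to ignore repositories that are unreachable or return a non-200 status code, use --ignore-unreachable\n\n\
                Read more at https://getcomposer.org/doc/03-cli.md#audit"
            );
    }

    /// Runs the audit and returns the process exit code (`0..=255`).
    ///
    /// Collects the packages via [`AuditCommand::get_packages`], registers every
    /// configured repository in a [`RepositorySet`], merges the CLI options with
    /// the audit section of the configuration ([`AuditConfig`]) and delegates to
    /// [`Auditor::audit`]. Returns `0` without auditing when there are no
    /// packages. `_output` is accepted for interface compatibility only; all
    /// output goes through the command's IO object.
    ///
    /// # Errors
    ///
    /// * [`InvalidArgumentException`] when `--abandoned` is given but is not one
    ///   of [`Auditor::ABANDONEDS`].
    /// * Any error from loading the composer instance, resolving the packages,
    ///   reading the audit configuration, or the auditor itself.
    pub fn execute(&mut self, input: &dyn InputInterface, _output: &dyn OutputInterface) -> Result<i64> {
        let composer = self.inner.require_composer()?;
        let packages = self.get_packages(&composer, input)?;

        if packages.is_empty() {
            self.inner.get_io().write_error("No packages - skipping audit.");
            return Ok(0);
        }

        let auditor = Auditor::new();
        let mut repo_set = RepositorySet::new();
        for repo in composer.get_repository_manager().get_repositories() {
            repo_set.add_repository(repo);
        }

        let audit_config = AuditConfig::from_config(composer.get_config())?;

        // The CLI value wins over the configured default, but only if it names a
        // known mode; anything else is rejected rather than passed through.
        let abandoned = match input.get_option("abandoned").as_string_opt().map(|s| s.to_string()) {
            Some(value) if !in_array(PhpMixed::String(value.clone()), &PhpMixed::from(Auditor::ABANDONEDS.to_vec()), true) => {
                return Err(InvalidArgumentException {
                    message: format!("--abandoned must be one of {}.", implode(", ", &Auditor::ABANDONEDS.iter().map(|s| s.to_string()).collect::<Vec<_>>())),
                    code: 0,
                }.into());
            }
            Some(value) => value,
            None => audit_config.audit_abandoned.clone(),
        };

        // Severities to ignore: the CLI values (turned into keys) merged with the
        // configured ones.
        // NOTE(review): unlike --abandoned, these strings are not checked against
        // the option's value list here, so a misspelled level is forwarded as-is;
        // confirm that Auditor rejects unknown levels instead of silently
        // ignoring nothing (or everything).
        let ignore_severities = array_merge(
            array_fill_keys(input.get_option("ignore-severity"), PhpMixed::Null),
            PhpMixed::from(audit_config.ignore_severity_for_audit.clone()),
        );
        // Enabled by either the flag or the configuration. Per the option's
        // description, advisories from a repository that is unreachable or
        // answers non-200 are then presumably skipped rather than failing the
        // run, so a passing audit may rest on incomplete data.
        let ignore_unreachable = input.get_option("ignore-unreachable").as_bool().unwrap_or(false) || audit_config.ignore_unreachable;

        // Clamp to the exit-status range: the auditor's result becomes the
        // process exit code.
        Ok(auditor.audit(
            self.inner.get_io(),
            &repo_set,
            &packages,
            &self.inner.get_audit_format(input, "format"),
            false,
            &audit_config.ignore_list_for_audit,
            &abandoned,
            &ignore_severities,
            ignore_unreachable,
            &audit_config.ignore_abandoned_for_audit,
        )?.min(255))
    }

    /// Selects the packages to audit.
    ///
    /// With `--locked` the packages come from the lock file; otherwise they come
    /// from the local installed repository. In both cases `--no-dev` narrows the
    /// set: the lock file is read without dev requirements, and the installed
    /// set is filtered by [`RepositoryUtils::filter_required_packages`] against
    /// the root package (presumably dropping packages only required through
    /// `require-dev`).
    ///
    /// # Errors
    ///
    /// * [`UnexpectedValueException`] when `--locked` is given but the project
    ///   has no usable lock file.
    /// * Any error from reading the locked repository.
    fn get_packages(&self, composer: &Composer, input: &dyn InputInterface) -> Result<Vec<Box<dyn PackageInterface>>> {
        let no_dev = input.get_option("no-dev").as_bool().unwrap_or(false);

        if input.get_option("locked").as_bool().unwrap_or(false) {
            let locker = composer.get_locker();
            if !locker.is_locked() {
                return Err(UnexpectedValueException {
                    message: "Valid composer.json and composer.lock files are required to run this command with --locked".to_string(),
                    code: 0,
                }.into());
            }
            // The argument is whether dev requirements are included, i.e. the
            // negation of --no-dev.
            return Ok(locker.get_locked_repository(!no_dev)?.get_packages());
        }

        let installed_repo = InstalledRepository::new(vec![composer.get_repository_manager().get_local_repository()]);
        let installed = installed_repo.get_packages();

        if no_dev {
            return Ok(RepositoryUtils::filter_required_packages(installed, composer.get_package()));
        }

        Ok(installed)
    }
}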