
Added php lockfile parser #310

Open

insaaniManav wants to merge 4 commits into main from feat/php-lockfile-support

Conversation

@insaaniManav
Contributor

Fixes #257

EcosystemTerraform = "Terraform"
EcosystemTerraformModule = "TerraformModule"
EcosystemTerraformProvider = "TerraformProvider"
EcosystemPHPComposer = "Composer"
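Review bot: the constant value "Composer" on the last line does not match the name OSV uses for this ecosystem, which is "Packagist" (https://osv.dev/list?ecosystem=Packagist); an ecosystem string that OSV does not recognise will return no advisories for Composer packages, so scans would report nothing rather than fail loudly. Use "Packagist" as the value, and consider naming the constant after it so the mapping is obvious at the call sites.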
Member

The Ecosystem for PHP Composer is actually called Packagist
https://osv.dev/list?ecosystem=Packagist

"github.com/safedep/vet/pkg/models"
)

type ComposerJSON struct {
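Review bot: `ComposerJSON` is declared without a doc comment saying which composer.json fields it models or which version of the Composer schema it follows; please add the reference to the official specification above the type. Note also that, as the discussion below points out, composer.json `require` entries are version constraints rather than pinned versions, so whatever this struct captures cannot be handed to a vulnerability lookup as exact versions without a resolution step (composer.lock is the file that carries pinned versions).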
Member

Can you add a comment with a reference to the Composer JSON specification from an official source? We need to see if we need any other information like dependency relationships for building a dependency graph.

case customParserTerraform:
return models.EcosystemTerraform
case customParserComposer:
return models.EcosystemPHPComposer
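Review bot: the new `customParserComposer` case returns `models.EcosystemPHPComposer`, whose value is "Composer"; OSV's ecosystem name is "Packagist", so this mapping should return the Packagist ecosystem instead, otherwise the parser's output is keyed on a name the vulnerability data source does not use.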
Member

It should be the Packagist ecosystem

models.EcosystemSpdxSBOM: true,
models.EcosystemGitHubActions: true,
models.EcosystemTerraform: true,
models.EcosystemPHPComposer: true,
Member

This is not required. We should just use the Packagist ecosystem

@abhisek
Member

abhisek commented Jan 17, 2025

@insaaniManav As I read more about Composer, I see there are two files

  • composer.json
  • composer.lock

This is similar to npm, where .json is used to describe dependencies and .lock to lock them to a specific version. It seems like we already support composer.lock due to our dependency on the osv-scanner lockfile package, which supports it. However, we do not support composer.json because of the complexity that it does not contain exact versions of a dependency but version constraints / ranges. In such a case we need to find a way to choose a suitable version for scanning within the version range.

I think we should spend some time reading about Composer and decide on how to handle it.

@abhisek abhisek self-requested a review January 17, 2025 07:08
@insaaniManav
Contributor Author

According to my research, we have 2 choices:

  • Best-effort resolution:
    • Use the latest available version that satisfies the range (could lead to false negatives).
    • Use the oldest version (could lead to more vulnerabilities being flagged).
    • Allow users to choose a resolution strategy (latest, oldest, median).
  • Force the user to run composer install before scanning:
    • This would generate a composer.lock, ensuring accurate versions.
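
As an added example (not code from this PR or from vet), here is how the composer.json side discussed above could be split into requirements that can be scanned directly and constraints that still need one of the resolution strategies listed; it assumes a hypothetical `Package` type, uses the OSV ecosystem name "Packagist" from the review comments, and leaves composer.lock to the existing osv-scanner lockfile support mentioned earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Package is one dependency ready for a vulnerability lookup (hypothetical
// type for this example; "Packagist" is the ecosystem name OSV uses).
type Package struct{ Ecosystem, Name, Version string }

// composerJSON is the subset of composer.json read here. Values are version
// constraints such as "^2.9" or ">=1.0 <2.0", not pinned versions.
type composerJSON struct {
	Require    map[string]string `json:"require"`
	RequireDev map[string]string `json:"require-dev"`
}

// exactVersion accepts only a plain pin like "1.2.3" or "v1.2.3"; anything
// else (^, ~, *, ranges, dev-*) is reported as needing resolution.
var exactVersion = regexp.MustCompile(`^v?\d+(\.\d+){0,3}$`)

// ParseComposerJSON splits require and require-dev into packages that can be
// scanned as-is and constraints that still need a resolution strategy.
// Platform requirements ("php", "ext-json") lack a "vendor/" prefix and are skipped.
func ParseComposerJSON(data []byte) ([]Package, map[string]string, error) {
	var cj composerJSON
	if err := json.Unmarshal(data, &cj); err != nil {
		return nil, nil, fmt.Errorf("composer.json: %w", err)
	}
	var pinned []Package
	unresolved := map[string]string{}
	for _, reqs := range []map[string]string{cj.Require, cj.RequireDev} {
		for name, c := range reqs {
			switch {
			case !strings.Contains(name, "/"): // platform package, skip
			case exactVersion.MatchString(c):
				pinned = append(pinned, Package{"Packagist", name, c})
			default:
				unresolved[name] = c
			}
		}
	}
	return pinned, unresolved, nil
}

// sampleComposerJSON is a constructed input, not taken from any real project.
const sampleComposerJSON = `{"require": {"php": "^8.1", "monolog/monolog": "^2.9", "symfony/yaml": "6.3.0"},
 "require-dev": {"phpunit/phpunit": "~9.6"}}`
```

Only the `symfony/yaml` pin comes out as scannable; the two caret/tilde constraints are returned separately so the caller can apply whichever strategy (latest, oldest, user-chosen) is decided on.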

Development

Successfully merging this pull request may close these issues.

Support PHP Composer as a Lockfile Format