Skip to content

Commit

Permalink
Merge pull request #1122 from joestewart/feature/security-checker-com…
Browse files Browse the repository at this point in the history 
…poseraudit

Add security-checker using Composer Audit
  • Loading branch information
@veewee
veewee authored Feb 5, 2024
2 parents f766a16 + 090365b commit 92791cc
Show file tree
Hide file tree
Showing 6 changed files with 297 additions and 2 deletions.
6 changes: 4 additions & 2 deletions doc/tasks.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ grumphp:
psalm: ~
rector: ~
robo: ~
securitychecker_composeraudit: ~
securitychecker_enlightn: ~
securitychecker_local: ~
securitychecker_roave: ~
Expand Down Expand Up @@ -119,6 +120,7 @@ Every task has its own default configuration. It is possible to overwrite the pa
- [Rector](tasks/rector.md)
- [Robo](tasks/robo.md)
- [Security Checker](tasks/securitychecker.md)
- [Composer Audit](tasks/securitychecker/composeraudit.md)
- [Enlightn](tasks/securitychecker/enlightn.md)
- [Local](tasks/securitychecker/local.md)
- [Roave](tasks/securitychecker/roave.md)
Expand Down Expand Up @@ -205,7 +207,7 @@ interface TaskInterface
}
```

* `getConfigurableOptions`: This method has to return all configurable options for the task.
* `getConfigurableOptions`: This method has to return all configurable options for the task.
* `canRunInContext`: Tells GrumPHP if it can run in `pre-commit`, `commit-msg` or `run` context.
* `run`: Executes the task and returns a result
* `getConfig`: Provides the resolved configuration for the task or an empty config for newly instantiated tasks.
Expand Down Expand Up @@ -260,7 +262,7 @@ For a more detailed view on how to use these classes, you can scroll through our

In some cases you might want to run the same task but with different configuration.
Good news: This is perfectly possible!
You can use any name you want for the task, as long as you configure an existing task in the metadata section.
You can use any name you want for the task, as long as you configure an existing task in the metadata section.
Configuration of the additional task will look like this:

```yaml
Expand Down
1 change: 1 addition & 0 deletions doc/tasks/securitychecker.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ The SensioLabs Security Checker API is abandoned

You can use one of following tasks as a replacement:

- [securitychecker_composeraudit](securitychecker/composeraudit.md)
- [securitychecker_enlightn](securitychecker/enlightn.md)
- [securitychecker_local](securitychecker/local.md)
- [securitychecker_roave](securitychecker/roave.md)
Expand Down
49 changes: 49 additions & 0 deletions doc/tasks/securitychecker/composeraudit.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
# Composer Audit Security Checker

The Security Checker will check your `composer.lock` file for known security vulnerabilities.

***Config***

The task lives under the `securitychecker_composeraudit` namespace and has the following configurable parameters:

```yaml
# grumphp.yml
grumphp:
tasks:
securitychecker_composeraudit:
format: null
locked: true
no_dev: false
run_always: false
working_dir: null
```
**format**
*Default: null*
You can choose the format of the output. The available options are `table`, `plain`, `json` and `summary`. By default, grumphp will use the format `table`.

**locked**

*Default: true*

Audit packages from the lock file, regardless of what is currently in vendor dir.

**no_dev**

*Default: false*

When this option is set to `true`, the task will skip packages under `require-dev`.

**run_always**

*Default: false*

When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.

**working_dir**

*Default: null

If your `composer.lock` file is located in an exotic location, you can specify the location with this option. By default, the task will try to load a `composer.lock` file in the current directory.
7 changes: 7 additions & 0 deletions resources/config/tasks.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -336,6 +336,13 @@ services:
tags:
- {name: grumphp.task, task: securitychecker}

GrumPHP\Task\SecurityCheckerComposeraudit:
arguments:
- '@process_builder'
- '@formatter.raw_process'
tags:
- {name: grumphp.task, task: securitychecker_composeraudit}

GrumPHP\Task\SecurityCheckerEnlightn:
arguments:
- '@process_builder'
Expand Down
72 changes: 72 additions & 0 deletions src/Task/SecurityCheckerComposeraudit.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
<?php

declare(strict_types=1);

namespace GrumPHP\Task;

use GrumPHP\Formatter\ProcessFormatterInterface;
use GrumPHP\Runner\TaskResult;
use GrumPHP\Runner\TaskResultInterface;
use GrumPHP\Task\Config\ConfigOptionsResolver;
use GrumPHP\Task\Context\ContextInterface;
use GrumPHP\Task\Context\GitPreCommitContext;
use GrumPHP\Task\Context\RunContext;
use Symfony\Component\OptionsResolver\OptionsResolver;

/**
* @extends AbstractExternalTask<ProcessFormatterInterface>
*/
class SecurityCheckerComposeraudit extends AbstractExternalTask
{
public static function getConfigurableOptions(): ConfigOptionsResolver
{
$resolver = new OptionsResolver();
$resolver->setDefaults([
'format' => null,
'locked' => true,
'no_dev' => false,
'run_always' => false,
'working_dir' => null,
]);

$resolver->addAllowedTypes('format', ['null', 'string']);
$resolver->addAllowedTypes('locked', ['bool']);
$resolver->addAllowedTypes('no_dev', ['bool']);
$resolver->addAllowedTypes('run_always', ['bool']);
$resolver->addAllowedTypes('working_dir', ['null', 'string']);

return ConfigOptionsResolver::fromOptionsResolver($resolver);
}

public function canRunInContext(ContextInterface $context): bool
{
return $context instanceof GitPreCommitContext || $context instanceof RunContext;
}

public function run(ContextInterface $context): TaskResultInterface
{
$config = $this->getConfig()->getOptions();
$files = $context->getFiles()
->path(pathinfo("composer.lock", PATHINFO_DIRNAME))
->name(pathinfo("composer.lock", PATHINFO_BASENAME));
if (0 === \count($files) && !$config['run_always']) {
return TaskResult::createSkipped($this, $context);
}

$arguments = $this->processBuilder->createArgumentsForCommand('composer');
$arguments->add('audit');
$arguments->addOptionalArgument('--format=%s', $config['format']);
$arguments->addOptionalArgument('--locked', $config['locked']);
$arguments->addOptionalArgument('--no-dev', $config['no_dev']);
$arguments->addOptionalArgument('--working-dir=%s', $config['working_dir']);

$process = $this->processBuilder->buildProcess($arguments);
$process->run();

if (!$process->isSuccessful()) {
return TaskResult::createFailed($this, $context, $this->formatter->format($process));
}

return TaskResult::createPassed($this, $context);
}
}
164 changes: 164 additions & 0 deletions test/Unit/Task/SecurityCheckerComposerauditTest.php
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,164 @@
<?php

declare(strict_types=1);

namespace GrumPHPTest\Unit\Task;

use GrumPHP\Task\Context\GitPreCommitContext;
use GrumPHP\Task\Context\RunContext;
use GrumPHP\Task\SecurityCheckerComposeraudit;
use GrumPHP\Task\TaskInterface;
use GrumPHP\Test\Task\AbstractExternalTaskTestCase;

class SecurityCheckerComposerauditTest extends AbstractExternalTaskTestCase
{
protected function provideTask(): TaskInterface
{
return new SecurityCheckerComposeraudit(
$this->processBuilder->reveal(),
$this->formatter->reveal()
);
}

public function provideConfigurableOptions(): iterable
{
yield 'defaults' => [
[],
[
'format' => null,
'locked' => true,
'no_dev' => false,
'run_always' => false,
'working_dir' => null,
]
];
}

public function provideRunContexts(): iterable
{
yield 'run-context' => [
true,
$this->mockContext(RunContext::class)
];

yield 'pre-commit-context' => [
true,
$this->mockContext(GitPreCommitContext::class)
];

yield 'other' => [
false,
$this->mockContext()
];
}

public function provideFailsOnStuff(): iterable
{
yield 'exitCode1' => [
[],
$this->mockContext(RunContext::class, ['composer.lock']),
function () {
$this->mockProcessBuilder('composer', $process = $this->mockProcess(1));
$this->formatter->format($process)->willReturn('nope');
},
'nope'
];
}

public function providePassesOnStuff(): iterable
{
yield 'exitCode0' => [
[],
$this->mockContext(RunContext::class, ['composer.lock']),
function () {
$this->mockProcessBuilder('composer', $this->mockProcess(0));
}
];
yield 'exitCode0WhenRunAlways' => [
[
'run_always' => true
],
$this->mockContext(RunContext::class, ['notrelated.php']),
function () {
$this->mockProcessBuilder('composer', $this->mockProcess(0));
}
];
}

public function provideSkipsOnStuff(): iterable
{
yield 'no-files' => [
[],
$this->mockContext(RunContext::class),
function () {}
];
yield 'no-composer-file' => [
[],
$this->mockContext(RunContext::class, ['thisisnotacomposerfile.lock']),
function () {}
];
}

public function provideExternalTaskRuns(): iterable
{
yield 'defaults' => [
[],
$this->mockContext(RunContext::class, ['composer.lock']),
'composer',
[
'audit',
'--locked',
]
];

yield 'format' => [
[
'format' => 'json',
],
$this->mockContext(RunContext::class, ['composer.lock']),
'composer',
[
'audit',
'--format=json',
'--locked',
]
];

yield 'locked' => [
[
'locked' => false,
],
$this->mockContext(RunContext::class, ['composer.lock']),
'composer',
[
'audit',
]
];

yield 'no-dev' => [
[
'no_dev' => true,
],
$this->mockContext(RunContext::class, ['composer.lock']),
'composer',
[
'audit',
'--locked',
'--no-dev',
]
];

yield 'working-dir' => [
[
'working_dir' => 'dir',
],
$this->mockContext(RunContext::class, ['composer.lock']),
'composer',
[
'audit',
'--locked',
'--working-dir=dir',
]
];
}
}

0 comments on commit 92791cc

Please sign in to comment.