Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security-checker using Composer Audit #1122

Merged

Conversation

joestewart
Copy link
Contributor

@joestewart joestewart commented Jan 29, 2024

Q A
Branch v2.x
Bug fix? no
New feature? yes
BC breaks? no
Deprecations? no
Documented? yes
Fixed tickets comma-separated list of tickets fixed by the PR, if any

Add security-checker using Composer Audit

https://getcomposer.org/doc/03-cli.md#audit

New Task Checklist:

  • Are the dependencies added to the composer.json suggestions?
  • Is the doc/tasks.md file updated?
  • Are the task parameters documented?
  • Is the task registered in the tasks.yml file?
  • Does the task contains phpunit tests?
  • Is the configuration having logical allowed types?
  • Does the task run in the correct context?
  • Is the run() method readable?
  • Is the run() method using the configuration correctly?
  • Are all CI services returning green?

Copy link
Contributor

@veewee veewee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR. Looks like a nice addition.
I've added a couple of small remarks here and there. Can you take a second look at them.

working_dir: ./
```

**format**
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add this one (with default value) to the code sample as well - for completeness.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this.

];
}

public function provideExternalTaskRuns(): iterable
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The goal of this test is to check what impact a change in configuraton has on the executed command.
Can you add a test for every configuration option as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! added tests for the options.

Copy link
Contributor

@oallain oallain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great feature, 👍
Just 2 littles comments.

src/Task/SecurityCheckerComposeraudit.php Outdated Show resolved Hide resolved

yield 'working-dir' => [
[
'working_dir' => './',
Copy link
Contributor

@oallain oallain Feb 2, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

./ Is the default value, can you test with src/ for example?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually might need help here. When manually testing to another path the option works. But when modifying the test to another path I wasn't able to get the test to pass yet.

Also a side note, I think it might be a good idea for this to be fully optional ( default to null) but would require more logic to check the path for a changed composer.lock file.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for bringing it up.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can probably take a look at

$resolver->addAllowedTypes('working_directory', ['null', 'string']);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is addressed now.

Copy link
Contributor

@oallain oallain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGFM 👍

@veewee veewee merged commit 92791cc into phpro:v2.x Feb 5, 2024
20 checks passed
@veewee
Copy link
Contributor

veewee commented Feb 5, 2024

Looks good, thanks!

@joestewart joestewart deleted the feature/security-checker-composeraudit branch February 5, 2024 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants