Debug audit check actual installed packages#15
Conversation
There was a problem hiding this comment.
Additional Comments (2)
-
src/Services/Audits/DebugModeAuditService.php, line 35 (link)syntax: Comment outdated - now checks
vendor/composer/installed.json, notcomposer.json -
src/Services/Audits/DebugModeAuditService.php, line 121-122 (link)logic: Missing JSON decode error handling - if
installed.jsonis corrupted,json_decodereturnsnullandarray_columnon line 109 will fail
2 files reviewed, 2 comments
|
Thankyou for the PR @MarkLanser, it's a great addition to the package! I will get a release drafted up today to ship this out 🎉 Have a great christmas and a happy new year! 🎅 |
Fantastic. Thanks for the quick reply! Happy new year 🎉 |
Needs #14 merged first, ignore first commit
First off, many thanks for this package. We recently implemented it and it has benefitted us already.
Problem definition
We use scheduled audits on production for many of our apps. We composer install with the
--no-devoption, so that no dev packages make it to the production environment. However, we kept getting the following message:We use this package as a dev-dependency. Since we are using
--no-devon production, it is not present in the installed packages there. So we should not be getting this error.Currently, the code looks at the composer.json, in both the
requireandrequire-devsections.Proposed solution
Check the actually installed packages using the composer installed manifest. This eliminates the problem altogether.
Notes
This does not include support for Composer v1, which has a different installed.json format. But since this version is no longer maintained or encouraged, this should not be a problem.
I tried to be as uniform as possible with the code style.
I tested this locally in another project, as i could not get the tests to run out of the box.
Happy holidays!
Greptile Summary
This PR fixes false positive warnings for dev packages in production by checking actually installed packages from
vendor/composer/installed.jsoninstead ofcomposer.jsondeclarations. This correctly handlescomposer install --no-devscenarios where dev dependencies are excluded.Key Changes:
.ideato.gitignorefor IntelliJ IDE supportcomposer.jsonparsing withvendor/composer/installed.jsonparsing to check actual installed packagesgetInstalledPackages()andgetInstalledPackagesNames()helper methodspackagesarray structure)Issues Found:
installed.jsonis corruptedcomposer.jsoninstead ofinstalled.jsonConfidence Score: 3/5
installed.jsonis corrupted. Similar services in the codebase (ComposerAuditService, NpmAuditService) properly validatejson_decoderesults. The outdated comment is a minor documentation issue.src/Services/Audits/DebugModeAuditService.phplines 121-122 for the JSON decode error handlingImportant Files Changed
vendor/composer/installed.jsoninstead ofcomposer.json, fixing false positives for--no-devinstalls. Has outdated comment and missing JSON error handling.Sequence Diagram
sequenceDiagram participant Audit as DebugModeAuditService participant FS as File System participant Composer as vendor/composer/installed.json Audit->>FS: Check if production environment alt Is Production Audit->>FS: Read composer.json FS-->>Audit: Return composer.json contents Audit->>Composer: Read installed.json Composer-->>Audit: Return installed packages Audit->>Audit: Extract package names from packages array loop For each dev package Audit->>Audit: Check if in installed packages alt Dev package found Audit->>Audit: Add finding (High severity) end end Audit->>Audit: Check Telescope/Horizon/Routes end Audit-->>Audit: Return audit results