Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(php): add installed.json file support #4865

Merged
merged 28 commits into from
Jun 28, 2024
Merged
Show file tree
Hide file tree
Changes from 22 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
7e29778
add new analyzer
DmitriyLewen Jul 24, 2023
bf9ac09
add composer-installed to driver
DmitriyLewen Jul 26, 2023
717eaf9
use AnalyzePackage
DmitriyLewen Jul 26, 2023
ce26e25
add integration test
DmitriyLewen Jul 26, 2023
8ed7fc4
fix test
DmitriyLewen Jul 26, 2023
a63ad68
update docs
DmitriyLewen Jul 26, 2023
e7eeb0d
refactor
DmitriyLewen Jul 26, 2023
d62765a
scan composer.lock only in fs and repo modes
DmitriyLewen Jul 27, 2023
d72e4a4
Merge branch 'main' of github.com:DmitriyLewen/trivy into feat/compos…
DmitriyLewen Jul 27, 2023
46084c3
update test installed golden file
DmitriyLewen Jul 27, 2023
dce4bf6
Merge branch 'main' into 'feat/composer-intalled-json'
DmitriyLewen Aug 23, 2023
a7a7b76
docs: update language overview page after merge main branch
DmitriyLewen Aug 23, 2023
5be6ca0
Merge branch 'main' into 'feat/composer-intalled-json'
DmitriyLewen Aug 29, 2023
7d4aeea
move integration test fixture from fs to repo
DmitriyLewen Aug 29, 2023
6725093
Merge branch 'main' into 'feat/composer-intalled-json'
DmitriyLewen Oct 30, 2023
db74b90
fix: add missed `ComposerInstalled` const
DmitriyLewen Oct 30, 2023
21e3707
update purl
DmitriyLewen Oct 30, 2023
acc38ea
Merge branch 'main' into 'feat/composer-intalled-json'
DmitriyLewen Jan 9, 2024
062197e
Merge branch 'main' of github.com:DmitriyLewen/trivy into feat/compos…
DmitriyLewen Mar 11, 2024
21261a4
Merge branch 'main' of github.com:DmitriyLewen/trivy into feat/compos…
DmitriyLewen Mar 26, 2024
d9a108a
fix import
DmitriyLewen Mar 26, 2024
c2650af
test(integration): update golden file
DmitriyLewen Mar 26, 2024
9f67a37
Merge branch 'main' into 'feat/composer-intalled-json'
DmitriyLewen Jun 24, 2024
e2c16f0
fix: add required changes after rebase
DmitriyLewen Jun 24, 2024
fc5c306
fix: add required changes after rebase
DmitriyLewen Jun 24, 2024
c84e523
refactor: use `composer` pkg + rename to `vendor`
DmitriyLewen Jun 24, 2024
39a34db
test: add missed test files
DmitriyLewen Jun 24, 2024
4418ade
test: update image_test.go
DmitriyLewen Jun 24, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docs/docs/coverage/language/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ On the other hand, when the target is a post-build artifact, like a container im
| | egg package[^1] | ✅ | ✅ | - | - |
| | wheel package[^2] | ✅ | ✅ | - | - |
| | conda package[^3] | ✅ | ✅ | - | - |
| [PHP](php.md) | composer.lock | ✅ | ✅ | ✅ | ✅ |
| [PHP](php.md) | composer.lock | - | - | ✅ | ✅ |
| | installed.json | ✅ | ✅ | - | - |
| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ |
| | yarn.lock | - | - | ✅ | ✅ |
| | pnpm-lock.yaml | - | - | ✅ | ✅ |
Expand Down
18 changes: 11 additions & 7 deletions docs/docs/coverage/language/php.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,27 @@ Trivy supports [Composer][composer], which is a tool for dependency management i

The following scanners are supported.

| Package manager | SBOM | Vulnerability | License |
| --------------- | :---: | :-----------: | :-----: |
| Composer | ✓ | ✓ | ✓ |
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Composer | ✓ | ✓ | ✓ |

The following table provides an outline of the features Trivy offers.


| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|---------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | Excluded | ✓ | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | Excluded | ✓ | ✓ |
| Composer | installed.json | ✓ | Excluded | - | ✓ |

## Composer
## composer.lock
In order to detect dependencies, Trivy searches for `composer.lock`.

Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.

## installed.json
By default, you can find this file at `path_to_app/vendor/composer/installed.json`. Trivy doesn't support dependency graph for `installed.json` files, because this file doesn't contain Direct/Indirect dependency information.

[composer]: https://getcomposer.org/
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
10 changes: 10 additions & 0 deletions integration/repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -234,6 +234,16 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/composer.lock.json.golden",
},
{
name: "installed.json",
args: args{
command: "rootfs",
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/repo/composer-installed",
},
golden: "testdata/composer.installed.json.golden",
},
{
name: "dockerfile",
args: args{
Expand Down
127 changes: 127 additions & 0 deletions integration/testdata/composer.installed.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/composer-installed",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "installed.json",
"Class": "lang-pkgs",
"Type": "composer-installed",
"Packages": [
{
"ID": "guzzlehttp/[email protected]",
"Name": "guzzlehttp/psr7",
"Identifier": {
"PURL": "pkg:composer/guzzlehttp/[email protected]"
},
"Version": "1.8.3",
"Licenses": [
"MIT"
],
"DependsOn": [
"psr/[email protected]",
"ralouphie/[email protected]"
],
"Layer": {},
"Locations": [
{
"StartLine": 3,
"EndLine": 115
}
]
},
{
"ID": "psr/[email protected]",
"Name": "psr/http-message",
"Identifier": {
"PURL": "pkg:composer/psr/[email protected]"
},
"Version": "1.1",
"Licenses": [
"MIT"
],
"Layer": {},
"Locations": [
{
"StartLine": 116,
"EndLine": 171
}
]
},
{
"ID": "ralouphie/[email protected]",
"Name": "ralouphie/getallheaders",
"Identifier": {
"PURL": "pkg:composer/ralouphie/[email protected]"
},
"Version": "3.0.3",
"Licenses": [
"MIT"
],
"Layer": {},
"Locations": [
{
"StartLine": 172,
"EndLine": 218
}
]
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-24775",
"PkgID": "guzzlehttp/[email protected]",
"PkgName": "guzzlehttp/psr7",
"PkgIdentifier": {
"PURL": "pkg:composer/guzzlehttp/[email protected]"
},
"InstalledVersion": "1.8.3",
"FixedVersion": "1.8.4",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Composer",
"URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
},
"Title": "Improper Input Validation in guzzlehttp/psr7",
"Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
}
},
"References": [
"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"
],
"PublishedDate": "2022-03-25T19:26:33Z",
"LastModifiedDate": "2022-06-14T20:02:29Z"
}
]
}
]
}
Loading