feat(php): add installed.json file support (aquasecurity#4865)

skahn007gl · Jul 23, 2024 · d6309f2 · d6309f2
1 parent 12ea394
commit d6309f2
Show file tree

Hide file tree

Showing 22 changed files with 771 additions and 105 deletions.
diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md
@@ -26,7 +26,8 @@ On the other hand, when the target is a post-build artifact, like a container im
 |                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |       -        |
 |                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |       -        |
 |                      | conda package[^3]                                                                          |     ✅     |     ✅      |       -        |       -        |
-| [PHP](php.md)        | composer.lock                                                                              |     ✅     |     ✅      |       ✅        |       ✅        |
+| [PHP](php.md)        | composer.lock                                                                              |     -     |     -      |       ✅        |       ✅        |
+|                      | installed.json                                                                             |     ✅     |     ✅      |       -        |       -        |
 | [Node.js](nodejs.md) | package-lock.json                                                                          |     -     |     -      |       ✅        |       ✅        |
 |                      | yarn.lock                                                                                  |     -     |     -      |       ✅        |       ✅        |
 |                      | pnpm-lock.yaml                                                                             |     -     |     -      |       ✅        |       ✅        |

diff --git a/docs/docs/coverage/language/php.md b/docs/docs/coverage/language/php.md
@@ -4,23 +4,27 @@ Trivy supports [Composer][composer], which is a tool for dependency management i
 
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| Composer        |   ✓   |       ✓       |    ✓    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Composer        |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
 
-| Package manager | File          | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
-|-----------------|---------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
-| Composer        | composer.lock |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Package manager | File           | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+| Composer        | composer.lock  |            ✓            |     Excluded     |                  ✓                   |    ✓     |
+| Composer        | installed.json |            ✓            |     Excluded     |                  -                   |    ✓     |
 
-## Composer
+## composer.lock
 In order to detect dependencies, Trivy searches for `composer.lock`.
 
 Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
 Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
 If you want to see the dependency tree, please ensure that `composer.json` is present.
 
+## installed.json
+Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.
+
 [composer]: https://getcomposer.org/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
diff --git a/integration/repo_test.go b/integration/repo_test.go
@@ -250,6 +250,16 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/test-repo.json.golden",
 		},
+		{
+			name: "installed.json",
+			args: args{
+				command:     "rootfs",
+				scanner:     types.VulnerabilityScanner,
+				listAllPkgs: true,
+				input:       "testdata/fixtures/repo/composer-vendor",
+			},
+			golden: "testdata/composer.vendor.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{

diff --git a/integration/testdata/composer.vendor.json.golden b/integration/testdata/composer.vendor.json.golden
@@ -0,0 +1,131 @@
+{
+  "SchemaVersion": 2,
+  "CreatedAt": "2021-08-25T12:20:30.000000005Z",
+  "ArtifactName": "testdata/fixtures/repo/composer-vendor",
+  "ArtifactType": "filesystem",
+  "Metadata": {
+    "ImageConfig": {
+      "architecture": "",
+      "created": "0001-01-01T00:00:00Z",
+      "os": "",
+      "rootfs": {
+        "type": "",
+        "diff_ids": null
+      },
+      "config": {}
+    }
+  },
+  "Results": [
+    {
+      "Target": "installed.json",
+      "Class": "lang-pkgs",
+      "Type": "composer-vendor",
+      "Packages": [
+        {
+          "ID": "guzzlehttp/[email protected]",
+          "Name": "guzzlehttp/psr7",
+          "Identifier": {
+            "PURL": "pkg:composer/guzzlehttp/[email protected]",
+            "UID": "25fca97fe23aa7b1"
+          },
+          "Version": "1.8.3",
+          "Licenses": [
+            "MIT"
+          ],
+          "DependsOn": [
+            "psr/[email protected]",
+            "ralouphie/[email protected]"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 3,
+              "EndLine": 115
+            }
+          ]
+        },
+        {
+          "ID": "psr/[email protected]",
+          "Name": "psr/http-message",
+          "Identifier": {
+            "PURL": "pkg:composer/psr/[email protected]",
+            "UID": "299d8ff4461e894"
+          },
+          "Version": "1.1",
+          "Licenses": [
+            "MIT"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 116,
+              "EndLine": 171
+            }
+          ]
+        },
+        {
+          "ID": "ralouphie/[email protected]",
+          "Name": "ralouphie/getallheaders",
+          "Identifier": {
+            "PURL": "pkg:composer/ralouphie/[email protected]",
+            "UID": "c383e94d979a209c"
+          },
+          "Version": "3.0.3",
+          "Licenses": [
+            "MIT"
+          ],
+          "Layer": {},
+          "Locations": [
+            {
+              "StartLine": 172,
+              "EndLine": 218
+            }
+          ]
+        }
+      ],
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2022-24775",
+          "PkgID": "guzzlehttp/[email protected]",
+          "PkgName": "guzzlehttp/psr7",
+          "PkgIdentifier": {
+            "PURL": "pkg:composer/guzzlehttp/[email protected]",
+            "UID": "25fca97fe23aa7b1"
+          },
+          "InstalledVersion": "1.8.3",
+          "FixedVersion": "1.8.4",
+          "Status": "fixed",
+          "Layer": {},
+          "SeveritySource": "ghsa",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775",
+          "DataSource": {
+            "ID": "ghsa",
+            "Name": "GitHub Security Advisory Composer",
+            "URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
+          },
+          "Title": "Improper Input Validation in guzzlehttp/psr7",
+          "Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-20"
+          ],
+          "VendorSeverity": {
+            "ghsa": 3
+          },
+          "CVSS": {
+            "ghsa": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96",
+            "https://nvd.nist.gov/vuln/detail/CVE-2022-24775"
+          ],
+          "PublishedDate": "2022-03-25T19:26:33Z",
+          "LastModifiedDate": "2022-06-14T20:02:29Z"
+        }
+      ]
+    }
+  ]
+}