Skip to content

Commit

Permalink
feat(php): add installed.json file support (#4865)
Browse files Browse the repository at this point in the history
  • Loading branch information
DmitriyLewen authored Jun 28, 2024
1 parent 4f8b399 commit edc556b
Show file tree
Hide file tree
Showing 22 changed files with 771 additions and 105 deletions.
3 changes: 2 additions & 1 deletion docs/docs/coverage/language/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ On the other hand, when the target is a post-build artifact, like a container im
| | egg package[^1] ||| - | - |
| | wheel package[^2] ||| - | - |
| | conda package[^3] ||| - | - |
| [PHP](php.md) | composer.lock |||||
| [PHP](php.md) | composer.lock | - | - |||
| | installed.json ||| - | - |
| [Node.js](nodejs.md) | package-lock.json | - | - |||
| | yarn.lock | - | - |||
| | pnpm-lock.yaml | - | - |||
Expand Down
18 changes: 11 additions & 7 deletions docs/docs/coverage/language/php.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,23 +4,27 @@ Trivy supports [Composer][composer], which is a tool for dependency management i

The following scanners are supported.

| Package manager | SBOM | Vulnerability | License |
| --------------- | :---: | :-----------: | :-----: |
| Composer | |||
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Composer ||||

The following table provides an outline of the features Trivy offers.


| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|---------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock || Excluded |||
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock || Excluded |||
| Composer | installed.json || Excluded | - ||

## Composer
## composer.lock
In order to detect dependencies, Trivy searches for `composer.lock`.

Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.

## installed.json
Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.

[composer]: https://getcomposer.org/
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
10 changes: 10 additions & 0 deletions integration/repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,16 @@ func TestRepository(t *testing.T) {
},
golden: "testdata/test-repo.json.golden",
},
{
name: "installed.json",
args: args{
command: "rootfs",
scanner: types.VulnerabilityScanner,
listAllPkgs: true,
input: "testdata/fixtures/repo/composer-vendor",
},
golden: "testdata/composer.vendor.json.golden",
},
{
name: "dockerfile",
args: args{
Expand Down
131 changes: 131 additions & 0 deletions integration/testdata/composer.vendor.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/repo/composer-vendor",
"ArtifactType": "filesystem",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "installed.json",
"Class": "lang-pkgs",
"Type": "composer-vendor",
"Packages": [
{
"ID": "guzzlehttp/psr7@1.8.3",
"Name": "guzzlehttp/psr7",
"Identifier": {
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
"UID": "25fca97fe23aa7b1"
},
"Version": "1.8.3",
"Licenses": [
"MIT"
],
"DependsOn": [
"psr/http-message@1.1",
"ralouphie/getallheaders@3.0.3"
],
"Layer": {},
"Locations": [
{
"StartLine": 3,
"EndLine": 115
}
]
},
{
"ID": "psr/http-message@1.1",
"Name": "psr/http-message",
"Identifier": {
"PURL": "pkg:composer/psr/http-message@1.1",
"UID": "299d8ff4461e894"
},
"Version": "1.1",
"Licenses": [
"MIT"
],
"Layer": {},
"Locations": [
{
"StartLine": 116,
"EndLine": 171
}
]
},
{
"ID": "ralouphie/getallheaders@3.0.3",
"Name": "ralouphie/getallheaders",
"Identifier": {
"PURL": "pkg:composer/ralouphie/getallheaders@3.0.3",
"UID": "c383e94d979a209c"
},
"Version": "3.0.3",
"Licenses": [
"MIT"
],
"Layer": {},
"Locations": [
{
"StartLine": 172,
"EndLine": 218
}
]
}
],
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-24775",
"PkgID": "guzzlehttp/psr7@1.8.3",
"PkgName": "guzzlehttp/psr7",
"PkgIdentifier": {
"PURL": "pkg:composer/guzzlehttp/psr7@1.8.3",
"UID": "25fca97fe23aa7b1"
},
"InstalledVersion": "1.8.3",
"FixedVersion": "1.8.4",
"Status": "fixed",
"Layer": {},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-24775",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Composer",
"URL": "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
},
"Title": "Improper Input Validation in guzzlehttp/psr7",
"Description": "### Impact\nIn proper header parsing. An attacker could sneak in a new line character and pass untrusted values. \n\n### Patches\nThe issue is patched in 1.8.4 and 2.1.1.\n\n### Workarounds\nThere are no known workarounds.\n",
"Severity": "HIGH",
"CweIDs": [
"CWE-20"
],
"VendorSeverity": {
"ghsa": 3
},
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"V3Score": 7.5
}
},
"References": [
"https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96",
"https://nvd.nist.gov/vuln/detail/CVE-2022-24775"
],
"PublishedDate": "2022-03-25T19:26:33Z",
"LastModifiedDate": "2022-06-14T20:02:29Z"
}
]
}
]
}
Loading

0 comments on commit edc556b

Please sign in to comment.