├── .github
└── workflows
│ ├── release.yml
│ └── test.yml
├── .gitignore
├── .goreleaser.yml
├── CHANGELOG.md
├── LICENSE
├── README.md
├── go.mod
├── go.sum
├── main.go
└── security
├── advisories.go
├── analyzer.go
├── fixtures
├── integer_as_version.lock
├── locate
│ ├── composer.json
│ └── composer.lock
├── no_vulns.json
├── no_vulns.lock
├── not_a_lock.lock
└── prerelease_without_dot.lock
├── formatter.go
├── junit.go
├── lock.go
├── lock_test.go
├── time.go
├── time_test.go
└── version.go
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
1 | name: Release
2 |
3 | on:
4 | pull_request:
5 | push:
6 |
7 | jobs:
8 | releaser:
9 | name: Release
10 | runs-on: ubuntu-latest
11 | env:
12 | flags: ""
13 | steps:
14 | - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
15 | run: echo "flags=--snapshot" >> "$GITHUB_ENV"
16 | -
17 | name: Checkout
18 | uses: actions/checkout@v4
19 | -
20 | name: Set up Go
21 | uses: actions/setup-go@v5
22 | with:
23 | go-version-file: 'go.mod'
24 | -
25 | name: Run GoReleaser
26 | uses: goreleaser/goreleaser-action@v5
27 | with:
28 | version: latest
29 | args: release --clean ${{ env.flags }}
30 | env:
31 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
32 |
--------------------------------------------------------------------------------
/.github/workflows/test.yml:
--------------------------------------------------------------------------------
1 | name: Test
2 |
3 | on:
4 | pull_request:
5 | push:
6 |
7 | jobs:
8 | test:
9 | name: Test
10 | runs-on: ubuntu-latest
11 | steps:
12 | -
13 | name: Checkout
14 | uses: actions/checkout@v4
15 | -
16 | name: Set up Go
17 | uses: actions/setup-go@v5
18 | with:
19 | go-version-file: 'go.mod'
20 | -
21 | name: Run tests
22 | run: go test ./...
23 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | dist/
2 |
--------------------------------------------------------------------------------
/.goreleaser.yml:
--------------------------------------------------------------------------------
1 | before:
2 | hooks:
3 | - go mod download
4 | builds:
5 | - env:
6 | - CGO_ENABLED=0
7 | goos:
8 | - linux
9 | - windows
10 | - darwin
11 | goarch:
12 | - 386
13 | - amd64
14 | - arm
15 | - arm64
16 | ignore:
17 | - goos: windows
18 | goarch: arm
19 | - goos: windows
20 | goarch: arm64
21 | - goos: darwin
22 | goarch: 386
23 | - goos: darwin
24 | goarch: arm
25 | archives:
26 | - format: binary
27 | name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}'
28 | checksum:
29 | name_template: 'checksums.txt'
30 | snapshot:
31 | name_template: "{{ .Tag }}-next"
32 | changelog:
33 | disable: true
34 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # 2.1.0 (TBD)
2 |
3 | * Move to Go 1.22
4 |
5 | # 2.0.0 (2022-04-09)
6 |
7 | * Add --cache-dir
8 | * Add --disable-exit-code
9 | * Move to Go 1.18
10 |
11 | # 1.2.0 (2021-09-21)
12 |
13 | * Add --no-dev
14 |
15 | # 1.1.0 (2021-08-31)
16 |
17 | Add an example of how to use the tool from a cron job
18 | * Add junit formatting
19 | * Be more lenient with non-standard pre-release versions (alpha12 -> alpha.12)
20 | Add support for RC releases and make the rc/beta/alpha labels case-insensitive
21 | Handle paths prefixed with the tilde sign (~)
22 | * Add the --archive flag
23 | * Move to Go 1.17
24 |
25 | # 1.0.0 (2020-01-13)
26 |
27 | * Initial release
28 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 |
633 | Copyright (C)
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published by
637 | the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program. If not, see .
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | .
662 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Local PHP Security Checker
2 | ==========================
3 |
4 | **WARNING**: This repository is now archived. Use `composer audit` instead:
5 |
6 | COMPOSER_AUDIT_ABANDONED=ignore composer audit
7 |
8 | The Local PHP Security Checker is a command line tool that checks if your PHP
9 | application depends on PHP packages with known security vulnerabilities. It
10 | uses the [Security Advisories Database][1] behind the scenes.
11 |
12 | Download a binary from the [Releases page on Github][2], rename it to
13 | `local-php-security-checker` and make it executable.
14 |
15 | From a directory containing a PHP project that uses Composer, check for known
16 | vulnerabilities by running the binary without arguments or flags:
17 |
18 | $ local-php-security-checker
19 |
20 | You can also pass a `--path` to check a specific directory:
21 |
22 | $ local-php-security-checker --path=/path/to/php/project
23 | $ local-php-security-checker --path=/path/to/php/project/composer.lock
24 |
25 | By default, the output is optimized for terminals, change it via the `--format`
26 | flag (supported formats: `ansi`, `markdown`, `json`, `junit`, and `yaml`):
27 |
28 | $ local-php-security-checker --format=json
29 |
30 | All packages are checked for security vulnerabilities by default. You can skip the checks for packages listed in `require-dev` by passing the `--no-dev` flag:
31 |
32 | $ local-php-security-checker --no-dev
33 |
34 | When running the command, it checks for an updated vulnerability database and
35 | downloads it from Github if it changed since the last run. If you want to avoid
36 | the HTTP round-trip, use `--local`. To force a database update without checking
37 | for a project, use `--update-cache`.
38 |
39 | If you want to continuously check for security issues on your applications in
40 | production, you can use this tool in combination with [croncape][3] to get an
41 | email whenever a new security issue is detected:
42 |
43 | MAILTO=sysadmins@example.com
44 | 50 23 * * * croncape php-security-checker --path=/path/to/php/project
45 |
46 | This tool exits with the following codes:
47 |
48 | | Code | Actions |
49 | |------|------------------------------------------------------------------------------------|
50 | | 0 | `--help`<br>Successful run |
51 | | 1 | At least one vulnerability is found |
52 | | 2 | Invalid `--format` option |
53 | | 127 | Unable to load database<br>Unable to find lock file<br>GitHub output not available |
54 |
55 | [1]: https://github.com/FriendsOfPHP/security-advisories
56 | [2]: https://github.com/fabpot/local-php-security-checker/releases
57 | [3]: https://github.com/symfonycorp/croncape
58 |
--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
1 | module github.com/fabpot/local-php-security-checker/v2
2 |
3 | go 1.22
4 |
5 | require (
6 | github.com/hashicorp/go-version v1.6.0
7 | github.com/mitchellh/go-homedir v1.1.0
8 | github.com/stretchr/testify v1.9.0
9 | gopkg.in/yaml.v3 v3.0.1
10 | )
11 |
12 | require (
13 | github.com/davecgh/go-spew v1.1.1 // indirect
14 | github.com/pmezard/go-difflib v1.0.0 // indirect
15 | )
16 |
--------------------------------------------------------------------------------
/go.sum:
--------------------------------------------------------------------------------
1 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
2 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
3 | github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
4 | github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
5 | github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
6 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
7 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
8 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
9 | github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
10 | github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
11 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
12 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
13 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
14 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
15 |
--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | /*
4 |
5 | Checks security issues in project dependencies. Without arguments, it looks
6 | for a "composer.lock" file in the current directory. Pass `--path` explicitly to check
7 | a specific "composer.lock" file or directory.
8 |
9 | */
10 |
11 | import (
12 | "flag"
13 | "fmt"
14 | "os"
15 |
16 | "github.com/fabpot/local-php-security-checker/v2/security"
17 | )
18 |
var (
	// version and date are printed by --help and --version. They stay at
	// "dev"/"unknown" unless overridden at build time (presumably via
	// -ldflags by the release pipeline — see .goreleaser.yml).
	version = "dev"
	date    = "unknown"
)
23 |
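// main parses the command-line flags, loads the advisory database, analyzes
// the lock file and prints the report.
//
// Exit codes: 0 on success (or always, with --disable-exit-code), 1 when at
// least one vulnerability is found, 2 for an unsupported --format, 127 when
// the database or the lock file cannot be loaded, the report cannot be
// rendered, or the GitHub Actions output file cannot be written.
func main() {
	format := flag.String("format", "ansi", "Output format (ansi, text, junit, markdown, json, or yaml)")
	path := flag.String("path", "", "composer.lock file or directory")
	advisoryArchiveURL := flag.String("archive", security.AdvisoryArchiveURL, "Advisory archive URL")
	cacheDir := flag.String("cache-dir", os.TempDir(), "Cache directory")
	local := flag.Bool("local", false, "Do not make HTTP calls (needs a valid cache file)")
	noDevPackages := flag.Bool("no-dev", false, "Do not check packages listed under require-dev")
	updateCacheOnly := flag.Bool("update-cache", false, "Update the cache (other flags are ignored)")
	disableExitCode := flag.Bool("disable-exit-code", false, "Whether to fail when issues are detected")
	help := flag.Bool("help", false, "Output help and version")
	versionFlag := flag.Bool("version", false, "Output version")
	flag.Parse()

	if *help {
		fmt.Printf("Local PHP Security Checker %s, built at %s\n\n", version, date)
		flag.Usage()
		os.Exit(0)
	}
	if *versionFlag {
		fmt.Printf("Local PHP Security Checker %s, built at %s\n", version, date)
		os.Exit(0)
	}

	// The database is loaded before any other validation so that
	// --update-cache works regardless of the remaining flags, as its help
	// text promises.
	db, err := security.NewDB(*local, *advisoryArchiveURL, *cacheDir)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to load the advisory DB: %s\n", err)
		os.Exit(127)
	}
	if *updateCacheOnly {
		return
	}

	if !isSupportedFormat(*format) {
		fmt.Fprintf(os.Stderr, "format \"%s\" is not supported (supported formats: markdown, ansi, json, junit, and yaml)\n", *format)
		os.Exit(2)
	}

	lockReader, err := security.LocateLock(*path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(127)
	}
	lock, err := security.NewLock(lockReader)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to load the lock file: %s\n", err)
		os.Exit(127)
	}

	vulns := security.Analyze(lock, db, *noDevPackages)

	output, err := security.Format(vulns, *format)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to output the results: %s\n", err)
		os.Exit(127)
	}
	fmt.Print(string(output))

	// Inside a GitHub Action, also export the findings as a step output.
	if os.Getenv("GITHUB_WORKSPACE") != "" {
		if err := writeGitHubOutput(os.Getenv("GITHUB_OUTPUT"), vulns); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(127)
		}
	}

	if vulns.Count() > 0 && !*disableExitCode {
		os.Exit(1)
	}
}

// isSupportedFormat reports whether format is one of the values accepted on
// the command line. An empty value is rejected here (exit code 2) instead of
// failing later inside security.Format with exit code 127.
func isSupportedFormat(format string) bool {
	switch format {
	case "ansi", "text", "markdown", "json", "junit", "yaml":
		return true
	}
	return false
}

// writeGitHubOutput appends a "vulns=<json>" line to the GitHub Actions output
// file at path. The file is closed (and the close error checked) before
// returning, so the line is flushed even when main exits with a non-zero code
// right afterwards — a deferred Close in main would be skipped by os.Exit.
//
// Returns an error naming the step that failed: rendering the JSON, opening
// the file, or writing to it.
func writeGitHubOutput(path string, vulns *security.Vulnerabilities) error {
	raw, err := security.Format(vulns, "raw_json")
	if err != nil {
		return fmt.Errorf("unable to export vulnerabilities: %w", err)
	}
	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
	if err != nil {
		return fmt.Errorf("unable to open github output: %w", err)
	}
	if _, err := f.WriteString("vulns=" + string(raw) + "\n"); err != nil {
		f.Close()
		return fmt.Errorf("unable to write into github output: %w", err)
	}
	if err := f.Close(); err != nil {
		return fmt.Errorf("unable to write into github output: %w", err)
	}
	return nil
}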
107 |
--------------------------------------------------------------------------------
/security/advisories.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "archive/zip"
5 | "bytes"
6 | "encoding/json"
7 | "errors"
8 | "fmt"
9 | "io"
10 | "net/http"
11 | "os"
12 | "path/filepath"
13 | "strings"
14 |
15 | "gopkg.in/yaml.v3"
16 | )
17 |
// AdvisoryArchiveURL is the default location of the advisory database: a zip
// archive of the FriendsOfPHP/security-advisories repository. It can be
// overridden with the --archive flag (see main.go).
const AdvisoryArchiveURL = "https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master"
20 |
// AdvisoryDB stores all known security advisories.
type AdvisoryDB struct {
	Advisories []Advisory
	// cacheDir is the directory holding the "php_sec_db.json" cache file.
	cacheDir string
	// noHTTPCalls makes load rely on the cache file only (the --local flag).
	noHTTPCalls bool
}
27 |
// Advisory represents a single security advisory, as decoded from one YAML
// file of the advisory archive.
type Advisory struct {
	Title string `yaml:"title"`
	Link  string `yaml:"link"`
	CVE   string `yaml:"cve"`
	// Branches maps a branch name (its ".x" suffix is stripped when matching
	// dev versions) to the affected versions and the cut-off time of that branch.
	Branches map[string]*Branch `yaml:"branches"`
	// Reference is the "composer://<package name>" identifier that advisories
	// are matched against lock-file packages with.
	Reference string `yaml:"reference"`
}
36 |
// Branch represents a Git branch of an advisory.
type Branch struct {
	// Versions are version constraints (hashicorp/go-version syntax) that are
	// joined and checked against non-dev package versions.
	Versions []string `yaml:"versions"`
	// Time is the cut-off for dev versions: a dev package whose commit time is
	// set and not after it is reported (presumably the time of the fix).
	Time Time `yaml:"time"`
}
42 |
// Cache stores the last Github response to save bandwidth: Key and Date are
// replayed as If-None-Match / If-Modified-Since on the next download, and Body
// is reused when the server answers 304 Not Modified.
type Cache struct {
	Key  string // ETag response header
	Date string // Date response header
	Body []byte // the zip archive as downloaded
}
49 |
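// NewDB loads the advisory database: from the JSON cache in cacheDir,
// refreshed from advisoryArchiveURL unless noHTTPCalls is set (in which case
// the cache file must already exist).
//
// Returns an error wrapping the underlying load failure, so callers can
// inspect it with errors.Is/errors.As.
func NewDB(noHTTPCalls bool, advisoryArchiveURL, cacheDir string) (*AdvisoryDB, error) {
	db := &AdvisoryDB{noHTTPCalls: noHTTPCalls, cacheDir: cacheDir}
	if err := db.load(advisoryArchiveURL); err != nil {
		return nil, fmt.Errorf("unable to fetch advisories: %w", err)
	}
	return db, nil
}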
59 |
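// load populates db.Advisories from the advisory archive.
//
// The archive is taken from the "php_sec_db.json" cache file in db.cacheDir
// when one exists; unless db.noHTTPCalls is set it is then re-downloaded from
// advisoryArchiveURL, sending the cached ETag/Date as conditional headers so
// that an unchanged archive costs a 304 instead of a full download. Every
// ".yaml" entry of the archive is decoded into an Advisory; other entries are
// skipped. load is a no-op when advisories are already present.
//
// The cache file is trusted as read: its Body is parsed as a zip archive
// without further validation, and with main.go's default cache directory of
// os.TempDir() it lives in a directory shared with other local users.
// NOTE(review): http.DefaultClient carries no timeout, so a stalled download
// blocks the run indefinitely.
//
// Returns an error when no usable archive is available, the download fails or
// answers with a status other than 200/304, or an entry cannot be read or
// decoded.
func (db *AdvisoryDB) load(advisoryArchiveURL string) error {
	if len(db.Advisories) > 0 {
		return nil
	}

	db.Advisories = []Advisory{}

	cachePath := filepath.Join(db.cacheDir, "php_sec_db.json")
	cache := readAdvisoryCache(cachePath)

	if db.noHTTPCalls && cache == nil {
		return errors.New("--local can only be used when a local HTTP cache is available")
	}

	if !db.noHTTPCalls {
		fresh, err := fetchAdvisoryArchive(advisoryArchiveURL, cache)
		if err != nil {
			return err
		}
		if fresh != nil {
			cache = fresh
			// Best effort: a failed cache write only costs a re-download on
			// the next run.
			if content, err := json.Marshal(cache); err == nil {
				_ = os.WriteFile(cachePath, content, 0644)
			}
		}
	}

	// A 304 with no prior cache, or a cache file without a body, would
	// otherwise dereference a nil cache or hand an empty buffer to zip.
	if cache == nil || len(cache.Body) == 0 {
		return errors.New("no advisory archive available")
	}

	zipReader, err := zip.NewReader(bytes.NewReader(cache.Body), int64(len(cache.Body)))
	if err != nil {
		return err
	}

	for _, zipFile := range zipReader.File {
		if !strings.HasSuffix(zipFile.Name, ".yaml") {
			continue
		}
		contents, err := readZipEntry(zipFile)
		if err != nil {
			return fmt.Errorf("unable to read %s: %w", zipFile.Name, err)
		}
		var pa Advisory
		if err := yaml.Unmarshal(contents, &pa); err != nil {
			return fmt.Errorf("%s is not a valid YAML file: %w", zipFile.Name, err)
		}
		db.Advisories = append(db.Advisories, pa)
	}

	return nil
}

// readAdvisoryCache decodes the cache file at path. It returns nil when the
// file is missing or unreadable or its content is not a valid Cache document,
// so that a corrupt cache is treated exactly like an absent one.
func readAdvisoryCache(path string) *Cache {
	content, err := os.ReadFile(path)
	if err != nil {
		return nil
	}
	var cache *Cache
	if err := json.Unmarshal(content, &cache); err != nil {
		return nil
	}
	return cache
}

// fetchAdvisoryArchive downloads the archive at archiveURL. The validators of
// the cached copy, when present, are sent as conditional headers; a 304
// answer yields (nil, nil), meaning the cached copy is still current. Any
// status other than 200 or 304 is an error, so that an error page is never
// written to the cache or parsed as a zip archive. The body is kept even
// when the server sends no ETag/Date — the next run then simply downloads
// again instead of parsing a stale or empty cache.
func fetchAdvisoryArchive(archiveURL string, cached *Cache) (*Cache, error) {
	req, err := http.NewRequest(http.MethodGet, archiveURL, nil)
	if err != nil {
		return nil, err
	}
	if cached != nil {
		if cached.Key != "" {
			req.Header.Set("If-None-Match", cached.Key)
		}
		if cached.Date != "" {
			req.Header.Set("If-Modified-Since", cached.Date)
		}
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	if resp.StatusCode == http.StatusNotModified {
		return nil, nil
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("unexpected HTTP status %s while fetching %s", resp.Status, archiveURL)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return &Cache{Key: resp.Header.Get("ETag"), Date: resp.Header.Get("Date"), Body: body}, nil
}

// readZipEntry returns the whole content of one archive entry. The entry is
// closed before returning, so open handles no longer pile up until load
// returns (a defer inside the loop would keep every entry open).
func readZipEntry(zipFile *zip.File) ([]byte, error) {
	f, err := zipFile.Open()
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}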
144 |
--------------------------------------------------------------------------------
/security/analyzer.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "fmt"
5 | "os"
6 | "regexp"
7 | "sort"
8 | "strings"
9 | "time"
10 |
11 | "github.com/hashicorp/go-version"
12 | )
13 |
// Vulnerabilities stores the vulnerabilities found for a lock file, keyed by
// package name.
type Vulnerabilities map[string]Vulnerability
16 |
// Vulnerability lists the advisories affecting one package at the version
// recorded in the lock file.
type Vulnerability struct {
	Version    string           `json:"version"`
	Advisories []SimpleAdvisory `json:"advisories"`
}
22 |
// SimpleAdvisory is the subset of an Advisory kept for export: title, link
// and CVE identifier, any of which may be empty.
type SimpleAdvisory struct {
	Title string `json:"title"`
	Link  string `json:"link"`
	CVE   string `json:"cve"`
}
29 |
// String renders the advisory as "CVE: Title - Link", leaving out the CVE
// prefix and the link suffix when they are empty.
func (a SimpleAdvisory) String() string {
	var b strings.Builder
	if a.CVE != "" {
		b.WriteString(a.CVE)
		b.WriteString(": ")
	}
	b.WriteString(a.Title)
	if a.Link != "" {
		b.WriteString(" - ")
		b.WriteString(a.Link)
	}
	return b.String()
}
40 |
// CountVulnerablePackages returns the number of packages that have at least
// one advisory (one map entry per package).
func (v *Vulnerabilities) CountVulnerablePackages() int {
	byPackage := map[string]Vulnerability(*v)
	return len(byPackage)
}
45 |
// Count returns the total number of advisories across all packages.
func (v *Vulnerabilities) Count() int {
	total := 0
	for _, vuln := range map[string]Vulnerability(*v) {
		total += len(vuln.Advisories)
	}
	return total
}
54 |
// Keys returns the vulnerable package names sorted alphabetically.
func (v *Vulnerabilities) Keys() []string {
	names := make([]string, 0, len(*v))
	for name := range *v {
		names = append(names, name)
	}
	sort.Strings(names)
	return names
}
66 |
// Get returns a pointer to a copy of the Vulnerability recorded for pkg, or
// nil when pkg has none.
func (v *Vulnerabilities) Get(pkg string) *Vulnerability {
	if vuln, ok := (*v)[pkg]; ok {
		return &vuln
	}
	return nil
}
75 |
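// Analyze checks whether the packages of a lock file are affected by known
// advisories and returns the affected ones keyed by package name.
//
// Dev packages (lock.DevPackages) are included unless noDevPackages is set.
// Each package is compared against every advisory whose Reference is
// "composer://<package name>": a dev version ("dev-*" / "*-dev") matches a
// branch by name (the branch's ".x" suffix stripped) when the package's
// commit time is set and not after the branch time; any other version matches
// when it satisfies the branch's version constraints. Versions or constraints
// that cannot be parsed are reported on stderr and skipped.
func Analyze(lock *Lock, db *AdvisoryDB, noDevPackages bool) *Vulnerabilities {
	vulnerabilities := make(Vulnerabilities)

	// Copy into a fresh slice: appending to lock.Packages directly could write
	// into its backing array when it has spare capacity.
	packages := make([]Package, 0, len(lock.Packages)+len(lock.DevPackages))
	packages = append(packages, lock.Packages...)
	if !noDevPackages {
		packages = append(packages, lock.DevPackages...)
	}

	// Group advisories by reference once instead of scanning the whole
	// database for every package; database order is kept per reference.
	byReference := make(map[string][]Advisory)
	for _, a := range db.Advisories {
		byReference[a.Reference] = append(byReference[a.Reference], a)
	}

	for _, p := range packages {
		advs := matchingAdvisories(p, byReference["composer://"+p.Name])
		if len(advs) > 0 {
			vulnerabilities[p.Name] = Vulnerability{
				Version:    string(p.Version),
				Advisories: advs,
			}
		}
	}

	return &vulnerabilities
}

// matchingAdvisories returns one SimpleAdvisory per branch of advisories that
// covers package p, or nil when nothing matches.
func matchingAdvisories(p Package, advisories []Advisory) []SimpleAdvisory {
	if len(advisories) == 0 {
		return nil
	}

	dev := isDev(p)
	packageBranchName := normalizeVersion(string(p.Version))

	// Parse the release version once per package rather than once per branch.
	var pv *version.Version
	if !dev {
		var err error
		if pv, err = version.NewVersion(string(p.Version)); err != nil {
			fmt.Fprintf(os.Stderr, "unable to parse version %s\n", p.Version)
			return nil
		}
	}

	var advs []SimpleAdvisory
	for _, a := range advisories {
		for branchName, branch := range a.Branches {
			if branch == nil {
				// A branch with a null body in the YAML would otherwise panic.
				continue
			}
			var affected bool
			if dev {
				// Dev versions are matched by branch name and cut-off time.
				affected = strings.TrimSuffix(branchName, ".x") == packageBranchName &&
					!time.Time(p.Time).IsZero() &&
					!time.Time(p.Time).After(time.Time(branch.Time))
			} else {
				affected = satisfiesConstraints(pv, branch.Versions)
			}
			if affected {
				advs = append(advs, SimpleAdvisory{CVE: a.CVE, Link: a.Link, Title: a.Title})
			}
		}
	}
	return advs
}

// satisfiesConstraints reports whether pv lies inside the comma-joined
// constraint list. An unparsable list is reported on stderr and counts as not
// matching.
func satisfiesConstraints(pv *version.Version, constraints []string) bool {
	list := strings.Join(constraints, ", ")
	c, err := version.NewConstraint(list)
	if err != nil {
		fmt.Fprintf(os.Stderr, "unable to parse version constraint %s\n", list)
		return false
	}
	return c.Check(pv)
}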
138 |
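// normalizeVersion reduces a Composer dev version to the bare branch name that
// advisory branches (with their ".x" suffix stripped) are compared against:
// "dev-master" -> "master", "3.4.x-dev" -> "3.4", "1.0-dev" -> "1.0".
// Versions without a dev marker are returned unchanged.
func normalizeVersion(version string) string {
	version = strings.TrimPrefix(version, "dev-")
	// ".x-dev" must be tried before "-dev": once "-dev" is gone the longer
	// suffix can no longer match, which left "3.4.x" to be compared with a
	// "3.4" branch and so never matched.
	version = strings.TrimSuffix(version, ".x-dev")
	version = strings.TrimSuffix(version, "-dev")
	return version
}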
145 |
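// devRefSuffix matches a "#<reference>" suffix appended to a version string.
// Compiled once at package level instead of on every isDev call.
var devRefSuffix = regexp.MustCompile("#.+$")

// isDev reports whether p's version is a Composer dev version, i.e. it starts
// with "dev-" or ends with "-dev" once any "#<reference>" suffix is removed.
func isDev(p Package) bool {
	version := devRefSuffix.ReplaceAllString(string(p.Version), "")
	return strings.HasPrefix(version, "dev-") || strings.HasSuffix(version, "-dev")
}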
156 |
--------------------------------------------------------------------------------
/security/fixtures/integer_as_version.lock:
--------------------------------------------------------------------------------
1 | {
2 | "_readme": [
3 | "This file locks the dependencies of your project to a known state",
4 | "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
5 | "This file is @generated automatically"
6 | ],
7 | "content-hash": "f6c44a58bec3dc9a70961bd02d0fb52b",
8 | "packages": [
9 | {
10 | "name": "symfony/apache-pack",
11 | "version": 7,
12 | "source": {
13 | "type": "git",
14 | "url": "https://github.com/symfony/apache-pack.git",
15 | "reference": "3aa5818d73ad2551281fc58a75afd9ca82622e6c"
16 | },
17 | "dist": {
18 | "type": "zip",
19 | "url": "https://api.github.com/repos/symfony/apache-pack/zipball/3aa5818d73ad2551281fc58a75afd9ca82622e6c",
20 | "reference": "3aa5818d73ad2551281fc58a75afd9ca82622e6c",
21 | "shasum": ""
22 | },
23 | "type": "symfony-pack",
24 | "notification-url": "https://packagist.org/downloads/",
25 | "license": [
26 | "MIT"
27 | ],
28 | "description": "A pack for Apache support in Symfony",
29 | "time": "2017-12-12T01:46:35+00:00"
30 | }
31 | ],
32 | "packages-dev": [],
33 | "aliases": [],
34 | "minimum-stability": "stable",
35 | "stability-flags": [],
36 | "prefer-stable": false,
37 | "prefer-lowest": false,
38 | "platform": [],
39 | "platform-dev": []
40 | }
41 |
--------------------------------------------------------------------------------
/security/fixtures/locate/composer.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "fabpot/_temp",
3 | "require": {
4 | "symfony/apache-pack": "^1.0"
5 | },
6 | "authors": [
7 | {
8 | "name": "Fabien Potencier",
9 | "email": "fabien@potencier.org"
10 | }
11 | ]
12 | }
13 |
--------------------------------------------------------------------------------
/security/fixtures/locate/composer.lock:
--------------------------------------------------------------------------------
1 | {
2 | "_readme": [
3 | "This file locks the dependencies of your project to a known state",
4 | "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
5 | "This file is @generated automatically"
6 | ],
7 | "content-hash": "f6c44a58bec3dc9a70961bd02d0fb52b",
8 | "packages": [
9 | {
10 | "name": "symfony/apache-pack",
11 | "version": "v1.0.1",
12 | "source": {
13 | "type": "git",
14 | "url": "https://github.com/symfony/apache-pack.git",
15 | "reference": "3aa5818d73ad2551281fc58a75afd9ca82622e6c"
16 | },
17 | "dist": {
18 | "type": "zip",
19 | "url": "https://api.github.com/repos/symfony/apache-pack/zipball/3aa5818d73ad2551281fc58a75afd9ca82622e6c",
20 | "reference": "3aa5818d73ad2551281fc58a75afd9ca82622e6c",
21 | "shasum": ""
22 | },
23 | "type": "symfony-pack",
24 | "notification-url": "https://packagist.org/downloads/",
25 | "license": [
26 | "MIT"
27 | ],
28 | "description": "A pack for Apache support in Symfony",
29 | "time": "2017-12-12T01:46:35+00:00"
30 | }
31 | ],
32 | "packages-dev": [],
33 | "aliases": [],
34 | "minimum-stability": "stable",
35 | "stability-flags": [],
36 | "prefer-stable": false,
37 | "prefer-lowest": false,
38 | "platform": [],
39 | "platform-dev": []
40 | }
41 |
--------------------------------------------------------------------------------
/security/fixtures/no_vulns.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "fabpot/_temp",
3 | "require": {
4 | "symfony/apache-pack": "^1.0"
5 | },
6 | "authors": [
7 | {
8 | "name": "Fabien Potencier",
9 | "email": "fabien@potencier.org"
10 | }
11 | ]
12 | }
13 |
--------------------------------------------------------------------------------
/security/fixtures/no_vulns.lock:
--------------------------------------------------------------------------------
1 | {
2 | "_readme": [
3 | "This file locks the dependencies of your project to a known state",
4 | "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
5 | "This file is @generated automatically"
6 | ],
7 | "content-hash": "f6c44a58bec3dc9a70961bd02d0fb52b",
8 | "packages": [
9 | {
10 | "name": "symfony/apache-pack",
11 | "version": "v1.0.1",
12 | "source": {
13 | "type": "git",
14 | "url": "https://github.com/symfony/apache-pack.git",
15 | "reference": "3aa5818d73ad2551281fc58a75afd9ca82622e6c"
16 | },
17 | "dist": {
18 | "type": "zip",
19 | "url": "https://api.github.com/repos/symfony/apache-pack/zipball/3aa5818d73ad2551281fc58a75afd9ca82622e6c",
20 | "reference": "3aa5818d73ad2551281fc58a75afd9ca82622e6c",
21 | "shasum": ""
22 | },
23 | "type": "symfony-pack",
24 | "notification-url": "https://packagist.org/downloads/",
25 | "license": [
26 | "MIT"
27 | ],
28 | "description": "A pack for Apache support in Symfony",
29 | "time": "2017-12-12T01:46:35+00:00"
30 | }
31 | ],
32 | "packages-dev": [],
33 | "aliases": [],
34 | "minimum-stability": "stable",
35 | "stability-flags": [],
36 | "prefer-stable": false,
37 | "prefer-lowest": false,
38 | "platform": [],
39 | "platform-dev": []
40 | }
41 |
--------------------------------------------------------------------------------
/security/fixtures/not_a_lock.lock:
--------------------------------------------------------------------------------
1 | {
2 | "_readme": [
3 | "This file locks the dependencies of your project to a known state",
4 | "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
5 | "This file is @generated automatically"
6 | ],
7 | "content-hash": "f6c44a58bec3dc9a70961bd02d0fb52b",
8 | "aliases": [],
9 | "minimum-stability": "stable",
10 | "stability-flags": [],
11 | "prefer-stable": false,
12 | "prefer-lowest": false,
13 | "platform": [],
14 | "platform-dev": []
15 | }
16 |
--------------------------------------------------------------------------------
/security/fixtures/prerelease_without_dot.lock:
--------------------------------------------------------------------------------
1 | {
2 | "packages": [
3 | {
4 | "name": "symfony/apache-pack",
5 | "version": "v1.0.0-alpha10"
6 | },
7 | {
8 | "name": "test/packagename",
9 | "version": "2.0-beta3"
10 | },
11 | {
12 | "name": "test/another",
13 | "version": "2.0-RC1"
14 | }
15 | ]
16 | }
17 |
--------------------------------------------------------------------------------
/security/formatter.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "encoding/json"
5 | "fmt"
6 | "os"
7 | "regexp"
8 | "strings"
9 |
10 | "gopkg.in/yaml.v3"
11 | )
12 |
// Format renders vulns in the output format selected by name.
//
// Accepted names: "ansi", "text"/"txt"/"markdown"/"md", "json", "raw_json",
// "junit" and "yaml"/"yml". Any other name yields an "unknown format" error.
func Format(vulns *Vulnerabilities, format string) ([]byte, error) {
	switch format {
	case "ansi":
		return ToANSI(vulns, false), nil
	case "text", "txt", "markdown", "md":
		return ToMarkdown(vulns), nil
	case "json":
		return ToJSON(vulns, true)
	case "raw_json":
		return ToJSON(vulns, false)
	case "junit":
		return ToJunit(vulns)
	case "yaml", "yml":
		return ToYAML(vulns)
	}
	return nil, fmt.Errorf("unknown format %s", format)
}
30 |
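// ToANSI returns vulnerabilities as text with ANSI code for colors.
//
// When forceANSICodes is false and the environment does not look colour
// capable (see hasPosixColorSupport) the plain Markdown rendering is returned
// instead. Advisories without a CVE identifier are numbered CVE-NONE-0001,
// CVE-NONE-0002, ... in report order; advisories with a link get an OSC 8
// hyperlink definition appended after the package list.
func ToANSI(vulns *Vulnerabilities, forceANSICodes bool) []byte {
	if !hasPosixColorSupport() && !forceANSICodes {
		return ToMarkdown(vulns)
	}

	// Grow one buffer instead of re-concatenating the whole report on every
	// append; the output is identical.
	var out strings.Builder
	out.WriteString("\u001B[33mSymfony Security Check Report\u001B[0m\n")
	out.WriteString("\u001B[33m=============================\u001B[0m\n\n")
	count := vulns.CountVulnerablePackages()
	switch {
	case count == 1:
		out.WriteString("\u001B[41m1 package\u001B[0m has known vulnerabilities.\n")
	case count > 0:
		fmt.Fprintf(&out, "\u001B[41m%d packages\u001B[0m have known vulnerabilities.\n", count)
	default:
		out.WriteString("\u001B[32mNo packages have known vulnerabilities.\u001B[0m")
	}
	out.WriteString("\n")

	// Link definitions are collected separately and emitted after all
	// packages, reference-link style.
	var links strings.Builder
	ref := 0
	for _, pkg := range vulns.Keys() {
		v := vulns.Get(pkg)
		heading := fmt.Sprintf("%s (%s)", pkg, v.Version)
		fmt.Fprintf(&out, "\u001B[33m%s\u001B[0m\n\u001B[33m%s\u001B[0m\n\n", heading, strings.Repeat("-", len(heading)))
		for _, a := range v.Advisories {
			cve := a.CVE
			if cve == "" {
				ref++
				cve = fmt.Sprintf("CVE-NONE-%04d", ref)
			}
			// Advisory titles are conventionally prefixed with their CVE; drop it
			// since the identifier is printed separately.
			title := strings.TrimPrefix(a.Title, a.CVE+": ")

			// NOTE(review): title and link come from the advisories database and
			// are written to the terminal unescaped; control characters in them
			// would be interpreted by the terminal rather than displayed.
			if a.Link == "" {
				fmt.Fprintf(&out, " * \u001B[34m%s\u001B[0m: %s\n", cve, title)
			} else {
				fmt.Fprintf(&out, " * [\u001B[34m%s\u001B[0m][]: %s\n", cve, title)
				fmt.Fprintf(&links, "[%s]: \u001B]8;;%s\u0007%s\u001B]8;;\u0007\u001B[0m\n", cve, a.Link, a.Link)
			}
		}
		out.WriteString("\n")
	}
	out.WriteString(links.String())
	out.WriteString("\n")

	out.WriteString("\u001B[33mNote that this checker can only detect vulnerabilities that are referenced in the security advisories database.\n" +
		"Execute this command regularly to check the newly discovered vulnerabilities.\u001B[0m\n")

	return []byte(out.String())
}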
79 |
80 | var ansiRe = regexp.MustCompile("(\u001B\\[\\d+m|\u001B\\]8;;.*?\u0007)")
81 |
// ToMarkdown returns vulnerabilities as Markdown: the ANSI rendering with every
// colour and hyperlink escape sequence removed.
func ToMarkdown(vulns *Vulnerabilities) []byte {
	colored := ToANSI(vulns, true)
	return ansiRe.ReplaceAll(colored, nil)
}
86 |
// ToJSON outputs vulnerabilities as JSON, indented when prettify is true.
func ToJSON(vulns *Vulnerabilities, prettify bool) ([]byte, error) {
	if !prettify {
		return json.Marshal(vulns)
	}
	return json.MarshalIndent(vulns, "", " ")
}
95 |
// ToYAML outputs vulnerabilities as YAML.
func ToYAML(vulns *Vulnerabilities) ([]byte, error) {
	out, err := yaml.Marshal(vulns)
	if err != nil {
		return nil, err
	}
	return out, nil
}
100 |
// hasPosixColorSupport guesses from environment variables whether the current
// terminal understands ANSI colour codes. Any single hint is enough: ANSICON
// set, ConEmuANSI=ON, a TERM starting with "xterm", TERM_PROGRAM=Hyper, or a
// non-empty SHLVL.
func hasPosixColorSupport() bool {
	switch {
	case os.Getenv("ANSICON") != "":
		return true
	case os.Getenv("ConEmuANSI") == "ON":
		return true
	case strings.HasPrefix(os.Getenv("TERM"), "xterm"):
		return true
	case os.Getenv("TERM_PROGRAM") == "Hyper":
		return true
	}
	return os.Getenv("SHLVL") != ""
}
104 |
--------------------------------------------------------------------------------
/security/junit.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "encoding/xml"
5 | "fmt"
6 | )
7 |
// testsuites is the root <testsuites> element of the JUnit report.
type testsuites struct {
	XMLName    xml.Name `xml:"testsuites"`
	Name       string   `xml:"name,attr"` // report title
	Testsuites []testsuite
}
13 |
// testsuite is one <testsuite> element. ToJunit emits a single suite holding
// one test case per package; Package and Errors are left at their zero values.
type testsuite struct {
	XMLName   xml.Name `xml:"testsuite"`
	Package   string   `xml:"package,attr"`
	Errors    int      `xml:"errors,attr"`
	Failures  int      `xml:"failures,attr"`
	Tests     int      `xml:"tests,attr"`
	Testcases []testcase
}
22 |
// testcase is one <testcase> element, i.e. one package; each advisory becomes
// a <failure> child (omitted entirely when there are none).
type testcase struct {
	XMLName   xml.Name `xml:"testcase"`
	Name      string   `xml:"name,attr"`      // "<package> (<version>)"
	Classname string   `xml:"classname,attr"` // always "packages" in ToJunit
	Failure   []string `xml:"failure,omitempty"`
}
29 |
// ToJunit renders vulns as an indented JUnit XML document: one test suite,
// one test case per package, and one failure line per advisory formatted as
// "<cve> - <title> (<link>)". Every package counts as one test and one failure.
func ToJunit(vulns *Vulnerabilities) ([]byte, error) {
	suite := testsuite{}
	for _, pkg := range vulns.Keys() {
		v := vulns.Get(pkg)
		var failures []string
		for _, a := range v.Advisories {
			failures = append(failures, fmt.Sprintf("%s - %s (%s)", a.CVE, a.Title, a.Link))
		}
		suite.Testcases = append(suite.Testcases, testcase{
			Classname: "packages",
			Name:      fmt.Sprintf("%s (%s)", pkg, v.Version),
			Failure:   failures,
		})
		suite.Failures++
		suite.Tests++
	}
	report := testsuites{
		Name:       "Symfony Security Check Report",
		Testsuites: []testsuite{suite},
	}
	return xml.MarshalIndent(&report, " ", " ")
}
55 |
--------------------------------------------------------------------------------
/security/lock.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "encoding/json"
5 | "errors"
6 | "fmt"
7 | "github.com/mitchellh/go-homedir"
8 | "io"
9 | "os"
10 | "path/filepath"
11 | "strings"
12 | )
13 |
// Package represents a Composer package as listed in composer.lock.
type Package struct {
	Name    string  `json:"name"`
	Version Version `json:"version"` // Version.UnmarshalJSON also accepts a bare integer
	Time    Time    `json:"time,omitempty"`
}
20 |
// Lock represents a Composer lock file; only the two package lists are read.
type Lock struct {
	Packages    []Package `json:"packages"`
	DevPackages []Package `json:"packages-dev"`
}
26 |
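// NewLock reads a composer.lock document from reader and decodes it.
//
// It returns an error when the reader cannot be drained, when the content is
// not valid JSON, or when the document has neither a "packages" nor a
// "packages-dev" key (the check distinguishes a missing key from an empty
// list, so `"packages": []` is accepted).
func NewLock(reader io.Reader) (*Lock, error) {
	contents, err := io.ReadAll(reader)
	if err != nil {
		return nil, fmt.Errorf("unable to read lock file: %w", err)
	}
	// Decode into a value rather than a *Lock: a document that is literally
	// `null` would leave a pointer nil and the field checks below would panic.
	var l Lock
	if err = json.Unmarshal(contents, &l); err != nil {
		return nil, fmt.Errorf("lock file is not valid JSON (not a composer.lock file?): %w", err)
	}
	if l.Packages == nil && l.DevPackages == nil {
		return nil, errors.New("lock file is not valid (no packages and no dev packages)")
	}
	return &l, nil
}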
42 |
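// LocateLock resolves path to a composer.lock file and opens it.
//
// A leading "~" is expanded to the home directory. An empty path means
// "composer.lock" in the current working directory; a directory means the
// composer.lock inside it; a path ending in composer.json is mapped to the
// sibling composer.lock. The returned reader is the open *os.File, so the
// caller is responsible for closing it.
func LocateLock(path string) (io.Reader, error) {
	path, err := homedir.Expand(path)
	if err != nil {
		return nil, err
	}

	if path == "" {
		cwd, err := os.Getwd()
		if err != nil {
			return nil, err
		}
		path = filepath.Join(cwd, "composer.lock")
	} else if stat, err := os.Stat(path); err == nil && stat.IsDir() {
		path = filepath.Join(path, "composer.lock")
	} else if strings.HasSuffix(path, "composer.json") {
		// Swap only the trailing file name; a first-occurrence Replace would
		// also rewrite a directory component that happens to be named
		// composer.json.
		path = strings.TrimSuffix(path, "composer.json") + "composer.lock"
	}

	reader, err := os.Open(path)
	if err != nil {
		// %w keeps the *os.PathError reachable through errors.As; the message
		// text is unchanged.
		return nil, fmt.Errorf("%s is not a valid lock file: %w", path, err)
	}

	return reader, nil
}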
69 |
--------------------------------------------------------------------------------
/security/lock_test.go:
--------------------------------------------------------------------------------
1 | package security
2 |
import (
	"bufio"
	"io"
	"os"
	"testing"

	"github.com/stretchr/testify/assert"
)
10 |
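// TestLock decodes a minimal valid lock file with one production package.
func TestLock(t *testing.T) {
	file, err := os.Open("fixtures/no_vulns.lock")
	if err != nil {
		t.Fatal(err)
	}
	defer file.Close()
	lock, err := NewLock(bufio.NewReader(file))
	if err != nil {
		t.Fatalf("NewLock: %v", err)
	}
	// assert.Equal takes (expected, actual); keep that order so failure
	// messages read correctly.
	assert.Equal(t, 0, len(lock.DevPackages))
	assert.Equal(t, 1, len(lock.Packages))
	assert.Equal(t, "symfony/apache-pack", lock.Packages[0].Name)
}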
22 |
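// TestIntegerAsVersionLock checks that a bare integer "version" is kept as
// its textual form.
func TestIntegerAsVersionLock(t *testing.T) {
	file, err := os.Open("fixtures/integer_as_version.lock")
	if err != nil {
		t.Fatal(err)
	}
	defer file.Close()
	lock, err := NewLock(bufio.NewReader(file))
	if err != nil {
		t.Fatalf("NewLock: %v", err)
	}
	assert.Equal(t, 0, len(lock.DevPackages))
	assert.Equal(t, 1, len(lock.Packages))
	assert.Equal(t, "symfony/apache-pack", lock.Packages[0].Name)
	assert.Equal(t, "7", string(lock.Packages[0].Version))
}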
35 |
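// TestNotALock checks that a JSON document without package lists is rejected
// with the documented message.
func TestNotALock(t *testing.T) {
	file, err := os.Open("fixtures/not_a_lock.lock")
	if err != nil {
		t.Fatal(err)
	}
	defer file.Close()
	_, err = NewLock(bufio.NewReader(file))
	// EqualError fails cleanly on a nil error instead of panicking on
	// err.Error().
	assert.EqualError(t, err, "lock file is not valid (no packages and no dev packages)")
}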
44 |
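// TestLocateLock checks the three accepted spellings of a lock location
// (directory, composer.json, composer.lock) and that a missing file errors.
func TestLocateLock(t *testing.T) {
	for _, path := range []string{"fixtures/locate", "fixtures/locate/composer.json", "fixtures/locate/composer.lock"} {
		reader, err := LocateLock(path)
		if !assert.Nil(t, err, path) {
			continue
		}
		// LocateLock returns the open file; close it so the loop does not leak
		// one descriptor per iteration.
		if closer, ok := reader.(io.Closer); ok {
			assert.Nil(t, closer.Close())
		}
	}

	_, err := LocateLock("fixtures/locate/does-not-exist/composer.lock")
	assert.Error(t, err)
}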
51 |
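// TestPrereleaseWithoutDot checks that "alpha10"-style pre-release suffixes
// are normalised to "alpha.10" (case-insensitively) while decoding.
func TestPrereleaseWithoutDot(t *testing.T) {
	file, err := os.Open("fixtures/prerelease_without_dot.lock")
	if err != nil {
		t.Fatal(err)
	}
	defer file.Close()
	lock, err := NewLock(bufio.NewReader(file))
	if err != nil {
		t.Fatalf("NewLock: %v", err)
	}
	if !assert.Len(t, lock.Packages, 3) {
		t.FailNow()
	}
	assert.Equal(t, Version("v1.0.0-alpha.10"), lock.Packages[0].Version)
	assert.Equal(t, Version("2.0-beta.3"), lock.Packages[1].Version)
	assert.Equal(t, Version("2.0-RC.1"), lock.Packages[2].Version)
}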
65 |
--------------------------------------------------------------------------------
/security/time.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "encoding/json"
5 | "fmt"
6 | "time"
7 | )
8 |
9 | const rfc3339Extended = "2006-01-02T15:04:05.999999999-0700"
10 |
// formats lists the layouts TryParseTime tries, in order. The first group
// covers Composer-style "YYYY-MM-DD HH:MM[:SS]" stamps with an optional zone;
// the rest are the standard library's predefined layouts. Note that every
// layout includes a time-of-day component.
var formats = []string{
	"2006-01-02 15:04:05.999999999 -0700 MST",
	"2006-01-2 15:04:05",
	"2006-01-2 15:04",
	"2006-01-2 15:04:05 -0700",
	"2006-01-2 15:04 -0700",
	"2006-01-2 15:04:05 -07:00",
	"2006-01-2 15:04 -07:00",
	"2006-01-2 15:04:05 MST",
	"2006-01-2 15:04 MST",
	time.RFC3339,
	rfc3339Extended,
	time.RFC3339Nano,
	time.RFC822,
	time.RFC822Z,
	time.RFC850,
	time.RFC1123,
	time.RFC1123Z,
	time.UnixDate,
	time.RubyDate,
	time.ANSIC,
	time.Kitchen,
	time.Stamp,
	time.StampMilli,
	time.StampMicro,
	time.StampNano,
}
38 |
// Time represents a Composer-like date. It wraps time.Time so that the loose
// date formats found in lock files and advisories can be decoded.
type Time time.Time

// Format proxies the call to time.Time.Format with the given layout.
func (t Time) Format(layout string) string {
	std := time.Time(t)
	return std.Format(layout)
}
46 |
// UnmarshalYAML parses a Composer-like date from YAML into t via parseDate.
// On a parse failure t still receives whatever parseDate returned alongside
// the error.
func (t *Time) UnmarshalYAML(unmarshal func(interface{}) error) error {
	var raw string
	if err := unmarshal(&raw); err != nil {
		return err
	}
	parsed, err := parseDate(raw)
	*t = parsed
	return err
}
57 |
// UnmarshalJSON parses a Composer-like date from a JSON string into t via
// parseDate. On a parse failure t still receives whatever parseDate returned
// alongside the error.
func (t *Time) UnmarshalJSON(data []byte) error {
	var raw string
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	parsed, err := parseDate(raw)
	*t = parsed
	return err
}
68 |
// MarshalJSON encodes t exactly as the underlying time.Time would (RFC 3339).
func (t Time) MarshalJSON() ([]byte, error) {
	std := time.Time(t)
	return std.MarshalJSON()
}
73 |
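// parseDate converts a Composer-like date string into a Time.
//
// An empty string means "no fix available" and is mapped to a sentinel far in
// the future (2123-01-02 UTC). Any other value is tried against every layout
// in formats. On failure the current time is returned together with an error.
func parseDate(date string) (Time, error) {
	if date == "" {
		// far away in the future, means no fix available. None of the layouts
		// in formats accepts a bare date, so the sentinel is built directly
		// instead of being round-tripped through TryParseTime (which would
		// fail and turn every empty date into an error).
		return Time(time.Date(2123, time.January, 2, 0, 0, 0, 0, time.UTC)), nil
	}

	if tt, ok := TryParseTime(date); ok {
		return Time(tt), nil
	}

	return Time(time.Now()), fmt.Errorf("unable to parse date: %s", date)
}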
86 |
// TryParseTime tries each layout in formats in turn and returns the first
// successful parse. When no layout matches it returns the zero time and false.
func TryParseTime(value string) (time.Time, bool) {
	for _, layout := range formats {
		if parsed, err := time.Parse(layout, value); err == nil {
			return parsed, true
		}
	}

	return time.Time{}, false
}
100 |
--------------------------------------------------------------------------------
/security/time_test.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "testing"
5 | "time"
6 |
7 | "github.com/stretchr/testify/assert"
8 | )
9 |
// TestTimeParsing checks that the Composer-style stamps, with and without
// seconds and with a named or numeric UTC zone, all parse to the same instant.
func TestTimeParsing(t *testing.T) {
	want := time.Date(2018, 11, 22, 23, 7, 0, 0, time.UTC).Format(time.RFC822Z)
	inputs := []string{
		"2018-11-22 23:07 UTC",
		"2018-11-22 23:07:00",
		"2018-11-22 23:07:00 UTC",
		"2018-11-22 23:07:00 +00:00",
		"2018-11-22 23:07 +00:00",
	}
	for _, in := range inputs {
		got, ok := TryParseTime(in)
		assert.True(t, ok, in)
		assert.NotNil(t, got)
		assert.Equal(t, want, got.Format(time.RFC822Z), in)
	}
}
34 |
--------------------------------------------------------------------------------
/security/version.go:
--------------------------------------------------------------------------------
1 | package security
2 |
3 | import (
4 | "encoding/json"
5 | "regexp"
6 | )
7 |
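// Version represents a composer.json version (can be a string or an integer)
type Version string

// prereleaseRe matches a trailing pre-release tag written without a dot
// separator, e.g. "alpha12" or "RC1". It is compiled once here instead of on
// every UnmarshalJSON call.
var prereleaseRe = regexp.MustCompile(`(?i)(alpha|beta|rc)(\d+)$`)

// UnmarshalJSON accepts either a JSON string or a JSON integer.
//
// An integer is kept as its textual form ("7"). A string is normalised so that
// a pre-release suffix without a dot becomes the dotted form
// ("2.0.0-alpha12" -> "2.0.0-alpha.12"). Any other JSON value (a float, an
// array, ...) is an error.
func (v *Version) UnmarshalJSON(b []byte) error {
	var num json.Number
	if err := json.Unmarshal(b, &num); err == nil {
		// Only whole numbers are accepted as versions; "1.5" falls through to
		// the string path, which then rejects it.
		if _, err := num.Int64(); err == nil {
			*v = Version(num.String())
			return nil
		}
	}
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}

	// be more lenient with pre-release versions, convert "2.0.0-alpha12" to "2.0.0-alpha.12"
	*v = Version(prereleaseRe.ReplaceAllString(s, "$1.$2"))
	return nil
}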
32 |
--------------------------------------------------------------------------------