Clean up docs, and ensure we read the env in Config class

composer · Feb 7, 2024 · 24b458a · 24b458a
1 parent d5a15c3
commit 24b458a
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 32 deletions.
diff --git a/doc/03-cli.md b/doc/03-cli.md
@@ -1237,6 +1237,11 @@ similar use case), and need to support proxies, please provide the `CGI_HTTP_PRO
 environment variable instead. See [httpoxy.org](https://httpoxy.org/) for further
 details.
 
+### COMPOSER_AUDIT_ABANDONED
+
+Set to `ignore`, `report` or `fail` to override the [audit.abandoned](06-config.md#abandoned)
+config option.
+
 ### COMPOSER_MAX_PARALLEL_HTTP
 
 Set to an integer to configure how many files can be downloaded in parallel. This

diff --git a/doc/06-config.md b/doc/06-config.md
@@ -143,7 +143,17 @@ Defaults to `report` in Composer 2.6, and defaults to `fail` from Composer 2.7 o
 - `report` means abandoned packages are reported as an error but do not cause the command to exit with a non-zero code.
 - `fail` means abandoned packages will cause audits to fail with a non-zero code.
 
-Since Composer 2.6.7 the default and the configuration in composer.json can be overriden via the `COMPOSER_AUDIT_ABANDONED` environmant variable.
+```json
+{
+    "config": {
+        "audit": {
+            "abandoned": "report"
+        }
+    }
+}
+```
+
+Since Composer 2.7 the option can be overriden via the [`COMPOSER_AUDIT_ABANDONED`](03-cli.md#composer-audit-abandoned) environment variable.
 
 ## use-parent-dir
 

diff --git a/src/Composer/Advisory/Auditor.php b/src/Composer/Advisory/Auditor.php
@@ -59,10 +59,6 @@ class Auditor
      */
     public function audit(IOInterface $io, RepositorySet $repoSet, array $packages, string $format, bool $warningOnly = true, array $ignoreList = [], string $abandoned = self::ABANDONED_FAIL): int
     {
-        if (Platform::getEnv('COMPOSER_AUDIT_ABANDONED') !== FALSE) {
-            $abandoned = Platform::getEnv('COMPOSER_AUDIT_ABANDONED');
-        }
-
         $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packages, $format === self::FORMAT_SUMMARY);
         // we need the CVE & remote IDs set to filter ignores correctly so if we have any matches using the optimized codepath above
         // and ignores are set then we need to query again the full data to make sure it can be filtered

diff --git a/src/Composer/Config.php b/src/Composer/Config.php
@@ -436,6 +436,20 @@ public function get(string $key, int $flags = 0)
 
                 return $this->process($this->config[$key], $flags);
 
+            case 'audit':
+                $result = $this->config[$key];
+                $abandonedEnv = $this->getComposerEnv('COMPOSER_AUDIT_ABANDONED');
+                if (false !== $abandonedEnv) {
+                    if (!in_array($abandonedEnv, $validChoices = [Auditor::ABANDONED_IGNORE, Auditor::ABANDONED_REPORT, Auditor::ABANDONED_FAIL], true)) {
+                        throw new \RuntimeException(
+                            "Invalid value for COMPOSER_AUDIT_ABANDONED: {$abandonedEnv}. Expected ".Auditor::ABANDONED_IGNORE.", ".Auditor::ABANDONED_REPORT." or ".Auditor::ABANDONED_FAIL
+                        );
+                    }
+                    $result['abandoned'] = $abandonedEnv;
+                }
+
+                return $result;
+
             default:
                 if (!isset($this->config[$key])) {
                     return null;

diff --git a/tests/Composer/Test/Advisory/AuditorTest.php b/tests/Composer/Test/Advisory/AuditorTest.php
@@ -145,29 +145,6 @@ public static function auditProvider()
     }
 }',
         ];
-
-        yield 'abandoned packages reporting mode override via env var' => [
-            'data' => [
-                'packages' => [
-                    $abandonedWithReplacement,
-                    $abandonedNoReplacement,
-                ],
-                'warningOnly' => false,
-                'abandoned' => Auditor::ABANDONED_FAIL,
-                'abandoned_via_env_var' => Auditor::ABANDONED_REPORT,
-                'format' => Auditor::FORMAT_TABLE,
-            ],
-            'expected' => 0,
-            'output' => 'No security vulnerability advisories found.
-Found 2 abandoned packages:
-+-------------------+----------------------------------------------------------------------------------+
-| Abandoned Package | Suggested Replacement                                                            |
-+-------------------+----------------------------------------------------------------------------------+
-| vendor/abandoned  | foo/bar                                                                          |
-| vendor/abandoned2 | none                                                                             |
-+-------------------+----------------------------------------------------------------------------------+',
-        ];
-
     }
 
     /**
@@ -180,13 +157,9 @@ public function testAudit(array $data, int $expected, string $output): void
             $this->expectException(InvalidArgumentException::class);
         }
         $auditor = new Auditor();
-        if (array_key_exists('abandoned_via_env_var', $data)) {
-            Platform::putEnv('COMPOSER_AUDIT_ABANDONED', $data['abandoned_via_env_var']);
-        }
         $result = $auditor->audit($io = new BufferIO(), $this->getRepoSet(), $data['packages'], $data['format'] ?? Auditor::FORMAT_PLAIN, $data['warningOnly'], [], $data['abandoned'] ?? Auditor::ABANDONED_IGNORE);
         $this->assertSame($expected, $result);
         $this->assertSame($output, trim(str_replace("\r", '', $io->getOutput())));
-        Platform::clearEnv('COMPOSER_AUDIT_ABANDONED');
     }
 
     public function ignoredIdsProvider(): \Generator {

diff --git a/tests/Composer/Test/ConfigTest.php b/tests/Composer/Test/ConfigTest.php
@@ -12,6 +12,7 @@
 
 namespace Composer\Test;
 
+use Composer\Advisory\Auditor;
 use Composer\Config;
 use Composer\IO\IOInterface;
 use Composer\Util\Platform;
@@ -382,6 +383,25 @@ public function testGetSourceOfValueEnvVariables(): void
         $this->assertEquals('COMPOSER_HTACCESS_PROTECT', $result);
     }
 
+    public function testAudit()
+    {
+        $config = new Config(true);
+        $result = $config->get('audit');
+        self::assertSame(Auditor::ABANDONED_FAIL, $result['abandoned']);
+        self::assertSame([], $result['ignore']);
+
+        Platform::putEnv('COMPOSER_AUDIT_ABANDONED', Auditor::ABANDONED_IGNORE);
+        $result = $config->get('audit');
+        Platform::clearEnv('COMPOSER_AUDIT_ABANDONED');
+        self::assertSame(Auditor::ABANDONED_IGNORE, $result['abandoned']);
+        self::assertSame([], $result['ignore']);
+
+        $config->merge(['config' => ['audit' => ['ignore' => ['A', 'B']]]]);
+        $config->merge(['config' => ['audit' => ['ignore' => ['A', 'C']]]]);
+        $result = $config->get('audit');
+        self::assertSame(['A', 'B', 'A', 'C'], $result['ignore']);
+    }
+
     public function testGetDefaultsToAnEmptyArray(): void
     {
         $config = new Config;