Add security to support options (#11271)

This support option allows projects to specify a URL to the project's
vulnerability disclosure policy (VDP).

composer.json

@@ -98,6 +98,7 @@
     },
     "support": {
         "issues": "https://github.com/composer/composer/issues",
-        "irc": "ircs://irc.libera.chat:6697/composer"
+        "irc": "ircs://irc.libera.chat:6697/composer",
+        "security": "https://github.com/composer/composer/security/policy"
     }
 }

doc/04-schema.md

@@ -250,6 +250,7 @@ Support information includes the following:
 * **docs:** URL to the documentation.
 * **rss:** URL to the RSS feed.
 * **chat:** URL to the chat channel.
+* **security:** URL to the vulnerability disclosure policy (VDP).
 
 An example:
 

res/composer-schema.json

@@ -111,6 +111,11 @@
                     "type": "string",
                     "description": "URL to the RSS feed.",
                     "format": "uri"
+                },
+                "security": {
+                    "type": "string",
+                    "description": "URL to the vulnerability disclosure policy (VDP).",
+                    "format": "uri"
                 }
             }
         },

src/Composer/Package/CompletePackage.php

@@ -33,7 +33,7 @@ class CompletePackage extends Package implements CompletePackageInterface
     protected $homepage = null;
     /** @var array<string, string[]> Map of script name to array of handlers */
     protected $scripts = [];
-    /** @var array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string} */
+    /** @var array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string} */
     protected $support = [];
     /** @var array<array{url?: string, type?: string}> */
     protected $funding = [];

src/Composer/Package/CompletePackageInterface.php

@@ -118,14 +118,14 @@ public function setAuthors(array $authors): void;
     /**
      * Returns the support information
      *
-     * @return array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string}
+     * @return array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string}
      */
     public function getSupport(): array;
 
     /**
      * Set the support information
      *
-     * @param  array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string} $support
+     * @param  array{issues?: string, forum?: string, wiki?: string, source?: string, email?: string, irc?: string, docs?: string, rss?: string, chat?: string, security?: string} $support
      */
     public function setSupport(array $support): void;
 

src/Composer/Package/Loader/ValidatingArrayLoader.php

@@ -191,7 +191,7 @@ public function load(array $config, string $class = 'Composer\Package\CompletePa
         }
 
         if ($this->validateArray('support') && !empty($this->config['support'])) {
-            foreach (['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat'] as $key) {
+            foreach (['issues', 'forum', 'wiki', 'source', 'email', 'irc', 'docs', 'rss', 'chat', 'security'] as $key) {
                 if (isset($this->config['support'][$key]) && !is_string($this->config['support'][$key])) {
                     $this->errors[] = 'support.'.$key.' : invalid value, must be a string';
                     unset($this->config['support'][$key]);
@@ -208,7 +208,7 @@ public function load(array $config, string $class = 'Composer\Package\CompletePa
                 unset($this->config['support']['irc']);
             }
 
-            foreach (['issues', 'forum', 'wiki', 'source', 'docs', 'chat'] as $key) {
+            foreach (['issues', 'forum', 'wiki', 'source', 'docs', 'chat', 'security'] as $key) {
                 if (isset($this->config['support'][$key]) && !$this->filterUrl($this->config['support'][$key])) {
                     $this->warnings[] = 'support.'.$key.' : invalid value ('.$this->config['support'][$key].'), must be an http/https URL';
                     unset($this->config['support'][$key]);

tests/Composer/Test/Package/Loader/ValidatingArrayLoaderTest.php

@@ -74,6 +74,7 @@ public static function successProvider(): array
                         'irc' => 'irc://example.org/example',
                         'rss' => 'http://example.org/rss',
                         'chat' => 'http://example.org/chat',
+                        'security' => 'https://example.org/security',
                     ],
                     'funding' => [
                         [
@@ -449,6 +450,7 @@ public static function warningProvider(): array
                         'issues' => 'foo:bar',
                         'wiki' => 'foo:bar',
                         'chat' => 'foo:bar',
+                        'security' => 'foo:bar',
                     ],
                 ],
                 [
@@ -457,6 +459,7 @@ public static function warningProvider(): array
                     'support.issues : invalid value (foo:bar), must be an http/https URL',
                     'support.wiki : invalid value (foo:bar), must be an http/https URL',
                     'support.chat : invalid value (foo:bar), must be an http/https URL',
+                    'support.security : invalid value (foo:bar), must be an http/https URL',
                 ],
             ],
             [