Switch default audit.abandoned to fail for 2.7 release
Seldaek committed Dec 18, 2023
1 parent 8f190fc commit e0f7527
Showing 4 changed files with 4 additions and 8 deletions.
6 changes: 1 addition & 5 deletions src/Composer/Advisory/Auditor.php
Expand Up @@ -56,12 +56,8 @@ class Auditor
* @return int Amount of packages with vulnerabilities found
* @throws InvalidArgumentException If no packages are passed in
*/
public function audit(IOInterface $io, RepositorySet $repoSet, array $packages, string $format, bool $warningOnly = true, array $ignoreList = [], string $abandoned = self::ABANDONED_REPORT): int
public function audit(IOInterface $io, RepositorySet $repoSet, array $packages, string $format, bool $warningOnly = true, array $ignoreList = [], string $abandoned = self::ABANDONED_FAIL): int
{
if ($abandoned === 'default' && $format !== self::FORMAT_SUMMARY) {
$io->writeError('<warning>The new audit.abandoned setting (currently defaulting to "report" will default to "fail" in Composer 2.7, make sure to set it to "report" or "ignore" explicitly by then if you do not want this.</warning>');
}

$allAdvisories = $repoSet->getMatchingSecurityAdvisories($packages, $format === self::FORMAT_SUMMARY);
// we need the CVE & remote IDs set to filter ignores correctly so if we have any matches using the optimized codepath above
// and ignores are set then we need to query again the full data to make sure it can be filtered
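Review bot: The visible `@return` still reads "Amount of packages with vulnerabilities found", but with `self::ABANDONED_FAIL` now the default it looks like abandoned packages contribute to that count as well; the body that decides this, and the start of the docblock, are outside the hunk, so confirm and then widen the wording to `@return int Amount of packages with vulnerabilities found (plus abandoned packages when $abandoned is self::ABANDONED_FAIL)`. If the docblock has no entry for the last parameter, add `@param string $abandoned One of the self::ABANDONED_* constants; controls whether abandoned packages are ignored, reported, or counted as audit failures`. Dropping the `'default'` sentinel branch also means a caller that still passes the literal string `'default'` gets no warning any more; if that string is rejected by config validation elsewhere this is fine, otherwise it is worth a glance.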
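--- a/src/Composer/Command/AuditCommand.php
+++ b/src/Composer/Command/AuditCommand.php
@@ -65,7 +65,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 
 $auditConfig = $composer->getConfig()->get('audit');
 
-return min(255, $auditor->audit($this->getIO(), $repoSet, $packages, $this->getAuditFormat($input, 'format'), false, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_REPORT));
+return min(255, $auditor->audit($this->getIO(), $repoSet, $packages, $this->getAuditFormat($input, 'format'), false, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_FAIL));
 }
 
 /**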
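Review bot: The exit code on the return line is `min(255, <count>)`, and with `Auditor::ABANDONED_FAIL` as the fallback that count presumably now includes abandoned packages (the counting happens in the auditor, outside this hunk), so CI jobs that gate on `composer audit` will start failing on an abandoned package with no advisory at all, and the exit status cannot distinguish the two cases. That is a reasonable fail-closed default, but it deserves a comment at the call site so the next reader does not assume the code is a vulnerability count: `// Exit code = number of flagged packages, capped at 255. With audit.abandoned=fail (the 2.7 default) abandoned packages are flagged too; set it to "report"/"ignore" to exclude them.` The `execute()` method begins before this hunk.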
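--- a/src/Composer/Config.php
+++ b/src/Composer/Config.php
@@ -38,7 +38,7 @@ class Config
 'allow-plugins' => [],
 'use-parent-dir' => 'prompt',
 'preferred-install' => 'dist',
-'audit' => ['ignore' => [], 'abandoned' => 'default'], // TODO in 2.7 switch to ABANDONED_FAIL
+'audit' => ['ignore' => [], 'abandoned' => Auditor::ABANDONED_FAIL],
 'notify-on-install' => true,
 'github-protocols' => ['https', 'ssh', 'git'],
 'gitlab-protocol' => null,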
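Review bot: The new default references the class constant `Auditor::ABANDONED_FAIL` where the old value was a plain string, so Config.php needs `use Composer\Advisory\Auditor;` in scope; that import block is outside this hunk, so confirm it is already present rather than relying on the fallbacks in AuditCommand/Installer (which reference `Auditor::` and therefore already import it). Since the TODO that explained the old sentinel is gone, a one-line rationale next to the entry would help: `'audit' => ['ignore' => [], 'abandoned' => Auditor::ABANDONED_FAIL], // fail closed: abandoned packages fail the audit unless set to "report" or "ignore"`. The `$defaultConfig` array starts before the hunk.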
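--- a/src/Composer/Installer.php
+++ b/src/Composer/Installer.php
@@ -419,7 +419,7 @@ public function run(): int
 
 $auditConfig = $this->config->get('audit');
 
-return $auditor->audit($this->io, $repoSet, $packages, $this->auditFormat, true, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_REPORT) > 0 && $this->errorOnAudit ? self::ERROR_AUDIT_FAILED : 0;
+return $auditor->audit($this->io, $repoSet, $packages, $this->auditFormat, true, $auditConfig['ignore'] ?? [], $auditConfig['abandoned'] ?? Auditor::ABANDONED_FAIL) > 0 && $this->errorOnAudit ? self::ERROR_AUDIT_FAILED : 0;
 } catch (TransportException $e) {
 $this->io->error('Failed to audit '.$target.' packages.');
 if ($this->io->isVerbose()) {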
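Review bot: With `Auditor::ABANDONED_FAIL` as the fallback, a merely abandoned package now yields `self::ERROR_AUDIT_FAILED` whenever `$this->errorOnAudit` is set, yet the `catch (TransportException $e)` directly below only prints "Failed to audit"; if that catch ends by returning 0 (its tail is outside the hunk), a network error while fetching advisories makes an audit-gated install fail open, which is the opposite of what this commit tightens. Either return `self::ERROR_AUDIT_FAILED` from the catch when `$this->errorOnAudit` is true, or document the asymmetry explicitly: `// NOTE: transport failures are reported but never fail the install, even with errorOnAudit; only findings do`. The `run()` method begins before and continues after this hunk.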

1 comment on commit e0f7527

@Seldaek
Member Author


Fixes #11643
