Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

composer audit used Composer version #11216

Closed
glaubinix opened this issue Dec 7, 2022 · 7 comments · Fixed by #11761
Closed

composer audit used Composer version #11216

glaubinix opened this issue Dec 7, 2022 · 7 comments · Fixed by #11761
Labels
Feature
Milestone
2.7

Comments

@glaubinix
Copy link
Contributor

Now that Composer can audit a lock file, it would be helpful if Composer could check if the currently used Composer version is affected by any security advisories. This should make it more obvious to users in case they use a Composer version that has security issues.

Not quite sure whether this should happen as part of the regular composer audit functionality or whether this should happen in some other place.
@Seldaek Seldaek added the Feature label Dec 8, 2022
@Seldaek Seldaek added this to the Nice To Have milestone Dec 8, 2022
@Seldaek
Copy link
Member

Seldaek commented Dec 8, 2022

Should be doable as part of audit command for sure, I don't know if I would otherwise do it on every run, probably rather not.

@stof
Copy link
Contributor

stof commented Dec 8, 2022

To me, it would be better if composer audit stayed focused on auditing the project itself and not the composer phar (as the way to fix it is totally different). We might have a composer self-audit to audit the composer.lock of the phar itself.

@stof
Copy link
Contributor

stof commented Dec 8, 2022

Doing a self audit as part of composer diagnose might make sense though.

@malcomio
Copy link

malcomio commented Nov 4, 2023

If the project includes any dependencies on composer/composer, you may think that this feature is already in place, although it is auditing the version in the project's vendor directory, rather than the version actually being used when you run composer.

When I run composer audit in a project where the lock file includes

            "name": "composer/composer",
            "version": "2.6.3",

then I get the following output:

composer audit
The new audit.abandoned setting (currently defaulting to "report" will default to "fail" in Composer 2.7, make sure to set it to "report" or "ignore" explicitly by then if you do not want this.
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | composer/composer                                                                |
| CVE               | CVE-2023-43655                                                                   |
| Title             | Composer Remote Code Execution vulnerability via web-accessible composer.phar    |
| URL               | https://github.com/advisories/GHSA-jm6m-4632-36hf                                |
| Affected versions | >=2.3.0,<2.6.4|>=2.0.0,<2.2.22|<1.10.27                                          |
| Reported at       | 2023-09-29T20:39:21+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
Local dev developer@doc

The behaviour is slightly confusing, because if I run composer -V I see that I'm using version 2.6.5 - audit must be checking the version in vendor

@Seldaek
Copy link
Member

Seldaek commented Dec 18, 2023

@malcomio yes indeed it checks the one in vendor as audit looks at the vendor dir only. So it still is good to report it in that case IMO. But anyway requiring composer is generally not a great idea, and something I discourage unless you have no other choice.

@Seldaek Seldaek modified the milestones: Nice To Have, 2.7 Dec 18, 2023
Seldaek added a commit to Seldaek/composer that referenced this issue Dec 18, 2023
@Seldaek
Perform audit on Composer and its dependencies during diagnose, fixes c…
476be97 
…omposer#11216
@Seldaek Seldaek mentioned this issue Dec 18, 2023
Merged
@Seldaek
Copy link
Member

Seldaek commented Dec 18, 2023

See #11761

Seldaek added a commit that referenced this issue Jan 4, 2024
@Seldaek
Perform audit on Composer and its dependencies during diagnose, fixes #…
efe6e44 
…11216 (#11761)
@malcomio
Copy link

malcomio commented Jan 4, 2024
edited

Thanks - https://github.com/drupal/core-dev includes composer/composer as a dependency.

I've created https://www.drupal.org/project/drupal/issues/3412268 on that project with a link to this.

theoboldalex pushed a commit to theoboldalex/composer that referenced this issue Jan 10, 2024
@Seldaek @theoboldalex
Perform audit on Composer and its dependencies during diagnose, fixes c…
cb73d2f 
…omposer#11216 (composer#11761)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature
Projects
None yet
Milestone
2.7
Development

Successfully merging a pull request may close this issue.

Perform audit on Composer and its dependencies during diagnose Seldaek/composer
4 participants
@Seldaek @malcomio @stof @glaubinix