Merge pull request #3 from OWS/feature/no-dev

Add option to check only production dependencies
OWS · Jul 2, 2021 · bed46d6 · bed46d6
2 parents c5ba501 + 4e1ecef
commit bed46d6
Show file tree

Hide file tree

Showing 6 changed files with 4,811 additions and 20 deletions.
diff --git a/src/SecurityChecker.php b/src/SecurityChecker.php
@@ -44,6 +44,8 @@ public function __construct(array $urls_advisories = [])
      *
      * @param string $composer_lock
      *   The composer.lock file to check.
+     * @param bool $exclude_dev
+     *   Only check for production dependencies.
      *
      * @return array
      *   An array with the status and the possibles vulnerabilities founded.
@@ -52,7 +54,7 @@ public function __construct(array $urls_advisories = [])
      *
      * @throws \Exception
      */
-    public function checkComposer($composer_lock)
+    public function checkComposer($composer_lock, bool $exclude_dev = false)
     {
         $vulnerabilities = [];
         $status = 'ok';
@@ -62,7 +64,8 @@ public function checkComposer($composer_lock)
             $security_advisories_composer_json = $this->fetchAdvisoryComposerJson($url);
             $updates = $this->calculateSecurityUpdates(
                 $composer_lock_data,
-                $security_advisories_composer_json
+                $security_advisories_composer_json,
+                $exclude_dev
             );
             if (!empty($updates)) {
                 $vulnerabilities += $updates;
@@ -113,6 +116,8 @@ protected function fetchAdvisoryComposerJson($url)
      *   The contents of a composer.lock file.
      * @param array $security_advisories_composer_json
      *   The composer.json array from the security-advisory.
+     * @param bool $exclude_dev
+     *   Only check for production dependencies.
      *
      * @return array
      *   Security updates availables, keyed by package name,
@@ -121,15 +126,20 @@ protected function fetchAdvisoryComposerJson($url)
      *   - version
      *   - links.
      */
-    protected function calculateSecurityUpdates(array $composer_lock_data, array $security_advisories_composer_json)
+    protected function calculateSecurityUpdates(array $composer_lock_data, array $security_advisories_composer_json, bool $exclude_dev = false)
     {
+        if ($exclude_dev) {
+            $packages = $composer_lock_data['packages'];
+        }
+        else {
+            $packages = array_merge(
+                $composer_lock_data['packages-dev'],
+                $composer_lock_data['packages']
+            );
+        }
         $updates = [];
-        $both = array_merge(
-            $composer_lock_data['packages-dev'],
-            $composer_lock_data['packages']
-        );
         $conflict = $security_advisories_composer_json['conflict'];
-        foreach ($both as $package) {
+        foreach ($packages as $package) {
             $name = $package['name'];
             $version = $package['version'];
             if (empty($conflict[$name]) || !Semver::satisfies($version, $conflict[$name])) {