Fix PackageSecurityHealthCheck

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Fix PackageSecurityHealthCheck by using the `enlightn/security-checker` package instead of the archived `sensiolabs/security-checker` package
+
 ## [1.13.1] - 2021-10-13
 
 ### Added

composer.json

@@ -74,6 +74,6 @@
         "illuminate/redis": "Allows the redis health check to function.",
         "league/flysystem": "Allows the ftp health check to function.",
         "guzzlehttp/guzzle": "Allows the http health check to function.",
-        "sensiolabs/security-checker": "Allows the package security health check to function."
+        "enlightn/security-checker": "Allows the package security health check to function."
     }
 }

config/healthcheck.php

@@ -108,10 +108,11 @@
     ],
 
     /*
-     * A list of packages to be ignored by the Package Security health check
+     * Settings for the Package Security health check
      */
     'package-security' => [
-        'ignore' => [],
+        'exclude-dev' => false, // Exclude dev dependencies from the security check
+        'ignore' => [], // Packages to ignore
     ],
 
     'scheduler' => [
@@ -121,7 +122,7 @@
 
     /*
      * Default value for env checks.
-     * For each key, the check will call `env(KEY, config('healthcheck.env-default-key'))` 
+     * For each key, the check will call `env(KEY, config('healthcheck.env-default-key'))`
      * to avoid false positives when `env(KEY)` is defined but is null.
      */
     'env-check-key' => 'HEALTH_CHECK_ENV_DEFAULT_VALUE',

src/Checks/PackageSecurityHealthCheck.php

@@ -3,7 +3,7 @@
 namespace UKFast\HealthCheck\Checks;
 
 use Exception;
-use SensioLabs\Security\SecurityChecker;
+use Enlightn\SecurityChecker\SecurityChecker;
 use UKFast\HealthCheck\HealthCheck;
 
 class PackageSecurityHealthCheck extends HealthCheck
@@ -12,23 +12,30 @@ class PackageSecurityHealthCheck extends HealthCheck
 
     protected $vulnerablePackages = [];
 
-    public static function checkDependency()
+    public static function checkDependency($class)
     {
-        return class_exists(SecurityChecker::class);
+        return class_exists($class);
     }
 
     public function status()
     {
         try {
-            if (! static::checkDependency()) {
-                throw new Exception('You need to install the sensiolabs/security-checker package to use this check.');
+            if (! static::checkDependency(SecurityChecker::class)) {
+                if (static::checkDependency(\SensioLabs\Security\SecurityChecker::class)) {
+                    throw new Exception('The sensiolabs/security-checker package has been archived. Install enlightn/security-checker instead.');
+                }
+                throw new Exception('You need to install the enlightn/security-checker package to use this check.');
             }
 
             $checker = new SecurityChecker();
-            $result = $checker->check(base_path('composer.lock'), 'json');
+            $result = $checker->check(
+                base_path('composer.lock'),
+                config('healthcheck.package-security.exclude-dev', false)
+            );
+
+            $vulnerabilities = collect($result);
 
-            if ($result->count() > 0) {
-                $vulnerabilities = collect(json_decode((string) $result, true));
+            if ($vulnerabilities->count() > 0) {
                 $this->vulnerablePackages = $vulnerabilities->reject(function ($vulnerability, $package) {
                     return in_array($package, config('healthcheck.package-security.ignore'));
                 });

tests/Checks/PackageSecurityHealthCheckTest.php

@@ -32,21 +32,37 @@ protected function partialMock($abstract, Closure $mock = null)
      */
     public function shows_problem_if_required_package_not_loaded()
     {
-        $status = (new PackageSecurityHealthCheck($this->app))->status();
+        $status = (new MockedPackageSecurityHealthCheck)->status();
 
         $this->assertTrue($status->isProblem());
+        $this->assertSame('You need to install the enlightn/security-checker package to use this check.', $status->context()['exception']['error']);
+    }
+
+    /**
+     * @test
+     */
+    public function shows_problem_if_incorrect_package_loaded()
+    {
+        MockedPackageSecurityHealthCheck::$classResults = [
+            'Enlightn\SecurityChecker\SecurityChecker' => false,
+            'SensioLabs\Security\SecurityChecker' => true,
+        ];
+        $status = (new MockedPackageSecurityHealthCheck)->status();
+
+        $this->assertTrue($status->isProblem());
+        $this->assertSame('The sensiolabs/security-checker package has been archived. Install enlightn/security-checker instead.', $status->context()['exception']['error']);
     }
 
     /**
      * @test
      */
     public function shows_problem_if_cannot_check_packages()
     {
-        $this->partialMock('overload:SensioLabs\Security\SecurityChecker', function ($mock) {
-            $mock->shouldReceive('check')->andThrow(new Exception('Lock file does not exist.'));
+        $this->partialMock('overload:Enlightn\SecurityChecker\SecurityChecker', function ($mock) {
+            $mock->shouldReceive('check')->andThrow(new Exception('File not found at [/tmp/composer.lock]'));
         });
 
-        $status = (new PackageSecurityHealthCheck($this->app))->status();
+        $status = (new PackageSecurityHealthCheck)->status();
 
         $this->assertTrue($status->isProblem());
     }
@@ -56,12 +72,12 @@ public function shows_problem_if_cannot_check_packages()
      */
     public function shows_problem_if_package_has_vulnerability()
     {
-        $this->partialMock('overload:SensioLabs\Security\SecurityChecker', function ($mock) {
+        $this->partialMock('overload:Enlightn\SecurityChecker\SecurityChecker', function ($mock) {
             $mock->shouldReceive('check')
-                ->andReturn(new MockResult(1, file_get_contents('tests/json/sensiolabsPackageHasVulnerability.json')));
+                ->andReturn(json_decode(file_get_contents('tests/json/securityCheckerPackageHasVulnerability.json'), true));
         });
 
-        $status = (new PackageSecurityHealthCheck($this->app))->status();
+        $status = (new PackageSecurityHealthCheck)->status();
 
         $this->assertTrue($status->isProblem());
     }
@@ -77,12 +93,12 @@ public function ignores_package_if_in_config()
             ],
         ]);
 
-        $this->partialMock('overload:SensioLabs\Security\SecurityChecker', function ($mock) {
+        $this->partialMock('overload:Enlightn\SecurityChecker\SecurityChecker', function ($mock) {
             $mock->shouldReceive('check')
-                ->andReturn(new MockResult(1, file_get_contents('tests/json/sensiolabsPackageHasVulnerability.json')));
+                ->andReturn(json_decode(file_get_contents('tests/json/securityCheckerPackageHasVulnerability.json'), true));
         });
 
-        $status = (new PackageSecurityHealthCheck($this->app))->status();
+        $status = (new PackageSecurityHealthCheck)->status();
 
         $this->assertTrue($status->isOkay());
     }
@@ -92,34 +108,26 @@ public function ignores_package_if_in_config()
      */
     public function shows_okay_if_no_packages_have_vulnerabilities()
     {
-        $this->partialMock('overload:SensioLabs\Security\SecurityChecker', function ($mock) {
+        $this->partialMock('overload:Enlightn\SecurityChecker\SecurityChecker', function ($mock) {
             $mock->shouldReceive('check')
-                ->andReturn(new MockResult(0, '{}'));
+                ->andReturn([]);
         });
 
-        $status = (new PackageSecurityHealthCheck($this->app))->status();
+        $status = (new PackageSecurityHealthCheck)->status();
 
         $this->assertTrue($status->isOkay());
     }
 }
 
-class MockResult
+class MockedPackageSecurityHealthCheck extends \UKFast\HealthCheck\Checks\PackageSecurityHealthCheck
 {
-    private $vulnerabilities;
-
-    public function __construct($count, $vulnerabilities)
-    {
-        $this->count = $count;
-        $this->vulnerabilities = $vulnerabilities;
-    }
-
-    public function __toString()
-    {
-        return $this->vulnerabilities;
-    }
+    public static $classResults = [
+        'Enlightn\SecurityChecker\SecurityChecker' => false,
+        'SensioLabs\Security\SecurityChecker' => false,
+    ];
 
-    public function count()
+    public static function checkDependency($class)
     {
-        return $this->count;
+        return static::$classResults[$class];
     }
 }

tests/json/sensiolabsPackageHasVulnerability.json → tests/json/securityCheckerPackageHasVulnerability.json

@@ -1,6 +1,7 @@
 {
     "example/package": {
-        "version": "v1.2.3",
+        "version": "1.2.3",
+        "time": "2021-10-01T00:00:00+00:00",
         "advisories": [
             {
                 "title": "Example Vulnerability",
@@ -9,4 +10,4 @@
             }
         ]
     }
-}
+}