added composer security check

liip · Oct 28, 2014 · 166a799 · 166a799
1 parent 3c54426
commit 166a799
Show file tree

Hide file tree

Showing 5 changed files with 150 additions and 29 deletions.
diff --git a/.rmt.yml b/.rmt.yml
@@ -4,6 +4,7 @@ prerequisites:
   - working-copy-check
   - display-last-changes
   - tests-check
+  - composer-security-check
 
 pre-release-actions:
     bin/UpdateApplicationVersionCurrentVersion.php: ~

diff --git a/README.md b/README.md
@@ -148,6 +148,7 @@ Prerequisite actions are executed before the interactive part
   * Option `composer`: how to run composer (default: *php composer.phar*)
 * `composer-stability-check`: will check if the composer.json is set to the right minimum-stability
   * Option `stability`: the stability that should be set in the minimum-stability field (default: *stable*)
+* `composer-security-check`: run the composer.lock against https://security.sensiolabs.org/ to check for known vulnerabilities in the dependencies
 
 ### Actions
 

diff --git a/composer.json b/composer.json
@@ -26,7 +26,8 @@
         "symfony/console": "~2.0",
         "symfony/yaml": "~2.0",
         "symfony/process": "~2.0",
-        "vierbergenlars/php-semver": "~3.0"
+        "vierbergenlars/php-semver": "~3.0",
+        "sensiolabs/security-checker": "~2.0"
     },
     "autoload": {
         "psr-0": {

diff --git a/composer.lock b/composer.lock
diff --git a/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php b/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
@@ -0,0 +1,81 @@
+<?php
+/*
+ * This file is part of the project RMT
+ *
+ * Copyright (c) 2014, Liip AG, http://www.liip.ch
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Liip\RMT\Prerequisite;
+
+use Liip\RMT\Action\BaseAction;
+use Liip\RMT\Context;
+use Liip\RMT\Information\InformationRequest;
+use SensioLabs\Security\SecurityChecker;
+
+/**
+ * uses https://security.sensiolabs.org/ to see if composer.lock contains insecure versions
+ */
+class ComposerSecurityCheck extends BaseAction
+{
+    const SKIP_OPTION = 'skip-composer-security-check';
+
+    public function __construct($options)
+    {
+        $this->options = $options;
+    }
+
+    public function execute()
+    {
+        // Handle the skip option
+        if (Context::get('information-collector')->getValueFor(self::SKIP_OPTION)) {
+            Context::get('output')->writeln('<error>composer security check skipped</error>');
+
+            return;
+        }
+
+        // Run the validation and live output with the standard output class
+        Context::get('output')->write("<comment>running composer security check</comment>\n\n");
+
+        $checker = new SecurityChecker();
+        $alerts = $checker->check('composer.lock');
+
+        if (count($alerts) == 0) {
+            $this->confirmSuccess();
+
+            return;
+        }
+
+        foreach ($alerts as $package => $alert) {
+
+            Context::get("output")->writeln("<options=bold>{$package}</options=bold> {$alert['version']}");
+            foreach ($alert['advisories'] as $data) {
+                Context::get("output")->writeln("");
+                Context::get("output")->writeln($data['title']);
+                Context::get("output")->writeln("");
+                Context::get("output")->writeln($data['link']);
+                Context::get("output")->writeln("");
+            }
+        }
+
+        throw new \Exception(
+            'composer.lock contains insecure packages (you can force a release with option --'.self::SKIP_OPTION.')'
+        );
+    }
+
+    public function getInformationRequests()
+    {
+        return array(
+            new InformationRequest(
+                self::SKIP_OPTION,
+                array(
+                    'description' => 'Do not run composer security check before the release',
+                    'type' => 'confirmation',
+                    'interactive' => false
+                )
+            )
+        );
+    }
+}