chore(lockfile): add pear/packagist installed.json fixture variants #33
Merged
Combine the scanner-side fixture from future-architect/vuls (pear/log and pear/pear_exception with only install-path metadata) with the existing full-form packages (guzzlehttp/psr7, psr/http-message, ralouphie/getallheaders) in data/lockfile/installed.json. After this, vuls can delete its duplicate scanner/testdata/fixtures/installed.json and read this single file directly, while the parser test still exercises both the minimal and the full Composer 2.x package shapes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Force-pushed from 23d4e1b to fa54f93.
Pull request overview
Merges the previously duplicated “minimal-shape” Composer installed.json fixture (pear/log + pear/pear_exception with only core fields and install-path) into this repository’s existing data/lockfile/installed.json, so downstream consumers (future-architect/vuls) can use a single shared fixture while still covering both minimal and “rich” package entries.
Changes:
- Added two minimal-form package entries (`pear/log`, `pear/pear_exception`) to the top of the `packages` array in `installed.json`.
- Kept the existing rich-form Composer package entries (e.g., `guzzlehttp/psr7`) intact in the same fixture.
Replace the merged data/lockfile/installed.json with two siblings: data/lockfile/installed-pear/installed.json (pear/log, pear/pear_exception — minimal install-path-only entries) and data/lockfile/installed-packagist/installed.json (guzzlehttp/psr7, psr/http-message, ralouphie/getallheaders — full Packagist-shape entries). This matches the directory-per-variant convention already used for npm-v1/v2/v3, poetry-v1/v2, conan-v1/v2 and keeps the two parser-test inputs cleanly distinct. Update int-config.toml and int-redis-config.toml accordingly: [servers.composer-vendor] is replaced by [servers.composer-vendor-pear] and [servers.composer-vendor-packagist]. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
shino added a commit to future-architect/vuls that referenced this pull request on Apr 28, 2026:
Match the integration repo's directory split (vulsio/integration#33): the merged installed.json fixture is replaced by two distinct fixtures under installed-pear/ and installed-packagist/, exercising the minimal PEAR-style and the full Packagist-style Composer 2.x package shapes separately. Update TestAnalyzeLibrary_Golden's lockfileEntry list and regenerate the golden files; drop the now-unused installed.json.json. The submodule pointer and the integration ref in .github/workflows/test.yml will be bumped together once the companion integration PR lands. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
shino added a commit to future-architect/vuls that referenced this pull request on Apr 28, 2026:
…ff LIBS The two pseudo servers added in vulsio/integration#33 (replacing the old [servers.composer-vendor] that was never wired into LIBS) need to be listed here so make diff actually exercises the installed.json parser. Closes a pre-existing gap as a side effect: composer-vendor has been an orphan entry in int(-redis)-config.toml since it was added. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
shino added a commit to future-architect/vuls that referenced this pull request on Apr 28, 2026:
…plit vulsio/integration#33 has merged at 6dfd74510f5944e7c973e40d7844020d53dbb3a7. Update both sources of truth for the integration test data: - .github/workflows/test.yml: actions/checkout ref pin - integration/ submodule pointer CI on this PR can now resolve installed-pear/installed.json and installed-packagist/installed.json against the upstream merge commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
shino added a commit to future-architect/vuls that referenced this pull request on Apr 28, 2026:
CI broke after the previous suggestion changed the ref to refs/pull/33/merge: that ref is server-side only while the PR is open, so once vulsio/integration#33 was merged the runner got "fatal: couldn't find remote ref refs/pull/33/merge". Pin to the actual merge commit SHA (6dfd74510f5944e7c973e40d7844020d53dbb3a7). A SHA is also the correct anchor for the security argument: a mutable ref defeats the point of pinning, since whoever can move the ref can swap in arbitrary code that go test would execute. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
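The pinning argument in the commit above, turned into a check a reviewer can run: this is an added Go example, not code from vuls, vulsio/integration or this PR. It scans workflow text and flags every actions/checkout `ref:` that is not a full commit SHA, and, going one step beyond the commit message, also flags `uses:` references that are pinned only to a tag such as `@v4`, which a repository owner can move just like a branch. The workflow excerpt is constructed for the example; the merge SHA is the one named in the commit, and the 40-zero action SHA is a placeholder.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fullSHA matches a 40-hex-digit Git object id, the only form of a ref that
// nobody with push access to the remote can move after the fact.
var fullSHA = regexp.MustCompile(`(?i)^[0-9a-f]{40}$`)

// refLine captures the value of a "ref:" key; quotes and a trailing YAML
// comment are tolerated.
var refLine = regexp.MustCompile(`^\s*ref:\s*["']?([^"'\s#]+)`)

// usesLine captures the value of a step's "uses:" key.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)

// isPinnedRef reports whether a checkout ref is an immutable commit SHA.
// Branch names, tags and refs/pull/N/merge are all mutable or transient.
func isPinnedRef(ref string) bool {
	return fullSHA.MatchString(ref)
}

// isPinnedUses reports whether a "uses:" reference is pinned to a commit SHA
// after the "@". Local actions (./path) carry no "@" and are not flagged.
func isPinnedUses(uses string) bool {
	at := strings.LastIndex(uses, "@")
	if at < 0 {
		return true
	}
	return fullSHA.MatchString(uses[at+1:])
}

// unpinnedRefs scans workflow YAML line by line and returns one finding per
// ref: or uses: value that is not pinned to a full commit SHA.
func unpinnedRefs(workflow string) []string {
	var findings []string
	for i, line := range strings.Split(workflow, "\n") {
		if m := refLine.FindStringSubmatch(line); m != nil && !isPinnedRef(m[1]) {
			findings = append(findings, fmt.Sprintf("line %d: ref %q is not a commit SHA", i+1, m[1]))
		}
		if m := usesLine.FindStringSubmatch(line); m != nil && !isPinnedUses(m[1]) {
			findings = append(findings, fmt.Sprintf("line %d: uses %q is not pinned to a commit SHA", i+1, m[1]))
		}
	}
	return findings
}

// sampleWorkflow is a constructed excerpt: the first step uses the transient
// refs/pull/33/merge ref that broke CI once the PR merged, the second the
// merge-commit pin from the commit message. The action SHA is a placeholder.
const sampleWorkflow = `steps:
  - uses: actions/checkout@v4
    with:
      repository: vulsio/integration
      ref: refs/pull/33/merge   # transient: gone once the PR is merged
      path: integration
  - uses: actions/checkout@0000000000000000000000000000000000000000
    with:
      repository: vulsio/integration
      ref: 6dfd74510f5944e7c973e40d7844020d53dbb3a7
      path: integration
`

func main() {
	for _, f := range unpinnedRefs(sampleWorkflow) {
		fmt.Println(f)
	}
}
```

On the constructed excerpt the scan reports two findings: the `actions/checkout@v4` tag on line 2 and the `refs/pull/33/merge` ref on line 5; the second step, pinned by SHA on both keys, is clean. Running this over a real workflow file is a one-line `os.ReadFile` away.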
shino added a commit to future-architect/vuls that referenced this pull request on Apr 30, 2026:
* fix(scanner/fixture): source lockfiles from vulsio/integration
  OpenSSF Scorecard alert #81 was triggered by old packages declared in scanner/testdata/fixtures/go.mod (OPA v0.35.0, docker v20.10.11, etc.) being scanned as real dependencies of vuls. Those fixtures were just copies of files already in vulsio/integration; they had been duplicated here to avoid pulling submodules in CI, which would let a fork PR redirect .gitmodules to attacker code that "go test" would then run. Delete the 30 duplicate files and have TestAnalyzeLibrary_Golden read straight from integration/data/lockfile/. CI now fetches that repo via a separate actions/checkout step pinned by commit SHA. The pin lives in the workflow file (not .gitmodules), so a fork PR cannot redirect it without a reviewable diff. The submodule entry stays for local development and "make diff". After vulsio/integration merges the matching installed.json change, bump the ref SHA in .github/workflows/test.yml and the submodule pointer to that merge commit.
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(scanner/fixture): split installed.json into pear and packagist
  Match the integration repo's directory split (vulsio/integration#33): the merged installed.json fixture is replaced by two distinct fixtures under installed-pear/ and installed-packagist/, exercising the minimal PEAR-style and the full Packagist-style Composer 2.x package shapes separately. Update TestAnalyzeLibrary_Golden's lockfileEntry list and regenerate the golden files; drop the now-unused installed.json.json. The submodule pointer and the integration ref in .github/workflows/test.yml will be bumped together once the companion integration PR lands.
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(scanner/fixture): add composer-vendor-{pear,packagist} to make diff LIBS
  The two pseudo servers added in vulsio/integration#33 (replacing the old [servers.composer-vendor] that was never wired into LIBS) need to be listed here so make diff actually exercises the installed.json parser. Closes a pre-existing gap as a side effect: composer-vendor has been an orphan entry in int(-redis)-config.toml since it was added.
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(scanner/fixture): bump integration ref to merged installed.json split
  vulsio/integration#33 has merged at 6dfd74510f5944e7c973e40d7844020d53dbb3a7. Update both sources of truth for the integration test data:
  - .github/workflows/test.yml: actions/checkout ref pin
  - integration/ submodule pointer
  CI on this PR can now resolve installed-pear/installed.json and installed-packagist/installed.json against the upstream merge commit.
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* Update .github/workflows/test.yml
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* fix(scanner/fixture): only skip golden tests on missing integration dir
  Per Copilot review: os.Stat returning a non-not-exist error (e.g., permission, IO) should fail the test, not silently skip — those indicate real issues that masking would hide. Distinguish via errors.Is(err, fs.ErrNotExist).
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(scanner/fixture): restore SHA pin for integration ref
  CI broke after the previous suggestion changed the ref to refs/pull/33/merge: that ref is server-side only while the PR is open, so once vulsio/integration#33 was merged the runner got "fatal: couldn't find remote ref refs/pull/33/merge". Pin to the actual merge commit SHA (6dfd74510f5944e7c973e40d7844020d53dbb3a7).
  A SHA is also the correct anchor for the security argument: a mutable ref defeats the point of pinning, since whoever can move the ref can swap in arbitrary code that go test would execute.
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(scanner/fixture): always fail when integration data is missing
  Per Copilot review: t.Skipf can mask CI misconfiguration (e.g. someone removes the integration checkout step or changes the path) and silently disable golden-test coverage. Drop the skip path entirely — both CI and local runs now hard-fail with a message pointing at the right remediation (git submodule update --init locally, or check the workflow). Removes the errors/io/fs imports that were only there for the skip branch.
  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(scanner): fix goldenFileName doc comment example to include .json suffix
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
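The skip-versus-fail decision in the last fixture commits above, as an added Go example that is neither vuls code nor part of this PR: `requireIntegrationData` checks the integration checkout the golden test reads from and always returns an error when the checkout or a fixture is absent, carrying the remediation in the message instead of skipping; a stat error other than not-exist (permission, I/O) is passed through unchanged, since it signals a real problem that a skip would hide. The fixture paths are the ones named in this PR; the remediation wording and the helper names are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// integrationFixtures lists the lockfile fixtures the golden test depends on,
// relative to the integration checkout (paths as named in vulsio/integration#33).
var integrationFixtures = []string{
	"data/lockfile/installed-pear/installed.json",
	"data/lockfile/installed-packagist/installed.json",
}

// remediation is the hint attached to a missing-checkout error (assumed wording).
const remediation = "run `git submodule update --init` locally, or check the actions/checkout step in .github/workflows/test.yml"

// checkPath applies the not-exist / other-error split: a missing path gets the
// remediation hint, any other stat failure is returned as-is because it is a
// real problem rather than a missing checkout, and the wrong kind of entry
// (directory where a file is expected, or vice versa) is also an error.
func checkPath(p string, wantDir bool, what string) error {
	info, err := os.Stat(p)
	switch {
	case errors.Is(err, fs.ErrNotExist):
		return fmt.Errorf("%s %s missing: %s", what, p, remediation)
	case err != nil:
		return fmt.Errorf("stat %s: %w", p, err)
	case info.IsDir() != wantDir:
		return fmt.Errorf("%s %s has the wrong type (directory=%v)", what, p, info.IsDir())
	}
	return nil
}

// requireIntegrationData never skips: it returns an error whenever the
// checkout root or any fixture under it cannot be used, so a test that calls
// t.Fatal on the result hard-fails instead of silently losing coverage.
func requireIntegrationData(root string, fixtures []string) error {
	if err := checkPath(root, true, "integration checkout"); err != nil {
		return err
	}
	for _, rel := range fixtures {
		if err := checkPath(filepath.Join(root, rel), false, "integration fixture"); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Stand-alone run: expects the submodule checked out at ./integration.
	if err := requireIntegrationData("integration", integrationFixtures); err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("integration fixtures present")
}
```

Inside a golden test the call becomes `if err := requireIntegrationData(root, integrationFixtures); err != nil { t.Fatal(err) }`, with no `t.Skipf` branch left for a misconfigured CI step to fall into.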
Summary
Add a minimal-form Composer 2.x `installed.json` fixture alongside the existing full-form one, and group both under per-shape sub-directories:
- `data/lockfile/installed-pear/installed.json` — entries with only `name`/`version`/`type`/`install-path` (`pear/log`, `pear/pear_exception`). Represents PEAR-style or hand-crafted vendor entries.
- `data/lockfile/installed.json` → `data/lockfile/installed-packagist/installed.json` — the existing Packagist-shape entries (`guzzlehttp/psr7`, `psr/http-message`, `ralouphie/getallheaders`) with full `source`/`dist`/`require`/`autoload` metadata. Content unchanged.
The directory-per-variant layout matches the convention already used for `npm-v1/v2/v3`, `poetry-v1/v2`, `conan-v1/v2`, etc.
- `int-config.toml` and `int-redis-config.toml`: replace the single `[servers.composer-vendor]` entry with `[servers.composer-vendor-pear]` and `[servers.composer-vendor-packagist]`.
Why
future-architect/vuls used to keep a duplicate of the Packagist-shape `installed.json` under `scanner/testdata/fixtures/installed.json`, plus its own minimal-form fixture. OpenSSF Scorecard (alert future-architect/vuls#81) misread those duplicates as real vuls dependencies. Bringing the minimal-form fixture into this repo lets the companion vuls PR drop the duplicates and read both shapes from here, while still exercising the parser against each shape.
Companion PR
future-architect/vuls#2531 — switches `TestAnalyzeLibrary_Golden` to read from this repo and pins the integration ref to the merge commit of this PR.
Test plan
- `ref:` SHA in `.github/workflows/test.yml` and the submodule pointer to this merge commit; CI on that PR exercises the two fixtures.
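The two package shapes these fixtures cover, as an added Go example (not the vuls parser and not code from this PR): `parseInstalledJSON` decodes a Composer 2.x installed.json so that the install-path-only PEAR entries and the full Packagist entries come out of the same struct, rejects any entry without a name or version, and, beyond what the PR describes, also accepts the bare-array form that Composer 1.x wrote to vendor/composer/installed.json. The embedded document is constructed for this example; its version strings, URLs and commit reference are placeholders, not the repository's fixture contents.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sourceRef is the "source"/"dist" sub-object of a full Packagist entry.
type sourceRef struct {
	Type      string `json:"type"`
	URL       string `json:"url"`
	Reference string `json:"reference,omitempty"`
}

// composerPackage holds the fields a scanner needs from one installed.json
// entry. Pointer and map fields stay nil for the minimal PEAR-style shape,
// so a single struct decodes both shapes.
type composerPackage struct {
	Name        string            `json:"name"`
	Version     string            `json:"version"`
	Type        string            `json:"type"`
	InstallPath string            `json:"install-path"`
	Source      *sourceRef        `json:"source,omitempty"`
	Dist        *sourceRef        `json:"dist,omitempty"`
	Require     map[string]string `json:"require,omitempty"`
}

// installedDoc is the Composer 2.x wrapper object around the package list.
type installedDoc struct {
	Packages        []composerPackage `json:"packages"`
	Dev             bool              `json:"dev"`
	DevPackageNames []string          `json:"dev-package-names"`
}

// parseInstalledJSON accepts the Composer 2.x object form and, as a
// generalisation beyond the fixtures above, the Composer 1.x bare array.
// Every entry must carry a name and a version; nothing else is mandatory,
// which is exactly what lets the install-path-only entries pass.
func parseInstalledJSON(data []byte) ([]composerPackage, error) {
	var doc installedDoc
	if err := json.Unmarshal(data, &doc); err == nil {
		if doc.Packages == nil {
			return nil, fmt.Errorf("installed.json: object without a \"packages\" array")
		}
		return validatePackages(doc.Packages)
	}
	var list []composerPackage
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("installed.json: neither Composer 2 object nor Composer 1 array: %w", err)
	}
	return validatePackages(list)
}

func validatePackages(pkgs []composerPackage) ([]composerPackage, error) {
	for i, p := range pkgs {
		if p.Name == "" || p.Version == "" {
			return nil, fmt.Errorf("installed.json: package %d lacks name or version", i)
		}
	}
	return pkgs, nil
}

// isMinimalShape is true for entries that carry only the core fields, the
// shape the installed-pear fixture exercises.
func isMinimalShape(p composerPackage) bool {
	return p.Source == nil && p.Dist == nil && p.Require == nil
}

// versionsByName is the name -> version map a vulnerability lookup keys on.
func versionsByName(pkgs []composerPackage) map[string]string {
	out := make(map[string]string, len(pkgs))
	for _, p := range pkgs {
		out[p.Name] = p.Version
	}
	return out
}

// sampleInstalledJSON is constructed for this example; versions, URLs and the
// commit reference are placeholders, not the repository's fixture contents.
const sampleInstalledJSON = `{
  "packages": [
    {"name": "pear/log", "version": "1.0.0", "type": "library", "install-path": "../pear/log"},
    {"name": "pear/pear_exception", "version": "v1.0.0", "type": "library", "install-path": "../pear/pear_exception"},
    {
      "name": "guzzlehttp/psr7",
      "version": "2.0.0",
      "version_normalized": "2.0.0.0",
      "type": "library",
      "source": {"type": "git", "url": "https://example.invalid/psr7.git",
                 "reference": "0000000000000000000000000000000000000000"},
      "dist": {"type": "zip", "url": "https://example.invalid/psr7.zip"},
      "require": {"php": "^7.2.5 || ^8.0", "psr/http-message": "^1.1 || ^2.0"},
      "install-path": "../guzzlehttp/psr7"
    }
  ],
  "dev": false,
  "dev-package-names": []
}`

func main() {
	pkgs, err := parseInstalledJSON([]byte(sampleInstalledJSON))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%-22s %-8s minimal=%v\n", p.Name, p.Version, isMinimalShape(p))
	}
}
```

Unknown keys such as `version_normalized` or `autoload` are ignored by `encoding/json`, so the full Packagist shape decodes without the struct having to name every field; the two PEAR entries come out with nil `Source`, `Dist` and `Require`, which is what a golden test for the minimal shape should assert on.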