mxr576/ddqg-composer-audit

Drupal Dependency Quality Gate Composer Audit plugin

Installs: 630

Dependents: 0

Suggesters: 0

Security: 0

Stars: 8

Watchers: 1

Forks: 0

Open Issues: 1

Type: composer-plugin

1.0.0-rc3 2023-10-08 18:56 UTC

This package is auto-updated.

Last update: 2023-12-08 19:34:38 UTC


README

This project extends the composer audit command with new "advisories" originating from the results generated by the mxr576/ddqg project, which aims to help run Drupal projects on secure and high-quality Drupal dependencies.

Family Guy, Consuela says: No, no, no low-quality dependencies

Check out the mxr576/composer-audit-changes "alternative" composer audit command: it can help with the adoption of this package on existing projects that have accumulated technical debt.

Installation

$ composer require --dev mxr576/ddqg-composer-audit

Composer version support

The minimum required version is Composer 2.4.0 because the composer audit command was introduced in that version. The recommended version is Composer 2.6.0 because it introduced essential improvements to the audit feature, such as support for multiple repositories providing advisories for the same package and the advisory ignore feature.

Example output

$ composer audit
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/apigee_edge                                                               |
| CVE               | DDQG-non-D10-compatible-drupal-apigee_edge                                       |
| Title             | The installed "2.0.7.0" version is not compatible with Drupal 10. (Reported by D |
|                   | rupal Dependency Quality Gate.)                                                  |
| URL               | https://www.drupal.org/project/apigee_edge                                       |
| Affected versions | 2.0.7.0                                                                          |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/apigee_edge                                                               |
| CVE               | DDQG-insecure-drupal-apigee_edge                                                 |
| Title             | The installed "2.0.7.0" version is insecure. (Reported by Drupal Dependency Qual |
|                   | ity Gate.)                                                                       |
| URL               | https://www.drupal.org/project/apigee_edge                                       |
| Affected versions | >=1.0.0,<1.27.0|>=2.0.0,<2.0.8                                                   |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/core                                                                      |
| CVE               | DDQG-insecure-drupal-core                                                        |
| Title             | The installed "9.4.0.0" version is insecure. (Reported by Drupal Dependency Qual |
|                   | ity Gate.)                                                                       |
| URL               | https://www.drupal.org/project/core                                              |
| Affected versions | >=9.4.0,<9.4.14|>=9.5.0,<9.5.8|>=10.0.0,<10.0.8                                  |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/feeds                                                                     |
| CVE               | DDQG-unsupported-drupal-feeds-3.0.0.0-beta3                                      |
| Title             | The installed "3.0.0.0-beta3" version is unsupported. (Reported by Drupal Depend |
|                   | ency Quality Gate.)                                                              |
| URL               | https://www.drupal.org/project/feeds                                             |
| Affected versions | 2.x-dev|3.0.0-alpha1|3.0.0-alpha2|3.0.0-alpha3|3.0.0-alpha4|3.0.0-alpha5|3.0.0-a |
|                   | lpha6|3.0.0-alpha7|3.0.0-alpha8|3.0.0-alpha9|3.0.0-alpha10|3.0.0-alpha11|3.0.0-b |
|                   | eta1|3.0.0-beta2|3.0.0-beta3|3.x-dev                                             |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Configuration

Quality Assurance can feel painful, but it is an important part of professional software development. The goal of this project is to draw attention to dependency quality problems in a project. For all these reasons, it deliberately comes with minimal opt-out options.

Silence warning about an unsupported package version

Warning

For Composer < 2.6.0 only. This feature will be removed when the minimum required Composer version gets bumped to >=2.6.0.

In a project's root composer.json, under the extra property, add a definition like this:

        "ddqg-composer-audit": {
            "ignore-unsupported-versions": {
                "vendor/package": "an_explicit_version_string",
                "drupal/tamper": "1.0.0-alpha3"
            }
        }

The other option is defining a comma-separated list of ignore rules in the DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS environment variable, e.g. DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS=drupal/tamper:1.0.0-alpha3,vendor/package:1.x-dev

The environment variable has a higher precedence; if it is defined, the definition in a project's root composer.json is ignored completely.

Notice: A warning is still displayed about the ignored unsupported package on STDERR.

Not supporting version ranges in the definition was a conscious decision because (again) the goal is to keep dependency quality problems constantly visible rather than sweeping them under the carpet.
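The following is an added example, not code from the plugin itself, showing how the ignore rules described above resolve: the environment variable takes complete precedence over composer.json, only exact version strings match (no ranges), and a silenced advisory still produces a warning on STDERR. The advisory array shape, the function names and the sample data are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code): resolves "ignore unsupported
// versions" rules with the precedence the README describes and filters a list
// of DDQG "unsupported" advisories. Advisory shape and helper names are assumed.
declare(strict_types=1);

/** Build a "vendor/package" => "exact version" map from the env var or composer.json extra. */
function ddqg_ignore_rules(array $composerJson, ?string $envValue): array
{
    // When the environment variable is defined, composer.json is ignored completely.
    if ($envValue !== null && $envValue !== '') {
        $rules = [];
        foreach (explode(',', $envValue) as $rule) {
            // Split on the first ':' only; rules without a version part are skipped.
            [$package, $version] = explode(':', trim($rule), 2) + [1 => null];
            if ($version !== null) {
                $rules[$package] = $version;
            }
        }
        return $rules;
    }
    return $composerJson['extra']['ddqg-composer-audit']['ignore-unsupported-versions'] ?? [];
}

/** Drop silenced "unsupported" advisories; each ignored one is still reported on STDERR. */
function ddqg_filter_unsupported(array $advisories, array $rules): array
{
    return array_values(array_filter($advisories, static function (array $advisory) use ($rules): bool {
        $package = $advisory['package'];
        // Only an exact version string matches; version ranges are deliberately unsupported.
        $ignored = isset($rules[$package]) && $rules[$package] === $advisory['installed'];
        if ($ignored) {
            fwrite(STDERR, sprintf("Warning: ignoring unsupported version %s of %s\n", $advisory['installed'], $package));
        }
        return !$ignored;
    }));
}

// Constructed sample data: two advisories, a composer.json rule and an env var value.
$advisories = [
    ['package' => 'drupal/tamper', 'installed' => '1.0.0-alpha3', 'id' => 'DDQG-unsupported-drupal-tamper-1.0.0-alpha3'],
    ['package' => 'drupal/feeds', 'installed' => '3.0.0-beta3', 'id' => 'DDQG-unsupported-drupal-feeds-3.0.0.0-beta3'],
];
$composerJson = ['extra' => ['ddqg-composer-audit' => ['ignore-unsupported-versions' => ['drupal/feeds' => '3.0.0-beta3']]]];
$envValue = 'drupal/tamper:1.0.0-alpha3'; // stands in for DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS

// Because the env var is defined, the composer.json rule for drupal/feeds is not applied.
foreach (ddqg_filter_unsupported($advisories, ddqg_ignore_rules($composerJson, $envValue)) as $remaining) {
    echo $remaining['id'], PHP_EOL;
}
```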

Check Drupal 10 compatibility

For projects still running on Drupal 9. When this feature is enabled, composer audit also checks whether each installed package version is compatible with Drupal 10. This can make the Drupal 10 upgrade less painful.

The feature is disabled by default; it can be enabled with:

        "ddqg-composer-audit": {
            "check-d10-compatibility": true
        }

or by setting the DDQG_COMPOSER_AUDIT_CHECK_D10_COMPATIBILITY=true environment variable.

This is a seasonal feature that will be removed after Drupal 9 EOL.

Integrations

FAQ

Drupal Packagist already provides package advisories, so why should I care about this plugin?

Drupal Packagist has only offered this feature since 21 September 2023. Security advisory data from Drupal Packagist only contains information based on published security advisories; it does not include releases flagged as "insecure", whereas this Composer plugin does.