Gemnasium not in sync with packagist.org
Summary
PHP packages listed on Gemnasium are not in sync with the public package registry packagist.org. As a consequence, it is not possible to create a security advisory for a PHP package hosted on packagist.org if one of the affected or fixed versions is not already in the Gemnasium DB. Existing advisories for PHP packages are still served without any problem.
Currently the workaround is to insert package versions manually into the Gemnasium DB, which is tedious and error-prone. Obviously that doesn't scale.
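A pre-flight check for the failure described above, as an added example that is not part of this issue or of the Gemnasium code base: before an advisory is created, it classifies each version the advisory references as already in the local DB, present on the registry but not yet synced (this bug), or unknown everywhere (likely a typo). The registry JSON follows the shape of packagist.org's per-package endpoint, but the version entries and the DB snapshot are constructed sample data, and the Gemnasium DB schema is assumed rather than taken from the page.

```python
import json

# Constructed sample in the shape of packagist.org's package JSON
# (https://packagist.org/packages/<vendor>/<name>.json); the version
# entries are made up for illustration, not real symfony releases.
REGISTRY_JSON = json.dumps({
    "package": {
        "name": "symfony/symfony",
        "versions": {
            "v4.4.0": {"version": "v4.4.0"},
            "v4.4.1": {"version": "v4.4.1"},
            "v5.0.0": {"version": "v5.0.0"},
        },
    }
})

# Constructed snapshot of the versions a local advisory database knows
# about; stands in for the Gemnasium DB, whose schema is not on the page.
DB_VERSIONS = ["v4.4.0"]


def normalize(version):
    """Treat 'v4.4.0' and '4.4.0' as the same release."""
    return version.strip().lstrip("vV")


def registry_versions(registry_json):
    """Set of normalized versions the registry publishes for the package."""
    data = json.loads(registry_json)
    return {normalize(v) for v in data["package"]["versions"]}


def check_advisory_versions(registry_json, db_versions, advisory_versions):
    """Classify each version an advisory references before creating it.

    ok       - already in the local DB, the advisory can be created
    unsynced - on the registry but missing from the DB (sync lag)
    unknown  - on neither; most likely a typo in the advisory
    """
    on_registry = registry_versions(registry_json)
    in_db = {normalize(v) for v in db_versions}
    result = {"ok": [], "unsynced": [], "unknown": []}
    for v in advisory_versions:
        n = normalize(v)
        bucket = "ok" if n in in_db else "unsynced" if n in on_registry else "unknown"
        result[bucket].append(v)
    return result


if __name__ == "__main__":
    # Advisory affecting 4.4.0, fixed in 4.4.1, plus one mistyped version.
    print(check_advisory_versions(REGISTRY_JSON, DB_VERSIONS, ["4.4.0", "v4.4.1", "4.4.9"]))
```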
Steps to reproduce
Using k8s, run the Gemnasium package-syncer on a packagist package such as Symfony:
package-syncer sync packagist/symfony/symfony
Package synchronization fails.
Possible fixes
See https://gitlab.com/gitlab-org/security-products/gemnasium/package-syncer/issues/2
Edited by Fabien Catteau