Provide vulnerability remediations for PHP Composer projects

Problem to solve

Remediation data lets GitLab create merge requests that fix reported vulnerabilities.

Currently, Composer-based PHP projects aren't supported (only Yarn-based ones are).

Intended users

  • Sasha (Software Developer)
  • Sam (Security Analyst)

User experience goal

As a developer of a PHP project using Composer as the package manager, I want to be able to easily create merge requests that fix vulnerabilities, based on the information provided by GitLab's Dependency Scanning feature.

Proposal

Make the Gemnasium analyzer generate remediation data for Composer projects; the Rails application already consumes that data to offer MR creation, so no changes should be needed on that side.

See what can be leveraged to support this
Feature                                Supported  Comments
Update top-level dependency via CLI    ✅         composer update vendor/package
Update transitive dependency via CLI   ✅         composer update vendor/package
Upgrade top-level dependency via CLI   ✅         composer require vendor/package:<constraint> (rewrites the requirement in composer.json; composer update alone leaves composer.json unchanged)
Easy to edit dependency file           ✅         JSON file (composer.json)
API endpoint to list dependencies      ✅         JSON, one query lists the dependencies of all versions of a package
List dependencies via CLI              ✅         JSON, one execution lists the dependencies of one package version
Add top-level dependency via CLI       ✅         composer require vendor/package
Local packages support                 ✅         via a local repository
Conflicts reported by CLI              ❓         to be checked

See CLI documentation

(A dependency upgrade changes the requirement declared in the dependency file, composer.json, whereas an update only changes the lock file, composer.lock, and leaves composer.json untouched.)

Local packages are supported through a local package repository (a path repository in composer.json). After composer.json has been edited by hand, Composer requires running composer update to bring composer.lock back in sync, and a bare composer update refreshes every locked package rather than only the one that changed (a full update, as opposed to a conservative upgrade). Restricting the command to the affected package, composer update vendor/package, keeps the resulting diff limited to that package.
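To make the Proposal concrete and to show the update/upgrade distinction from the notes above in code, here is an added Python sketch of how remediation data for a Composer project can be produced offline. It is example code written for this issue, not code from the Gemnasium analyzer or the Rails application. The composer.json and composer.lock contents and the vulnerability identifier are constructed; the remediation field names (fixes, summary, and a base64-encoded git-style diff) are assumed from the GitLab security report schema rather than taken from this page.

```python
"""Build GitLab-style remediation entries for a Composer project (added example)."""
import base64
import copy
import difflib
import json

# Constructed sample manifest and lock file, in the shape Composer writes them.
COMPOSER_JSON = {
    "name": "acme/app",
    "require": {"php": ">=7.4", "vendor/lib": "^1.0"},
}
COMPOSER_LOCK = {
    "packages": [
        {"name": "vendor/lib", "version": "1.0.0"},    # top-level dependency
        {"name": "vendor/other", "version": "2.3.1"},  # transitive dependency
    ],
    "packages-dev": [],
}


def dump(doc):
    """Serialize the way Composer does: 4-space indent, trailing newline."""
    return json.dumps(doc, indent=4) + "\n"


def update_lock(lock, package, fixed_version):
    """An *update*: pin a new version in composer.lock only. This is the
    conservative, single-package change `composer update vendor/lib` makes."""
    new = copy.deepcopy(lock)
    for pkg in new["packages"] + new.get("packages-dev", []):
        if pkg["name"] == package:
            pkg["version"] = fixed_version
            return new
    raise KeyError(f"{package} is not present in composer.lock")


def upgrade_manifest(manifest, package, constraint):
    """An *upgrade*: also rewrite the requirement declared in composer.json
    (what `composer require vendor/lib:^1.1` does). Transitive dependencies
    are not listed in composer.json, so only top-level ones can be upgraded."""
    new = copy.deepcopy(manifest)
    for section in ("require", "require-dev"):
        if package in new.get(section, {}):
            new[section][package] = constraint
            return new
    raise KeyError(f"{package} is not a top-level dependency")


def git_diff(path, before, after):
    """Unified diff carrying the `diff --git` header that `git apply` expects."""
    if before == after:
        return ""
    body = difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}")
    return f"diff --git a/{path} b/{path}\n" + "".join(body)


def build_remediation(vuln_id, package, fixed_version, constraint=None):
    """One entry for the report's `remediations` array (field names assumed).
    Without `constraint` only composer.lock changes (update); with it the
    composer.json requirement is rewritten as well (upgrade)."""
    lock_after = update_lock(COMPOSER_LOCK, package, fixed_version)
    diff = git_diff("composer.lock", dump(COMPOSER_LOCK), dump(lock_after))
    if constraint is not None:
        manifest_after = upgrade_manifest(COMPOSER_JSON, package, constraint)
        diff = git_diff("composer.json", dump(COMPOSER_JSON), dump(manifest_after)) + diff
    verb = "Upgrade" if constraint is not None else "Update"
    return {
        "fixes": [{"id": vuln_id}],
        "summary": f"{verb} {package} to {fixed_version}",
        # base64 keeps the multi-line patch intact inside the JSON report.
        "diff": base64.b64encode(diff.encode()).decode(),
    }


def decode_diff(entry):
    """Inverse of the encoding above: the patch the MR-creation side applies."""
    return base64.b64decode(entry["diff"]).decode()


if __name__ == "__main__":
    entry = build_remediation("vuln-1", "vendor/lib", "1.1.0", constraint="^1.1")
    print(json.dumps({"remediations": [entry]}, indent=2))
    print(decode_diff(entry))
```

Running the block prints the remediation entry followed by the decoded patch, which touches exactly one line in composer.json and one in composer.lock. Calling build_remediation without a constraint (for example for vendor/other, which composer.json does not declare) yields a lock-only diff, which is the shape a conservative update of a transitive dependency should take.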

Implementation plan

TODO

Permissions and Security

Documentation

  • update corresponding documentation to add PHP Composer as supported projects: https://docs.gitlab.com/ee/user/application_security/#solutions-for-vulnerabilities-auto-remediation

Availability & Testing

  • provide a test project (or a dedicated branch in an existing project) to validate remediations work for PHP Composer projects.

What does success look like, and how can we measure that?

Vulnerabilities found in PHP Composer projects can be resolved by automatically creating a merge request.

This could be measured with #229644 (closed) once implemented, but that is outside the scope of this issue.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

No.

Links / references

Edited Jul 17, 2020 by Fabien Catteau