Make Gemnasium scan, report PHP Composer dev dependencies
Release notes
N/A
Problem to solve
Gemnasium doesn't scan development dependencies of PHP Composer, but it scans dev. dependencies of npm, yarn, and Ruby bundler projects. This behaviour is inconsistent.
Proposal
- Change the dependency file parser that handles `composer.lock` to make it process both `packages` and `packages-dev` when `opts.IncludeDev` is set to true. This is a trivial change since both share the same JSON structure, and `packages` is already parsed.
- Update the expected report for the `tests/php-composer` test project; it already contains development dependencies.
Further details
The file parser currently ignores `packages-dev`. See scanner/parser/composer/composer.go.
We already have a test project with dev. dependencies. See composer.json and composer.lock. Its dev dependencies are not reported. See expected report.
Implementation Plan
- Update `composer.Document` with a new field: ``PackagesDev []Package `json:"packages-dev"` ``
- Update `composer.Parse` to include the dev packages only if `opts.IncludeDev` is set to true.
- Update `composer_test.go` to test exclusion of dev packages when `opts.IncludeDev` is set to `false`.
- Update integration test in `gemnasium_image_spec.rb` to include test cases when including and not including dev packages.
/cc @gonzoyumo @NicoleSchwartz