Add Packagist feed support for analyzing PHP packages. (#307)

calebbrown · web-flow · commit 415cecb45867 · 2022-07-05T11:54:31.000+10:00
diff --git a/cmd/scheduler/main.go b/cmd/scheduler/main.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"math"
 	"os"
+	"regexp"
 	"time"
 
 	"gocloud.dev/pubsub"
@@ -23,10 +24,14 @@ const (
 	retryExpRate  = 1.5
 )
 
-var supportedPkgManagers = map[string]bool{
-	"npm":      true,
-	"pypi":     true,
-	"rubygems": true,
+// supportedPkgManagers lists the package managers Package Analysis can
+// analyze. Each entry can contain zero or more regexp filters that exclude
+// unwanted versions to minimize noise.
+var supportedPkgManagers = map[string][]*regexp.Regexp{
+	"npm":       {},
+	"pypi":      {},
+	"rubygems":  {},
+	"packagist": {regexp.MustCompile(`^dev-`), regexp.MustCompile(`\.x-dev$`)},
 }
 
 func main() {
@@ -79,8 +84,14 @@ func listenLoop(subUrl, topicURL string) error {
 		if err := json.Unmarshal(m.Body, &pkg); err != nil {
 			return nil, fmt.Errorf("error unmarshalling json: %w", err)
 		}
-		if _, ok := supportedPkgManagers[pkg.Type]; !ok {
+		if filters, ok := supportedPkgManagers[pkg.Type]; !ok {
 			return nil, fmt.Errorf("package type is not supported: %v", pkg.Type)
+		} else {
+			for _, filter := range filters {
+				if filter.MatchString(pkg.Version) {
+					return nil, fmt.Errorf("package version '%v' is filtered for type: %v", pkg.Version, pkg.Type)
+				}
+			}
 		}
 		return &pubsub.Message{
 			Body: []byte{},
diff --git a/internal/pkgecosystem/ecosystem.go b/internal/pkgecosystem/ecosystem.go
@@ -14,9 +14,10 @@ type PkgManager struct {
 
 var (
 	supportedPkgManagers = map[string]*PkgManager{
-		npmPkgManager.name:      &npmPkgManager,
-		pypiPkgManager.name:     &pypiPkgManager,
-		rubygemsPkgManager.name: &rubygemsPkgManager,
+		npmPkgManager.name:       &npmPkgManager,
+		pypiPkgManager.name:      &pypiPkgManager,
+		rubygemsPkgManager.name:  &rubygemsPkgManager,
+		packagistPkgManager.name: &packagistPkgManager,
 	}
 )
 
diff --git a/internal/pkgecosystem/packagist.go b/internal/pkgecosystem/packagist.go
@@ -0,0 +1,58 @@
+package pkgecosystem
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+)
+
+type packagistJSON struct {
+	Packages map[string][]struct {
+		Version           string    `json:"version"`
+		VersionNormalized string    `json:"version_normalized"`
+		License           []string  `json:"license,omitempty"`
+		Time              time.Time `json:"time"`
+		Name              string    `json:"name,omitempty"`
+	} `json:"packages"`
+}
+
+func getPackagistLatest(pkg string) (string, error) {
+	resp, err := http.Get(fmt.Sprintf("https://repo.packagist.org/p2/%s.json", pkg))
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+
+	decoder := json.NewDecoder(resp.Body)
+	var details packagistJSON
+	err = decoder.Decode(&details)
+	if err != nil {
+		return "", err
+	}
+
+	latestVersion := ""
+	var lastTime time.Time
+	for _, versions := range details.Packages {
+		for _, v := range versions {
+			if v.Time.Before(lastTime) {
+				continue
+			}
+			lastTime = v.Time
+			latestVersion = v.Version
+		}
+	}
+
+	return latestVersion, nil
+}
+
+var packagistPkgManager = PkgManager{
+	name:    "packagist",
+	image:   "gcr.io/ossf-malware-analysis/packagist",
+	command: "/usr/local/bin/analyze.php",
+	latest:  getPackagistLatest,
+	dynamicPhases: []string{
+		"install",
+		"import",
+	},
+}

Original file line number	Diff line number	Diff line change
`@@ -14,9 +14,10 @@ type PkgManager struct {`
`14`	`14`
`15`	`15`	`var (`
`16`	`16`	`supportedPkgManagers = map[string]*PkgManager{`
`17`		`- npmPkgManager.name: &npmPkgManager,`
`18`		`- pypiPkgManager.name: &pypiPkgManager,`
`19`		`- rubygemsPkgManager.name: &rubygemsPkgManager,`
	`17`	`+ npmPkgManager.name: &npmPkgManager,`
	`18`	`+ pypiPkgManager.name: &pypiPkgManager,`
	`19`	`+ rubygemsPkgManager.name: &rubygemsPkgManager,`
	`20`	`+ packagistPkgManager.name: &packagistPkgManager,`
`20`	`21`	`}`
`21`	`22`	`)`
`22`	`23`