This repository was archived by the owner on Jan 31, 2020. It is now read-only.

Security Advisory: json_decode() expects parameter 1 to be string, array given #43

Merged
merged 1 commit into from
Aug 11, 2014


weierophinney
Member

Problem:

  1. Run command monitor:health
  2. Warning occurs: WARNING Security Advisory: json_decode() expects parameter 1 to be string, array given

Solution:
Remove $advisories = @json_decode($advisories); in ZendDiagnostics\Check\SecurityAdvisory and the warning is gone.

@Thinkscape
Member

Hmm, that sounds like a configuration error on your side, or SecurityAdvisory version incompatibility.
I've just re-run tests and they're fine.

We'll need more info to investigate.

~/D/P/foo ❯❯❯ git clone [email protected]:zendframework/ZendDiagnostics.git .
Cloning into '.'...
remote: Reusing existing pack: 1082, done.
remote: Total 1082 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (1082/1082), 186.38 KiB | 198.00 KiB/s, done.
Resolving deltas: 100% (510/510), done.
Checking connectivity... done.
~/D/P/foo git:master ❯❯❯ composer install
Warning: This development build of composer is over 30 days old. It is recommended to update it by running "/usr/bin/composer self-update" to get the latest version.
Loading composer repositories with package information
Installing dependencies (including require-dev)
  - Installing symfony/yaml (v2.3.11)
    Downloading: 100%

  - Installing zendframework/zend-loader (2.3.1)
    Downloading: 100%

  - Installing symfony/console (v2.5.2)
    Loading from cache

  - Installing sensiolabs/security-checker (v1.3.4)
    Downloading: 100%

  - Installing symfony/event-dispatcher (v2.5.2)
    Downloading: 100%

  - Installing guzzle/common (v3.9.1)
    Loading from cache

  - Installing guzzle/stream (v3.9.1)
    Loading from cache

  - Installing guzzle/parser (v3.9.1)
    Loading from cache

  - Installing guzzle/http (v3.9.1)
    Loading from cache

  - Installing guzzle/plugin-mock (v3.9.1)
    Downloading: 100%

  - Installing videlalvaro/php-amqplib (v2.4.0)
    Downloading: 100%

  - Installing predis/predis (v0.8.6)
    Downloading: 100%

symfony/console suggests installing psr/log (For using the console logger)
symfony/event-dispatcher suggests installing symfony/dependency-injection ()
symfony/event-dispatcher suggests installing symfony/http-kernel ()
predis/predis suggests installing ext-phpiredis (Allows faster serialization and deserialization of the Redis protocol)
Writing lock file
Generating autoload files
~/D/P/foo git:master ❯❯❯ cd tests ⏎
~/D/P/f/tests git:master ❯❯❯ phpunit
PHPUnit 4.0.3 by Sebastian Bergmann.

Configuration read from /Users/Thinkscape/Documents/Projects/foo/tests/phpunit.xml.dist

.....................................EE........................  63 / 817 (  7%)
............................................................... 126 / 817 ( 15%)
............................................................... 189 / 817 ( 23%)
............................................................... 252 / 817 ( 30%)
............................................................... 315 / 817 ( 38%)
............................................................... 378 / 817 ( 46%)
............................................................... 441 / 817 ( 53%)
............................................................... 504 / 817 ( 61%)
............................................................... 567 / 817 ( 69%)
............................................................... 630 / 817 ( 77%)
............................................................... 693 / 817 ( 84%)
............................................................... 756 / 817 ( 92%)
.............................................................

Time: 2.29 seconds, Memory: 12.75Mb

There were 2 errors:

1) ZendDiagnosticsTest\ChecksTest::testRabbitMQ
PhpAmqpLib\Exception\AMQPRuntimeException: Error Connecting to server(61): Connection refused

/Users/Thinkscape/Documents/Projects/foo/vendor/videlalvaro/php-amqplib/PhpAmqpLib/Wire/IO/StreamIO.php:48
/Users/Thinkscape/Documents/Projects/foo/vendor/videlalvaro/php-amqplib/PhpAmqpLib/Connection/AbstractConnection.php:204
/Users/Thinkscape/Documents/Projects/foo/vendor/videlalvaro/php-amqplib/PhpAmqpLib/Connection/AbstractConnection.php:186
/Users/Thinkscape/Documents/Projects/foo/vendor/videlalvaro/php-amqplib/PhpAmqpLib/Connection/AMQPStreamConnection.php:27
/Users/Thinkscape/Documents/Projects/foo/src/ZendDiagnostics/Check/RabbitMQ.php:81
/Users/Thinkscape/Documents/Projects/foo/tests/ZendDiagnosticsTest/ChecksTest.php:51

2) ZendDiagnosticsTest\ChecksTest::testRedis
Predis\Connection\ConnectionException: Connection refused [tcp://localhost:6379]

/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/AbstractConnection.php:141
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/StreamConnection.php:96
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/StreamConnection.php:70
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/AbstractConnection.php:96
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/StreamConnection.php:144
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/AbstractConnection.php:181
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/StreamConnection.php:183
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/StreamConnection.php:297
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Connection/AbstractConnection.php:120
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Client.php:246
/Users/Thinkscape/Documents/Projects/foo/vendor/predis/predis/lib/Predis/Client.php:228
/Users/Thinkscape/Documents/Projects/foo/src/ZendDiagnostics/Check/Redis.php:54
/Users/Thinkscape/Documents/Projects/foo/src/ZendDiagnostics/Check/Redis.php:54
/Users/Thinkscape/Documents/Projects/foo/tests/ZendDiagnosticsTest/ChecksTest.php:62

FAILURES!
Tests: 817, Assertions: 1037, Errors: 2.
~/D/P/f/tests git:master ❯❯❯

@kniziol
Author

kniziol commented Jul 23, 2014

@Thinkscape What kind of info are you expecting?

@Thinkscape
Member

Anything that will help :-)

Try to create a reproduction scenario, ideally send a PR with a test that shows the problem.

@kniziol
Author

kniziol commented Jul 23, 2014

@Thinkscape Okay, it looks like this:

  1. The ZendDiagnostics\Check\SecurityAdvisory::check() method is called. Take a look at lines 77 and 78:
    [77] $advisories = $this->securityChecker->check($this->lockFilePath, 'json');
    [78] $advisories = @json_decode($advisories);
  2. Next we go to SensioLabs\Security\SecurityChecker::check($lock)
  3. At the end of this method we have return json_decode($body, true); and the $body is a string: "[]", so finally an empty array is returned (array[0])
  4. The $advisories is the empty array and is passed to the json_decode() function and this throws an exception that is displayed as a warning: WARNING Security Advisory: json_decode() expects parameter 1 to be string, array given

I hope it will be helpful :]

@Thinkscape
Copy link
Member

Does that mean you're trying to run the check with invalid (empty, missing) advisories?

@kniziol
Author

kniziol commented Jul 23, 2014

Do you mean the security_advisory node / parameter? My application's configuration looks like this:

liip_monitor:
    checks:
        (...)
        security_advisory:
            lock_file:              '%kernel.root_dir%/../composer.lock'

@kniziol
Author

kniziol commented Jul 31, 2014

@Thinkscape Do you know how to solve this problem?

@kniziol
Author

kniziol commented Aug 8, 2014

The problem still exists. I'm using the latest version (dev-master 23998e7). Are you going to solve this problem?

@weierophinney
Member

It looks like we could solve the issue as follows:

$advisories = $this->securityChecker->check($this->lockFilePath, 'json');
if (is_string($advisories)) {
    $advisories = @json_decode($advisories);
}
if (! is_array($advisories)) {
    return new Warning('Could not parse response from security advisory service.');
}
/* ... continue on ... */

I'll create a PR for this for you to test, @kniziol.

- Ensures that we can use either native PHP code returned by the security
  checker, or JSON.
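
The type handling discussed in this thread, as an added example that is not part of the original conversation or the ZendDiagnostics code base: it accepts either a decoded array or a raw JSON string from the checker, and reports an unparseable response as a warning rather than as a clean result. The helper name `normalizeAdvisories()`, the status strings and all sample inputs are constructed for illustration.

```php
<?php
// Added example, not ZendDiagnostics code. normalizeAdvisories() is a
// hypothetical helper; the sample responses below are constructed and do
// not reproduce the real advisory service format.

/**
 * Accept a JSON string or an already-decoded array from the security
 * checker. Returns an array, or null when the response is unusable.
 */
function normalizeAdvisories($response)
{
    if (is_array($response)) {
        return $response;        // checker already decoded the body
    }
    if (!is_string($response)) {
        return null;             // false, null, object: treat as failure
    }
    // Check json_last_error() instead of silencing errors with @, so a
    // truncated or malformed body is detected rather than hidden.
    $decoded = json_decode($response, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null;
    }
    return $decoded;
}

$samples = [
    'decoded, no advisories'  => [],
    'raw JSON, no advisories' => '[]',
    'raw JSON, one package'   => '{"vendor/pkg":{"version":"1.0.0"}}',
    'truncated body'          => '{"vendor/pkg":',
    'JSON scalar'             => '"error"',
    'transport failure'       => false,
];

foreach ($samples as $label => $response) {
    $advisories = normalizeAdvisories($response);
    if ($advisories === null) {
        $status = 'WARNING could not parse response';
    } elseif (count($advisories) === 0) {
        $status = 'OK no advisories';
    } else {
        $status = 'FAILURE ' . count($advisories) . ' package(s) flagged';
    }
    printf("%-24s => %s\n", $label, $status);
}
```

Only a response that parses to an empty array yields OK; a response that cannot be parsed is reported as a warning, so a broken lookup is never mistaken for a clean dependency set.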
@weierophinney
Member

@kniziol you can test this pull request. :)

@kniziol
Author

kniziol commented Aug 11, 2014

@weierophinney thanks. It looks good and the problem is gone. Details:

  • before PR
WARNING Security Advisory: json_decode() expects parameter 1 to be string, array given
  • after PR
OK Security Advisory: There are currently no security advisories for packages specified in /(...)/app/../composer.lock

@weierophinney weierophinney merged commit 0458b42 into zendframework:master Aug 11, 2014
weierophinney added a commit that referenced this pull request Aug 11, 2014
@weierophinney weierophinney deleted the hotfix/43 branch August 11, 2014 16:13
@weierophinney
Member

Merged, and tagged 1.0.3 so this will be picked up in stable versions.

@Thinkscape
Member

Thx.
