6 changes: 6 additions & 0 deletions src/Controller/ApiController.php
@@ -365,6 +365,12 @@ public function securityAdvisoryAction(Request $request, ProviderManager $provid

$statsd->increment('advisory_api');

// resolve Package-URL to package names https://github.com/package-url/purl-spec/blob/main/PURL-SPECIFICATION.rst
$packageNames = array_map(
fn ($name) => Preg::replace('{^pkg:/?/?composer/([^/]+/[^/@?]+).*}', '$1', $name),
$packageNames
Wonder if this needs to parse the purl more completely then and reject if the repository_url is something other than packagist.org?

Nevermind, since the advisory API isn't restricted to packages actually served by this repo, doesn't matter what repo is in the purl.

);

$advisories = $this->getEM()->getRepository(SecurityAdvisory::class)->searchSecurityAdvisories($packageNames, $updatedSince);
$response = ['advisories' => $advisories];
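Review bot: the name class `[^/@?]+` in the `Preg::replace` pattern stops at `@` (version) and `?` (qualifiers) but not at `#`, so a purl carrying a subpath such as `pkg:composer/foo/bar#src` resolves to `foo/bar#src` instead of `foo/bar`. Suggest `[^/@?#]+`, and since the linked spec allows percent-encoded namespace and name segments, consider running `rawurldecode()` over the captured value before the advisory lookup. The `/?/?` after `pkg:` already tolerates the optional `//` form, which matches the spec.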

2 changes: 1 addition & 1 deletion templates/api_doc/index.html.twig
@@ -451,7 +451,7 @@ GET https://{{ packagist_host }}/statistics.json

<p>This endpoint provides a list of security advisories. Either a list of packages as query or request parameter OR a timestamp as updatedSince query parameter needs to be passed.</p>

<p>When querying with a list of packages, known packages will be included in the response with an empty array if they don't have any listed vulnerability. Package names which are not known to have no vulnerability will not be included at all to show that we do not have data on those.</p>
<p>When querying with a list of packages, known packages will be included in the response with an empty array if they don't have any listed vulnerability. Package names which are not known to have no vulnerability will not be included at all to show that we do not have data on those. Note that <a href="https://github.com/package-url/purl-spec/blob/main/PURL-SPECIFICATION.rst">PURL</a> package URLs like <code>pkg:composer/foo/bar</code> can also be provided to the packages parameter.</p>

<pre>
GET https://{{ packagist_host }}/api/security-advisories/?packages[]=[vendor/package]
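Review bot: the added sentence documents the PURL form, but the example request that follows still shows only `packages[]=[vendor/package]`; suggest adding a second example line, e.g. `GET https://{{ packagist_host }}/api/security-advisories/?packages[]=pkg:composer/vendor/package`, so readers see the accepted syntax. It would also help to state that any version or qualifier suffix on the purl is ignored, since the controller change in this PR keeps only the `vendor/name` part before matching.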
2 changes: 2 additions & 0 deletions templates/package/view_package.html.twig
@@ -270,6 +270,8 @@
{% if package.type is not empty and package.type != 'library' %}
<p><span>Type:</span>{{ package.type }}</p>
{% endif %}

<p><span title="PURL / Package-URL">pkg:composer/{{ package.name }}</span></p>
</div>
</div>
</div>
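Review bot: the other metadata rows in this block use the `<p><span>Label:</span>value</p>` pattern, while the new line hides its label in a `title` attribute, so the purl renders as an unlabeled string. Suggest `<p><span title="Package-URL">PURL:</span>pkg:composer/{{ package.name }}</p>` for consistency with the `Type:` row above and so the label is visible without hovering.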