Issues/451 Add advisory information to a commit messages

[slash3b]

This patch adds advisory information when advisory is added/updated

Fixes #451

Example of how it will look like.
composer.json has conflict "snipe/snipe-it": "<5.3.11|>=6.0.0-RC-1,<=6.0.0-RC-5",
after php build-conflicts.php it will become "snipe/snipe-it": "<5.4.3|>=6.0.0-RC-1,<=6.0.0-RC-5",

Commit message will be the following:

slash3b@Nostromo ~/P/p/SecurityAdvisoriesBuilder (issues/451)> php build-conflicts.php

"Committing generated "composer.json" file as per "2022-05-18T19:29:04+00:00"
Original commit: "https://github.com/FriendsOfPHP/security-advisories/commit/41f90c0690ef7ab1de89a12fada124e647ca2a87"

 Security advisories updated:
        Package name   | snipe/snipe-it
        Summary        | Cross-site Scripting in snipe-it
        URI            | https://github.com/advisories/GHSA-p885-prv3-m4xv
        Constraints    | <5.4.3

        Package name   | snipe/snipe-it
        Summary        | Old sessions not blocked by login enable function in Snipe-IT
        URI            | https://github.com/advisories/GHSA-636j-7x7r-gvw2
        Constraints    | <5.4.2

[Ocramius]

Well, this would only list new packages, but not new versions of those packages 🤔

A bit of a more elaborate intersection mechanism is needed here, perhaps reading the current composer.json into a set of exclusion ranges (we already have value objects for that)

[slash3b]

oh, okay, thank you. I'll try to tackle it this weekend 🤔

[Ocramius]

No need to push it, don't worry! We can also try discussing this 1-on-1 in the coming weeks, if you want.

[slash3b]

...and I got overwhelmed with stuff. Sorry for late response. Yes, 1-on-1 would be great as I'm not sure I understand what is needed to be done.
For example we have an old set of ranges "amphp/http-client": "<1|>=4,<4.4"
and new set of ranges that looks like so "amphp/http-client": ">=4,<4.4|>=4.6",
where >=4.6 is new and <1 was deleted/retracted.

I should mention both <1 and >=4.6 in a commit message, right ? Basically everything that is not "overlapping" between the two 🤔

@azjezz thank you for suggestions! It was a bit hard to wrap my head around some PSL stuff.

[slash3b]

been staring at this whole evening. An elaborate intersection mechanism is, of course, possible, but looks overly complex(?) 🤔
If that is for human to read, could we just do something dumb like this:

• get old and fresh json files with conflicts
• if package is completely new, mark it as such
• if package exists in both files, try to compare string values.
• if strings are different, then add it, for example, like so

"amphp/http-client"  updated from  "<1|>=4,<4.4" to  ">=4,<4.4|>=4.6"

And finally in commit message, we'd have it

Newly added:
   Package: "amphp/http"  "<1.0.1"
   Summary: "Potential SQL injection vector"
   URI: "https://github.com/...."
 
Updated:
   "amphp/http-client"  updated from  "<1|>=4,<4.4" to  ">=4,<4.4|>=4.6"
   Summary: "Potential SQL injection vector"
   URI: "https://github.com/...."

Deleted (completely):
   "foo/bar" ">1.2"
   Summary: "Potential SQL injection vector"
   URI: "https://github.com/...."

Just thinking out loud 🙈

[Ocramius]

An elaborate intersection mechanism is, of course, possible, but looks overly complex(?) thinking

We already have that.

1. read current range
2. read advisory
3. compare advisory with current range: if it is already fully included, then consider it "done"
4. otherwise, add it to the bucket of "advisories that will change composer.json"

[Ocramius]

Discussed briefly on twitter:

1. read current composer.json into a list<Component>, where each Component has its associated dependency exclusion range parsed (we already have most of that written)
2. read the individual advisories from their respective sources - keep a link to the source in each of the read advisories
3. compare the list<Component> to the list<Advisory>, and determine which Advisory instances are NOT fully contained in list<Component>
4. use the resulting data to produce the commit message

[azjezz]

I added some comments that should help you with using PSL instead of stdlib, let me know if you need help with anything else.

[azjezz]

Suggested change

	use function array_keys;
	use Psl\Vec;

$keys = Vec\keys($array);

[azjezz]

Suggested change

	use function count;
	use Psl\Iter;

$count = Iter\count($iterable);

[azjezz]

Suggested change

	use function file_get_contents;
	use Psl\Filesystem;

$content = Filesystem\read_file($filename);

[slash3b]

thank you!

[azjezz]

Suggested change

	use function in_array;
	use Psl\Iter;

$contains = Iter\contains($array, $value);
$contains_key = Iter\contains_key($array, $key);

[azjezz]

Suggested change

	use function json_decode;
	use Psl\Json;

$result = Json\decode($json);

or better:

use Psl\Json;
use Psl\Type;

$result = Json\typed($json, Type\shape([
  'foo' => Type\string(),
  'bar' => Type\vec(Type\int()), // vec<T> is list<T>
  'baz' => Type\dict(Type\int(), Type\string()), // dict<Tk, Tv> is array<Tk, Tv>
]);

[slash3b]

thank you!

[slash3b]

this one handles spaces in boundaries, coming from github advisories, not super critical but annoying

[slash3b]

not sure how to do it any other was 🤔

[slash3b]

need a little push, how do I describe type for this ?

ERROR: MixedInferredReturnType - test/RoaveTest/SecurityAdvisories/Helper/ConstraintsMapTest.php:69:16 - Providers must return iterable<array-key, array<array-key, mixed>>, possibly different array<string, mixed> provided (see https://psalm.dev/047)
     * @return array<string, mixed>


ERROR: MixedInferredReturnType - test/RoaveTest/SecurityAdvisories/Helper/ConstraintsMapTest.php:148:16 - Providers must return iterable<array-key, array<array-key, mixed>>, possibly different array<string, mixed> provided (see https://psalm.dev/047)
     * @return array<string, mixed>