Improve Composer meta analyzer's ability to deal with minified metadata #5019

Merged 2 commits on Jun 13, 2025

Conversation

@ch8matt (Contributor) commented Jun 3, 2025

Description

Some Composer repositories (e.g., Satis) do not include the "minified" key in their packages.json,
even though they return packages in minified format (arrays instead of versioned objects).

This commit enhances the isMinified() method to heuristically detect minified metadata by inspecting
the structure of the packages object. This improves compatibility with such repositories and avoids
JSON parsing issues during metadata analysis.

Addressed Issue

Additional Details

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly
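The description above explains the two layouts a Composer repository can serve and the structural check the PR adds when the "minified" header is missing. The following is an added example, not Dependency-Track's or Composer's code: it shows both layouts on constructed sample documents, an assumed structural fallback for `is_minified()` (versions served as a JSON array rather than a version-keyed object), and the expansion of minified entries (each entry carrying only the keys that differ from the previous version, with `__unset` marking a removed key), so that both layouts normalize to the same shape instead of failing during parsing.

```python
"""Detecting and expanding Composer "minified" repository metadata.

Added example; not Dependency-Track's or Composer's code. The structural
fallback in is_minified() is an assumed heuristic drawn from the PR description;
the expansion rules (delta entries plus the "__unset" marker) follow Composer's
minified scheme as understood by the author of this example.
"""
import json

UNSET = "__unset"  # Composer's marker for a key dropped relative to the previous version


def is_minified(root: dict) -> bool:
    # The explicit header is authoritative when present.
    if root.get("minified") == "composer/2.0":
        return True
    packages = root.get("packages")
    if not isinstance(packages, dict) or not packages:
        return False
    # Fallback (assumed heuristic): minified metadata lists each package's
    # versions as a JSON array; the expanded layout keys them by version string.
    return all(isinstance(versions, list) for versions in packages.values())


def expand(versions: list) -> list:
    """Rebuild full per-version objects from a minified delta list."""
    expanded = []
    current = {}
    for delta in versions:
        current = dict(current)  # copy so already-emitted entries are not mutated
        for key, value in delta.items():
            if value == UNSET:
                current.pop(key, None)
            else:
                current[key] = value
        expanded.append(current)
    return expanded


def normalize(root: dict) -> dict:
    """Return {package: {version: metadata}} for either layout, rejecting shapes
    that match neither instead of failing deep inside the analyzer."""
    packages = root.get("packages", {})
    minified = is_minified(root)
    result = {}
    for name, versions in packages.items():
        if minified:
            if not isinstance(versions, list):
                raise ValueError(f"{name}: expected a version array in minified metadata")
            result[name] = {entry["version"]: entry for entry in expand(versions)}
        else:
            if not isinstance(versions, dict):
                raise ValueError(f"{name}: expected a version object in expanded metadata")
            result[name] = dict(versions)
    return result


# Constructed sample documents, trimmed to the fields that matter here.
EXPANDED = json.loads("""{
  "packages": {
    "acme/lib": {
      "1.0.0": {"name": "acme/lib", "version": "1.0.0", "license": ["MIT"]},
      "1.1.0": {"name": "acme/lib", "version": "1.1.0", "license": ["MIT"]}
    }
  }
}""")

MINIFIED = json.loads("""{
  "minified": "composer/2.0",
  "packages": {
    "acme/lib": [
      {"name": "acme/lib", "version": "1.0.0", "license": ["MIT"], "require": {"php": ">=8.1"}},
      {"version": "1.1.0", "license": "__unset"}
    ]
  }
}""")

# Same payload as MINIFIED but without the header, as some Satis repositories serve it.
SATIS_LIKE = {"packages": MINIFIED["packages"]}


if __name__ == "__main__":
    for label, doc in (("expanded", EXPANDED), ("minified", MINIFIED), ("satis-like", SATIS_LIKE)):
        layout = "minified" if is_minified(doc) else "expanded"
        print(label, "->", layout, sorted(normalize(doc)["acme/lib"]))
```

`normalize()` deliberately raises on a document that is neither clearly minified nor clearly expanded (for example, one package served as an array and another as an object) so that a malformed or unexpected feed is reported rather than silently misread as a version list.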

ch8matt added 2 commits June 2, 2025 22:30
Signed-off-by: McFY49 <g.matthieu49@gmail.com>
Some Composer repositories (e.g., Satis) do not include the "minified" key in their packages.json,
even though they return packages in minified format (arrays instead of versioned objects).

This commit enhances the isMinified() method to heuristically detect minified metadata by inspecting
the structure of the packages object. This improves compatibility with such repositories and avoids
JSON parsing issues during metadata analysis.

Signed-off-by: ch8matt <g.matthieu49@gmail.com>
@owasp-dt-bot

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation: +0.01% (target: -1.00%)
Diff coverage:      100.00% (target: 70.00%)

Coverage variation details
                                    Coverable lines   Covered lines   Coverage
Common ancestor commit (6e3b0aa)    24039             19389           80.66%
Head commit (4440c8e)               24049 (+10)       19399 (+10)     80.66% (+0.01%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
                        Coverable lines   Covered lines   Diff coverage
Pull request (#5019)    11                11              100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

@ch8matt (Contributor, Author) commented Jun 3, 2025

@valentijnscholten Can you confirm this is okay? :)

@valentijnscholten (Contributor)

Looking at the source code of composer itself, it doesn't do this fallback check in this PR:

https://github.com/composer/composer/blob/8d239c7d3d6b7cff416f4ce3546a0b2b7633cb30/src/Composer/Repository/ComposerRepository.php#L1048C92-L1048C96

And the expand method is not called anywhere else. But yet composer does work with Satis repositories it seems. I have access to 1 private Satis based repository and I can see also that the minified "header" is missing.

Summarizing, I don't know why we need this PR, but it does solve the problem and would be safe to merge.

@ch8matt (Contributor, Author) commented Jun 13, 2025

@nscuro Hello, could you tell me what you think about this PR? Would love to have the feature fixed in the future version of Dependency-Track :D

@nscuro nscuro added this to the 4.14.0 milestone Jun 13, 2025
@nscuro nscuro added defect Something isn't working backport/4.13.3 PRs to be backported to v4.13.3 labels Jun 13, 2025
@nscuro (Member) left a comment

Thanks @ch8matt! I wasn't sure if you were waiting for more clarification from others, but the PR looks good to me.

@nscuro nscuro changed the title fix(composer): improve isMinified() to detect implicit minified format Improve Composer meta analyzer's ability to deal with minified metadata Jun 13, 2025
@nscuro nscuro merged commit e57361a into DependencyTrack:master Jun 13, 2025
11 checks passed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 14, 2025