drupal-composer · weitzman · Jun 30, 2020 · Jun 25, 2020 · Jun 25, 2020 · Jun 25, 2020
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ This package ensures that your application doesn't have installed dependencies w
 
 ## Installation
 
-### Drupal 8 ([composer.json](https://github.com/drupal-composer/drupal-security-advisories/blob/8.x/composer.json))
+### Drupal 8/9 ([composer.json](https://github.com/drupal-composer/drupal-security-advisories/blob/8.x/composer.json))
 
 ```sh
 ~$ composer require drupal-composer/drupal-security-advisories:8.x-dev

diff --git a/build/build-composer-json.php b/build/build-composer-json.php
@@ -58,10 +58,9 @@ function fetchAllData($url, Client $client) {
 $results = fetchAllData('https://www.drupal.org/api-d7/node.json?type=project_release&taxonomy_vocabulary_7=100&field_release_build_type=static', $client);
 foreach ($results as $result) {
   $nid = $result->field_release_project->id;
-  $core = (int) substr($result->field_release_version, 0, 1);
+  $core_compat = getCoreCompat($result);
 
-  // Skip D6 and older.
-  if ($core < 7) {
+  if ($core_compat < 7) {
     continue;
   }
 
@@ -73,12 +72,12 @@ function fetchAllData($url, Client $client) {
   }
 
   try {
-    $is_core = ($project->field_project_machine_name == 'drupal') ? TRUE : FALSE;
-    $constraint = VersionParser::generateRangeConstraint($result->field_release_version, $is_core);
+    $is_core = $project->field_project_machine_name == 'drupal';
+    $constraint = VersionParser::generateRangeConstraint($result->field_release_version, $is_core, $result);
     if (!$constraint) {
       throw new InvalidArgumentException('Invalid version number.');
     }
-    $conflict[$core]['drupal/' . $project->field_project_machine_name][] = $constraint;
+    $conflict[$core_compat]['drupal/' . $project->field_project_machine_name][] = $constraint;
   } catch (\Exception $e) {
     // @todo: log exception
     continue;
@@ -89,10 +88,10 @@ function fetchAllData($url, Client $client) {
 $results = fetchAllData('https://www.drupal.org/api-d7/node.json?type=project_release&taxonomy_vocabulary_7=188131&field_release_build_type=static', $client);
 foreach ($results as $result) {
   $nid = $result->field_release_project->id;
-  $core = (int) substr($result->field_release_version, 0, 1);
+  $core_compat = getCoreCompat($result);
 
   // Skip D6 and older.
-  if ($core < 7) {
+  if ($core_compat < 7) {
     continue;
   }
 
@@ -104,12 +103,12 @@ function fetchAllData($url, Client $client) {
   }
 
   try {
-    $is_core = ($project->field_project_machine_name == 'drupal') ? TRUE : FALSE;
-    $constraint = VersionParser::generateExplicitConstraint($result->field_release_version, $is_core);
+    $is_core = $project->field_project_machine_name == 'drupal';
+    $constraint = VersionParser::generateExplicitConstraint($result->field_release_version, $is_core, $result);
     if (!$constraint) {
       throw new InvalidArgumentException('Invalid version number.');
     }
-    $conflict[$core]['drupal/' . $project->field_project_machine_name][] = $constraint;
+    $conflict[$core_compat]['drupal/' . $project->field_project_machine_name][] = $constraint;
   } catch (\Exception $e) {
     // @todo: log exception
     continue;
@@ -121,7 +120,7 @@ function fetchAllData($url, Client $client) {
   8 => 'build-8.x',
 ];
 
-foreach ($conflict as $core => $packages) {
+foreach ($conflict as $core_compat => $packages) {
   $composer = [
     'name' => 'drupal-composer/drupal-security-advisories',
     'description' => 'Prevents installation of composer packages with known security vulnerabilities',
@@ -142,5 +141,28 @@ function fetchAllData($url, Client $client) {
   }
 
   ksort($composer['conflict']);
-  file_put_contents(__DIR__ . '/' . $target[$core] . '/composer.json', json_encode($composer, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE) . "\n");
+  file_put_contents(__DIR__ . '/' . $target[$core_compat] . '/composer.json', json_encode($composer, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE) . "\n");
+}
+
+/**
+ * @param $result
+ *
+ * @return int
+ */
+function getCoreCompat($result) {
+  switch ($result->field_release_category) {
+    case 'obsolete':
+      $core_compat = -1;
+      break;
+    case 'legacy':
+      $core_compat = 7;
+      break;
+    case 'current':
+      // Drupal's module API goes no higher than 8. Drupal 9 core advisories are published in this project's 8.x branch.
-      // Drupal's module API goes no higher than 8. Drupal 9 core advisories are published in this project's 8.x branch.
+      // packages.drupal.org/8 is used for 8.x-* versions and all future semantically-versioned releases, which might be compatible with 8 and/or 9 & later.
-      // Drupal's module API goes no higher than 8. Drupal 9 core advisories are published in this project's 8.x branch.
+      // packages.drupal.org/8 is used for 8.x-* versions and all future semantically-versioned releases, which might be compatible with 8 and/or 9 & later.
+      $core_compat = 8;
+      break;
+    default:
+      throw new InvalidArgumentException('Unrecognized field_release_category.');
+  }
+  return $core_compat;
 }
diff --git a/build/src/VersionParser.php b/build/src/VersionParser.php
@@ -4,22 +4,24 @@
 
 class VersionParser {
 
-  public static function generateRangeConstraint($version, $isCore) {
+  public static function generateRangeConstraint($version, $isCore, $result) {
     if (!static::isValid($version)) {
       return FALSE;
     }
-    return $isCore ? static::handleCore($version) : static::handleContrib($version);
+    return $isCore ? static::handleCore($version) : static::handleContrib($version, $result);
   }
 
-  public static function generateExplicitConstraint($version, $isCore) {
+  public static function generateExplicitConstraint($version, $isCore, $result) {
     if (!static::isValid($version)) {
       return FALSE;
     }
     if ($isCore) {
       return $version;
     }
     else {
-      list($core, $version) = explode('-', $version, 2);
+      // $result->taxonomy_vocabulary_6 is usually a term like 8.x (https://www.drupal.org/taxonomy/term/7234).
+      // Its absence indicates a semver release (or a core release).
+      list($core, $version) = empty($result->taxonomy_vocabulary_6) ? [NULL, $version] : explode('-', $version, 2);
     }
     return $version;
   }
@@ -29,8 +31,10 @@ public static function handleCore($version) {
     return ">=$major.$minor,<$version";
   }
 
-  public static function handleContrib($version) {
-    list($core, $version) = explode('-', $version, 2);
+  public static function handleContrib($version, $result) {
+    // $result->taxonomy_vocabulary_6 is usually a term like 8.x (https://www.drupal.org/taxonomy/term/7234).
+    // Its absence indicates a semver release (or a core release).
+    list($core, $version) = empty($result->taxonomy_vocabulary_6) ? [NULL, $version] : explode('-', $version, 2);
     list($major) = explode('.', $version);
     return ">=$major,<$version";
   }