feat: Prefer installed setups over lock files (#325)

Signed-off-by: Jan Kowalleck <[email protected]>
CycloneDX · Mar 6, 2023 · ba6fa8a · ba6fa8a
1 parent 3bf24a9
commit ba6fa8a
Show file tree

Hide file tree

Showing 19 changed files with 812 additions and 480 deletions.
diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml
@@ -36,11 +36,12 @@ env:
 jobs:
   reproducible:
     name: >
-      Reproducible "${{ matrix.subject }}"
+      R: "${{ matrix.subject }}"
       (${{ matrix.spec-version }}
       ${{ matrix.output-format }},
       c${{ matrix.composer }}
       p${{ matrix.php }},
+      i:${{ matrix.install }}
       stdout:${{ matrix.stdout }})
     runs-on: ubuntu-latest
     timeout-minutes: 10
@@ -70,6 +71,7 @@ jobs:
           - "1.1"
           # - "1.0" # not implemented
         stdout: [ false ]
+        install: [ true , false ]
         exclude:
           # exclude unsupported combinations: json is defined in spec >= 1.2
           - output-format: json
@@ -138,9 +140,15 @@ jobs:
           restore-keys: |
             composer-${{ github.job }}-${{ matrix.subject }}-php${{ matrix.php }}-
             composer-${{ github.job }}-${{ matrix.subject }}-
-      - name: Install dependencies
+      - name: Install composer plugin
+        working-directory: ${{ env.DEMO_TOOL_PATH }}
+        run: composer install
+      - name: Install project dependencies & kick lockfile
+        if: ${{ matrix.install }}
         working-directory: ${{ env.DEMO_PROJECT_DIR }}
-        run: composer setup
+        run: |
+          composer setup
+          rm composer.lock
       - name: Make SBOM to file
         if: ${{ ! matrix.stdout }}
         working-directory: ${{ env.DEMO_TOOL_PATH }}

diff --git a/HISTORY.md b/HISTORY.md
@@ -19,11 +19,13 @@ All notable changes to this project will be documented in this file.
   * Dependencies
     * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250])
 * Changed
+  * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250])
   * Root component's versions is unset, if version detection fails ([#154] via [#250])
   * Composer packages of type "composer-installer" are treated as composer plugins (via [#250])
 * Added
-  * Support for CycloneDX Spec v1.4 (via [#250])
+  * Evidence collection knows actually installed packages ([#122] via [#250])
   * SBOM results
+    * Support for CycloneDX Spec v1.4 (via [#250])
     * might have `serialnumber` populated ([#279] via [#250])
     * might have `metadata.timestamp` populated ([#112] via [#250])
     * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250])
@@ -40,6 +42,7 @@ All notable changes to this project will be documented in this file.
 [#91]:  https://github.com/CycloneDX/cyclonedx-php-composer/issues/91
 [#102]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/102
 [#112]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/112
+[#122]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/122
 [#128]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/128
 [#153]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/153
 [#154]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/154

diff --git a/README.md b/README.md
@@ -79,6 +79,16 @@ Options:
 
 For a demo of _cyclonedx-php-composer_ see the [demo projects][demo_readme].
 
+## How it works
+
+This composer plugin actually utilizes composer itself, to collect evidence for installed composer packages.  
+In terms of evidence collection, actually installed setups are preferred over pure lock file analysis.  
+Required  evidence:
+- composer config/manifest file (e.g. `composer.json` file)
+- any of:
+  - an actual composer setup (e.g. `vendor` directory, after running `composer install` on your project)
+  - a working composer lock file (e.g. `composer.lock` file)
+
 ## Internals
 
 This _Composer_ plugin utilizes the [CycloneDX library][cyclonedx-library] to generate the actual data structures.

diff --git a/composer-require-checker.json b/composer-require-checker.json
@@ -13,6 +13,8 @@
     "Composer\\Plugin\\Capability\\CommandProvider",
     "Composer\\Plugin\\Capable",
     "Composer\\Plugin\\PluginInterface",
+    "Composer\\Repository\\InstalledRepositoryInterface",
+    "Composer\\Repository\\LockArrayRepository",
     "Composer\\Semver\\Constraint\\MatchAllConstraint",
     "Symfony\\Component\\Console\\Command\\Command",
     "Symfony\\Component\\Console\\Formatter\\OutputFormatter",

diff --git a/demo/devReq/project/composer.json b/demo/devReq/project/composer.json
@@ -20,13 +20,6 @@
     "require-dev": {
         "phpunit/phpunit": "9.5.26"
     },
-    "repositories": [
-        {
-            "type": "path",
-            "url": "../../..",
-            "symlink": true
-        }
-    ],
     "minimum-stability": "dev",
     "prefer-stable": true,
     "config": {

diff --git a/demo/devReq/project/composer.lock b/demo/devReq/project/composer.lock