Composer version not always a string #1138

Open
3asm opened this issue Jul 24, 2024 · 7 comments · May be fixed by #1139
Labels: bug (Something isn't working)

@3asm

3asm commented Jul 24, 2024

While analyzing a composer.lock file we get the following error:

(extracting as composer.lock) could not extract from /app/composer.lock: json: cannot unmarshal number into Go struct field ComposerPackage.packages.version of type string

The version in this case is not a string:

➜  /tmp grep version composer.lock
            "version": "5.9.1",
            "version": "1.99",
            "version": "0.1.1",
            "version": "1.2.8",
            "version": "v1.9.0",
            "version": "4.6.2",
            "version": "v2.11.0",
            "version": "5.5.3",
            "version": "5.5.3",
            "version": "2.0.0",
            "version": "v1.8.0",
            "version": "v0.8.1",
            "version": "1.8.2",
            "version": "2.4.20.3",
            "version": "2.6.1",
            "version": "3.7.2",
            "version": "1.4.3",
            "version": "20190220",
            "version": "1.11.5",
            "version": "3.1",
            "version": "1.5",
            "version": "0.5.7",
@G-Rath
Collaborator

G-Rath commented Jul 24, 2024

Can you name the package(s) with the erroring versions? My understanding is that composer requires versions to be semantic

@3asm
Author

3asm commented Jul 24, 2024

Thanks @G-Rath for the quick answer. The package name is wpackagist-plugin/block-bad-queries.

@G-Rath
Collaborator

G-Rath commented Jul 24, 2024

Cool thanks - if you can, it would be good if you could provide a small but complete lock file reproducing the error but otherwise now that I've got the name I can look into it tomorrow morning :)

@3asm
Author

3asm commented Jul 24, 2024

Awesome, thanks @G-Rath. Here is a link to the file.

@G-Rath G-Rath added the bug Something isn't working label Jul 24, 2024
@G-Rath G-Rath self-assigned this Jul 24, 2024
@G-Rath
Collaborator

G-Rath commented Jul 24, 2024

@3asm could you speak more about how you generated this, including the composer version and json file?

I suspect this is technically invalid (or maybe not natural?) - using this composer.json:

{
  "repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org",
      "only": [
        "wpackagist-plugin/*",
        "wpackagist-theme/*"
      ]
    }
  ],
  "require": {
    "wpackagist-plugin/block-bad-queries": "20190220"
  },
  "config": {
    "allow-plugins": {
      "composer/installers": true
    }
  }
}

Gives me a lockfile with that version but as a string rather than a number.
In saying that if I edit the lockfile to be a number, composer doesn't seem to complain...

It should be straightforward to support this case (we've had to do it in a couple of the other parsers), but I'm interested in knowing more about its real-world implications since this is the first time I've come across this.
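The tolerant parsing G-Rath describes, shown as an added Go example that is not osv-scanner's own code: a `FlexibleVersion` type whose `UnmarshalJSON` accepts either a JSON string or a bare JSON number, alongside a strict struct that reproduces the "cannot unmarshal number into Go struct field" error from the report. The `ComposerPackage`/`ComposerLock` structs, the `ParseComposerLock` and `StrictParseFails` helpers, and the embedded lock file are constructed for this example; the version `20190220` comes from the issue. Numbers are captured via `json.Number` so their original lexeme survives (a float64 round-trip would turn `20190220` into `2.019022e+07` and silently corrupt the version used for vulnerability matching).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FlexibleVersion stores a composer version as text whether the lock file
// wrote it as a JSON string ("1.99") or as a bare JSON number (1.99).
type FlexibleVersion string

// UnmarshalJSON accepts a string or a number; anything else is rejected so
// that malformed lock files still fail loudly instead of yielding "".
func (v *FlexibleVersion) UnmarshalJSON(data []byte) error {
	if string(data) == "null" {
		return nil // mirror encoding/json: null leaves the value untouched
	}
	if len(data) > 0 && data[0] == '"' {
		var s string
		if err := json.Unmarshal(data, &s); err != nil {
			return err
		}
		*v = FlexibleVersion(s)
		return nil
	}
	// json.Number keeps the literal digits, e.g. "20190220" or "1.99",
	// rather than converting through float64.
	var n json.Number
	if err := json.Unmarshal(data, &n); err != nil {
		return fmt.Errorf("composer version must be a string or number, got %s", data)
	}
	*v = FlexibleVersion(n.String())
	return nil
}

// ComposerPackage and ComposerLock are hypothetical, minimal shapes of a
// composer.lock; real lock files carry many more fields.
type ComposerPackage struct {
	Name    string          `json:"name"`
	Version FlexibleVersion `json:"version"`
}

type ComposerLock struct {
	Packages    []ComposerPackage `json:"packages"`
	PackagesDev []ComposerPackage `json:"packages-dev"`
}

// ParseComposerLock decodes a lock file with the tolerant version type.
func ParseComposerLock(data []byte) (*ComposerLock, error) {
	var lock ComposerLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("could not extract composer.lock: %w", err)
	}
	return &lock, nil
}

// strictPackage uses a plain string field, which is what produces the error
// quoted in the issue when "version" is a bare number.
type strictPackage struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// StrictParseFails reports whether the strict shape rejects the input.
func StrictParseFails(data []byte) bool {
	var lock struct {
		Packages []strictPackage `json:"packages"`
	}
	return json.Unmarshal(data, &lock) != nil
}

// sampleLock is a constructed lock file mixing string and numeric versions.
const sampleLock = `{
  "packages": [
    {"name": "wpackagist-plugin/block-bad-queries", "version": 20190220},
    {"name": "example/semver-lib", "version": "v1.9.0"},
    {"name": "example/float-like", "version": 1.99}
  ],
  "packages-dev": []
}`

func main() {
	fmt.Println("strict parse fails:", StrictParseFails([]byte(sampleLock)))
	lock, err := ParseComposerLock([]byte(sampleLock))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range lock.Packages {
		fmt.Printf("%s %s\n", p.Name, p.Version)
	}
}
```

Because `FlexibleVersion` is an alias of `string`, downstream code that builds a purl or compares versions keeps working unchanged; only the decoding boundary widens. The strict variant is kept beside it to make the regression (and the fix) testable.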

@another-rex
Collaborator

@3asm Friendly ping on if you know how this file is generated? :)

@3asm
Author

3asm commented Aug 15, 2024

Sorry @another-rex I missed that. No, I don't, the file was collected during a vulnerability scan.

marob added a commit to marob/cdxgen that referenced this issue Aug 22, 2024
composer.lock files may have a dependency package version as a number instead of a string (see: google/osv-scanner#1138). In that case `new PackageURL(...)` throws the following error: Error: Invalid purl: "versions" argument must be a string.

Signed-off-by: Maxime Robert <[email protected]>
prabhu pushed a commit to CycloneDX/cdxgen that referenced this issue Aug 26, 2024