only report packages that have version set

According to Composer's runtime API documentation: > If the package is being replaced or provided but is not really installed, > null will be returned as version. This means that packages without versions are not interesting because they're not really installed. -- Co-authored-by: Michael Fulbright <[email protected]>
newrelic · Sep 16, 2024 · ef227b4 · ef227b4
1 parent 5de8e7f
commit ef227b4
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/agent/lib_composer.c b/agent/lib_composer.c
@@ -151,18 +151,25 @@ static void nr_execute_handle_autoload_composer_get_packages_information(
           if (SUCCESS == result2) {
             if (nr_php_is_zval_valid_string(&retval2)) {
               version = Z_STRVAL(retval2);
+            } else if (nr_php_is_zval_null(&retval2)) {
+              nrl_verbose(NRL_INSTRUMENT,
+                          "version was IS_NULL for package %s",
+                          Z_STRVAL_P(value));
+              version = NULL;
             }
           }
         }
         zval_dtor(&retval2);
         nrl_verbosedebug(NRL_INSTRUMENT, "package %s, version %s",
                          NRSAFESTR(Z_STRVAL_P(value)), NRSAFESTR(version));
-        if (NRINI(vulnerability_management_package_detection_enabled)) {
-          nr_txn_add_php_package(NRPRG(txn), NRSAFESTR(Z_STRVAL_P(value)),
-                                 NRSAFESTR(version));
+        if (NULL != version) {
+          if (NRINI(vulnerability_management_package_detection_enabled)) {
+            nr_txn_add_php_package(NRPRG(txn), NRSAFESTR(Z_STRVAL_P(value)),
+                                  NRSAFESTR(version));
+          }
+          nr_fw_support_add_package_supportability_metric(
+              NRPRG(txn), NRSAFESTR(Z_STRVAL_P(value)), NRSAFESTR(version));
         }
-        nr_fw_support_add_package_supportability_metric(
-            NRPRG(txn), NRSAFESTR(Z_STRVAL_P(value)), NRSAFESTR(version));
       }
       ZEND_HASH_FOREACH_END();
     } else {