feat(agent): use composer for vuln mgmt package info #962

lavarou · 2024-09-12T21:55:14Z

If possible, use Composer's runtime API to collect information about PHP packages used by the application for New Relic Vulnerability Management. This feature is disabled by default and can be enabled by setting newrelic.vulnerability_management.composer_detection.enabled to true.

newrelic-php-agent-bot · 2024-09-12T21:55:38Z

Test Suite	Status	Result
Multiverse	✅	7/7 passing
SOAK	✅	56/56 passing

agent/lib_composer.c

zsistla · 2024-09-12T22:59:29Z

What version(s) of composer will this work with?

agent/lib_composer.c

lavarou · 2024-09-13T13:09:14Z

daemon/internal/newrelic/integration/php_packages.go

+	} else if 1 < len(splitCmd) && "composer-show.php" == splitCmd[1] {
+		lines := strings.Split(string(out), "\n")
+		version := ""
+		for _, line := range lines {
+			//fmt.Printf("line is |%s|\n", line)
+			splitLine := strings.Split(line, "=>")
+			if 2 == len(splitLine) {
+				name := strings.TrimSpace(splitLine[0])
+				version = strings.TrimSpace(splitLine[1])
+				pkgs.packages = append(pkgs.packages, PhpPackage{name, version})
+			}
+		}


This is added so that composer mock can be used to test packages payload.

lavarou · 2024-09-13T13:14:58Z

agent/lib_composer.c

+  }
+
+  nrl_verbosedebug(NRL_FRAMEWORK, "detected composer");
+  NRPRG(txn)->composer_info.composer_detected = true;


This flag is not needed and the final version will probably have this removed.

lavarou · 2024-09-13T13:19:16Z

What version(s) of composer will this work with?

So far it's been tested with 2.2 and 2.6. It should work with all versions >= 2.2.

codecov-commenter · 2024-09-13T13:51:43Z

Codecov Report

Attention: Patch coverage is 79.14692% with 44 lines in your changes missing coverage. Please review.

Project coverage is 78.50%. Comparing base (8de09b0) to head (1fda499).
Report is 1 commits behind head on dev.

Files with missing lines	Patch %	Lines
agent/lib_composer.c	77.08%	22 Missing ⚠️
axiom/nr_php_packages.c	72.00%	7 Missing ⚠️
agent/fw_laminas3.c	0.00%	2 Missing ⚠️
agent/fw_lumen.c	0.00%	2 Missing ⚠️
agent/fw_wordpress.c	0.00%	2 Missing ⚠️
agent/lib_doctrine2.c	0.00%	2 Missing ⚠️
agent/lib_mongodb.c	0.00%	2 Missing ⚠️
agent/lib_phpunit.c	0.00%	2 Missing ⚠️
axiom/nr_php_packages.h	60.00%	2 Missing ⚠️
agent/fw_slim.c	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              dev     #962      +/-   ##
==========================================
+ Coverage   78.35%   78.50%   +0.14%     
==========================================
  Files         194      195       +1     
  Lines       26879    27057     +178     
==========================================
+ Hits        21061    21241     +180     
+ Misses       5818     5816       -2

Flag	Coverage Δ
agent-for-php-7.2	`78.51% <79.14%> (+0.15%)`	⬆️
agent-for-php-7.3	`78.53% <79.14%> (+0.15%)`	⬆️
agent-for-php-7.4	`78.23% <78.19%> (+0.14%)`	⬆️
agent-for-php-8.0	`78.25% <78.19%> (+0.14%)`	⬆️
agent-for-php-8.1	`78.24% <78.19%> (+0.14%)`	⬆️
agent-for-php-8.2	`77.84% <77.72%> (+0.14%)`	⬆️
agent-for-php-8.3	`77.84% <77.72%> (+0.14%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

agent/lib_composer.c

lavarou · 2024-09-18T18:51:34Z

agent/fw_drupal8.c

+    nr_fw_support_add_package_supportability_metric(
+        NRPRG(txn), PHP_PACKAGE_NAME, version, p);


This change (and similar changes in other fw_*.c modules) is required so that if composer api is enabled, the major version value, used in the metric name, will be from package info collected using composer api rather than from the package itself (from static VERSION constant or calling some version of get_version method in the package). The former method yields more useful and accurate results.

lavarou · 2024-09-18T18:56:56Z

axiom/nr_php_packages.h

 typedef struct _nr_php_package_t {
  char* package_name;
  char* package_version;
+  nr_php_package_source_priority_t source_priority;


source_priority decides if package_version gets overwritten when a package with the same package_name is added to nr_php_packages_t.data again - see implementation of nr_php_packages_add_package.

axiom/tests/test_php_packages.c

agent/fw_drupal.c

agent/fw_support.c

agent/lib_composer.c

Use php_packages API rather than raw hashmap API to get the package from php_packages.

Co-authored-by: bduranleau-nr <[email protected]> Co-authored-by: Hitesh Ahuja <[email protected]>

Use correct value for failure when initializing a variable of zend_result type. Co-authored-by: Amber Sistla <[email protected]>

Co-authored-by: bduranleau-nr <[email protected]>

`vendor_path` needs to be freed when an error occurs.

Ensure the code will not crash under unlikely conditions of pointers that are guaranteed to not be NULL being NULL.

Remove methods from the mock that are not relevant to composer instrumentation.

This reverts commit 80fdbdd. `zend_eval_string` expects `char *` not `const char *` so making `code` `const char *` does not make much sense because it would have to be casted back to `char *`.

Add more tests with composer API that throws Exception and Error.

Test autoloader detection when Composer api is enabled but package detection is disabled. Neither autoloader nor composer should be detected and used.

Test detection of packages when Composer is used but package metadata is bogus: - package_name is null, package_version is valid - package_name is valid, package_version is null - package_name is null, package_version is null.

This partially reverts commit 3a356ea. `NRSAFESTR` should still be used when accessing package_name and package_version for debug log message.

zsistla

Thanks for all the hard work that went into this! LGTM.

Change how the package major number metrics are created. This now occurs in R_SHUTDOWN. This allows the use of package versions from ALL sources including the Composer API. Whenever instrumentation for a package detects a package, it can create a package suggestion. Initially if a version is not known it is fine to use PHP_PACKAGE_VERSION_UNKNOWN. If later the instrumentation determines a version from a class constant, etc, then the suggestion can be updated with the version. At the end of the transaction the suggestions are iterated over and the actual package data (which could include Composer API data) is referenced and a major number supportability metric is created with the best version available. --------- Co-authored-by: Michal Nowacki <[email protected]>

mfulb

Very nice work Michal!

lavarou requested review from mfulb and hahuja2 September 12, 2024 21:55

lavarou self-assigned this Sep 12, 2024

lavarou changed the base branch from main to dev September 12, 2024 21:55

lavarou force-pushed the feat/vm/user-composer-for-package-info branch from 68dc921 to 6123bb4 Compare September 12, 2024 21:55

zsistla reviewed Sep 12, 2024

View reviewed changes

agent/lib_composer.c Outdated Show resolved Hide resolved

zsistla reviewed Sep 12, 2024

View reviewed changes

agent/lib_composer.c Show resolved Hide resolved

zsistla reviewed Sep 12, 2024

View reviewed changes

agent/lib_composer.c Outdated Show resolved Hide resolved

lavarou commented Sep 13, 2024

View reviewed changes

lavarou modified the milestones: next release, next-release Sep 13, 2024

lavarou commented Sep 17, 2024

View reviewed changes

agent/lib_composer.c Outdated Show resolved Hide resolved

lavarou commented Sep 18, 2024

View reviewed changes

lavarou marked this pull request as ready for review September 19, 2024 17:54

lavarou force-pushed the feat/vm/user-composer-for-package-info branch from 0654d0a to 444a272 Compare September 19, 2024 20:56

zsistla reviewed Sep 19, 2024

View reviewed changes

axiom/tests/test_php_packages.c Show resolved Hide resolved

lavarou force-pushed the feat/vm/user-composer-for-package-info branch from 444a272 to ff6ef07 Compare September 20, 2024 03:38