承接 mxr576/ddqg-composer-audit 相关项目开发

从需求分析到上线部署,全程专人跟进,保证项目质量与交付效率

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

mxr576/ddqg-composer-audit

Composer 安装命令:

composer require --dev mxr576/ddqg-composer-audit

包简介

Drupal Dependency Quality Gate Composer Audit plugin

README 文档

README

This project extends composer audit command with new "advisories" originating from the results generated by the mxr576/ddqg project that aims to help run Drupal projects on secure and high-quality Drupal dependencies.

Family Guy, Consuela says: No, no, no low-quality dependencies

CHECKOUT the mxr576/composer-audit-changes "alternative" composer audit command because it can help with the adoption of this package on existing projects with collected technical debt.

Installation

$ composer require --dev mxr576/ddqg-composer-audit

Example output

$ composer audit
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/apigee_edge                                                               |
| CVE               | DDQG-D10-incompatible-drupal-apigee_edge                                         |
| Title             | The installed "2.0.7.0" version is not compatible with Drupal 10. (Reported by D |
|                   | rupal Dependency Quality Gate.)                                                  |
| URL               | https://www.drupal.org/project/apigee_edge                                       |
| Affected versions | 2.0.7.0                                                                          |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/apigee_edge                                                               |
| CVE               | DDQG-insecure-drupal-apigee_edge                                                 |
| Title             | The installed "2.0.7.0" version is insecure. (Reported by Drupal Dependency Qual |
|                   | ity Gate.)                                                                       |
| URL               | https://www.drupal.org/project/apigee_edge                                       |
| Affected versions | >=1.0.0,<1.27.0|>=2.0.0,<2.0.8                                                   |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/core                                                                      |
| CVE               | DDQG-insecure-drupal-core                                                        |
| Title             | The installed "9.4.0.0" version is insecure. (Reported by Drupal Dependency Qual |
|                   | ity Gate.)                                                                       |
| URL               | https://www.drupal.org/project/core                                              |
| Affected versions | >=9.4.0,<9.4.14|>=9.5.0,<9.5.8|>=10.0.0,<10.0.8                                  |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/feeds                                                                     |
| CVE               | DDQG-unsupported-drupal-feeds-3.0.0.0-beta3                                      |
| Title             | The installed "3.0.0.0-beta3" version is unsupported. (Reported by Drupal Depend |
|                   | ency Quality Gate.)                                                              |
| URL               | https://www.drupal.org/project/feeds                                             |
| Affected versions | 2.x-dev|3.0.0-alpha1|3.0.0-alpha2|3.0.0-alpha3|3.0.0-alpha4|3.0.0-alpha5|3.0.0-a |
|                   | lpha6|3.0.0-alpha7|3.0.0-alpha8|3.0.0-alpha9|3.0.0-alpha10|3.0.0-alpha11|3.0.0-b |
|                   | eta1|3.0.0-beta2|3.0.0-beta3|3.x-dev                                             |
| Reported at       | 2023-05-07T13:49:57+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | drupal/variationcache                                                            |
| CVE               | DDQG-deprecated-drupal-variationcache-1.2.0.0                                    |
| Title             | The installed "1.2.0.0" version is deprecated. (Reported by Drupal Dependency Qu |
|                   | ality Gate.)                                                                     |
| URL               | https://www.drupal.org/project/variationcache                                    |
| Affected versions | *                                                                                |
| Reported at       | 2024-01-08T12:15:20+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Configuration

Quality Assurance can feel painful, but it is an important part of professional software development. The goal of this project is to bring attention about dependency quality problems on a project. For all these reasons, it deliberately comes with minimal opt-out options.

Silence warning about a deprecated- or unsupported package version in use

Warning

This feature is deprecated and it is going to be removed in version 2.0.0. Composer's built-in audit ignore feature replaced it.

In a project's root composer.json, under the extra property, add a definition like this:

        "ddqg-composer-audit": {
            "ignore-deprecated-versions": {
                "vendor/package": "an_explicit_version_string",
                "drupal/swiftmailer": "2.4.0"
            }
            "ignore-unsupported-versions": {
                "vendor/package": "an_explicit_version_string",
                "drupal/tamper": "1.0.0-alpha3"
            }
        }

The other option is defining a comma separate list of ignore rules in DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS and DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS environment variables respectfully, e.g, DDQG_COMPOSER_AUDIT_IGNORE_DEPRECATED_VERSIONS=drupal/swiftmailer:2.4.0,vendor/package:1.x-dev or DDQG_COMPOSER_AUDIT_IGNORE_UNSUPPORTED_VERSIONS=drupal/tamper:1.0.0-alpha3,vendor/package:1.x-dev

An environment variable has a higher precedence than a configuration in composer.json; if it is defined, the definition in a project's root composer.json is ignored completely.

Notice: A warning is still displayed about the ignored deprecated- or unsupported package on STDERR.

Not supporting version ranges in the definition was a conscious decision because (again) the goal is making dependency quality problems constantly visible and not sweeping them under the carpet.

Check Drupal 10 compatibility

For projects running on Drupal 9 still. When this feature is enabled then composer audit can also check whether an installed package dependency version is also compatible with Drupal 10 or not. This can make the Drupal 10 upgrade more painless.

The feature is disabled by default, it can be enabled with:

        "ddqg-composer-audit": {
            "check-d10-compatibility": true
        }

or by setting the DDQG_COMPOSER_AUDIT_CHECK_D10_COMPATIBILITY=true environment variable.

This is a seasonal feature that will be removed after Drupal 9 EOL.

Integrations

FAQ

Drupal Packagist already provides package advisories, so why should I care about this plugin?

This feature is only available on Drupal Packagist since 21 September 2023. Security advisory data via Drupal Packagist only contains information based on published security advisories; it does not contain releases flagged as "insecure", but this Composer plugin does.

mxr576/ddqg-composer-audit 适用场景与选型建议

mxr576/ddqg-composer-audit 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 61.63k 次下载、GitHub Stars 达 10, 最近一次更新时间为 2023 年 04 月 20 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 「Audit」 「drupal」 「dev」 「qa」 「dependency analyses」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 mxr576/ddqg-composer-audit 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 mxr576/ddqg-composer-audit 我们能提供哪些服务?
定制开发 / 二次开发

基于 mxr576/ddqg-composer-audit 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 61.63k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 10
  • 点击次数: 31
  • 依赖项目数: 2
  • 推荐数: 0

GitHub 信息

  • Stars: 10
  • Watchers: 1
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2023-04-20