add ini setting to control use of composer api

Add new INI setting to control use of Composer's runtime API to collect package
information. By default Composer API is not to be used.

Author: lavarou

agent/php_execute.c

@@ -1154,6 +1154,11 @@ static void nr_execute_handle_autoload(const char* filename, const size_t filena
 #define AUTOLOAD_MAGIC_FILE "vendor/autoload.php"
 #define AUTOLOAD_MAGIC_FILE_LEN (sizeof(AUTOLOAD_MAGIC_FILE) - 1)
 
+  if (!NRINI(vulnerability_management_composer_detection_enabled)) {
+    // do nothing when use of composer to collect package info is disabled
+    return;
+  }
+
   if (NRPRG(txn)->composer_info.autoload_detected) {
     // autoload already handled
     return;

agent/php_newrelic.h

@@ -593,6 +593,9 @@ nrinibool_t
 nrinibool_t
     vulnerability_management_package_detection_enabled; /* newrelic.vulnerability_management.package_detection.enabled
                                                          */
+nrinibool_t
+    vulnerability_management_composer_detection_enabled; /* newrelic.vulnerability_management.composer_detection.enabled
+                                                          */
 
 #if ZEND_MODULE_API_NO < ZEND_7_4_X_API_NO
 /*

agent/php_nrini.c

@@ -3091,6 +3091,15 @@ STD_PHP_INI_ENTRY_EX("newrelic.vulnerability_management.package_detection.enable
                      newrelic_globals,
                      nr_enabled_disabled_dh)
 
+STD_PHP_INI_ENTRY_EX("newrelic.vulnerability_management.composer_detection.enabled",
+                     "0",
+                     NR_PHP_REQUEST,
+                     nr_boolean_mh,
+                     vulnerability_management_composer_detection_enabled,
+                     zend_newrelic_globals,
+                     newrelic_globals,
+                     nr_enabled_disabled_dh)
+
 PHP_INI_END() /* } */
 
 void nr_php_register_ini_entries(int module_number TSRMLS_DC) {

agent/scripts/newrelic.ini.template

@@ -1332,3 +1332,12 @@ newrelic.daemon.logfile = "/var/log/newrelic/newrelic-daemon.log"
 ;          for vulnerability management.
 ;
 ;newrelic.vulnerability_management.package_detection.enabled = true
+
+; Setting: newrelic.vulnerability_management.composer_detection.enabled
+; Type   : boolean
+; Scope  : per-directory
+; Default: false
+; Info   : Toggles whether the agent should try using Composer's runtime API
+;          to gather package detection information for vulnerability management.
+;
+;newrelic.vulnerability_management.composer_detection.enabled = false

tests/integration/autoloader/test_autoloader_with_composer_disabled.php

@@ -0,0 +1,28 @@
+<?php
+/*
+ * Copyright 2020 New Relic Corporation. All rights reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*DESCRIPTION
+Test detection of autoloader when Composer is used and use of composer for
+package detection is disabled (default). Supportability metrics for
+Autoloader and Composer libraries metrics must not be present. Additionally,
+package supportability metrics and package harvest must not be present.
+*/
+
+/*INI
+*/
+
+/*EXPECT_PHP_PACKAGES null*/
+
+/*EXPECT_METRICS_DONT_EXIST
+Supportability/library/Autoloader/detected
+Supportability/library/Composer/detected
+Supportability/PHP/package/vendor1/package1/1/detected
+Supportability/PHP/package/vendor2/package2/2/detected
+*/
+
+/*EXPECT_TRACED_ERRORS null*/
+
+require 'autoload-with-composer/vendor/autoload.php';

tests/integration/autoloader/test_autoloader_with_composer.php renamed to tests/integration/autoloader/test_autoloader_with_composer_enabled.php

@@ -7,10 +7,12 @@
 /*DESCRIPTION
 Test detection of autoloader when Composer is used. Supportability metrics for
 Autoloader and Composer libraries should be present. Additionally, package
-supportability metrics should be present for each package detected.
+supportability metrics should be present for each package detected. Package
+harvest should contain all packages reported by composer.
 */
 
 /*INI
+newrelic.vulnerability_management.composer_detection.enabled=true
 */
 
 /*EXPECT_PHP_PACKAGES