fix: package info from composer wins [WIP]

Ensure that package information obtained from composer has higher precedence
over package information obtained from the package itself (legacy method).

[WIP] - unit tests updates pending...

Author: lavarou

agent/lib_composer.c

@@ -231,8 +231,8 @@ static void nr_execute_handle_autoload_composer_get_packages_information(
                          NRSAFESTR(ZSTR_VAL(package_name)),
                          NRSAFESTR(Z_STRVAL_P(package_version)));
         if (NRINI(vulnerability_management_package_detection_enabled)) {
-          nr_txn_add_php_package(NRPRG(txn), NRSAFESTR(ZSTR_VAL(package_name)),
-                                NRSAFESTR(Z_STRVAL_P(package_version)));
+          nr_txn_add_php_package_from_source(NRPRG(txn), NRSAFESTR(ZSTR_VAL(package_name)),
+                                NRSAFESTR(Z_STRVAL_P(package_version)), NR_PHP_PACKAGE_SOURCE_COMPOSER);
         }
         nr_fw_support_add_package_supportability_metric(
             NRPRG(txn), NRSAFESTR(ZSTR_VAL(package_name)),

axiom/nr_php_packages.c

@@ -23,7 +23,18 @@ typedef struct {
   bool package_added;
 } nr_php_package_json_builder_t;
 
-nr_php_package_t* nr_php_package_create(char* name, char* version) {
+static inline const char* nr_php_package_source_priority_to_string(const nr_php_package_source_priority_t source_priority) {
+  switch (source_priority) {
+    case NR_PHP_PACKAGE_SOURCE_LEGACY:
+      return "legacy";
+    case NR_PHP_PACKAGE_SOURCE_COMPOSER:
+      return "composer";
+    default:
+      return "unknown";
+  }
+}
+
+nr_php_package_t* nr_php_package_create_with_source(char* name, char* version, const nr_php_package_source_priority_t source_priority) {
   nr_php_package_t* p = NULL;
 
   if (NULL == name) {
@@ -43,12 +54,17 @@ nr_php_package_t* nr_php_package_create(char* name, char* version) {
         PHP_PACKAGE_VERSION_UNKNOWN);  // if null, version is set to an empty
                                        // string with a space according to spec
   }
+  p->source_priority = source_priority;
 
-  nrl_verbosedebug(NRL_INSTRUMENT, "Creating PHP Package '%s', version '%s'",
-                   p->package_name, p->package_version);
+  nrl_verbosedebug(NRL_INSTRUMENT, "Creating PHP Package '%s', version '%s', source %s",
+                   p->package_name, p->package_version, nr_php_package_source_priority_to_string(source_priority));
   return p;
 }
 
+nr_php_package_t* nr_php_package_create(char* name, char* version) {
+  return nr_php_package_create_with_source(name, version, NR_PHP_PACKAGE_SOURCE_LEGACY);
+}
+
 void nr_php_package_destroy(nr_php_package_t* p) {
   if (NULL != p) {
     nr_free(p->package_name);
@@ -87,7 +103,7 @@ void nr_php_packages_add_package(nr_php_packages_t* h, nr_php_package_t* p) {
   package = (nr_php_package_t*)nr_hashmap_get(h->data, p->package_name,
                                               nr_strlen(p->package_name));
   if (NULL != package) {
-    if (0 != nr_strcmp(package->package_version, p->package_version)) {
+    if (package->source_priority <= p->source_priority && 0 != nr_strcmp(package->package_version, p->package_version)) {
       nr_free(package->package_version);
       package->package_version = nr_strdup(p->package_version);
     }

axiom/nr_php_packages.h

@@ -13,17 +13,39 @@
 
 #define PHP_PACKAGE_VERSION_UNKNOWN " "
 
+typedef enum {
+  NR_PHP_PACKAGE_SOURCE_LEGACY,
+  NR_PHP_PACKAGE_SOURCE_COMPOSER
+} nr_php_package_source_priority_t;
+
 typedef struct _nr_php_package_t {
   char* package_name;
   char* package_version;
+  nr_php_package_source_priority_t source_priority;
 } nr_php_package_t;
 
 typedef struct _nr_php_packages_t {
   nr_hashmap_t* data;
 } nr_php_packages_t;
 
 /*
- * Purpose : Create a new php package. If the name is null, then no package will
+ * Purpose : Create a new php package with desired source priority. If the name is null, then no package will
+ *           be created. If the version is null (version = NULL), then
+ *           the package will still be created and the version will be set to an
+ *           empty string with a space.
+ *
+ * Params  : 1. Package name
+ *           2. Package version
+ *           3. Package source priority (legacy or composer)
+ *
+ * Returns : A php package that has a name and version. If
+ *           nr_php_packages_add_package() is not called, then it must be freed
+ *           by nr_php_package_destroy()
+ */
+extern nr_php_package_t* nr_php_package_create_with_source(char* name, char* version, const nr_php_package_source_priority_t source_priority);
+
+/*
+ * Purpose : Create a new php package with legacy source priority. If the name is null, then no package will
  *           be created. If the version is null (version = NULL), then
  *           the package will still be created and the version will be set to an
  *           empty string with a space.

axiom/nr_txn.c

@@ -3494,9 +3494,10 @@ void nr_txn_record_log_event(nrtxn_t* txn,
   nr_txn_add_logging_metrics(txn, log_level_name);
 }
 
-void nr_txn_add_php_package(nrtxn_t* txn,
+void nr_txn_add_php_package_from_source(nrtxn_t* txn,
                             char* package_name,
-                            char* package_version) {
+                            char* package_version,
+                            const nr_php_package_source_priority_t source) {
   nr_php_package_t* p = NULL;
 
   if (nrunlikely(NULL == txn)) {
@@ -3507,6 +3508,13 @@ void nr_txn_add_php_package(nrtxn_t* txn,
     return;
   }
 
-  p = nr_php_package_create(package_name, package_version);
+  p = nr_php_package_create_with_source(package_name, package_version, source);
   nr_php_packages_add_package(txn->php_packages, p);
 }
+
+void nr_txn_add_php_package(nrtxn_t* txn,
+                            char* package_name,
+                            char* package_version) {
+  nr_txn_add_php_package_from_source(txn, package_name, package_version,
+                                     NR_PHP_PACKAGE_SOURCE_LEGACY);
+}

axiom/nr_txn.h

@@ -1170,7 +1170,22 @@ static inline nr_segment_t* nr_txn_allocate_segment(nrtxn_t* txn) {
 }
 
 /*
- * Purpose : Add php packages to transaction. This function should only be
+ * Purpose : Add php package to transaction from desired source. This function should only be
+ *           called when Vulnerability Management is enabled.
+ *
+ * Params  : 1. The transaction
+ *           2. Package name
+ *           3. Package version
+ *           4. Source priority
+ *
+ */
+void nr_txn_add_php_package_from_source(nrtxn_t* txn,
+                            char* package_name,
+                            char* package_version,
+                            const nr_php_package_source_priority_t source);
+
+/*
+ * Purpose : Add php package to transaction from legacy source. This function should only be
  *           called when Vulnerability Management is enabled.
  *
  * Params  : 1. The transaction