feat: filter out root package

lavarou · lavarou · commit ee79ae39b36e · 2024-09-16T22:56:21.000-04:00
Neither `composer show` returns, nor users of vulnerability management are
interested in the root package of the application - it is an arbitrary name
most likely unknown to any CVE database. Therefore the agent should not
report it.
diff --git a/agent/lib_composer.c b/agent/lib_composer.c
@@ -30,7 +30,8 @@ static bool nr_execute_handle_autoload_composer_is_initialized() {
     return false;
   }
 #else
-  if (NULL == nr_php_find_class_method(zce, "getallrawdata")) {
+  if (NULL == nr_php_find_class_method(zce, "getallrawdata")
+      || NULL == nr_php_find_class_method(zce, "getrootpackage")) {
     nrl_verbosedebug(
         NRL_INSTRUMENT,
         "Composer\\InstalledVersions class found, but methods not found");
@@ -135,9 +136,13 @@ static void nr_execute_handle_autoload_composer_get_packages_information(
         = ""
         "(function() {"
         "  try {"
+        "    $root_package = \\Composer\\InstalledVersions::getRootPackage();"
         "    $packages = array();"
         "    foreach (\\Composer\\InstalledVersions::getAllRawData() as $installed) { "
         "      foreach ($installed['versions'] as $packageName => $packageData) {"
+        "        if ($packageName == @$root_package['name']) {"
+        "          continue;"
+        "        }"
         "        if (isset($packageData['pretty_version'])) {"
         "          $packages[$packageName] = ltrim($packageData['pretty_version'], 'v');"
         "        }"
diff --git a/tests/integration/autoloader/autoload-with-composer/vendor/composer/InstalledVersions.php b/tests/integration/autoloader/autoload-with-composer/vendor/composer/InstalledVersions.php
@@ -35,6 +35,14 @@ public static function getAllRawData()
         return array($installed);
     }
 
+    // This Composer's runtime API method is used by the agent to get the root package:
+    public static function getRootPackage()
+    {
+        $installed = require __DIR__ . '/installed.php';
+        // This mock only returns a single dataset; in real life, there could be more
+        return $installed[0]['root'];
+    }
+
     // Mock of 'composer show' used by integration tests to generate list of packages:
     public static function show() {
         $installed = self::getAllRawData();
