1use std::collections::HashMap;
20use std::fs::File;
21use std::io::Read;
22use std::path::Path;
23
24use crate::parser_warn as warn;
25use packageurl::PackageUrl;
26use serde_json::Value;
27
28use crate::models::{
29 DatasourceId, Dependency, LicenseDetection, PackageData, PackageType, Party, ResolvedPackage,
30 Sha1Digest, Sha256Digest, Sha512Digest,
31};
32
33use super::PackageParser;
34use super::license_normalization::{
35 DeclaredLicenseMatchMetadata, build_declared_license_data_from_pair,
36 normalize_spdx_declared_license,
37};
38
39const FIELD_NAME: &str = "name";
40const FIELD_VERSION: &str = "version";
41const FIELD_DESCRIPTION: &str = "description";
42const FIELD_HOMEPAGE: &str = "homepage";
43const FIELD_TYPE: &str = "type";
44const FIELD_LICENSE: &str = "license";
45const FIELD_AUTHORS: &str = "authors";
46const FIELD_KEYWORDS: &str = "keywords";
47const FIELD_REQUIRE: &str = "require";
48const FIELD_REQUIRE_DEV: &str = "require-dev";
49const FIELD_PROVIDE: &str = "provide";
50const FIELD_CONFLICT: &str = "conflict";
51const FIELD_REPLACE: &str = "replace";
52const FIELD_SUGGEST: &str = "suggest";
53const FIELD_SUPPORT: &str = "support";
54const FIELD_AUTOLOAD: &str = "autoload";
55const FIELD_PSR4: &str = "psr-4";
56const FIELD_REPOSITORIES: &str = "repositories";
57
58const FIELD_PACKAGES: &str = "packages";
59const FIELD_PACKAGES_DEV: &str = "packages-dev";
60const FIELD_SOURCE: &str = "source";
61const FIELD_DIST: &str = "dist";
62
63pub struct ComposerJsonParser;
65
66impl PackageParser for ComposerJsonParser {
67 const PACKAGE_TYPE: PackageType = PackageType::Composer;
68
69 fn extract_packages(path: &Path) -> Vec<PackageData> {
70 let json_content = match read_json_file(path) {
71 Ok(content) => content,
72 Err(e) => {
73 warn!("Failed to read composer.json at {:?}: {}", path, e);
74 return vec![default_package_data(Some(DatasourceId::PhpComposerJson))];
75 }
76 };
77
78 let full_name = json_content
79 .get(FIELD_NAME)
80 .and_then(|value| value.as_str())
81 .map(|value| value.trim())
82 .filter(|value| !value.is_empty());
83
84 let (namespace, name) = split_optional_namespace_name(full_name);
85 let is_private = name.is_none();
86
87 let version = json_content
88 .get(FIELD_VERSION)
89 .and_then(|value| value.as_str())
90 .map(|value| value.trim().to_string());
91
92 let description = json_content
93 .get(FIELD_DESCRIPTION)
94 .and_then(|value| value.as_str())
95 .map(|value| value.trim().to_string())
96 .filter(|value| !value.is_empty());
97
98 let homepage_url = json_content
99 .get(FIELD_HOMEPAGE)
100 .and_then(|value| value.as_str())
101 .map(|value| value.trim().to_string())
102 .filter(|value| !value.is_empty());
103
104 let keywords = extract_keywords(&json_content);
105
106 let (
107 extracted_license_statement,
108 declared_license_expression,
109 declared_license_expression_spdx,
110 license_detections,
111 ) = extract_license_data(&json_content, is_private);
112
113 let dependencies =
114 extract_dependencies(&json_content, FIELD_REQUIRE, "require", true, false);
115 let dev_dependencies =
116 extract_dependencies(&json_content, FIELD_REQUIRE_DEV, "require-dev", false, true);
117 let provide_dependencies =
118 extract_dependencies(&json_content, FIELD_PROVIDE, "provide", true, false);
119 let conflict_dependencies =
120 extract_dependencies(&json_content, FIELD_CONFLICT, "conflict", true, true);
121 let replace_dependencies =
122 extract_dependencies(&json_content, FIELD_REPLACE, "replace", true, true);
123 let suggest_dependencies =
124 extract_dependencies(&json_content, FIELD_SUGGEST, "suggest", true, true);
125
126 let (bug_tracking_url, code_view_url) = extract_support(&json_content);
127 let vcs_url = extract_source_vcs_url(&json_content);
128 let download_url = extract_dist_download_url(&json_content);
129 let extra_data = build_extra_data(&json_content);
130 let parties = extract_parties(&json_content, &namespace);
131
132 vec![PackageData {
133 package_type: Some(Self::PACKAGE_TYPE),
134 namespace: namespace.clone(),
135 name: name.clone(),
136 version: version.clone(),
137 qualifiers: None,
138 subpath: None,
139 primary_language: Some("PHP".to_string()),
140 description,
141 release_date: None,
142 parties,
143 keywords,
144 homepage_url,
145 download_url,
146 size: None,
147 sha1: None,
148 md5: None,
149 sha256: None,
150 sha512: None,
151 bug_tracking_url,
152 code_view_url,
153 vcs_url,
154 copyright: None,
155 holder: None,
156 declared_license_expression,
157 declared_license_expression_spdx,
158 license_detections,
159 other_license_expression: None,
160 other_license_expression_spdx: None,
161 other_license_detections: Vec::new(),
162 extracted_license_statement,
163 notice_text: None,
164 source_packages: Vec::new(),
165 file_references: Vec::new(),
166 is_private,
167 is_virtual: false,
168 extra_data,
169 dependencies: [
170 dependencies,
171 dev_dependencies,
172 provide_dependencies,
173 conflict_dependencies,
174 replace_dependencies,
175 suggest_dependencies,
176 ]
177 .concat(),
178 repository_homepage_url: build_repository_homepage_url(&namespace, &name),
179 repository_download_url: None,
180 api_data_url: build_api_data_url(&namespace, &name),
181 datasource_id: Some(DatasourceId::PhpComposerJson),
182 purl: build_package_purl(&namespace, &name, &version),
183 }]
184 }
185
186 fn is_match(path: &Path) -> bool {
187 path.file_name()
188 .and_then(|name| name.to_str())
189 .is_some_and(is_composer_manifest_filename)
190 }
191}
192
193pub struct ComposerLockParser;
195
196impl PackageParser for ComposerLockParser {
197 const PACKAGE_TYPE: PackageType = PackageType::Composer;
198
199 fn extract_packages(path: &Path) -> Vec<PackageData> {
200 let json_content = match read_json_file(path) {
201 Ok(content) => content,
202 Err(e) => {
203 warn!("Failed to read composer.lock at {:?}: {}", path, e);
204 return vec![default_package_data(Some(DatasourceId::PhpComposerLock))];
205 }
206 };
207
208 let dependencies = extract_lock_dependencies(&json_content);
209
210 let mut package_data = default_package_data(Some(DatasourceId::PhpComposerLock));
211 package_data.dependencies = dependencies;
212 vec![package_data]
213 }
214
215 fn is_match(path: &Path) -> bool {
216 path.file_name()
217 .and_then(|name| name.to_str())
218 .is_some_and(is_composer_lock_filename)
219 }
220}
221
222fn is_composer_manifest_filename(name: &str) -> bool {
223 name == "composer.json"
224 || name.ends_with(".composer.json")
225 || (name.starts_with("composer.") && name.ends_with(".json"))
226}
227
228fn is_composer_lock_filename(name: &str) -> bool {
229 name == "composer.lock"
230 || name.ends_with(".composer.lock")
231 || (name.starts_with("composer.") && name.ends_with(".lock"))
232}
233
234fn read_json_file(path: &Path) -> Result<Value, String> {
235 let mut file = File::open(path).map_err(|e| format!("Failed to open file: {}", e))?;
236 let mut content = String::new();
237 file.read_to_string(&mut content)
238 .map_err(|e| format!("Failed to read file: {}", e))?;
239 serde_json::from_str(&content).map_err(|e| format!("Failed to parse JSON: {}", e))
240}
241
242fn extract_dependencies(
243 json_content: &Value,
244 field: &str,
245 scope: &str,
246 is_runtime: bool,
247 is_optional: bool,
248) -> Vec<Dependency> {
249 json_content
250 .get(field)
251 .and_then(|value| value.as_object())
252 .map_or_else(Vec::new, |deps| {
253 deps.iter()
254 .filter_map(|(name, requirement)| {
255 let requirement_str = requirement.as_str()?;
256 let (namespace, package_name) = split_namespace_name(name);
257 let is_pinned = is_composer_version_pinned(requirement_str);
258 let version_for_purl = if is_pinned {
259 Some(normalize_requirement_version(requirement_str))
260 } else {
261 None
262 };
263
264 let purl = build_dependency_purl(
265 namespace.as_deref(),
266 &package_name,
267 version_for_purl.as_deref(),
268 );
269
270 Some(Dependency {
271 purl,
272 extracted_requirement: Some(requirement_str.to_string()),
273 scope: Some(scope.to_string()),
274 is_runtime: Some(is_runtime),
275 is_optional: Some(is_optional),
276 is_pinned: Some(is_pinned),
277 is_direct: Some(true),
278 resolved_package: None,
279 extra_data: None,
280 })
281 })
282 .collect()
283 })
284}
285
286fn extract_lock_dependencies(json_content: &Value) -> Vec<Dependency> {
287 let mut dependencies = Vec::new();
288
289 let packages = json_content
290 .get(FIELD_PACKAGES)
291 .and_then(|value| value.as_array())
292 .map(|packages| packages.as_slice())
293 .unwrap_or(&[]);
294 let packages_dev = json_content
295 .get(FIELD_PACKAGES_DEV)
296 .and_then(|value| value.as_array())
297 .map(|packages| packages.as_slice())
298 .unwrap_or(&[]);
299
300 dependencies.reserve(packages.len() + packages_dev.len());
301 dependencies.extend(extract_lock_package_list(packages, "require", true, false));
302 dependencies.extend(extract_lock_package_list(
303 packages_dev,
304 "require-dev",
305 false,
306 true,
307 ));
308
309 dependencies
310}
311
312fn extract_lock_package_list(
313 packages: &[Value],
314 scope: &str,
315 is_runtime: bool,
316 is_optional: bool,
317) -> Vec<Dependency> {
318 let mut dependencies = Vec::new();
319
320 for package in packages {
321 if let Some(dependency) = build_lock_dependency(package, scope, is_runtime, is_optional) {
322 dependencies.push(dependency);
323 }
324
325 dependencies.extend(extract_lock_package_relationships(package));
326 }
327
328 dependencies
329}
330
331fn extract_lock_package_relationships(package: &Value) -> Vec<Dependency> {
332 [
333 extract_dependencies(package, FIELD_REQUIRE, "require", true, false),
334 extract_dependencies(package, FIELD_REQUIRE_DEV, "require-dev", false, true),
335 extract_dependencies(package, FIELD_PROVIDE, "provide", true, false),
336 extract_dependencies(package, FIELD_CONFLICT, "conflict", true, true),
337 extract_dependencies(package, FIELD_REPLACE, "replace", true, true),
338 extract_dependencies(package, FIELD_SUGGEST, "suggest", true, true),
339 ]
340 .concat()
341}
342
343fn build_lock_dependency(
344 package: &Value,
345 scope: &str,
346 is_runtime: bool,
347 is_optional: bool,
348) -> Option<Dependency> {
349 let name = package.get(FIELD_NAME).and_then(|value| value.as_str())?;
350 let version = package
351 .get(FIELD_VERSION)
352 .and_then(|value| value.as_str())?;
353 let package_type = package.get(FIELD_TYPE).and_then(|value| value.as_str());
354
355 let (namespace, package_name) = split_namespace_name(name);
356 let purl = build_dependency_purl(namespace.as_deref(), &package_name, Some(version));
357
358 let source = package
359 .get(FIELD_SOURCE)
360 .and_then(|value| value.as_object());
361 let dist = package.get(FIELD_DIST).and_then(|value| value.as_object());
362
363 let (sha1, sha256, sha512, dist_shasum) = extract_dist_hashes(dist);
364 let dist_url = dist
365 .and_then(|map| map.get("url"))
366 .and_then(|value| value.as_str())
367 .map(|value| value.to_string());
368
369 let mut extra_data = HashMap::new();
370
371 if let Some(package_type) = package_type {
372 extra_data.insert("type".to_string(), Value::String(package_type.to_string()));
373 }
374
375 if let Some(source_map) = source {
376 if let Some(source_reference) = source_map.get("reference").and_then(|value| value.as_str())
377 {
378 extra_data.insert(
379 "source_reference".to_string(),
380 Value::String(source_reference.to_string()),
381 );
382 }
383
384 if let Some(source_url) = source_map.get("url").and_then(|value| value.as_str()) {
385 extra_data.insert(
386 "source_url".to_string(),
387 Value::String(source_url.to_string()),
388 );
389 }
390
391 if let Some(source_type) = source_map.get("type").and_then(|value| value.as_str()) {
392 extra_data.insert(
393 "source_type".to_string(),
394 Value::String(source_type.to_string()),
395 );
396 }
397 }
398
399 if let Some(dist_map) = dist {
400 if let Some(dist_reference) = dist_map.get("reference").and_then(|value| value.as_str()) {
401 extra_data.insert(
402 "dist_reference".to_string(),
403 Value::String(dist_reference.to_string()),
404 );
405 }
406
407 if let Some(dist_url) = dist_map.get("url").and_then(|value| value.as_str()) {
408 extra_data.insert("dist_url".to_string(), Value::String(dist_url.to_string()));
409 }
410
411 if let Some(dist_type) = dist_map.get("type").and_then(|value| value.as_str()) {
412 extra_data.insert(
413 "dist_type".to_string(),
414 Value::String(dist_type.to_string()),
415 );
416 }
417 }
418
419 if let Some(shasum) = dist_shasum {
420 extra_data.insert("dist_shasum".to_string(), Value::String(shasum));
421 }
422
423 let extra_data = if extra_data.is_empty() {
424 None
425 } else {
426 Some(extra_data)
427 };
428
429 let resolved_package = ResolvedPackage {
430 primary_language: Some("PHP".to_string()),
431 download_url: dist_url,
432 sha1: sha1.and_then(|h| Sha1Digest::from_hex(&h).ok()),
433 sha256: sha256.and_then(|h| Sha256Digest::from_hex(&h).ok()),
434 sha512: sha512.and_then(|h| Sha512Digest::from_hex(&h).ok()),
435 md5: None,
436 is_virtual: true,
437 extra_data: None,
438 dependencies: Vec::new(),
439 repository_homepage_url: None,
440 repository_download_url: None,
441 api_data_url: None,
442 datasource_id: Some(DatasourceId::PhpComposerLock),
443 purl: None,
444 ..ResolvedPackage::new(
445 ComposerLockParser::PACKAGE_TYPE,
446 namespace.clone().unwrap_or_default(),
447 package_name.clone(),
448 version.to_string(),
449 )
450 };
451
452 Some(Dependency {
453 purl,
454 extracted_requirement: None,
455 scope: Some(scope.to_string()),
456 is_runtime: Some(is_runtime),
457 is_optional: Some(is_optional),
458 is_pinned: Some(true),
459 is_direct: Some(true),
460 resolved_package: Some(Box::new(resolved_package)),
461 extra_data,
462 })
463}
464
465fn extract_dist_hashes(
466 dist: Option<&serde_json::Map<String, Value>>,
467) -> (
468 Option<String>,
469 Option<String>,
470 Option<String>,
471 Option<String>,
472) {
473 let mut sha1 = None;
474 let mut sha256 = None;
475 let mut sha512 = None;
476 let mut raw_shasum = None;
477
478 if let Some(dist) = dist {
479 if let Some(shasum) = dist.get("shasum").and_then(|value| value.as_str()) {
480 let trimmed = shasum.trim();
481 if !trimmed.is_empty() {
482 raw_shasum = Some(trimmed.to_string());
483 let (parsed_sha1, parsed_sha256, parsed_sha512) = parse_hash_value(trimmed);
484 sha1 = parsed_sha1;
485 sha256 = parsed_sha256;
486 sha512 = parsed_sha512;
487 }
488 }
489
490 if let Some(value) = dist.get("sha1").and_then(|value| value.as_str())
491 && is_hex_hash(value)
492 {
493 sha1 = Some(value.to_string());
494 }
495 if let Some(value) = dist.get("sha256").and_then(|value| value.as_str())
496 && is_hex_hash(value)
497 {
498 sha256 = Some(value.to_string());
499 }
500 if let Some(value) = dist.get("sha512").and_then(|value| value.as_str())
501 && is_hex_hash(value)
502 {
503 sha512 = Some(value.to_string());
504 }
505 }
506
507 (sha1, sha256, sha512, raw_shasum)
508}
509
510fn parse_hash_value(hash: &str) -> (Option<String>, Option<String>, Option<String>) {
511 let trimmed = hash.trim();
512 if trimmed.is_empty() || !is_hex_hash(trimmed) {
513 return (None, None, None);
514 }
515
516 match trimmed.len() {
517 40 => (Some(trimmed.to_string()), None, None),
518 64 => (None, Some(trimmed.to_string()), None),
519 128 => (None, None, Some(trimmed.to_string())),
520 _ => (None, None, None),
521 }
522}
523
524fn is_hex_hash(value: &str) -> bool {
525 value.chars().all(|c| c.is_ascii_hexdigit())
526}
527
528fn extract_license_statement(json_content: &Value) -> Option<String> {
529 let mut licenses = Vec::new();
530
531 if let Some(license_value) = json_content.get(FIELD_LICENSE) {
532 match license_value {
533 Value::String(value) => {
534 let trimmed = value.trim();
535 if !trimmed.is_empty() {
536 licenses.push(trimmed.to_string());
537 }
538 }
539 Value::Array(values) => {
540 for value in values {
541 if let Some(license_str) = value.as_str() {
542 let trimmed = license_str.trim();
543 if !trimmed.is_empty() {
544 licenses.push(trimmed.to_string());
545 }
546 }
547 }
548 }
549 _ => {}
550 }
551 }
552
553 if licenses.is_empty() {
554 return None;
555 }
556
557 if licenses.len() == 1 {
558 Some(licenses[0].clone())
559 } else {
560 Some(licenses.join(" OR "))
561 }
562}
563
564fn extract_license_data(
565 json_content: &Value,
566 is_private: bool,
567) -> (
568 Option<String>,
569 Option<String>,
570 Option<String>,
571 Vec<LicenseDetection>,
572) {
573 let extracted_license_statement = extract_license_statement(json_content)
574 .or_else(|| is_private.then(|| "proprietary-license".to_string()));
575 let (declared_license_expression, declared_license_expression_spdx, license_detections) =
576 normalize_composer_license_data(extracted_license_statement.as_deref());
577
578 (
579 extracted_license_statement,
580 declared_license_expression,
581 declared_license_expression_spdx,
582 license_detections,
583 )
584}
585
586fn normalize_composer_license_data(
587 extracted_license_statement: Option<&str>,
588) -> (Option<String>, Option<String>, Vec<LicenseDetection>) {
589 let Some(extracted_license_statement) = extracted_license_statement
590 .map(str::trim)
591 .filter(|value| !value.is_empty())
592 else {
593 return super::license_normalization::empty_declared_license_data();
594 };
595
596 if extracted_license_statement.eq_ignore_ascii_case("proprietary") {
597 return build_declared_license_data_from_pair(
598 "proprietary-license",
599 "LicenseRef-scancode-proprietary-license",
600 DeclaredLicenseMatchMetadata::single_line(extracted_license_statement),
601 );
602 }
603
604 if extracted_license_statement.eq_ignore_ascii_case("proprietary-license") {
605 return build_declared_license_data_from_pair(
606 "proprietary-license",
607 "LicenseRef-scancode-proprietary-license",
608 DeclaredLicenseMatchMetadata::single_line(extracted_license_statement),
609 );
610 }
611
612 normalize_spdx_declared_license(Some(extracted_license_statement))
613}
614
615fn extract_keywords(json_content: &Value) -> Vec<String> {
616 json_content
617 .get(FIELD_KEYWORDS)
618 .and_then(|value| value.as_array())
619 .map(|values| {
620 values
621 .iter()
622 .filter_map(|value| value.as_str().map(|value| value.to_string()))
623 .collect()
624 })
625 .unwrap_or_default()
626}
627
628fn extract_parties(json_content: &Value, namespace: &Option<String>) -> Vec<Party> {
629 let mut parties = Vec::new();
630
631 if let Some(authors) = json_content
632 .get(FIELD_AUTHORS)
633 .and_then(|value| value.as_array())
634 {
635 for author in authors {
636 if let Some(author) = author.as_object() {
637 let name = author
638 .get("name")
639 .and_then(|value| value.as_str())
640 .map(|value| value.to_string());
641 let role = author
642 .get("role")
643 .and_then(|value| value.as_str())
644 .map(|value| value.to_string())
645 .or(Some("author".to_string()));
646 let email = author
647 .get("email")
648 .and_then(|value| value.as_str())
649 .map(|value| value.to_string());
650 let url = author
651 .get("homepage")
652 .and_then(|value| value.as_str())
653 .map(|value| value.to_string());
654
655 if name.is_some() || email.is_some() || url.is_some() {
656 parties.push(Party {
657 r#type: Some("person".to_string()),
658 role,
659 name,
660 email,
661 url,
662 organization: None,
663 organization_url: None,
664 timezone: None,
665 });
666 }
667 }
668 }
669 }
670
671 if let Some(vendor) = namespace
672 .as_ref()
673 .map(|value| value.trim())
674 .filter(|value| !value.is_empty())
675 {
676 parties.push(Party {
677 r#type: Some("person".to_string()),
678 role: Some("vendor".to_string()),
679 name: Some(vendor.to_string()),
680 email: None,
681 url: None,
682 organization: None,
683 organization_url: None,
684 timezone: None,
685 });
686 }
687
688 parties
689}
690
691fn extract_support(json_content: &Value) -> (Option<String>, Option<String>) {
692 let support = json_content.get(FIELD_SUPPORT).and_then(|v| v.as_object());
693
694 if let Some(support_obj) = support {
695 let bug_tracking_url = support_obj
696 .get("issues")
697 .and_then(|v| v.as_str())
698 .map(|s| s.to_string());
699
700 let code_view_url = support_obj
701 .get("source")
702 .and_then(|v| v.as_str())
703 .map(|s| s.to_string());
704
705 (bug_tracking_url, code_view_url)
706 } else {
707 (None, None)
708 }
709}
710
711fn build_extra_data(json_content: &Value) -> Option<HashMap<String, Value>> {
712 let mut extra_data = HashMap::new();
713
714 if let Some(package_type) = json_content
715 .get(FIELD_TYPE)
716 .and_then(|value| value.as_str())
717 {
718 extra_data.insert("type".to_string(), Value::String(package_type.to_string()));
719 }
720
721 if let Some(autoload) = json_content
722 .get(FIELD_AUTOLOAD)
723 .and_then(|value| value.as_object())
724 && let Some(psr4) = autoload.get(FIELD_PSR4)
725 {
726 extra_data.insert("autoload_psr4".to_string(), psr4.clone());
727 }
728
729 if let Some(repositories) = json_content.get(FIELD_REPOSITORIES) {
730 extra_data.insert("repositories".to_string(), repositories.clone());
731 }
732
733 if extra_data.is_empty() {
734 None
735 } else {
736 Some(extra_data)
737 }
738}
739
740fn extract_source_vcs_url(json_content: &Value) -> Option<String> {
741 let source = json_content.get(FIELD_SOURCE)?.as_object()?;
742 let source_type = source.get("type")?.as_str()?.trim();
743 let source_url = source.get("url")?.as_str()?.trim();
744 let source_reference = source
745 .get("reference")
746 .and_then(|value| value.as_str())
747 .map(str::trim)
748 .filter(|value| !value.is_empty());
749
750 if source_type.is_empty() || source_url.is_empty() {
751 return None;
752 }
753
754 Some(match source_reference {
755 Some(reference) => format!("{}+{}@{}", source_type, source_url, reference),
756 None => format!("{}+{}", source_type, source_url),
757 })
758}
759
760fn extract_dist_download_url(json_content: &Value) -> Option<String> {
761 json_content
762 .get(FIELD_DIST)
763 .and_then(|value| value.as_object())
764 .and_then(|dist| dist.get("url"))
765 .and_then(|value| value.as_str())
766 .map(|value| value.trim().to_string())
767 .filter(|value| !value.is_empty())
768}
769
770fn build_repository_homepage_url(
771 namespace: &Option<String>,
772 name: &Option<String>,
773) -> Option<String> {
774 match (
775 namespace.as_ref().filter(|value| !value.is_empty()),
776 name.as_ref(),
777 ) {
778 (Some(ns), Some(name)) => Some(format!("https://packagist.org/packages/{}/{}", ns, name)),
779 (None, Some(name)) => Some(format!("https://packagist.org/packages/{}", name)),
780 _ => None,
781 }
782}
783
784fn build_api_data_url(namespace: &Option<String>, name: &Option<String>) -> Option<String> {
785 match (namespace.as_ref(), name.as_ref()) {
786 (Some(ns), Some(name)) if !ns.is_empty() => Some(format!(
787 "https://packagist.org/p/packages/{}/{}.json",
788 ns, name
789 )),
790 (None, Some(name)) => Some(format!("https://packagist.org/p/packages/{}.json", name)),
791 (Some(_), Some(name)) => Some(format!("https://packagist.org/p/packages/{}.json", name)),
792 _ => None,
793 }
794}
795
796fn build_package_purl(
797 namespace: &Option<String>,
798 name: &Option<String>,
799 version: &Option<String>,
800) -> Option<String> {
801 let name = name.as_ref()?;
802 let mut package_url = match PackageUrl::new(ComposerJsonParser::PACKAGE_TYPE.as_str(), name) {
803 Ok(purl) => purl,
804 Err(e) => {
805 warn!(
806 "Failed to create PackageUrl for composer package '{}': {}",
807 name, e
808 );
809 return None;
810 }
811 };
812
813 if let Some(namespace) = namespace.as_ref().filter(|value| !value.is_empty())
814 && let Err(e) = package_url.with_namespace(namespace)
815 {
816 warn!(
817 "Failed to set namespace '{}' for composer package '{}': {}",
818 namespace, name, e
819 );
820 return None;
821 }
822
823 if let Some(version) = version.as_ref()
824 && let Err(e) = package_url.with_version(version)
825 {
826 warn!(
827 "Failed to set version '{}' for composer package '{}': {}",
828 version, name, e
829 );
830 return None;
831 }
832
833 Some(package_url.to_string())
834}
835
836fn build_dependency_purl(
837 namespace: Option<&str>,
838 name: &str,
839 version: Option<&str>,
840) -> Option<String> {
841 let mut package_url = match PackageUrl::new(ComposerJsonParser::PACKAGE_TYPE.as_str(), name) {
842 Ok(purl) => purl,
843 Err(e) => {
844 warn!(
845 "Failed to create PackageUrl for composer package '{}': {}",
846 name, e
847 );
848 return None;
849 }
850 };
851
852 if let Some(namespace) = namespace.filter(|value| !value.is_empty())
853 && let Err(e) = package_url.with_namespace(namespace)
854 {
855 warn!(
856 "Failed to set namespace '{}' for composer package '{}': {}",
857 namespace, name, e
858 );
859 return None;
860 }
861
862 if let Some(version) = version
863 && let Err(e) = package_url.with_version(version)
864 {
865 warn!(
866 "Failed to set version '{}' for composer package '{}': {}",
867 version, name, e
868 );
869 return None;
870 }
871
872 Some(package_url.to_string())
873}
874
875fn split_optional_namespace_name(full_name: Option<&str>) -> (Option<String>, Option<String>) {
876 match full_name {
877 Some(full_name) => {
878 let (namespace, name) = split_namespace_name(full_name);
879 (namespace, Some(name))
880 }
881 None => (None, None),
882 }
883}
884
885fn split_namespace_name(full_name: &str) -> (Option<String>, String) {
886 let mut iter = full_name.splitn(2, '/');
887 let first = iter.next().unwrap_or("");
888 let second = iter.next();
889
890 if let Some(name) = second {
891 (Some(first.to_string()), name.to_string())
892 } else {
893 (None, first.to_string())
894 }
895}
896
897fn normalize_requirement_version(requirement: &str) -> String {
898 let trimmed = requirement.trim();
899 trimmed.trim_start_matches('=').trim().to_string()
900}
901
902fn is_composer_version_pinned(version: &str) -> bool {
903 let trimmed = version.trim();
904 if trimmed.is_empty() {
905 return false;
906 }
907
908 if trimmed.contains(" - ")
909 || trimmed.contains('|')
910 || trimmed.contains(',')
911 || trimmed.contains('^')
912 || trimmed.contains('~')
913 || trimmed.contains('>')
914 || trimmed.contains('<')
915 || trimmed.contains('*')
916 {
917 return false;
918 }
919
920 let without_prefix = trimmed.trim_start_matches('=').trim();
921 let without_prefix = without_prefix.strip_prefix('v').unwrap_or(without_prefix);
922 if without_prefix.is_empty() {
923 return false;
924 }
925
926 let lower = without_prefix.to_lowercase();
927 if lower.contains("dev") {
928 return false;
929 }
930
931 if without_prefix
932 .chars()
933 .any(|c| !c.is_ascii_digit() && c != '.' && c != '-' && c != '+')
934 {
935 return false;
936 }
937
938 without_prefix.matches('.').count() >= 2
939}
940
941fn default_package_data(datasource_id: Option<DatasourceId>) -> PackageData {
942 PackageData {
943 package_type: Some(ComposerJsonParser::PACKAGE_TYPE),
944 primary_language: Some("PHP".to_string()),
945 datasource_id,
946 ..Default::default()
947 }
948}
949
950crate::register_parser!(
951 "PHP composer manifest",
952 &["**/*composer.json", "**/composer.*.json"],
953 "composer",
954 "PHP",
955 Some("https://getcomposer.org/doc/04-schema.md"),
956);
957
958crate::register_parser!(
959 "PHP composer lockfile",
960 &["**/*composer.lock", "**/composer.*.lock"],
961 "composer",
962 "PHP",
963 Some("https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file"),
964);