Fix #3748. Use Semver::satisfies. (#3774)

* Fix #3748. Use Semver::satisfies.

* Remove min-version. We can't support it reliably.

* Back to a working url.

* fix spacing.

Author: weitzman

src/Commands/pm/SecurityUpdateCommands.php

@@ -2,6 +2,7 @@
 namespace Drush\Commands\pm;
 
 use Composer\Semver\Comparator;
+use Composer\Semver\Semver;
 use Consolidation\AnnotatedCommand\CommandData;
 use Consolidation\OutputFormatters\StructuredData\RowsOfFields;
 use Drush\Commands\DrushCommands;
@@ -35,8 +36,7 @@ class SecurityUpdateCommands extends DrushCommands
      * @field-labels
      *   name: Name
      *   version: Installed Version
-     *   min-version: Suggested version
-     * @default-fields name,version,min-version
+     * @default-fields name,version
      *
      * @filter-default-field name
      * @return \Consolidation\OutputFormatters\StructuredData\RowsOfFields
@@ -69,7 +69,7 @@ public function suggestComposerCommand($result, CommandData $commandData)
         if (!empty($this->securityUpdates)) {
             $suggested_command = 'composer require ';
             foreach ($this->securityUpdates as $package) {
-                $suggested_command .= $package['name'] . ':^' . $package['min-version'] . ' ';
+                $suggested_command .= $package['name'] . ' ';
             }
             $suggested_command .= '--update-with-dependencies';
             $this->logger()->warning("One or more of your dependencies has an outstanding security update. Please apply update(s) immediately.");
@@ -137,104 +137,15 @@ protected function loadSiteComposerLock()
     protected function registerAllSecurityUpdates($composer_lock_data, $security_advisories_composer_json)
     {
         $both = array_merge($composer_lock_data['packages-dev'], $composer_lock_data['packages']);
+        $conflict = $security_advisories_composer_json['conflict'];
         foreach ($both as $package) {
             $name = $package['name'];
-            $this->registerPackageSecurityUpdates($security_advisories_composer_json, $name, $package);
-        }
-    }
-
-    /**
-     * Determines if update is available based on a conflict constraint.
-     *
-     * @param string $conflict_constraint
-     *   The constraint for the conflicting, insecure package version.
-     *   E.g., <1.0.0.
-     * @param array $package
-     *   The package to be evaluated.
-     * @param string $name
-     *   The human readable display name for the package.
-     *
-     * @return array
-     *   An associative array containing name, version, and min-version keys.
-     */
-    public static function determineUpdatesFromConstraint(
-        $conflict_constraint,
-        $package,
-        $name
-    ) {
-        // Only parse constraints that follow pattern like "<1.0.0".
-        if (substr($conflict_constraint, 0, 1) == '<') {
-            $min_version = substr($conflict_constraint, 1);
-            if (Comparator::lessThan(
-                $package['version'],
-                $min_version
-            )) {
-                return [
+            if (!empty($conflict[$name]) && Semver::satisfies($package['version'], $security_advisories_composer_json['conflict'][$name])) {
+                $this->securityUpdates[$name] = [
                     'name' => $name,
                     'version' => $package['version'],
-                    // Assume that conflict constraint of <1.0.0 indicates that
-                    // 1.0.0 is the available, secure version.
-                    'min-version' => $min_version,
                 ];
             }
-        } // Compare exact versions that are insecure.
-        elseif (preg_match(
-            '/^[[:digit:]](?![-*><=~ ])/',
-            $conflict_constraint
-        )) {
-            $exact_version = $conflict_constraint;
-            if (Comparator::equalTo(
-                $package['version'],
-                $exact_version
-            )) {
-                $version_parts = explode('.', $package['version']);
-                if (count($version_parts) == 3) {
-                    $version_parts[2]++;
-                    $min_version = implode('.', $version_parts);
-                    return [
-                        'name' => $name,
-                        'version' => $package['version'],
-                        // Assume that conflict constraint of 1.0.0 indicates that
-                        // 1.0.1 is the available, secure version.
-                        'min-version' => $min_version,
-                    ];
-                }
-            }
-        }
-        return [];
-    }
-
-    /**
-     * Registers available security updates for a given package.
-     *
-     * @param array $security_advisories_composer_json
-     *   The composer.json array from drupal-security-advisories.
-     * @param string $name
-     *   The human readable display name for the package.
-     * @param array $package
-     *   The package to be evaluated.
-     */
-    protected function registerPackageSecurityUpdates(
-        $security_advisories_composer_json,
-        $name,
-        $package
-    ) {
-        if (empty($this->securityUpdates[$name]) &&
-            !empty($security_advisories_composer_json['conflict'][$name])) {
-            $conflict_constraints = explode(
-                ',',
-                $security_advisories_composer_json['conflict'][$name]
-            );
-            foreach ($conflict_constraints as $conflict_constraint) {
-                $available_update = $this->determineUpdatesFromConstraint(
-                    $conflict_constraint,
-                    $package,
-                    $name
-                );
-                if ($available_update) {
-                    $this->securityUpdates[$name] = $available_update;
-                }
-            }
         }
     }
 }

tests/functional/SecurityUpdatesTest.php

@@ -20,67 +20,10 @@ public function testInsecurePackage()
     {
         $this->drush('pm:security', [], ['format' => 'json'], null, null, self::EXIT_ERROR);
         $this->assertContains('One or more of your dependencies has an outstanding security update. Please apply update(s) immediately.', $this->getErrorOutput());
-        $this->assertContains('Try running: composer require drupal/alinks:^1.1 --update-with-dependencies', $this->getErrorOutput());
+        $this->assertContains('Try running: composer require drupal/alinks --update-with-dependencies', $this->getErrorOutput());
         $security_advisories = $this->getOutputFromJSON();
         $this->assertObjectHasAttribute('drupal/alinks', $security_advisories);
         $this->assertEquals('drupal/alinks', $security_advisories->{"drupal/alinks"}->name);
         $this->assertEquals('1.0.0', $security_advisories->{"drupal/alinks"}->version);
-        $this->assertEquals('1.1', $security_advisories->{"drupal/alinks"}->{"min-version"});
-    }
-
-
-  /**
-   * Test that insecure packages are correctly identified.
-   *
-   * @dataProvider conflictConstraintParsingProvider
-   */
-    public function testConflictConstraintParsing($package, $conflict_constraint, $min_version, $updates_are_available)
-    {
-        $available_updates = SecurityUpdateCommands::determineUpdatesFromConstraint($conflict_constraint, $package, $package['name']);
-        $this->assertEquals($updates_are_available, (bool) $available_updates);
-
-        if ($available_updates) {
-            $this->assertEquals($package['version'], $available_updates['version']);
-            $this->assertEquals($min_version, $available_updates['min-version']);
-        }
-    }
-
-  /**
-   * Data provider for testConflictConstraintParsing().
-   */
-    public function conflictConstraintParsingProvider()
-    {
-        return [
-        // Test "minimum version" conflict.
-        [
-        [
-          'name' => 'Alinks',
-          'version' => '1.0.0'
-        ],
-        '<1.0.1',
-        '1.0.1',
-        true,
-        ],
-        // Test "exact version" conflict.
-        [
-        [
-          'name' => 'Alinks',
-          'version' => '1.0.0'
-        ],
-        '1.0.0',
-        '1.0.1',
-        true,
-        ],
-        // Test "exact version" conflict with 2 digits. Should not work.
-        [
-        [
-          'name' => 'Alinks',
-          'version' => '1.0.0'
-        ],
-        '1.0',
-        '1.0.1',
-        false,
-        ],
-        ];
     }
 }