From 9dca5da2a5aad1b5bc2d8f22fd398a51bcdabc10 Mon Sep 17 00:00:00 2001
From: David Buchmann
Date: Wed, 3 Dec 2025 15:46:24 +0100
Subject: [PATCH] add composer-audit and deprecate composer-security-check
---
 .rmt.yml | 2 +-
 README.md | 2 +-
 src/Liip/RMT/Prerequisite/ComposerAudit.php | 84 +++++++++++++++++++
 .../Prerequisite/ComposerSecurityCheck.php | 2 +
 4 files changed, 88 insertions(+), 2 deletions(-)
 create mode 100644 src/Liip/RMT/Prerequisite/ComposerAudit.php
diff --git a/.rmt.yml b/.rmt.yml
index 8b433a5..74e059f 100644
--- a/.rmt.yml
+++ b/.rmt.yml
@@ -5,7 +5,7 @@ prerequisites:
 allow-ignore: true
 - display-last-changes
 - tests-check
- composer-security-check
+ - composer-audit
 - command:
 cmd: git remote -v
diff --git a/README.md b/README.md
index a1063aa..4e66d00 100644
--- a/README.md
+++ b/README.md
@@ -172,7 +172,7 @@ Prerequisite actions are executed before the interactive part.
 * Option `composer`: how to run composer (default: *php composer.phar*)
 * `composer-stability-check`: will check if the composer.json is set to the right minimum-stability
 * Option `stability`: the stability that should be set in the minimum-stability field (default: *stable*)
-* `composer-security-check`: run the composer.lock against https://github.com/fabpot/local-php-security-checker to check for known vulnerabilities in the dependencies. ⚠️ The local-php-security-checker binary must be installed globally.
+* `composer-audit`: run `composer audit` - requires at least composer 2.4.
 * `composer-dependency-stability-check`: test if only allowed dependencies are using development versions
 * Option `ignore-require` and `ignore-require-dev`: don't check dependencies in `require` or `require-dev` section
 * Option `whitelist`: allow specific dependencies to use development version
diff --git a/src/Liip/RMT/Prerequisite/ComposerAudit.php b/src/Liip/RMT/Prerequisite/ComposerAudit.php
new file mode 100644
index 0000000..02639b1
--- /dev/null
+++ b/src/Liip/RMT/Prerequisite/ComposerAudit.php
@@ -0,0 +1,84 @@
+getValueFor(self::SKIP_OPTION)) {
+ Context::get('output')->writeln('composer audit skipped');
+
+ return;
+ }
+
+ Context::get('output')->writeln('running composer audit');
+
+ // Run the actual security check
+ $process = new Process(['composer', 'audit', '--format', 'json']);
+ $process->run();
+
+ $report = json_decode($process->getOutput(), true);
+
+ if ($process->isSuccessful() && count($report['advisories']) === 0 && count($report['abandoned']) === 0) {
+ $this->confirmSuccess();
+ return;
+ }
+
+ if ($report === null) {
+ throw new \RuntimeException('Error while trying to execute `composer audit` command. Are you sure the binary is installed globally in your system and you have at least composer version 2.4?');
+ }
+
+ foreach ($report['advisories'] as $package => $alert) {
+ Context::get('output')->writeln("{$package} has security reports");
+ foreach ($alert as $data) {
+ Context::get('output')->writeln('');
+ Context::get('output')->writeln($data['advisoryId']);
+ Context::get('output')->writeln($data['title']);
+ Context::get('output')->writeln('');
+ }
+ }
+ foreach ($report['abandoned'] as $package => $alert) {
+ Context::get('output')->writeln("{$package} is abandoned");
+ }
+
+ // throw exception to have check fail
+ throw new \Exception(
+ 'composer.lock contains insecure packages (you can force a release with option --'.self::SKIP_OPTION.')'
+ );
+ }
+
+ public function getInformationRequests(): array
+ {
+ return array(
+ new InformationRequest(
+ self::SKIP_OPTION,
+ array(
+ 'description' => 'Do not run composer security check before the release',
+ 'type' => 'confirmation',
+ 'interactive' => false,
+ )
+ ),
+ );
+ }
+}
diff --git a/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php b/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
index f403acb..539b00c 100644
--- a/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
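Review bot: The first `if` after `json_decode()` evaluates `count($report['advisories'])` and `count($report['abandoned'])` before the `$report === null` guard and never checks that either key exists, so a decodable report that lacks `abandoned` (older composer releases may omit it, to be confirmed) or a zero-exit run with empty output dies with a `count(null)` TypeError instead of reaching the intended RuntimeException; move the null check directly after `json_decode()` and read both keys with `?? []`. A non-zero exit whose report lists nothing — for instance when the advisory database cannot be fetched — currently falls through to the closing `composer.lock contains insecure packages` exception while stderr is thrown away, so a release manager cannot tell "could not audit" from "found advisories"; that branch should raise its own failure with `$process->getErrorOutput()` attached. The hunk begins after the file's opening lines, so the class header and the signature of the method containing this code are outside this view. Separately, the process invokes a bare `composer` and no `--locked` flag although the message refers to composer.lock and the sibling prerequisites document a `composer` option for the binary path; worth aligning, though I have not verified composer's default audit target here.
```php
$report = json_decode($process->getOutput(), true);

if (!is_array($report)) {
    throw new \RuntimeException(
        'Error while trying to execute `composer audit` command. Are you sure the binary is installed globally in your system and you have at least composer version 2.4?'
        ."\n".$process->getErrorOutput()
    );
}

$advisories = $report['advisories'] ?? [];
$abandoned = $report['abandoned'] ?? [];

if ($process->isSuccessful() && count($advisories) === 0 && count($abandoned) === 0) {
    $this->confirmSuccess();

    return;
}

if (count($advisories) === 0 && count($abandoned) === 0) {
    // audit exited non-zero without naming a package: report the failed check, not "insecure packages"
    throw new \RuntimeException('`composer audit` failed: '.$process->getErrorOutput());
}

foreach ($advisories as $package => $alert) {
    // … unchanged: advisory output …
}
foreach ($abandoned as $package => $alert) {
    // … unchanged: abandoned output …
}
// … unchanged: final exception …
```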
+++ b/src/Liip/RMT/Prerequisite/ComposerSecurityCheck.php
@@ -18,6 +18,8 @@
 /**
 * Uses https://github.com/fabpot/local-php-security-checker to see if composer.lock contains insecure versions
+ *
+ * @deprecated This tool has been deprecated in favor of `composer audit`, use the ComposerAudit prerequisite instead.
 */
 class ComposerSecurityCheck extends BaseAction
 {