
Composer version not always a string

Open 3asm opened this issue 1 year ago • 7 comments

While analyzing a composer.lock file we get the following error:

(extracting as composer.lock) could not extract from /app/composer.lock: json: cannot unmarshal number into Go struct field ComposerPackage.packages.version of type string

The version in this case is not a string:

➜  /tmp grep version composer.lock
            "version": "5.9.1",
            "version": "1.99",
            "version": "0.1.1",
            "version": "1.2.8",
            "version": "v1.9.0",
            "version": "4.6.2",
            "version": "v2.11.0",
            "version": "5.5.3",
            "version": "5.5.3",
            "version": "2.0.0",
            "version": "v1.8.0",
            "version": "v0.8.1",
            "version": "1.8.2",
            "version": "2.4.20.3",
            "version": "2.6.1",
            "version": "3.7.2",
            "version": "1.4.3",
            "version": "20190220",
            "version": "1.11.5",
            "version": "3.1",
            "version": "1.5",
            "version": "0.5.7",

3asm avatar Jul 24 '24 09:07 3asm

Can you name the package(s) with the erroring versions? My understanding is that composer requires versions to be semantic

G-Rath avatar Jul 24 '24 09:07 G-Rath

Thanks @G-Rath for the quick answer. The package name is wpackagist-plugin/block-bad-queries.

3asm avatar Jul 24 '24 09:07 3asm

Cool thanks - if you can, it would be good if you could provide a small but complete lock file reproducing the error but otherwise now that I've got the name I can look into it tomorrow morning :)

G-Rath avatar Jul 24 '24 09:07 G-Rath

Awesome thanks @G-Rath . Here is a link to the file.

3asm avatar Jul 24 '24 15:07 3asm

@3asm could you speak more about how you generated this, including the composer version and json file?

I suspect this is technically invalid (or maybe not natural?) - using this composer.json:

{
  "repositories": [
    {
      "type": "composer",
      "url": "https://wpackagist.org",
      "only": [
        "wpackagist-plugin/*",
        "wpackagist-theme/*"
      ]
    }
  ],
  "require": {
    "wpackagist-plugin/block-bad-queries": "20190220"
  },
  "config": {
    "allow-plugins": {
      "composer/installers": true
    }
  }
}

Gives me a lockfile with that version but as a string rather than a number.


In saying that, if I edit the lockfile so the version is a number, composer doesn't seem to complain...

It should be straightforward to support this case (we've had to do it in a couple of the other parsers), but I'm interested in knowing more about its real-world implications, since this is the first time I've come across this.

G-Rath avatar Jul 24 '24 20:07 G-Rath
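The failure above is the standard library refusing a JSON number for a Go field declared as `string`, which aborts extraction of the whole lockfile (so none of its packages get matched against advisories, not just the odd one). The following is an added example, not osv-scanner's own parser, of the "accept both" approach G-Rath describes: a `FlexString` type with a custom `UnmarshalJSON` that takes either a JSON string or a JSON number and keeps the number's exact token via `json.Number`, so `1.99` stays `"1.99"` instead of being rounded through `float64`. The `ComposerPackage`/`ComposerLock` structs, `ParseStrict`, `ParseComposerLock` and the embedded sample lockfile are all constructed for this example; the sample deliberately puts `20190220` and `1.99` as bare numbers to reproduce the error.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FlexString accepts either a JSON string or a JSON number and stores the
// textual form. Hypothetical helper for this example, not osv-scanner's type.
type FlexString string

func (f *FlexString) UnmarshalJSON(b []byte) error {
	// Common case first: a JSON string such as "v1.9.0" or "1.2.8".
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*f = FlexString(s)
		return nil
	}
	// Fall back to a bare number. json.Number keeps the token exactly as
	// written, so 20190220 -> "20190220" and 1.99 -> "1.99" (no float64
	// round trip that could turn 1.10 into "1.1").
	var n json.Number
	if err := json.Unmarshal(b, &n); err == nil {
		*f = FlexString(n.String())
		return nil
	}
	return fmt.Errorf("version must be a JSON string or number, got %s", string(b))
}

// ComposerPackage is the subset of a lockfile package entry used here.
type ComposerPackage struct {
	Name    string     `json:"name"`
	Version FlexString `json:"version"`
}

// ComposerLock mirrors the two package arrays of a composer.lock file.
type ComposerLock struct {
	Packages    []ComposerPackage `json:"packages"`
	PackagesDev []ComposerPackage `json:"packages-dev"`
}

// ParseComposerLock returns every package (prod and dev) from the lockfile,
// tolerating numeric versions.
func ParseComposerLock(data []byte) ([]ComposerPackage, error) {
	var lock ComposerLock
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, fmt.Errorf("could not extract composer.lock: %w", err)
	}
	return append(lock.Packages, lock.PackagesDev...), nil
}

// strictLock declares version as a plain string, which is what produces the
// "cannot unmarshal number into Go struct field ... of type string" error.
type strictLock struct {
	Packages []strictPackage `json:"packages"`
}

type strictPackage struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// ParseStrict reproduces the failing behaviour for comparison.
func ParseStrict(data []byte) error {
	var lock strictLock
	return json.Unmarshal(data, &lock)
}

// Constructed sample: two entries carry numeric versions on purpose.
const sampleLock = `{
  "packages": [
    {"name": "wpackagist-plugin/block-bad-queries", "version": 20190220},
    {"name": "psr/log", "version": "1.1.4"},
    {"name": "example/decimal-version", "version": 1.99}
  ],
  "packages-dev": []
}`

func main() {
	if err := ParseStrict([]byte(sampleLock)); err != nil {
		fmt.Println("strict:", err)
	}
	pkgs, err := ParseComposerLock([]byte(sampleLock))
	if err != nil {
		fmt.Println("lenient:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%s %s\n", p.Name, p.Version)
	}
}
```

Running it prints the strict error first, then all three packages with their versions as strings. The practical point for a scanner is that the lenient parse never drops the entire lockfile over one unusual field; downstream matching still treats `"20190220"` as a version string, so nothing else in the pipeline needs to change.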

@3asm Friendly ping on if you know how this file is generated? :)

another-rex avatar Aug 05 '24 06:08 another-rex

Sorry @another-rex I missed that. No, I don't, the file was collected during a vulnerability scan.

3asm avatar Aug 15 '24 07:08 3asm

Quit the nonsense.

saularellano903-dev avatar Sep 14 '25 06:09 saularellano903-dev

Closing for now since it hasn't really popped up again.

another-rex avatar Sep 16 '25 01:09 another-rex