authorCan Eldem <celdem@gitlab.com>2020-08-05 12:00:03 +0000
committerCan Eldem <celdem@gitlab.com>2020-08-05 12:00:03 +0000
commit06b158403c3ce87081109dad8dd76581a1b18c2d (patch)
treed17dbd2e61c039fd48844d56e5f75c7fabcf7606
parented6e39123472fecf4eb8fef1e75db28a3b4d1ff2 (diff)
parentda11d3969ccc2186d2fa179c2610f0a3cf3c5831 (diff)
Merge branch '217903-offline-composer' into 'master'v3.20.0
Parse `composer.lock` file when composer CLI fails See merge request gitlab-org/security-products/license-management!200
-rw-r--r--CHANGELOG.md4
-rw-r--r--Gemfile.lock2
-rw-r--r--lib/license/finder/ext/composer.rb14
-rw-r--r--lib/license/management/version.rb2
-rw-r--r--spec/fixtures/php/composer/unreachable-network/composer.json5
-rw-r--r--spec/fixtures/php/composer/unreachable-network/composer.lock62
-rw-r--r--spec/integration/php/composer_spec.rb12
7 files changed, 97 insertions, 4 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9b34dcb..0933d60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
# GitLab License management changelog
+## v3.20.0
+
+- Fallback to parsing the `composer.lock` file when it is present (!200)
+
## v3.19.5
- Fix failing dotnet tests. (!199)
diff --git a/Gemfile.lock b/Gemfile.lock
index c3dda98..6290ce0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,7 +8,7 @@ GIT
PATH
remote: .
specs:
- license-management (3.19.5)
+ license-management (3.20.0)
license_finder (~> 6.6.0)
GEM
diff --git a/lib/license/finder/ext/composer.rb b/lib/license/finder/ext/composer.rb
index e6b0733..1be4e2b 100644
--- a/lib/license/finder/ext/composer.rb
+++ b/lib/license/finder/ext/composer.rb
@@ -45,9 +45,12 @@ module LicenseFinder
:licenses,
'--format=json'
], env: default_env)
- return [] unless status.success?
+ return from_lockfile unless status.success?
- JSON.parse(stdout).fetch('dependencies', {}).map do |name, data|
+ dependencies = JSON.parse(stdout).fetch('dependencies', {})
+ return from_lockfile if dependencies.empty?
+
+ dependencies.map do |name, data|
data.merge('name' => name) if data.is_a?(Hash)
end.compact
end
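Review bot: The added `return from_lockfile if dependencies.empty?` makes a successful CLI run that reports no dependencies indistinguishable from a failed one, and that choice is not explained at the call site. If that is intentional, a why-comment above the line would save the next reader a trip to the merge request, e.g. `# A successful run with an empty dependency set is treated like a CLI failure: fall back to composer.lock`. Note also that the lockfile result bypasses the `data.is_a?(Hash)` filter and the `'name' => name` merge that the CLI output goes through below, so the two paths return differently validated shapes; the shape filtering is raised on the `from_lockfile` hunk. The enclosing method starts outside this hunk.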
@@ -72,5 +75,12 @@ module LicenseFinder
], env: default_env)
status.success? ? stdout.split(' ').last : ''
end
+
+ def from_lockfile
+ return [] unless lockfile_path.exist?
+
+ json = JSON.parse(lockfile_path.read)
+ json.fetch('packages', [])
+ end
end
end
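Review bot: `from_lockfile` turns the previous soft failure (the CLI path returned `[]`) into an unhandled exception whenever `composer.lock` exists but is not valid JSON, because `JSON.parse(lockfile_path.read)` raises `JSON::ParserError` and nothing rescues it; the lockfile comes from the scanned repository, so it should be treated as untrusted input and a malformed file should degrade to an empty result rather than abort the scan. The same call assumes the parsed document is a Hash (`json.fetch` fails on an array or scalar), and unlike the CLI path in the earlier hunk, the entries of `packages` are passed through without the `is_a?(Hash)` check. Rescuing the parse error, guarding the top-level type and filtering non-Hash entries keeps the fallback consistent with the CLI path; the change is below. Separately, only `packages` is read, so if the CLI path also reports `packages-dev` entries (inferred from the absence of `--no-dev` in the visible arguments), the fallback silently drops them. `lockfile_path` is defined outside this hunk.
```ruby
def from_lockfile
  return [] unless lockfile_path.exist?

  json = JSON.parse(lockfile_path.read)
  # composer.lock is repository-controlled input: only accept the expected shape
  return [] unless json.is_a?(Hash)

  json.fetch('packages', []).select { |pkg| pkg.is_a?(Hash) }
rescue JSON::ParserError
  # Mirror the CLI-failure behaviour: an unreadable lockfile yields no dependencies
  []
end
```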
diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb
index 851642e..ac8abbd 100644
--- a/lib/license/management/version.rb
+++ b/lib/license/management/version.rb
@@ -2,6 +2,6 @@
module License
module Management
- VERSION = '3.19.5'
+ VERSION = '3.20.0'
end
end
diff --git a/spec/fixtures/php/composer/unreachable-network/composer.json b/spec/fixtures/php/composer/unreachable-network/composer.json
new file mode 100644
index 0000000..4c5e225
--- /dev/null
+++ b/spec/fixtures/php/composer/unreachable-network/composer.json
@@ -0,0 +1,5 @@
+{
+ "require": {
+ "monolog/monolog": "1.0.*"
+ }
+}
diff --git a/spec/fixtures/php/composer/unreachable-network/composer.lock b/spec/fixtures/php/composer/unreachable-network/composer.lock
new file mode 100644
index 0000000..73a6647
--- /dev/null
+++ b/spec/fixtures/php/composer/unreachable-network/composer.lock
@@ -0,0 +1,62 @@
+{
+ "_readme": [
+ "This file locks the dependencies of your project to a known state",
+ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+ "This file is @generated automatically"
+ ],
+ "content-hash": "bef20e1ca06eac6c027a5bc95193a923",
+ "packages": [
+ {
+ "name": "monolog/monolog",
+ "version": "1.0.2",
+ "source": {
+ "type": "git",
+ "url": "https://example.com/Seldaek/monolog.git",
+ "reference": "b704c49a3051536f67f2d39f13568f74615b9922"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.example.com/repos/Seldaek/monolog/zipball/b704c49a3051536f67f2d39f13568f74615b9922",
+ "reference": "b704c49a3051536f67f2d39f13568f74615b9922",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.3.0"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-0": {
+ "Monolog": "src/"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "Jordi Boggiano",
+ "email": "j.boggiano@seld.be",
+ "homepage": "http://seld.be",
+ "role": "Developer"
+ }
+ ],
+ "description": "Logging for PHP 5.3",
+ "homepage": "http://example.com/Seldaek/monolog",
+ "keywords": [
+ "log",
+ "logging"
+ ],
+ "time": "2011-10-24T09:39:02+00:00"
+ }
+ ],
+ "packages-dev": [],
+ "aliases": [],
+ "minimum-stability": "stable",
+ "stability-flags": [],
+ "prefer-stable": false,
+ "prefer-lowest": false,
+ "platform": [],
+ "platform-dev": [],
+ "plugin-api-version": "1.1.0"
+}
diff --git a/spec/integration/php/composer_spec.rb b/spec/integration/php/composer_spec.rb
index 0fb09ee..b5c2d15 100644
--- a/spec/integration/php/composer_spec.rb
+++ b/spec/integration/php/composer_spec.rb
@@ -118,4 +118,16 @@ RSpec.describe "composer" do
expect(subject.licenses_for('monolog/monolog')).to match_array(['MIT'])
end
end
+
+ context "when scanning a project with a lock file and sourced from an unreachable network location" do
+ before do
+ runner.mount(dir: fixture_file('php/composer/unreachable-network'))
+ end
+
+ it 'parses the information from the lockfile' do
+ expect(subject).to match_schema
+ expect(subject.dependency_names).to match_array(['monolog/monolog'])
+ expect(subject.licenses_for('monolog/monolog')).to match_array(['MIT'])
+ end
+ end
end
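Review bot: The new context covers only the successful fallback; there is no example for the case where the CLI fails and `composer.lock` is absent or malformed, which is the path on which `from_lockfile` would raise from `JSON.parse` rather than return an empty report. Adding a fixture with an unparsable lockfile and an example such as `it 'reports no dependencies when the lockfile is malformed'` asserting that `subject.dependency_names` is empty would pin that behaviour. As written, the spec also does not assert that the CLI actually failed for this fixture, so it would keep passing if the fallback stopped being exercised (inferred from the mount-only setup).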