feat: add support for extracting Drupal packages from composer.lock files

Author: G-Rath

extractor/filesystem/language/php/composerlock/composerlock.go

@@ -40,6 +40,7 @@ type composerPackage struct {
 	Dist    struct {
 		Reference string `json:"reference"`
 	} `json:"dist"`
+	Extra map[string]any `json:"extra"`
 }
 
 type composerLock struct {
@@ -87,10 +88,16 @@ func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (in
 	)
 
 	for _, composerPackage := range parsedLockfile.Packages {
+		purlType := purl.TypeComposer
+
+		if _, ok := composerPackage.Extra["drupal"]; ok {
+			purlType = purl.TypeDrupal
+		}
+
 		packages = append(packages, &extractor.Package{
 			Name:      composerPackage.Name,
 			Version:   composerPackage.Version,
-			PURLType:  purl.TypeComposer,
+			PURLType:  purlType,
 			Locations: []string{input.Path},
 			SourceCode: &extractor.SourceCodeIdentifier{
 				Commit: composerPackage.Dist.Reference,
@@ -102,10 +109,16 @@ func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (in
 	}
 
 	for _, composerPackage := range parsedLockfile.PackagesDev {
+		purlType := purl.TypeComposer
+
+		if _, ok := composerPackage.Extra["drupal"]; ok {
+			purlType = purl.TypeDrupal
+		}
+
 		packages = append(packages, &extractor.Package{
 			Name:      composerPackage.Name,
 			Version:   composerPackage.Version,
-			PURLType:  purl.TypeComposer,
+			PURLType:  purlType,
 			Locations: []string{input.Path},
 			SourceCode: &extractor.SourceCodeIdentifier{
 				Commit: composerPackage.Dist.Reference,

extractor/filesystem/language/php/composerlock/composerlock_test.go

@@ -198,6 +198,50 @@ func TestExtractor_Extract(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "drupal_packages",
+			InputConfig: extracttest.ScanInputMockConfig{
+				Path: "testdata/drupal-packages.json",
+			},
+			WantPackages: []*extractor.Package{
+				{
+					Name:      "drupal/core",
+					Version:   "10.4.5",
+					PURLType:  purl.TypeComposer,
+					Locations: []string{"testdata/drupal-packages.json"},
+					SourceCode: &extractor.SourceCodeIdentifier{
+						Commit: "5247dbaa65b42b601058555f4a8b2bd541f5611f",
+					},
+					Metadata: osv.DepGroupMetadata{
+						DepGroupVals: []string{},
+					},
+				},
+				{
+					Name:      "drupal/tfa",
+					Version:   "2.0.0-alpha4",
+					PURLType:  purl.TypeDrupal,
+					Locations: []string{"testdata/drupal-packages.json"},
+					SourceCode: &extractor.SourceCodeIdentifier{
+						Commit: "2.0.0-alpha4",
+					},
+					Metadata: osv.DepGroupMetadata{
+						DepGroupVals: []string{},
+					},
+				},
+				{
+					Name:      "theseer/tokenizer",
+					Version:   "1.1.3",
+					PURLType:  purl.TypeComposer,
+					Locations: []string{"testdata/drupal-packages.json"},
+					SourceCode: &extractor.SourceCodeIdentifier{
+						Commit: "11336f6f84e16a720dae9d8e6ed5019efa85a0f9",
+					},
+					Metadata: osv.DepGroupMetadata{
+						DepGroupVals: []string{},
+					},
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {