feat: SCA-293 support composer installed.json package detection

commit 6b6281c52561b343df0d7a5eb51f9b038ac38067
Author: hundredbai <yubaichao2008@126.com>
Date:   Fri Mar 6 16:00:27 2026 +0800

    SCA-293 feat: support composer installed.json package detection

Co-authored-by: hundredbai <yubaichao2008@126.com>

Author: iseki0

module/composer/composer.go

@@ -8,6 +8,7 @@ import (
 	"go.uber.org/zap"
 	"io/fs"
 	"path/filepath"
+	"sort"
 	"strings"
 )
 
@@ -25,27 +26,48 @@ func (Inspector) String() string {
 }
 
 func (Inspector) CheckDir(ctx context.Context, dir string) bool {
-	return utils.IsFile(filepath.Join(dir, "composer.json"))
+	return utils.IsFile(filepath.Join(dir, "composer.json")) ||
+		utils.IsFile(filepath.Join(dir, "composer.lock")) ||
+		utils.IsFile(filepath.Join(dir, "installed.json")) ||
+		utils.IsFile(filepath.Join(dir, "vendor", "composer", "installed.json"))
 }
 
 func (Inspector) InspectProject(ctx context.Context) error {
 	logger := logctx.Use(ctx)
 	task := model.UseInspectionTask(ctx)
 	dir := task.Dir()
-	manifest, e := readManifest(ctx, filepath.Join(dir, "composer.json"))
-	if e != nil {
-		return e
+	manifestPath := filepath.Join(dir, "composer.json")
+	modulePath := manifestPath
+	manifest := &Manifest{}
+	var e error
+	if utils.IsFile(manifestPath) {
+		manifest, e = readManifest(ctx, manifestPath)
+		if e != nil {
+			return e
+		}
+	} else {
+		logger.Sugar().Infof("composer.json not found, fallback to installed/lock files. dir=%s", dir)
+		modulePath = filepath.Join(dir, "installed.json")
+		if !utils.IsFile(modulePath) {
+			modulePath = filepath.Join(dir, "vendor", "composer", "installed.json")
+			if !utils.IsFile(modulePath) {
+				modulePath = filepath.Join(dir, "composer.lock")
+			}
+		}
 	}
 	module := &model.Module{
 		PackageManager: "composer",
 		ModuleName:     manifest.Name,
 		ModuleVersion:  manifest.Version,
-		ModulePath:     filepath.Join(dir, "composer.json"),
+		ModulePath:     modulePath,
+	}
+	if module.ModuleName == "" {
+		module.ModuleName = filepath.Base(dir)
 	}
 	lockfilePkgs := map[string]Package{}
 
 	{
-		if !utils.IsPathExist(filepath.Join(dir, "composer.lock")) {
+		if utils.IsFile(manifestPath) && !utils.IsPathExist(filepath.Join(dir, "composer.lock")) {
 			logger.Info("composer.lock doesn't exists. Try to generate it")
 			if e := doComposerInstall(context.TODO(), dir); e != nil {
 				logger.Sugar().Warnf("Do composer install fail. %s", e.Error())
@@ -59,6 +81,18 @@ func (Inspector) InspectProject(ctx context.Context) error {
 		if e != nil {
 			logger.Sugar().Infof("Read composer lock file failed: %s", e.Error())
 		}
+		installedPaths := []string{
+			filepath.Join(dir, "installed.json"),
+			filepath.Join(dir, "vendor", "composer", "installed.json"),
+		}
+		for _, installedPath := range installedPaths {
+			installedPkgs, ie := readComposerInstalledFile(installedPath)
+			if ie != nil {
+				logger.Sugar().Debugf("Read installed.json failed: %s", ie.Error())
+				continue
+			}
+			pkgs = append(pkgs, installedPkgs...)
+		}
 		pkgs = append(pkgs, vendorScan(ctx, filepath.Join(dir, "vendor"))...)
 		for _, it := range pkgs {
 			if it.Version == "" || isVersionConstrain(it.Version) {
@@ -68,8 +102,22 @@ func (Inspector) InspectProject(ctx context.Context) error {
 		}
 	}
 
+	roots := map[string]string{}
 	for _, requiredPkg := range manifest.Require {
-		node := _buildDepTree(lockfilePkgs, map[string]struct{}{}, requiredPkg.Name, requiredPkg.Version)
+		roots[requiredPkg.Name] = requiredPkg.Version
+	}
+	if len(roots) == 0 {
+		for name := range lockfilePkgs {
+			roots[name] = ""
+		}
+	}
+	var rootNames []string
+	for name := range roots {
+		rootNames = append(rootNames, name)
+	}
+	sort.Strings(rootNames)
+	for _, name := range rootNames {
+		node := _buildDepTree(lockfilePkgs, map[string]struct{}{}, name, roots[name])
 		if node != nil {
 			module.Dependencies = append(module.Dependencies, *node)
 		}

module/composer/composer_installed_test.go

@@ -0,0 +1,60 @@
+package composer
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseComposerInstalled_ObjectSchema(t *testing.T) {
+	data := []byte(`{
+  "packages": [
+    {
+      "name": "symfony/polyfill-mbstring",
+      "version": "v1.29.0",
+      "require": {
+        "php": ">=7.1"
+      }
+    },
+    {
+      "name": "guzzlehttp/guzzle",
+      "version": "7.8.1",
+      "require": {
+        "php": "^7.2.5 || ^8.0",
+        "psr/http-client": "^1.0"
+      }
+    }
+  ],
+  "dev": false
+}`)
+
+	pkgs, err := parseComposerInstalled(data)
+	require.NoError(t, err)
+	require.Len(t, pkgs, 2)
+	assert.Equal(t, "symfony/polyfill-mbstring", pkgs[0].Name)
+	assert.Equal(t, "v1.29.0", pkgs[0].Version)
+	assert.Contains(t, pkgs[0].Require, "php")
+	assert.Equal(t, "guzzlehttp/guzzle", pkgs[1].Name)
+}
+
+func TestParseComposerInstalled_ArraySchema(t *testing.T) {
+	data := []byte(`[
+  {
+    "name": "monolog/monolog",
+    "version": "3.5.0",
+    "require": {
+      "php": ">=8.1",
+      "psr/log": "^2.0 || ^3.0"
+    }
+  }
+]`)
+
+	pkgs, err := parseComposerInstalled(data)
+	require.NoError(t, err)
+	require.Len(t, pkgs, 1)
+	assert.Equal(t, "monolog/monolog", pkgs[0].Name)
+	assert.Equal(t, "3.5.0", pkgs[0].Version)
+	assert.Contains(t, pkgs[0].Require, "php")
+	assert.Contains(t, pkgs[0].Require, "psr/log")
+}

module/composer/composer_lockfile.go

@@ -22,6 +22,18 @@ func readComposerLockFile(path string) ([]Package, error) {
 	return pkgs, nil
 }
 
+func readComposerInstalledFile(path string) ([]Package, error) {
+	lockFileData, e := utils.ReadFileLimited(path, _ComposerLockFileSizeLimit)
+	if e != nil {
+		return nil, errors.Wrap(e, "Read installed.json failed")
+	}
+	pkgs, e := parseComposerInstalled(lockFileData)
+	if e != nil {
+		return nil, errors.Wrap(e, "Parse installed.json failed")
+	}
+	return pkgs, nil
+}
+
 func parseComposerLock(data []byte) ([]Package, error) {
 	var j simplejson.JSON
 	if e := json.Unmarshal(data, &j); e != nil {
@@ -43,6 +55,41 @@ func parseComposerLock(data []byte) ([]Package, error) {
 	return pkgList, nil
 }
 
+func parseComposerInstalled(data []byte) ([]Package, error) {
+	var j simplejson.JSON
+	if e := json.Unmarshal(data, &j); e != nil {
+		return nil, errors.Wrap(e, "ParseComposerInstalled")
+	}
+
+	// Composer installed.json has two common schemas:
+	// 1) {"packages":[...], ...}
+	// 2) [{...}, {...}]
+	var packageNodes []*simplejson.JSON
+	if arr := j.Get("packages").JSONArray(); len(arr) > 0 {
+		packageNodes = arr
+	} else if arr := j.JSONArray(); len(arr) > 0 {
+		packageNodes = arr
+	}
+
+	pkgList := make([]Package, 0, len(packageNodes))
+	for _, pkg := range packageNodes {
+		if pkg == nil {
+			continue
+		}
+		p := Package{}
+		p.Name = pkg.Get("name").String()
+		p.Version = pkg.Get("version").String()
+		if p.Name == "" || p.Version == "" {
+			continue
+		}
+		for s := range pkg.Get("require").JSONMap() {
+			p.Require = append(p.Require, s)
+		}
+		pkgList = append(pkgList, p)
+	}
+	return pkgList, nil
+}
+
 func readManifest(ctx context.Context, path string) (*Manifest, error) {
 	logger := logctx.Use(ctx)
 	logger.Debug("readManifest", zap.String("path", path))