
Security Advisories: store composer repository

* also includes fixes from code review
Stephan Vock 5 years ago
parent
commit
ddcc7193fb

+ 10 - 1
src/Packagist/WebBundle/Entity/SecurityAdvisory.php

@@ -18,6 +18,8 @@ use Packagist\WebBundle\SecurityAdvisory\RemoteSecurityAdvisory;
  */
 class SecurityAdvisory
 {
+    public const PACKAGIST_ORG = 'https://packagist.org';
+
     /**
      * @ORM\Id
      * @ORM\Column(type="integer")
@@ -70,6 +72,11 @@ class SecurityAdvisory
      */
     private $updatedAt;
 
+    /**
+     * @ORM\Column(type="string", nullable=true)
+     */
+    private $composerRepository;
+
     public function __construct(RemoteSecurityAdvisory $advisory, string $source)
     {
         $this->source = $source;
@@ -85,7 +92,8 @@ class SecurityAdvisory
             $this->link !== $advisory->getLink() ||
             $this->cve !== $advisory->getCve() ||
             $this->affectedVersions !== $advisory->getAffectedVersions() ||
-            $this->reportedAt !== $advisory->getDate()
+            $this->reportedAt != $advisory->getDate() ||
+            $this->composerRepository !== $advisory->getComposerRepository()
         ) {
             $this->updatedAt = new \DateTime();
             $this->reportedAt = $advisory->getDate();
@@ -97,6 +105,7 @@ class SecurityAdvisory
         $this->link = $advisory->getLink();
         $this->cve = $advisory->getCve();
         $this->affectedVersions = $advisory->getAffectedVersions();
+        $this->composerRepository = $advisory->getComposerRepository();
     }
 
     public function getRemoteId(): string
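Review bot: The new `$composerRepository` column is declared `nullable=true` with no default, so every row that exists when the migration runs will read NULL — the same value the sync code stores for an explicit `composer-repository: false` — until that advisory is re-synced and the update path writes it; consider `@ORM\Column(type="string", nullable=true, options={"default": "https://packagist.org"})` or a backfill in the migration so that NULL only ever means "no composer repository". The switch from `!==` to `!=` on `$reportedAt` is presumably deliberate, since two `\DateTime` instances holding the same instant are never identical and the old check would have bumped `updatedAt` on every sync; a comment such as `// loose comparison on purpose: DateTime instances are compared by value, not identity` would keep the next reviewer from "fixing" it back. The method containing that comparison starts before the hunk.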

+ 2 - 2
src/Packagist/WebBundle/Entity/SecurityAdvisoryRepository.php

@@ -18,7 +18,7 @@ class SecurityAdvisoryRepository extends ServiceEntityRepository
         $sql = 'SELECT s.*
             FROM security_advisory s
             WHERE s.packageName = :name
-            ORDER BY s.reportedAt DESC';
+            ORDER BY s.reportedAt DESC, s.id DESC';
 
         return $this->getEntityManager()->getConnection()
             ->fetchAll($sql, ['name' => $name]);
@@ -26,7 +26,7 @@ class SecurityAdvisoryRepository extends ServiceEntityRepository
 
     public function searchSecurityAdvisories(array $packageNames, int $updatedSince): array
     {
-        $sql = 'SELECT s.packageName, s.remoteId, s.title, s.link, s.cve, s.affectedVersions, s.source, s.reportedAt
+        $sql = 'SELECT s.packageName, s.remoteId, s.title, s.link, s.cve, s.affectedVersions, s.source, s.reportedAt, s.composerRepository
             FROM security_advisory s
             WHERE s.updatedAt >= :updatedSince ' .
             (count($packageNames) > 0 ? ' AND s.packageName IN (:packageNames)' : '')
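Review bot: The search query now returns `s.composerRepository` verbatim, and that value is whatever `createFromFriendsOfPhp` copied out of the advisory YAML, so a consumer that keys advisories by repository URL should normalise it (scheme, host case, trailing slash) before comparing it with `SecurityAdvisory::PACKAGIST_ORG` rather than relying on byte equality. A NULL in this column also cannot be told apart by the caller from a pre-migration row that has not been re-synced yet, unless the migration gets a default. `searchSecurityAdvisories` continues past the hunk, so I could not check how the rows are serialised.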

+ 23 - 2
src/Packagist/WebBundle/SecurityAdvisory/RemoteSecurityAdvisory.php

@@ -2,6 +2,8 @@
 
 namespace Packagist\WebBundle\SecurityAdvisory;
 
+use Packagist\WebBundle\Entity\SecurityAdvisory;
+
 class RemoteSecurityAdvisory
 {
     /** @var string */
@@ -18,8 +20,10 @@ class RemoteSecurityAdvisory
     private $cve;
     /** @var \DateTime */
     private $date;
+    /** @var string|null */
+    private $composerRepository;
 
-    public function __construct(string $id, string $title, string $packageName, string $affectedVersions, string $link, $cve, \DateTime $date)
+    public function __construct(string $id, string $title, string $packageName, string $affectedVersions, string $link, $cve, \DateTime $date, ?string $composerRepository)
     {
         $this->id = $id;
         $this->title = $title;
@@ -28,6 +32,7 @@ class RemoteSecurityAdvisory
         $this->link = $link;
         $this->cve = $cve;
         $this->date = $date;
+        $this->composerRepository = $composerRepository;
     }
 
     public function getId(): string
@@ -65,6 +70,11 @@ class RemoteSecurityAdvisory
         return $this->date;
     }
 
+    public function getComposerRepository(): ?string
+    {
+        return $this->composerRepository;
+    }
+
     public static function createFromFriendsOfPhp(string $fileNameWithPath, array $info): RemoteSecurityAdvisory
     {
         $date = null;
@@ -92,6 +102,16 @@ class RemoteSecurityAdvisory
             }
         }
 
+        // If the value is not set then the default value is https://packagist.org
+        $composerRepository = SecurityAdvisory::PACKAGIST_ORG;
+        if (isset($info['composer-repository'])) {
+            if ($info['composer-repository'] === false) {
+                $composerRepository = null;
+            } else {
+                $composerRepository = $info['composer-repository'];
+            }
+        }
+
         return new RemoteSecurityAdvisory(
             $fileNameWithPath,
             $info['title'],
@@ -99,7 +119,8 @@ class RemoteSecurityAdvisory
             implode('|', $affectedVersions),
             $info['link'],
             $info['cve'] ?? null,
-            $date
+            $date,
+            $composerRepository
         );
     }
 }
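Review bot: The `composer-repository` value read from the advisory YAML is passed straight into the `?string` constructor parameter with no type or URL check, and since this file has no `declare(strict_types=1)` (the hunk at the top of the file shows the namespace on line 3), a YAML `true` or an integer is silently coerced to `"1"` or `"123"`, while an array or mapping throws a `TypeError` out of the middle of the sync. Because this string is later stored and served back to clients as a repository URL, I would accept only `false` or a string that passes `filter_var(..., FILTER_VALIDATE_URL)` and reject anything else with a clear message naming the offending file; whether that should abort the sync or log and fall back to the default depends on how the caller handles bad entries, which is outside this hunk. `isset()` also treats a YAML `composer-repository: ~` as "not set" and defaults it to packagist.org, which may or may not be intended.

```php
        // If the value is not set then the default value is https://packagist.org
        $composerRepository = SecurityAdvisory::PACKAGIST_ORG;
        if (isset($info['composer-repository'])) {
            $value = $info['composer-repository'];
            if ($value === false) {
                $composerRepository = null;
            } elseif (is_string($value) && filter_var($value, FILTER_VALIDATE_URL) !== false) {
                $composerRepository = $value;
            } else {
                throw new \UnexpectedValueException(sprintf('Invalid composer-repository value in %s', $fileNameWithPath));
            }
        }
        // … unchanged: return new RemoteSecurityAdvisory(...) …
```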

+ 2 - 0
src/Packagist/WebBundle/Tests/SecurityAdvisory/RemoteSecurityAdvisoryTest.php

@@ -2,6 +2,7 @@
 
 namespace Packagist\WebBundle\Tests\SecurityAdvisory;
 
+use Packagist\WebBundle\Entity\SecurityAdvisory;
 use Packagist\WebBundle\SecurityAdvisory\RemoteSecurityAdvisory;
 use PHPUnit\Framework\TestCase;
 
@@ -29,5 +30,6 @@ class RemoteSecurityAdvisoryTest extends TestCase
         $this->assertSame('<1.2', $advisory->getAffectedVersions());
         $this->assertSame('3f/pygmentize', $advisory->getPackageName());
         $this->assertSame('2017-05-15 00:00:00', $advisory->getDate()->format('Y-m-d H:i:s'));
+        $this->assertSame(SecurityAdvisory::PACKAGIST_ORG, $advisory->getComposerRepository());
     }
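Review bot: The added assertion only covers the default branch of the new `composer-repository` handling; the `false` → null branch and the explicit-URL branch in `createFromFriendsOfPhp` have no test. Two further cases built from the same fixture — one with `'composer-repository' => false` asserting `$this->assertNull($advisory->getComposerRepository());`, and one with a custom URL asserting it is returned unchanged — would pin both branches. The test method starts before the hunk.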
 }