composer
diff --git a/‎composer.json‎
Lines changed: 1 addition & 0 deletions b/‎composer.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎composer.lock‎
Lines changed: 89 additions & 9 deletions b/‎composer.lock‎
Lines changed: 89 additions & 9 deletions
diff --git a/‎src/Composer/Advisory/Auditor.php‎
Lines changed: 42 additions & 8 deletions b/‎src/Composer/Advisory/Auditor.php‎
Lines changed: 42 additions & 8 deletions
diff --git a/‎src/Composer/Compiler.php‎
Lines changed: 2 additions & 0 deletions b/‎src/Composer/Compiler.php‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Composer/DependencyResolver/SecurityAdvisoryPoolFilter.php‎
Lines changed: 5 additions & 1 deletion b/‎src/Composer/DependencyResolver/SecurityAdvisoryPoolFilter.php‎
Lines changed: 5 additions & 1 deletion
@@ -43,6 +43,7 @@
         "symfony/polyfill-php73": "^1.24",
         "symfony/polyfill-php80": "^1.24",
         "symfony/polyfill-php81": "^1.24",
+        "symfony/polyfill-php84": "^1.30",
         "seld/signal-handler": "^2.0"
     },
     "require-dev": {
 
@@ -80,7 +80,7 @@ public function audit(IOInterface $io, RepositorySet $repoSet, array $packages,
 
         // we need the CVE & remote IDs set to filter ignores correctly so if we have any matches using the optimized codepath above
         // and ignores are set then we need to query again the full data to make sure it can be filtered
-        if (count($allAdvisories) > 0 && $ignoreList !== [] && $format === self::FORMAT_SUMMARY) {
+        if ($format === self::FORMAT_SUMMARY && $this->needsCompleteAdvisoryLoad($allAdvisories, $ignoreList)) {
             $result = $repoSet->getMatchingSecurityAdvisories($packages, false, $ignoreUnreachable);
             $allAdvisories = $result['advisories'];
             $unreachableRepos = array_merge($unreachableRepos, $result['unreachableRepos']);
@@ -157,6 +157,35 @@ public function audit(IOInterface $io, RepositorySet $repoSet, array $packages,
         return $auditBitmask;
     }
 
+    /**
+     * @param array<string, array<SecurityAdvisory|PartialSecurityAdvisory>> $advisories
+     * @param array<string, string>|array<string> $ignoreList
+     * @return bool
+     */
+    public function needsCompleteAdvisoryLoad(array $advisories, array $ignoreList): bool
+    {
+        if (\count($advisories) === 0) {
+            return false;
+        }
+
+        // no partial advisories present
+        if (array_all($advisories, static function (array $pkgAdvisories) {
+            return array_all($pkgAdvisories, static function ($advisory) { return $advisory instanceof SecurityAdvisory; });
+        })) {
+            return false;
+        }
+
+        if (\count($ignoreList) > 0 && !\array_is_list($ignoreList)) {
+            $ignoredIds = array_keys($ignoreList);
+        } else {
+            $ignoredIds = $ignoreList;
+        }
+
+        return array_any($ignoredIds, static function ($id) {
+            return !str_starts_with($id, 'PKSA-');
+        });
+    }
+
     /**
      * @param array<PackageInterface> $packages
      * @param string[]|array<string, string> $ignoreAbandoned
@@ -304,6 +333,7 @@ private function outputAdvisoriesTable(ConsoleIO $io, array $advisories): void
                 $headers = [
                     'Package',
                     'Severity',
+                    'Advisory ID',
                     'CVE',
                     'Title',
                     'URL',
@@ -313,16 +343,13 @@ private function outputAdvisoriesTable(ConsoleIO $io, array $advisories): void
                 $row = [
                     $advisory->packageName,
                     $this->getSeverity($advisory),
+                    $this->getAdvisoryId($advisory),
                     $this->getCVE($advisory),
                     $advisory->title,
                     $this->getURL($advisory),
                     $advisory->affectedVersions->getPrettyString(),
                     $advisory->reportedAt->format(DATE_ATOM),
                 ];
-                if ($advisory->cve === null) {
-                    $headers[] = 'Advisory ID';
-                    $row[] = $advisory->advisoryId;
-                }
                 if ($advisory instanceof IgnoredSecurityAdvisory) {
                     $headers[] = 'Ignore reason';
                     $row[] = $advisory->ignoreReason ?? 'None specified';
@@ -352,10 +379,8 @@ private function outputAdvisoriesPlain(IOInterface $io, array $advisories): void
                 }
                 $error[] = "Package: ".$advisory->packageName;
                 $error[] = "Severity: ".$this->getSeverity($advisory);
+                $error[] = "Advisory ID: ".$this->getAdvisoryId($advisory);
                 $error[] = "CVE: ".$this->getCVE($advisory);
-                if ($advisory->cve === null) {
-                    $error[] = "Advisory ID: ".$advisory->advisoryId;
-                }
                 $error[] = "Title: ".OutputFormatter::escape($advisory->title);
                 $error[] = "URL: ".$this->getURL($advisory);
                 $error[] = "Affected versions: ".OutputFormatter::escape($advisory->affectedVersions->getPrettyString());
@@ -425,6 +450,15 @@ private function getSeverity(SecurityAdvisory $advisory): string
         return $advisory->severity;
     }
 
+    private function getAdvisoryId(SecurityAdvisory $advisory): string
+    {
+        if (str_starts_with($advisory->advisoryId, 'PKSA-')) {
+            return '<href=https://packagist.org/security-advisories/'.$advisory->advisoryId.'>'.$advisory->advisoryId.'</>';
+        }
+
+        return $advisory->advisoryId;
+    }
+
     private function getCVE(SecurityAdvisory $advisory): string
     {
         if ($advisory->cve === null) {
 
@@ -196,6 +196,8 @@ public function compile(string $pharFile = 'composer.phar'): void
             'vendor/symfony/polyfill-mbstring/bootstrap80.php',
             'vendor/symfony/polyfill-php73/Resources/stubs/JsonException.php',
             'vendor/symfony/service-contracts/Attribute/SubscribedService.php',
+            'vendor/symfony/polyfill-php84/Resources/stubs/Deprecated.php',
+            'vendor/symfony/polyfill-php84/bootstrap82.php',
         ]);
     }
 
 
@@ -62,7 +62,11 @@ public function filter(Pool $pool, array $repositories): Pool
             }
         }
 
-        $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packagesForAdvisories, true);
+        $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packagesForAdvisories, true, true);
+        if ($this->auditor->needsCompleteAdvisoryLoad($allAdvisories['advisories'], $this->auditConfig->ignoreListForBlocking)) {
+            $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packagesForAdvisories, false, true);
+        }
+
         $advisoryMap = $this->auditor->processAdvisories($allAdvisories['advisories'], $this->auditConfig->ignoreListForBlocking, $this->auditConfig->ignoreSeverityForBlocking)['advisories'];
 
         $packages = [];
Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,8 @@ public function compile(string $pharFile = 'composer.phar'): void`
`196`	`196`	`'vendor/symfony/polyfill-mbstring/bootstrap80.php',`
`197`	`197`	`'vendor/symfony/polyfill-php73/Resources/stubs/JsonException.php',`
`198`	`198`	`'vendor/symfony/service-contracts/Attribute/SubscribedService.php',`
	`199`	`+ 'vendor/symfony/polyfill-php84/Resources/stubs/Deprecated.php',`
	`200`	`+ 'vendor/symfony/polyfill-php84/bootstrap82.php',`
`199`	`201`	`]);`
`200`	`202`	`}`
`201`	`203`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,11 @@ public function filter(Pool $pool, array $repositories): Pool`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
`65`		`- $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packagesForAdvisories, true);`
	`65`	`+ $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packagesForAdvisories, true, true);`
	`66`	`+ if ($this->auditor->needsCompleteAdvisoryLoad($allAdvisories['advisories'], $this->auditConfig->ignoreListForBlocking)) {`
	`67`	`+ $allAdvisories = $repoSet->getMatchingSecurityAdvisories($packagesForAdvisories, false, true);`
	`68`	`+ }`
	`69`	`+`
`66`	`70`	`$advisoryMap = $this->auditor->processAdvisories($allAdvisories['advisories'], $this->auditConfig->ignoreListForBlocking, $this->auditConfig->ignoreSeverityForBlocking)['advisories'];`
`67`	`71`
`68`	`72`	`$packages = [];`