
composer-security-check-plugin's People

Contributors

jeroenvermeulen, sbuzonas


composer-security-check-plugin's Issues

Yaml class missing when using --audit-db

jeroen@Laptop:/data/repos/insecure-project$ composer audit --audit-db ../security-advisories

Fatal error: Uncaught Error: Class 'Symfony\Component\Yaml\Parser' not found in /data/repos/insecure-project/vendor/fancyguy/composer-security-check-plugin/src/Checker/OfflineChecker.php:31
Stack trace:
#0 /data/repos/insecure-project/vendor/fancyguy/composer-security-check-plugin/src/Command/AuditCommand.php(45): FancyGuy\Composer\SecurityCheck\Checker\OfflineChecker->__construct('../security-adv...', Object(Symfony\Component\Console\Style\SymfonyStyle))
#1 phar:///Users/jeroen/bin/composer.phar/vendor/symfony/console/Command/Command.php(241): FancyGuy\Composer\SecurityCheck\Command\AuditCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 phar:///Users/jeroen/bin/composer.phar/vendor/symfony/console/Application.php(843): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 phar:///Users/jeroen/bin/composer.phar/vendor/symfony/console/Application in /data/repos/insecure-project/vendor/fancyguy/composer-security-check-plugin/src/Checker/OfflineChecker.php on line 31
jeroen@Laptop:/data/repos/insecure-project$ composer info

[CRITICAL] 1 package has known vulnerabilities.
doctrine/annotations                    v1.6.0  Docblock Annotations Parser
doctrine/cache                          v1.8.0  Caching library offering an object-oriented API for many cache backends
doctrine/collections                    v1.5.0  Collections Abstraction library
doctrine/common                         v2.9.0  Common Library for Doctrine projects
doctrine/event-manager                  v1.0.0  Doctrine Event Manager component
doctrine/inflector                      v1.3.0  Common String Manipulations with regard to casing and singular/plural rules.
doctrine/lexer                          v1.0.1  Base library for a lexer that can be used in Top-Down, Recursive Descent Parsers.
doctrine/persistence                    v1.0.1  Doctrine Persistence abstractions.
doctrine/reflection                     v1.0.0  Doctrine Reflection component
fancyguy/composer-security-check-plugin 1.1.0   Checks installed dependencies against SensioLabs security advisory database
psr/log                                 1.0.2   Common interface for logging libraries
symfony/icu                             v1.0.1  Contains an excerpt of the ICU data and classes to load it.
symfony/polyfill-ctype                  v1.9.0  Symfony polyfill for ctype functions
symfony/symfony                         v2.5.2  The Symfony PHP framework
twig/twig                               v1.35.4 Twig, the flexible, fast, and secure template language for PHP

[FancyGuy\...\RuntimeException] The web service did not return alerts count.

When I install into my project and run composer audit I see nothing,
but when I run composer validate I get:

[FancyGuy\Composer\SecurityCheck\Exception\RuntimeException]
The web service did not return alerts count.
composer.json

"fancyguy/composer-security-check-plugin": "^1.2"

composer.lock

"name": "fancyguy/composer-security-check-plugin",
"version": "1.2.1",

PHP 7.3 on macOS Cat

Scan other Composer dir

Hi @sbuzonas,

We are a web hosting company.

Is it possible to install fancyguy/composer-security-check-plugin once on a server and use it to scan one of our customers' dirs? We don't want to change anything on the sites we host.

I tried the -d option but that does not work because the customer does not have the audit command defined.

Ignore capability

Add the ability to ignore by package, CVE, or advisory link.

I'm not sure how I feel about this. I'd rather not allow for it, but open for it if certain use cases demand it.

Add check after solver

Use the locker to dump a lock file post-dependency-solver to a temp file and scan it pre-install, to potentially block updating to an insecure state.

Needs a readme

Needs documentation on how to install, globally and per project.

Also the command options and formatters.

Project install does not work anymore

Somehow the example commands from README.md below "Run these commands to see some sample behavior" don't work anymore.
I have tested on several Linux and Mac installs; it keeps telling me Command "audit" is not defined.
Only when I do

composer global require fancyguy/composer-security-check-plugin

does the audit command work again.
I have tested on

Composer version 1.8.0 2018-12-03 10:31:16

and

Composer version 1.7.2 2018-08-16 16:57:12

Create offline checker

We can probably provide a checker that takes a path on local filesystem to the database.
