fancyguy / composer-security-check-plugin
Security check plugin for composer
License: MIT License
This might be tricky. Need to modify the InputDefinition somehow before the command runs.
Mentioned in #15. The factory method of obtaining a composer file should be replaced with the path argument provided to the validate command.
We can probably provide a checker that takes a path on local filesystem to the database.
Needs documentation on how to install, globally and per project.
Also the command options and formatters.
Add the ability to ignore by package, cve, or advisory link.
I'm not sure how I feel about this. I'd rather not allow for it, but open for it if certain use cases demand it.
```text
jeroen@Laptop:/data/repos/insecure-project$ composer audit --audit-db ../security-advisories
Fatal error: Uncaught Error: Class 'Symfony\Component\Yaml\Parser' not found in /data/repos/insecure-project/vendor/fancyguy/composer-security-check-plugin/src/Checker/OfflineChecker.php:31
Stack trace:
#0 /data/repos/insecure-project/vendor/fancyguy/composer-security-check-plugin/src/Command/AuditCommand.php(45): FancyGuy\Composer\SecurityCheck\Checker\OfflineChecker->__construct('../security-adv...', Object(Symfony\Component\Console\Style\SymfonyStyle))
#1 phar:///Users/jeroen/bin/composer.phar/vendor/symfony/console/Command/Command.php(241): FancyGuy\Composer\SecurityCheck\Command\AuditCommand->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 phar:///Users/jeroen/bin/composer.phar/vendor/symfony/console/Application.php(843): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 phar:///Users/jeroen/bin/composer.phar/vendor/symfony/console/Application in /data/repos/insecure-project/vendor/fancyguy/composer-security-check-plugin/src/Checker/OfflineChecker.php on line 31
jeroen@Laptop:/data/repos/insecure-project$ composer info
[CRITICAL] 1 package has known vulnerabilities.
doctrine/annotations v1.6.0 Docblock Annotations Parser
doctrine/cache v1.8.0 Caching library offering an object-oriented API for many cache backends
doctrine/collections v1.5.0 Collections Abstraction library
doctrine/common v2.9.0 Common Library for Doctrine projects
doctrine/event-manager v1.0.0 Doctrine Event Manager component
doctrine/inflector v1.3.0 Common String Manipulations with regard to casing and singular/plural rules.
doctrine/lexer v1.0.1 Base library for a lexer that can be used in Top-Down, Recursive Descent Parsers.
doctrine/persistence v1.0.1 Doctrine Persistence abstractions.
doctrine/reflection v1.0.0 Doctrine Reflection component
fancyguy/composer-security-check-plugin 1.1.0 Checks installed dependencies against SensioLabs security advisory database
psr/log 1.0.2 Common interface for logging libraries
symfony/icu v1.0.1 Contains an excerpt of the ICU data and classes to load it.
symfony/polyfill-ctype v1.9.0 Symfony polyfill for ctype functions
symfony/symfony v2.5.2 The Symfony PHP framework
twig/twig v1.35.4 Twig, the flexible, fast, and secure template language for PHP
```
Somehow the example commands from README.md below `Run these commands to see some sample behavior` don't work anymore.
I have tested on several Linux and Mac installs, it keeps telling me `Command "audit" is not defined`.
Only when I do `composer global require fancyguy/composer-security-check-plugin` the `audit` command works again.
I have tested on `Composer version 1.8.0 2018-12-03 10:31:16` and `Composer version 1.7.2 2018-08-16 16:57:12`.
Hi @fancyguy,
Composer 2 is released, and we always auto-update composer on all servers.
The current implementation is not Composer 2 compatible.
https://github.com/composer/composer/blob/master/UPGRADE-2.0.md#for-integrators-and-plugin-authors
Use the locker to dump a lock post dependencies solver to a temp file and scan it pre install to potentially block updating to an insecure state.
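The offline checker with a local database path, the ignore-by-package/CVE/advisory-link request and the idea of scanning lock data before install all reduce to the same loop: read the packages pinned in the lock, match them against advisory records, and filter the hits. The Python block below is an added illustration of that loop; it is not the plugin's code (the plugin is PHP, and as the stack trace above shows its OfflineChecker reads the advisory YAML files through symfony/yaml). It keeps the advisory records as already-parsed dicts in the shape of the security-advisories files (`reference`, `branches`, `versions`, `cve`, `link`) so that it runs without a YAML library. The lock excerpt reuses two package versions from the `composer info` listing above; the advisory records, CVE ids and links are constructed and describe no real vulnerability. Only the `>=`/`<`/`<=`/`>`/`==` constraint forms the advisory database uses are supported.

```python
"""Offline advisory scan of composer.lock data (added example, not plugin code)."""
import json
import re

# Constructed composer.lock excerpt; only the fields the scan needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/symfony", "version": "v2.5.2"},
        {"name": "twig/twig", "version": "v1.35.4"},
        {"name": "doctrine/cache", "version": "v1.8.0"},
    ],
    "packages-dev": [],
})

# Constructed advisory records in the layout of the security-advisories
# YAML files (one dict per file). Ids, links and ranges are made up.
SAMPLE_ADVISORIES = [
    {
        "title": "Example advisory A (constructed)",
        "link": "https://example.invalid/advisories/A",
        "cve": "CVE-0000-0001",
        "reference": "composer://symfony/symfony",
        "branches": {
            "2.5.x": {"time": "2014-07-15 00:00:00", "versions": [">=2.5.0", "<2.5.3"]},
            "2.6.x": {"time": "2014-07-15 00:00:00", "versions": [">=2.6.0", "<2.6.1"]},
        },
    },
    {
        "title": "Example advisory B (constructed)",
        "link": "https://example.invalid/advisories/B",
        "cve": None,
        "reference": "composer://twig/twig",
        "branches": {
            "1.x": {"time": "2019-01-01 00:00:00", "versions": [">=1.0.0", "<1.38.0"]},
        },
    },
]

_CONSTRAINT = re.compile(r"^(==|>=|<=|>|<|=)?\s*v?(\d[\w.\-]*)$")


def version_key(version):
    """Turn 'v2.5.2' or '1.38.0-RC1' into a comparable 4-tuple of ints.
    Pre-release suffixes are dropped, which is adequate for the release
    versions a lock file normally pins."""
    core = re.split(r"[-+]", version.lstrip("vV"))[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def satisfies(version, constraint):
    """True if `version` meets one advisory constraint such as '<2.5.3'."""
    m = _CONSTRAINT.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = (m.group(1) or "=="), m.group(2)
    a, b = version_key(version), version_key(bound)
    return {"==": a == b, "=": a == b, ">": a > b, ">=": a >= b,
            "<": a < b, "<=": a <= b}[op]


def affected(version, branches):
    """Names of the advisory branches whose every constraint matches `version`."""
    return [name for name, branch in branches.items()
            if all(satisfies(version, c) for c in branch.get("versions", []))]


def scan_lock(lock_json, advisories, ignore=None):
    """Return (findings, suppressed) for installed packages that match an advisory.

    `ignore` is {"packages": [...], "cves": [...], "links": [...]}. A hit is
    moved to `suppressed` when any of its identifiers is listed, so a report
    can still show what was deliberately skipped."""
    ignore = ignore or {}
    ign_pkg, ign_cve, ign_link = (set(ignore.get(k, [])) for k in ("packages", "cves", "links"))
    lock = json.loads(lock_json)
    installed = {p["name"]: p["version"]
                 for section in ("packages", "packages-dev") for p in lock.get(section, [])}
    by_package = {}
    for adv in advisories:
        ref = adv.get("reference", "")
        if ref.startswith("composer://"):
            by_package.setdefault(ref[len("composer://"):], []).append(adv)
    findings, suppressed = [], []
    for name, version in sorted(installed.items()):
        for adv in by_package.get(name, []):
            branches = affected(version, adv.get("branches", {}))
            if not branches:
                continue
            hit = {"package": name, "version": version, "title": adv["title"],
                   "cve": adv.get("cve"), "link": adv["link"], "branches": branches}
            ignored = name in ign_pkg or (hit["cve"] in ign_cve if hit["cve"] else False) \
                or hit["link"] in ign_link
            (suppressed if ignored else findings).append(hit)
    return findings, suppressed


if __name__ == "__main__":
    found, skipped = scan_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES, ignore={"cves": ["CVE-0000-0001"]})
    for f in found:
        print(f"[CRITICAL] {f['package']} {f['version']}: {f['title']} ({f['link']})")
    for f in skipped:
        print(f"[ignored]  {f['package']} {f['version']}: {f['title']}")
```

Run against a real checkout, the advisory dicts would come from parsing each `<vendor>/<package>/*.yaml` file under the database path, and the lock JSON from the locker instead of a file, which is what would let the same scan run before the install step. Keeping suppressed hits in the output rather than dropping them is what makes an ignore list auditable.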
Get the proxy settings from composer config and leverage them when available.
Hi @sbuzonas,
We are a web hosting company.
Is it possible to install fancyguy/composer-security-check-plugin once on a server, use it to scan one of our customer's dirs? We don't want to change anything on the sites we host.
I tried the `-d` option but that does not work because the customer does not have the `audit` command defined.
When I install into my project and run `composer audit` I see nothing, but when I run `composer validate` I get:
```text
[FancyGuy\Composer\SecurityCheck\Exception\RuntimeException]
The web service did not return alerts count.
```
composer.json
```json
"fancyguy/composer-security-check-plugin": "^1.2"
```
composer.lock
```json
"name": "fancyguy/composer-security-check-plugin",
"version": "1.2.1",
```
php 7.3 on mac OS Cat
This is connected with https://github.com/sensiolabs/security-checker/issues/149
We need to replace https://security.sensiolabs.org/ by https://security.symfony.com/