This will help you check your PHP project dependencies against the CVE compiled by FriendsOfPHP.
It will analyze your composer.lock file and show if some versions are
affected by a vulnerability.
You can install phpsecscan using:
- binenv (https://github.com/devops-works/binenv)
- using binaries in the releases page
- using the docker image (https://hub.docker.com/r/devopsworks/phpsecscan)
makeexport VERSION=$(git describe --tags --always --dirty)
docker build . -t name/phpsecscan:${VERSION} --build-arg version=${VERSION} --build-arg builddate=$(date -u '+%Y%m%d.%H%M%S')
docker tag name/phpsecscan:${VERSION} name/phpsecscan:latestCan be run standalone of as a server.
Usage:
phpsecscan
[-port 8000]
[-repo https://github.com/FriendsOfPHP/security-advisories.git]
[-gitdir /tmp/XYZ]
[-interval 600]
[file]Options:
gitdir(defaults to some random temp dir): path to store CVE git checkouthorhelp: help usageport(default "8080"): server portrepo(default "https://github.com/FriendsOfPHP/security-advisories.git"): CVE repository URLserver(default false): start as a web serverinterval(default 600): refresh interval to sync CVEs
docker run -v /path/to/composer.lock:/composer.lock devopsworks/phpsecscan /composer.lock./phpsecscan composer.lock./phpsecscan -gitdir ./cvecurl localhost:8080/check --data @/path/to/project/composer.lock- github app
- gitlab app
- Vue.js front end
- prometheus exporter
https://github.com/sensiolabs/security-checker https://snyk.io/docs/snyk-for-php https://github.com/marketplace/sonatype-depshield https://ossindex.sonatype.org/