Sometimes the real world happens, and you want to whitelist a security issue. There are multiple valid reasons for doing this like for example the code path with the vulnerability isn't reachable

i would think something like would work, --whitelist identifier where identifier could be a CVE or GHSA or other ID

Hello,

I am using this package through https://github.com/Jorijn/laravel-security-checker . When using this package on one server with multiple users(user1, user2), user1 is the owner of the file /tmp/php_security_advisories.json. So any attempt to run the security checker with user2 gives me a 'Permission Denied'.

user1 works completely as expected. user2 gets the following error:

file_put_contents(/tmp/php_security_advisories.json): failed to open stream: Permission denied. vendor/enlightn/security-checker/src/AdvisoryFetcher.php:138

Possible solution: Maybe the library on user1 could delete the files when its done with them, so user2 can put the required files there when it needs to.

Best regards, Thomas

Downloaded latest phar file. Attempting to execute with php ./security-checker.phar security:check ./composer.lock --no-dev --temp-dir=/tmp. It fails with message:

PHP Fatal error:  Uncaught Error: Class 'Symfony\Component\Process\ExecutableFinder' not found in phar:///apps/foobar/security-checker.phar/src/ZipExtractor.php:39
Stack trace:
#0 phar:///apps/foobar/security-checker.phar/src/ZipExtractor.php(19): Enlightn\SecurityChecker\ZipExtractor->unzipCommandExists()
#1 phar:///apps/foobar/security-checker.phar/src/AdvisoryFetcher.php(44): Enlightn\SecurityChecker\ZipExtractor->extract()
#2 phar:///apps/foobar/security-checker.phar/src/SecurityChecker.php(25): Enlightn\SecurityChecker\AdvisoryFetcher->fetchAdvisories()
#3 phar:///apps/foobar/security-checker.phar/src/SecurityCheckerCommand.php(64): Enlightn\SecurityChecker\SecurityChecker->check()
#4 phar:///apps/foobar/security-checker.phar/vendor/symfony/console/Command/Command.php(256): Enlightn\SecurityChecker\SecurityCheckerCommand->execute()
#5 phar:///apps/foobar/security-checker.phar/vendor/symfony/console/Application.php(971): Symfony\Component\Console\Command\Command->run()
#6 phar:///apps/foobar/security-checker.phar/vendor/symfony/console/Applicatio in phar:///apps/rti/security-checker.phar/src/ZipExtractor.php on line 39

Source OS is Ubuntu 20.04LTS. Local PHP cli version is:

PHP 7.4.21 (cli) (built: Jul  1 2021 16:09:23) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.21, Copyright (c), by Zend Technologies

Tested with and without Ubuntu unzip package installed. Thoughts?

The problem is that all occurrences of "v" in the version string are replaced by nothing. This leads to the version "dev-master" becoming "de-master": https://github.com/enlightn/security-checker/blob/ba15c4cc33499f2652f788273b7cf73cc174e7dc/src/Composer.php#L38

And therefore the implemented comparison in "isDevPackage" never matches: https://github.com/enlightn/security-checker/blob/ba15c4cc33499f2652f788273b7cf73cc174e7dc/src/AdvisoryAnalyzer.php#L109

Apart from that, the ending delimiter is missing in this regular expression: https://github.com/enlightn/security-checker/blob/ba15c4cc33499f2652f788273b7cf73cc174e7dc/src/AdvisoryAnalyzer.php#L42

First of all: thank you very much for making this available! In lieu of the Sensiolabs deprecation, it is much appriciated. 🙌

Now, to my issue...

The security-checker CLI file contains a line prompting people to run curl -sS https://getcomposer.org/installer | php.

For a security package, I find this in rather poor judgment.

I would strongly suggest that it would be better to just direct users to https://getcomposer.org/download/ and ask them to follow the instructions there.

Security issues aside, it can be confusing for users, as composer might be installed but simply not (yet) have run.

Less experienced users are likely to follow the suggestion ad-verbatim, which could lead to all sorts of trouble (which could easily be avoided by educating the user via the Composer install guide).

If you concur, I don't mind following up with an MR to make this happen.

Has the phar version at https://www.laravel-enlightn.com/security-checker.phar been updated to the latest version?

I'm running it on PHP 8.1.2 and getting:

Fatal error: Uncaught Error: Class "Symfony\Component\Process\ExecutableFinder" not found in phar:///Users/myuser/myapp/php-security-checker/src/ZipExtractor.php:39

Just realized that the --no-dev option added today in https://github.com/enlightn/security-checker/pull/14 needs to be VALUE_NONE for it to work. This PR fixes the bug.

Like "No known security vulnerabilities found.✓"

At least with one of the verbosity options.

Otherwise you don't knot if the command did something at all.

Closes #20.

This feature allow a list of vulnerabilities to be ignored when checking.

Use:

php security-checker security:check /path/to/composer.lock --allow-list CVE-2018-15133 --allow-list "untrusted X-XSRF-TOKEN value"

Some vulnerabilities does not have the CVE code, for these we can pass the title as shown in the example

There where no breaking changes since i just added a option to the command and all tests are passing

Hey there,

Thanks very much for this tool firstly.

Secondly, I've made a small change (+ tests) to add an optional flag on the CLI, to wire up the existing excludeDev flag that existed under the hood.

I used --no-dev to match the composer flag for install.

I've tried to make sure it makes sense, let me know what you think.

This PR drops the ext-zip requirement by introducing a ZipExtractor class. This class extracts the zip using the unzip command (if it exists) and deferring to the ZipArchive (requiring ext-zip) if it doesn't.

If both the unzip command and ext-zip don't exist, it throws a RuntimeException. It is unlikely that both don't exist as Composer itself needs either of them to work properly.

The security checker now has a hard dependency on guzzlehttp/guzzle, which unfortunately had a few security issues in the last weeks. So even when not using guzzlehttp in your application, this would generate a security warning.

By following https://docs.php-http.org/en/latest/httplug/library-developers.html we implemented ClientDiscovery so an existing PSR-18 compatible HTTP client (i.e. symfony/http-client) could be reused.

Unfortunately this is not possible while keeping PHP 5.6 support because psr/http-factory requires >= 7.0.

Is this acceptable for a 1.11 release or should it target a 2.0 release? composer.json must be updated according to this choice..

See https://github.com/enlightn/security-checker/pull/29

The security checker now has a hard dependency on guzzlehttp/guzzle, which unfortunately had a few security issues in the last weeks. So even when not using guzzlehttp in your application, this would generate a security warning.

By following https://docs.php-http.org/en/latest/httplug/library-developers.html we implemented ClientDiscovery so an existing PSR-18 compatible HTTP client (i.e. symfony/http-client) could be reused.

Unfortunately this is not possible while keeping PHP 5.6 support because psr/http-factory requires >= 7.0.

Is this acceptable for a 1.11 release or should it target a 2.0 release? composer.json must be updated according to this choice..

Closes #22

Add an --use-ext option in order to provide a way to force a specific zip tool as the follow:

php security-checker security:check /path/to/composer.lock --use-ext system-unzip

We can use system-unzip force system unzip command and zip-extension to force PHP Zip Extension and any other option will be silently ignored.

Some considerations:

1. If we chose for zip-extension explicitly and the zip extension is not installed than an exception will be thrown, should it be handled?
2. If we chose for system-unzip explicitly and the unzip command does not exists than an error will happen, should it be handled?
3. Because the classes are very coupled with the new operator i was not able to test very well without very clumsy mock strategies, i just wrote a test to ensure that ti code is running fine and nothing is broken.

Hi,

This change has broken this tool for me.

I am using the php:7.1-fpm-alpine Docker image and trying to run the security-checker fails with the following error:

v1.7.0 works fine:

I presume the problem is that the version of unzip within BusyBox cannot handle the zip file:

Because it works fine on the unzip command in my host OS (Ubuntu 20.04

Cheers!

Dan