SensioLabs Security Checker
WARNING: Don't use this piece of software anymore as the underlying web service will stop working at the end of January 2021. Instead, use the Open-Source CLI tool that does the same locally, or use the Symfony CLI tool.
As mentioned in #119, this allows passing an array of CVEs to the crawler which will then be excluded from the report.
Command line usage would look like this:
$ php security-checker security:check composer.lock --excluded-cves=CVE-2018-14773,CVE-2018-11407
I am, however, not sure if it should be implemented in this way. Maybe the API should provide an option to pass a list of CVEs to ignore?
Hello! We created a Docker image for the security checker. It's a must-have for dockerized projects, to run such tools as Docker images on a CI/CD server.
PS: If you want, I can add the security checker maintainers to the Docker Hub repo team, so you will have control over it.
Some OSes or builds of OpenSSL seem not to bundle this root certificate.
Adding it makes the security checker work and no longer show the message
An error occurred: SSL certificate problem: unable to get local issuer certificate.
This PR adds a Dockerfile.
Building the Dockerfile can be done with:
docker build -t sensiolabs/security-checker .
Running the command:
docker run -v /path/to/code/:/opt/mount/ sensiolabs/security-checker:latest
docker run -v /path/to/code/:/opt/mount/ sensiolabs/security-checker:latest --format=json
This adds an extra command to mail reports; you could then schedule the thing as a cron (e.g. @daily). I'm not sure how to handle swiftmailer options (like transport options). But it works like this for me.
Having a hard dependency on cURL is problematic. For instance, this library is a dep of SensioDistributionBundle, which is also a dep of Symfony Standard Edition. So, it means that we are forcing everyone using Symfony SE to have the PHP cURL extension installed, which is not what we want.
So, this PR falls back to using file_get_contents when cURL is not installed.
It would be great if we could have support for setting up a proxy through our env. A lot of companies (my workplace included) have a proxy server and we cannot go around it.
I needed to perform machine-parseable actions on the result set of a security analysis in order to integrate this library with our CI/CD servers, and the fastest way was to implement my own class around it.
So in order to do that, I thought it was a good idea to interface the sh*t out of things, so this PR was born.
I think this will help with #114, #119 and definitely #121 (as our use case is pretty similar to that last one).
I will be creating some implementation examples in a separate repository soon to illustrate the usage. I did not add a new command line option, but you'll have to provide a Result implementation to the
$console = new Application('SensioLabs Security Checker', SecurityChecker::VERSION);
$console->add(
    new SecurityCheckerCommand(
        new SecurityChecker(
            new Crawler()
        )
    )
);
$console->run();
$console = new Application('SensioLabs Security Checker', SecurityChecker::VERSION);
// Optional: if no object is passed on, Result will be used
$console->add(
    new SecurityCheckerCommand(
        new SecurityChecker(
            new Crawler(
                // Optional object
                new JUnitFormattedOutput()
            )
        )
    )
);
$console->run();
AFAIK, no BC issues were introduced, only new functionality was added.
Greetings and thanks for this package!
CaBundle::getSystemCaRootBundlePath() can return either the CA path or the CA file.
CURLOPT_CAINFO expects a file, so when a path is passed the security-checker command fails.
These are my system cert locations:
$ php -r 'print_r(openssl_get_cert_locations());'
Array
(
    [default_cert_file] => /usr/lib/ssl/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /usr/lib/ssl/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /usr/lib/ssl/private
    [default_default_cert_area] => /usr/lib/ssl
    [ini_cafile] =>
    [ini_capath] => /usr/lib/ssl/certs
)
If I run
vendor/bin/security-checker -vvv security:check composer.lock
with the CurlCrawler, I get the following error:
An error occurred: error setting certificate verify locations: CAfile: /usr/lib/ssl/certs CApath: /etc/ssl/certs.
With the FileGetContentsCrawler, I get the following error:
An error occurred: file_get_contents(https://security.sensiolabs.org/check_lock): failed to open stream: operation failed.
The Usage section of composer/ca-bundle recommends checking with is_dir:
Added the ability to compile security-checker into a phar archive with box.
For that it was necessary to add a little bit of code to extract the certificate to the tmp directory, because curl is not able to read from a phar stream wrapper. The code was taken from the Guzzle HTTP client, but the hash algorithm was changed from md5 to sha1.
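The two CA-bundle problems described in the posts above (a location that may be a directory rather than a file, and a bundle shipped inside a phar that libcurl cannot read through the phar:// wrapper) can both be handled before the request is made. This is an added example, not the security-checker's or composer/ca-bundle's own code; extractCaBundleFromPhar and configureCurlCaBundle are hypothetical names, and the input path is assumed to come from CaBundle::getSystemCaRootBundlePath() as mentioned on the page.

```php
<?php
// Added example, not the project's own code; function names are hypothetical.

/**
 * Copy a CA bundle that lives inside a phar to a plain file in $tmpDir: libcurl opens
 * the file itself and cannot use PHP's phar:// stream wrapper. The copy is named after
 * the sha1 of its contents, so a changed bundle never reuses a stale file.
 */
function extractCaBundleFromPhar(string $pharPath, string $tmpDir): string
{
    $contents = file_get_contents($pharPath);
    if (false === $contents) {
        throw new RuntimeException(sprintf('Unable to read CA bundle "%s".', $pharPath));
    }
    $hash = sha1($contents);
    $target = rtrim($tmpDir, '/\\').'/security-checker-cacert-'.$hash.'.pem';
    // A shared tmp dir is not trusted: reuse an existing copy only if its contents match.
    if (!is_file($target) || sha1_file($target) !== $hash) {
        if (false === file_put_contents($target, $contents, LOCK_EX)) {
            throw new RuntimeException(sprintf('Unable to write CA bundle to "%s".', $target));
        }
    }
    return $target;
}

/**
 * Point libcurl at the trust store. CURLOPT_CAINFO only accepts a single file; a
 * directory (OpenSSL hashed layout, e.g. /usr/lib/ssl/certs) must go to CURLOPT_CAPATH.
 *
 * @param resource|CurlHandle $ch
 */
function configureCurlCaBundle($ch, string $caBundlePath, ?string $tmpDir = null): void
{
    if (0 === strpos($caBundlePath, 'phar://')) {
        $caBundlePath = extractCaBundleFromPhar($caBundlePath, $tmpDir ?? sys_get_temp_dir());
    }
    // Only the trust-store location is adjusted; verification itself stays enabled.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    if (is_dir($caBundlePath)) {
        curl_setopt($ch, CURLOPT_CAPATH, $caBundlePath);
    } elseif (is_file($caBundlePath)) {
        curl_setopt($ch, CURLOPT_CAINFO, $caBundlePath);
    } else {
        throw new RuntimeException(sprintf('"%s" is neither a CA file nor a CA directory.', $caBundlePath));
    }
}

// Usage inside a cURL-based crawler: $ch = curl_init('https://security.sensiolabs.org/check_lock');
// configureCurlCaBundle($ch, \Composer\CaBundle\CaBundle::getSystemCaRootBundlePath());
```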
This PR just expands on the lovely PR that @hannob submitted earlier. #116
Basically, users can issue this command as well
$ cat /path-to-composer.lock | php security-checker security:check -
$ # or
$ cat /path-to-composer.lock | php security-checker security:check -- -
and get the same wonderful results.
Changes shouldn't affect existing users or the library's behavior.
Ran local tests with it manually by issuing the command above; it works as expected.
Thanks for reviewing.