PHP frontend for security.symfony.com

Overview

SensioLabs Security Checker

WARNING: Don't use this piece of software anymore as the underlying web service will stop working at the end of January 2021. Instead, use the Open-Source CLI tool that does the same locally, or use the Symfony CLI tool.

Comments
  • Add the ability to exclude CVEs

    As mentioned in #119, this allows passing an array of CVEs to the crawler which will then be excluded from the report.

    Command line usage would look like this:

    $ php security-checker security:check composer.lock --excluded-cves=CVE-2018-14773,CVE-2018-11407
    

    I am, however, not sure if it should be implemented in this way. Maybe the API should provide an option to pass a list of CVEs to ignore?

    opened by mark-gerarts 13
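    The filtering step that `--excluded-cves` implies, as an added example that is not code from this PR or from the security-checker project; the report layout it works on (package => version plus advisories[] with title/link/cve) is an assumption about the web service's JSON, and the sample report is constructed:

```php
<?php
// Added example, not code from the security-checker project: the filtering
// step behind --excluded-cves. The report layout (package => version plus
// advisories[] with title/link/cve) is an assumption about the service's JSON.
/** Parse "CVE-2018-14773,CVE-2018-11407" into an upper-cased lookup set. */
function parseExcludedCves(string $option): array
{
    $set = [];
    foreach (explode(',', $option) as $id) {
        $id = strtoupper(trim($id));
        if ($id !== '') {
            $set[$id] = true;
        }
    }
    return $set;
}
/**
 * Drop advisories whose CVE id is excluded; a package left with none drops
 * out of the report. Advisories without a CVE id (common in the advisories
 * database) can never match an exclusion and are always kept, so the list
 * cannot silently hide them.
 */
function filterReport(array $report, array $excluded): array
{
    $filtered = [];
    foreach ($report as $package => $info) {
        $kept = array_values(array_filter(
            $info['advisories'],
            fn (array $a): bool => ($a['cve'] ?? '') === ''
                || !isset($excluded[strtoupper($a['cve'])])
        ));
        if ($kept !== []) {
            $filtered[$package] = ['version' => $info['version'], 'advisories' => $kept];
        }
    }
    return $filtered;
}
// Constructed sample report: two packages, three advisories.
$report = [
    'vendor/package-a' => ['version' => '1.2.0', 'advisories' => [
        ['title' => 'Advisory A', 'link' => 'https://example.invalid/a', 'cve' => 'CVE-2018-14773'],
        ['title' => 'Advisory B (no CVE)', 'link' => 'https://example.invalid/b', 'cve' => ''],
    ]],
    'vendor/package-b' => ['version' => '3.0.1', 'advisories' => [
        ['title' => 'Advisory C', 'link' => 'https://example.invalid/c', 'cve' => 'CVE-2018-11407'],
    ]],
];
// package-b disappears; package-a keeps only advisory B, which has no CVE id.
$filtered = filterReport($report, parseExcludedCves('CVE-2018-14773,CVE-2018-11407'));
echo json_encode($filtered, JSON_PRETTY_PRINT), "\n";
```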
  • Added Usage for docker image

    Hello! We created a docker image for the security checker. It's a must-have for dockerized projects, to run such tools as docker images on a CI/CD server.

    PS: If you want, I can add the security checker maintainers to the Docker Hub repo team, so you will have control over it.

    opened by rakshazi 8
  • Include root certificate in certificate chain

    Some OSes or builds of openssl seem not to bundle this root certificate. Adding it makes the security checker work and stops it showing the message: An error occurred: SSL certificate problem: unable to get local issuer certificate.

    opened by smaftoul 8
  • Add Dockerfile

    This PR adds a Dockerfile.

    Building the Dockerfile can be done with:

    • docker build -t sensiolabs/security-checker .

    Running the command:

    • docker run -v /path/to/code/:/opt/mount/ sensiolabs/security-checker:latest
    • docker run -v /path/to/code/:/opt/mount/ sensiolabs/security-checker:latest --format=json
    opened by streichsbaer 5
  • add report by mail support

    This adds an extra command to mail reports; you could then schedule the thing as a cron (eg: @daily). I'm not sure how to handle swiftmailer options (like transport options). But it works like this for me.

    opened by tvlooy 5
  • removed dependency on ext-curl

    Having a hard dependency on cURL is problematic. For instance, this library is a dep of SensioDistributionBundle, which is also a dep of Symfony Standard Edition. So, it means that we are forcing everyone using Symfony SE to have the PHP cURL extension installed, which is not what we want.

    So, this PR falls back to using file_get_contents when cURL is not installed.

    opened by fabpot 4
  • Add support for $_ENV proxy variables

    It would be great if we could have support for setting up a proxy through our env. A lot of companies (my workplace included) have a proxy server and we cannot go around it.

    opened by ppassmannpriv 3
  • Use interface instead of direct implementation

    Hi!

    I needed to perform machine-parseable actions on the result set of a security analysis in order to integrate this library with our CI/CD servers, and the fastest way was to implement my own class around it.

    So in order to do that, I thought it was a good idea to interface the sh*t out of things, so this PR was born.

    I think this will help with #114, #119 and definitively #121 (as our use case is pretty similar to that last one).

    I will be creating some implementation examples in a separate repository soon to illustrate the usage. I did not add a new command line option, but you'll have to provide a Result implementation to the Crawler() object:

    before:

    $console = new Application('SensioLabs Security Checker', SecurityChecker::VERSION);
    $console->add(
        new SecurityCheckerCommand(
            new SecurityChecker(
                new Crawler()
            )
        )
    );
    $console->run();
    

    now:

    $console = new Application('SensioLabs Security Checker', SecurityChecker::VERSION);
    // Optional: if no object is passed on, Result will be used
    $console->add(
        new SecurityCheckerCommand(
            new SecurityChecker(
                new Crawler(
                    // Optional object
                    new JUnitFormattedOutput()
                )
            )
        )
    );
    $console->run();
    

    AFAIK, no BC issues were introduced, only new functionality was added.

    Greetings and thanks for this package!

    opened by unreal4u 2
  • Fix setting certificate locations

    CaBundle::getSystemCaRootBundlePath() can return either the CA path or file.

    CURLOPT_CAINFO expects a file so when passing a path security-checker command fails.

    These are my system cert locations:

    $ php -r 'print_r(openssl_get_cert_locations());'
    Array
    (
        [default_cert_file] => /usr/lib/ssl/cert.pem
        [default_cert_file_env] => SSL_CERT_FILE
        [default_cert_dir] => /usr/lib/ssl/certs
        [default_cert_dir_env] => SSL_CERT_DIR
        [default_private_dir] => /usr/lib/ssl/private
        [default_default_cert_area] => /usr/lib/ssl
        [ini_cafile] =>
        [ini_capath] => /usr/lib/ssl/certs
    )
    

    If I run vendor/bin/security-checker -vvv security:check composer.lock

    When using CurlCrawler I get the following error:

    An error occurred: error setting certificate verify locations: CAfile: /usr/lib/ssl/certs CApath: /etc/ssl/certs.

    When using FileGetContentsCrawler I get the following error:

    An error occurred: file_get_contents(https://security.sensiolabs.org/check_lock): failed to open stream: operation failed.

    The Usage section of composer/ca-bundle recommends checking with is_dir:

    https://github.com/composer/ca-bundle

    opened by darenas31415 2
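    The is_dir check this PR points to, as an added example that is not the project's own code: it keeps peer verification on for both transports the checker can use, curl (CURLOPT_CAINFO vs CURLOPT_CAPATH) and the file_get_contents fallback from the ext-curl PR above (cafile vs capath in the ssl stream context). It assumes composer/ca-bundle is installed for the CaBundle class; without it, it falls back to openssl's default cert file.

```php
<?php
// Added example, not code from the security-checker project. It applies the
// is_dir() check that composer/ca-bundle recommends to both transports the
// checker can use: curl and file_get_contents(). composer/ca-bundle is assumed
// to be installed; without it, openssl's default cert file is used instead.
use Composer\CaBundle\CaBundle;

if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

/**
 * curl options that keep peer verification on and point it at $caBundlePath.
 * CURLOPT_CAINFO accepts only a file; a directory must go to CURLOPT_CAPATH,
 * otherwise curl fails with "error setting certificate verify locations".
 */
function curlVerifyOptions(string $caBundlePath): array
{
    $opts = [CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2];
    $opts[is_dir($caBundlePath) ? CURLOPT_CAPATH : CURLOPT_CAINFO] = $caBundlePath;
    return $opts;
}

/**
 * The same decision for the https stream wrapper behind file_get_contents():
 * the ssl context takes 'cafile' for a file and 'capath' for a directory.
 */
function streamVerifyOptions(string $caBundlePath): array
{
    $ssl = ['verify_peer' => true, 'verify_peer_name' => true];
    $ssl[is_dir($caBundlePath) ? 'capath' : 'cafile'] = $caBundlePath;
    return ['ssl' => $ssl];
}

$caPath = class_exists(CaBundle::class)
    ? CaBundle::getSystemCaRootBundlePath()
    : openssl_get_cert_locations()['default_cert_file'];

printf("CA location %s is a %s\n", $caPath, is_dir($caPath) ? 'directory' : 'file');
// Both option sets are built without touching the network; plug them into
// curl_setopt_array() or stream_context_create() when making the request.
var_export(curlVerifyOptions($caPath));
echo "\n";
var_export(streamVerifyOptions($caPath));
echo "\n";
```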
  • added ability to create phar file with box

    Added the ability to compile security-checker into a phar archive with box.

    For that it was necessary to add a little bit of code to extract the certificate to the tmp directory, because curl is not able to read from a phar stream wrapper. The code part was taken from the Guzzle HTTP client, but the hash algorithm was changed from md5 to sha1.

    opened by c33s 2
  • Add documentation to the stdin PR

    Adds documentation to Hannob's old PR

    This PR just expands on the lovely PR that @hannob submitted earlier. #116

    Basically, users can issue this command as well

    $ cat /path-to-composer.lock | php security-checker security:check  -
    $   # or
    $ cat /path-to-composer.lock | php security-checker security:check -- -
    

    and get the same wonderful results.

    Impact

    Changes shouldn't affect existing users or the library's behavior.

    Tests

    Ran local tests with it manually by issuing the command above; and works as expected.

    Thanks for reviewing.

    opened by ashon-ikon 1
Related projects

  • SecurityMultiTool (Pádraic Brady, 131 stars, Oct 30, 2022): A multitool library offering access to recommended security related libraries, standardised implementations of security defences, and secure implementations of commonly performed tasks.
  • Laravel Security (Graham Campbell, 170 stars, Nov 20, 2022): Laravel Security was created by, and is maintained by Graham Campbell, and is a voku/anti-xss wrapper for Laravel, using graham-campbell/security-core.
  • Security Component (Symfony, 1.2k stars, Jan 1, 2023): The Security component provides a complete security system for your web application.
  • PHPIDS (752 stars, Jan 3, 2023): PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application.
  • PHP Security Advisories Database (1.9k stars, Dec 18, 2022): The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries.
  • Scanner for PHP.ini (psec.io, 1.5k stars, Dec 5, 2022): The Iniscan is a tool designed to scan the given php.ini file for common security practices and report back results.
  • Security (Ömer Faruk Demirel, 5 stars, Dec 2, 2022): Advanced Security Class for PHP. Features: Secure From XSS, CSRF, SQL Injection, BASE64, RFI, LFI, Command Injection, Block Suspicious Request.
  • Lightship (5 stars, Dec 15, 2022): Web page performance/seo/security/accessibility analysis, browser-less for PHP.
  • Security (Symfony, 1.5k stars, Dec 28, 2022): Security provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. It is inspired by the Java Spring framework.
  • FunboxEasy - Proving Grounds - Offensive Security (Hafiizh Ghulam, 1 star, Oct 28, 2021).
  • Hardening Interface (ataumo, 24 stars, Dec 5, 2022): Windows and macOS Hardening Interface to make security more accessible; an interface created to use the HardeningKitty service more easily.
  • Roave Security Advisories (Roave, LLC, 2.5k stars, Jan 5, 2023): Security advisories as a simple composer exclusion list, updated daily. This package ensures that your application doesn't have installed dependencies with known security vulnerabilities.
  • Security Component - Guard (Symfony, 1.4k stars, Jan 5, 2023): The Guard component brings many layers of authentication together, making it much easier to create complex authentication systems where you have total control.
  • Magento 2 Security extension FREE (Mageplaza, 40 stars, Apr 1, 2022): Security issues for Magento have left a big question mark in the community of online stores. The Security extension gives store owners the ability to detect the IP addresses that are intentionally attacking their store at any given time, so they can take timely measures such as blocking those IP addresses or sending warning emails to store owners.
  • Security Component - CSRF (Symfony, 1.5k stars, Jan 3, 2023): The Security CSRF (cross-site request forgery) component provides a class CsrfTokenManager for generating and validating CSRF tokens.
  • security-checker-action (Druid, 0 stars, May 5, 2022): Github Action which checks security issues by scanning package manager files. This action checks your composer.lock for known vulnerabilities in your package dependencies.
  • scheb/two-factor-bundle (Christian Scheb, 389 stars, Nov 15, 2022): [OUTDATED] Two-factor authentication for Symfony applications 🔐 (bundle version ≤ 4). Please use version 5 from https://github.com/scheb/2fa.