I am working on a PHP project that uses composer, but some of the dependencies are very old, including the PHP version. We are trying to convince the client to upgrade the version of PHP and consequently all other dependencies. We would like to run an analysis on the existing dependencies and look for known vulnerabilities in them.
Are there any tools available for PHP that run a dependency check?
I have done this with Ruby projects using bundle audit, but I haven't been able to find a similar tool for PHP.
Roave Security Advisories is a composer package that will ensure your dependencies do not have security vulnerabilities. The checks are only executed when adding a new dependency via composer require or when running composer update: deploying an application with a valid composer.
Well, there's the Composer package from Roave (https://github.com/Roave/SecurityAdvisories) but the reporting on the libraries is completely up to the project. It checks against the database from this repository: https://github.com/FriendsOfPHP/security-advisories
A lot of the major projects have their issues posted there but as it's pretty voluntary it might not be as wide-spread as you're hoping for. Hope this helps.
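A minimal offline check of the kind the answer describes, added here as an example (not code from Roave or FriendsOfPHP): it audits the packages in a composer.lock against advisory records shaped like the FriendsOfPHP YAML entries. The lock file excerpt, package names and advisory are constructed, and pre-release suffixes are ignored for brevity.

```python
import json
import re

# Constructed composer.lock excerpt (not taken from any real project).
COMPOSER_LOCK = json.loads("""{"packages": [
  {"name": "acme/example-lib", "version": "v2.2.0"},
  {"name": "acme/other-lib", "version": "1.4.3"},
  {"name": "acme/dev-lib", "version": "dev-main"}], "packages-dev": []}""")

# Constructed records shaped like the FriendsOfPHP YAML advisories (title plus
# branches -> versions constraints). A real run would load them with PyYAML from
# a checkout of https://github.com/FriendsOfPHP/security-advisories (assumption).
ADVISORIES = {
    "acme/example-lib": [{
        "title": "Constructed example advisory",
        "branches": {"2.x": {"versions": [">=2.0.0", "<2.3.1"]}},
    }],
}

def parse_version(v):
    """'v2.2.0' -> (2, 2, 0). Returns None for dev-* versions; pre-release
    suffixes are ignored (a simplification of Composer's own comparison)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """Evaluate one constraint such as '<2.3.1' against a version string."""
    op, _, target = re.match(r"(>=|<=|>|<|==|=)?(\s*)(.+)", constraint).groups()
    v, t = parse_version(version), parse_version(target)
    if v is None or t is None:
        return False  # not comparable: never report a dev-* version as affected
    return {">=": v >= t, "<=": v <= t, ">": v > t, "<": v < t}.get(op, v == t)

def affected(version, advisory):
    # Affected if every constraint of at least one branch holds.
    return any(all(satisfies(version, c) for c in b["versions"])
               for b in advisory["branches"].values())

def audit(lock, advisories):
    """Return (package, version, advisory title) for every matching advisory."""
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        for adv in advisories.get(pkg["name"], []):
            if affected(pkg["version"], adv):
                findings.append((pkg["name"], pkg["version"], adv["title"]))
    return findings
```

Run `audit(COMPOSER_LOCK, ADVISORIES)` against a real lock file and a loaded advisory directory to get the list of affected packages; only `acme/example-lib` is reported for the constructed data.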