PHP security vulnerabilities checker

Local PHP Security Checker

The Local PHP Security Checker is a command line tool that checks if your PHP application depends on PHP packages with known security vulnerabilities. It uses the FriendsOfPHP Security Advisories Database behind the scenes.

Download a binary from the Releases page on Github, rename it to local-php-security-checker and make it executable.

From a directory containing a PHP project that uses Composer, check for known vulnerabilities by running the binary without arguments or flags:

$ local-php-security-checker

You can also pass --path to check a specific project directory or a specific composer.lock file:

$ local-php-security-checker --path=/path/to/php/project
$ local-php-security-checker --path=/path/to/php/project/composer.lock

By default, the output is optimized for terminals; change it via the --format flag (supported formats: ansi, markdown, json, and yaml):

$ local-php-security-checker --format=json

Each run checks whether the vulnerability database has changed since the last run and, if so, downloads the new version from GitHub. If you want to avoid the HTTP round-trip, use --local. To force a database update without checking a project, use --update-cache.

Comments
  • Gitlab CI docs

    This is for the docs.

    I was previously using the Sensiolabs security service in GitLab CI with a script like this:

     script:
        - test -d security-checker || git clone https://github.com/sensiolabs/security-checker.git
        - cd security-checker
        - composer install
        - php security-checker security:check ../composer.lock
    

    Since that service no longer operates, I have changed it to use this new local checker like this:

    script:
        - curl -L -sS --output local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v1.0.0/local-php-security-checker_1.0.0_linux_amd64
        - chmod +x ./local-php-security-checker
        - ./local-php-security-checker
    

    This works fine for now, but I'd really like to see a simple way of abstracting the version and the OS target so that CI systems using it work more easily across platforms and require fewer changes when updates are released, as the old system effectively did.

  • mark the old package as deprecated

    Hi @fabpot

    is it possible to mark the previous old repo https://github.com/sensiolabs/security-checker as deprecated in the composer.json info, and to suggest this new one instead?

    thanks :)

    Laurent

  • /usr/local/bin/local-php-security-checker: cannot execute binary file: Exec format error

    Hi,

    I used to use the composer package sensiolabs/security-checker but going to migrate to this version instead. For my projects, I use Bitbucket Pipelines as CI, and a custom Docker container.

    In my Docker file, I added:

    RUN curl -L https://github.com/fabpot/local-php-security-checker/releases/download/v1.0.0/local-php-security-checker_1.0.0_linux_386 --output local-php-security-checker
    RUN mv local-php-security-checker /usr/local/bin/local-php-security-checker && chmod 755 /usr/local/bin/local-php-security-checker
    

    On my local machine (in the same Docker container), this works perfectly:

    $ uname -a
    Linux b0222c2ba17a 4.19.121-linuxkit #1 SMP Tue Dec 1 17:50:32 UTC 2020 x86_64 GNU/Linux
    $ local-php-security-checker --help
    Local PHP Security Checker 1.0.0, built at 2021-01-15T07:03:28Z
    

    but in the CI, I get the following error:

    $ uname -a
    Linux cfa5b71e-b3aa-4362-a8b4-c83549ef393a-7xrjl 5.6.0 #1 SMP Thu Nov 12 07:09:22 UTC 2020 x86_64 GNU/Linux
    $ local-php-security-checker
    bash: /usr/local/bin/local-php-security-checker: cannot execute binary file: Exec format error
    

    I checked and the container is still x86_64 so I think I should use the linux_386 build.

    Any suggestion what's going wrong?

  • Direct download link to the latest version

    Since the binaries on the release page have the version number in them, there is currently no direct link that always points to the latest version.

    A direct link would help automate the deployment of this tool and keeping it up-to-date (that or an auto-update mechanism would also help).

    In the meantime, I'll have to resort to something like this:

    curl -s https://api.github.com/repos/fabpot/local-php-security-checker/releases/latest | grep -E "browser_download_url(.+)darwin_amd64" | cut -d : -f 2,3 | tr -d \" | wget -qi -
    

    Note that you need to replace darwin_amd64 with the correct architecture for your system.

    EDIT:

    Also, would it be possible to use standard system and architecture names? For instance, I'm using the following to install docker-compose with Ansible:

    https://github.com/docker/compose/releases/download/{{ docker_compose_version }}/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}
    

    Which gets translated to:

    https://github.com/docker/compose/releases/download/1.28.0/docker-compose-Linux-x86_64
    

    Notable differences:

    • No version number in the filename itself
    • System name with a capital letter (e.g. Linux)
    • Architecture name (e.g. x86_64)

    Therefore, it would already be a lot better for automated provisioning if the download link for the v1.0.0 was:

    https://github.com/fabpot/local-php-security-checker/releases/download/v1.0.0/local-php-security-checker-Linux-x86_64
    

    Note: variable docker_compose_version is dynamically set by browsing the GitHub API, which we can also do here.

  • execution in Docker container: You are being redirected

    I ran the command: local-php-security-checker --path="$PROJECTMAPPINGFOLDER" and got:

    /usr/local/bin/local-php-security-checker: line 1: `<html><body>You are being <a href="https://github-production-release-asset-2e65be.s3.amazonaws.com/329834563/e8f5bc80-56ff-11eb-95af-4f2e26378770?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210117%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20210117T204316Z&amp;X-Amz-Expires=300&amp;X-Amz-Signature=edca856d7204466a127b6c8cbf20a41531d8a89bdd0b65eb883beb16c4f24656&amp;X-Amz-SignedHeaders=host&amp;actor_id=0&amp;key_id=0&amp;repo_id=329834563&amp;response-content-disposition=attachment%3B%20filename%3Dlocal-php-security-checker_1.0.0_linux_amd64&amp;response-content-type=application%2Foctet-stream">redirected</a>.</body></html>'
    

    https://github-production-release-asset-2e65be.s3.amazonaws.com/329834563/e8f5bc80-56ff-11eb-95af-4f2e26378770?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210117%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210117T204316Z&X-Amz-Expires=300&X-Amz-Signature=edca856d7204466a127b6c8cbf20a41531d8a89bdd0b65eb883beb16c4f24656&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=329834563&response-content-disposition=attachment%3B%20filename%3Dlocal-php-security-checker_1.0.0_linux_amd64&response-content-type=application%2Foctet-stream

    my Dockerfile uses image php:8.0-fpm

  • [JUnit] Fix multiple vulns

    When a package has multiple vulnerabilities, the junit format only reports one, which is not the intended use case.

    As reported here: https://github.com/fabpot/local-php-security-checker/pull/23#issuecomment-1167245415

    Sample with the following composer.json

    {
      "require": {
        "guzzlehttp/guzzle": "7.4.2"
      }
    }
    

    Currently the result is the following:

    ./local-php-security-checker --path=test/ --format=junit
      <testsuites name="Symfony Security Check Report">
          <testsuite package="" errors="0" failures="1" tests="1">
              <testcase name="guzzlehttp/guzzle (7.4.2)" classname="packages">
                  <failure>CVE-2022-31091 - Change in port should be considered a change in origin (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699)</failure>
              </testcase>
          </testsuite>
      </testsuites>
    

    With the modification I did:

    ./local-php-security-checker --path=test/ --format=junit
      <testsuites name="Symfony Security Check Report">
          <testsuite package="" errors="0" failures="1" tests="1">
              <testcase name="guzzlehttp/guzzle (7.4.2)" classname="packages">
                  <failure>CVE-2022-29248 - Cross-domain cookie leakage (https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3)</failure>
                  <failure>CVE-2022-31042 - Failure to strip the Cookie header on change in host or HTTP downgrade (https://github.com/guzzle/guzzle/security/advisories/GHSA-f2wf-25xc-69c9)</failure>
                  <failure>CVE-2022-31043 - Fix failure to strip Authorization header on HTTP downgrade (https://github.com/guzzle/guzzle/security/advisories/GHSA-w248-ffj2-4v5q)</failure>
                  <failure>CVE-2022-31090 - CURLOPT_HTTPAUTH option not cleared on change of origin (https://github.com/guzzle/guzzle/security/advisories/GHSA-25mq-v84q-4j7r)</failure>
                  <failure>CVE-2022-31091 - Change in port should be considered a change in origin (https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699)</failure>
              </testcase>
          </testsuite>
      </testsuites>
    
  • Unable to download security-advisories zip file

    After learning about this project today and installing it for the first time, I've been having some trouble obtaining the security-advisories database. I can access it via curl without difficulty, but am having no luck via the local-php-security-checker binary. Instead, an "unable to load the advisory DB: unable to fetch advisories" error is reported:

    ᐅ curl https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  554k  100  554k    0     0   962k      0 --:--:-- --:--:-- --:--:--  961k
    
    ᐅ ./local-php-security-checker --help
    Local PHP Security Checker 1.0.0, built at 2021-01-15T07:03:28Z
    
    ᐅ ./local-php-security-checker
    unable to load the advisory DB: unable to fetch advisories: Get "https://codeload.github.com/FriendsOfPHP/security-advisories/zip/master": dial tcp: lookup codeload.github.com on [::1]:53: read udp [::1]:64419->[::1]:53: read: connection refused
    
  • 64-bit Windows binary doesn't work

    Windows 10 Pro Core i7-7700

    In Git bash, uname -m returns x86_64

    The 64-bit binary should work but doesn't. It gives this error when invoked from the command line.

    Exception 0xc0000005 0x0 0x7ffc49d10fff 0x187f5f80000
    PC=0x187f5f80000
    
    runtime: unknown pc 0x187f5f80000
    stack: frame={sp:0x422bffe820, fp:0x0} stack=[0x0,0x422bffff00)
    

    The 32-bit release works but it's not ideal to run the 32-bit executable on a 64-bit CPU.

  • FR: have a release called "latest"

    When downloading a binary in a CI/CD pipeline it would be ideal to always download the "latest" release. The current latest is for example:

    https://github.com/fabpot/local-php-security-checker/releases/download/v1.0.0/local-php-security-checker_1.0.0_darwin_amd64

    Would be great to have something like:

    https://github.com/fabpot/local-php-security-checker/releases/download/latest/local-php-security-checker_darwin_amd64

    with the latter URL always serving the latest release
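    The platform and version juggling raised in the "Exec format error", "Direct download link to the latest version", "You are being redirected" and "latest" comments above can be handled by one small helper. The script below is an added example, not the project's code and not something the maintainer proposed. It assumes the asset naming scheme visible on the releases page (local-php-security-checker_<version>_<os>_<arch>, with .exe on Windows), the tag_name field of GitHub's "latest release" API response, and an optional operator-supplied sha256 pin; the OS and architecture tables only cover the targets that appear on this page.

```python
"""Resolve and fetch the local-php-security-checker release asset for this host.

Added example, not part of the project. Asset naming, API field and digest pin
are assumptions described in the text above.
"""
import hashlib
import json
import os
import platform
import urllib.request
from typing import Optional

REPO = "fabpot/local-php-security-checker"
LATEST_API = f"https://api.github.com/repos/{REPO}/releases/latest"

# Only the targets that appear on this page; extend if newer releases ship more.
OS_NAMES = {"linux": "linux", "darwin": "darwin", "windows": "windows"}
ARCH_NAMES = {"x86_64": "amd64", "amd64": "amd64", "i386": "386", "i686": "386"}


def version_from_release_json(body: str) -> str:
    """Return '1.0.0' from a 'latest release' API response whose tag_name is 'v1.0.0'."""
    tag = json.loads(body)["tag_name"]
    return tag[1:] if tag.startswith("v") else tag


def asset_name(version: str, system: str, machine: str) -> str:
    """Map platform.system()/platform.machine() values onto the release asset file name."""
    try:
        os_name = OS_NAMES[system.lower()]
        arch = ARCH_NAMES[machine.lower()]  # x86_64 hosts get the amd64 build, not 386
    except KeyError as exc:
        raise ValueError(f"no known release asset for {system}/{machine}") from exc
    name = f"local-php-security-checker_{version}_{os_name}_{arch}"
    return name + ".exe" if os_name == "windows" else name


def asset_url(version: str, system: str, machine: str) -> str:
    """Versioned download URL in the form used on the releases page."""
    return f"https://github.com/{REPO}/releases/download/v{version}/{asset_name(version, system, machine)}"


def download(version: str, dest: str = "local-php-security-checker",
             expected_sha256: Optional[str] = None) -> str:
    """Fetch the binary for this host, following GitHub's redirect to the asset store.

    expected_sha256 is a digest you pinned yourself after a first trusted download
    (assumption: no checksum file is shown on this page). Without it the only check
    is that an HTML redirect page was not saved as the binary.
    """
    url = asset_url(version, platform.system(), platform.machine())
    req = urllib.request.Request(url, headers={"Accept": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        # urllib follows the 302; a curl without -L stores the redirect page instead,
        # which is exactly the "You are being redirected" failure above.
        if resp.status != 200 or "text/html" in resp.headers.get("Content-Type", ""):
            raise RuntimeError(f"unexpected response for {url}: {resp.status}")
        data = resp.read()
    digest = hashlib.sha256(data).hexdigest()
    if expected_sha256 and digest != expected_sha256.lower():
        raise RuntimeError(f"sha256 mismatch for {dest}: got {digest}")
    with open(dest, "wb") as f:
        f.write(data)
    os.chmod(dest, 0o755)
    return digest


def download_latest(dest: str = "local-php-security-checker") -> str:
    """Resolve the newest tag through the API, then fetch it. Returns the version."""
    with urllib.request.urlopen(LATEST_API, timeout=30) as resp:
        version = version_from_release_json(resp.read().decode("utf-8"))
    download(version, dest)
    return version


if __name__ == "__main__":
    print(download_latest())
```

    Resolving "latest" at build time means a new release changes your pipeline silently; for CI, call download() with the version and the digest you recorded from a first download instead of download_latest(), and bump both deliberately.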

  • Take input format for github action output

    The "raw_json" format doesn't exist in the formatter file, so the GitHub Action output was always empty.

    I have chosen to use the same output as requested by the user. Another solution could be to add the raw_json format.

    What do you think about this choice ?

  • FR: Option to ignore certain vulnerabilities

    suggestion: Hi. It would be cool if this neat tool would offer the possibility to ignore certain vulnerabilities. While it might lead to some people ignoring dangerous things just to make their pipeline work, sometimes there is a legit reason.

    Right now I am facing the issue that the version of a library I am using has a CVE published but I am not using the affected component at all. Now I am facing the decision to allow my pipeline to pass when a vulnerability is detected or jump through a lot of hoops to update to a version I don't need.

    What do you think?
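    One way to get the behaviour requested above without a change to the tool is to post-process the --format=json report in the pipeline. The wrapper below is an added example, not part of the project. It assumes the JSON report is a map from package name to {"version": ..., "advisories": [{"title", "cve", "link"}, ...]} (an assumption about the field names; compare with one real report before relying on it), and it reads an ignore file whose entries carry a reason and an expiry date, so an exception has to be renewed rather than forgotten. The sample report and ignore list are constructed, reusing advisory identifiers quoted in the JUnit comment above.

```python
"""Apply a reviewed ignore list to the checker's --format=json report.

Added example, not part of the project. The report layout below is an
assumption about the tool's JSON output.
"""
import json
import sys
from datetime import date

# Constructed sample report (assumed layout: package -> version + advisories).
SAMPLE_REPORT = {
    "guzzlehttp/guzzle": {
        "version": "7.4.2",
        "advisories": [
            {"title": "Cross-domain cookie leakage", "cve": "CVE-2022-29248",
             "link": "https://github.com/guzzle/guzzle/security/advisories/GHSA-cwmx-hcrq-mhc3"},
            {"title": "Change in port should be considered a change in origin", "cve": "CVE-2022-31091",
             "link": "https://github.com/guzzle/guzzle/security/advisories/GHSA-q559-8m2m-g699"},
        ],
    }
}

# Constructed ignore list: every entry needs a reason and an expiry so exceptions do not rot.
SAMPLE_IGNORES = {
    "CVE-2022-31091": {"reason": "redirect path is not used; origin is fixed", "expires": "2022-12-31"},
    "CVE-2022-29248": {"reason": "old exception, never renewed", "expires": "2022-01-31"},
}


def advisory_key(adv: dict) -> str:
    """Advisories without a CVE are identified by their link instead."""
    return adv.get("cve") or adv.get("link") or adv.get("title", "")


def filter_report(report: dict, ignores: dict, today: str):
    """Split a report into (remaining, suppressed); an expired ignore counts as absent."""
    today_d = date.fromisoformat(today)
    remaining, suppressed = {}, []
    for package, info in (report or {}).items():
        keep = []
        for adv in info.get("advisories", []):
            key = advisory_key(adv)
            entry = ignores.get(key)
            if entry and date.fromisoformat(entry["expires"]) >= today_d:
                suppressed.append({"package": package, "id": key, "reason": entry["reason"]})
            else:
                keep.append(adv)
        if keep:
            remaining[package] = {**info, "advisories": keep}
    return remaining, suppressed


def main(argv) -> int:
    """usage: local-php-security-checker --format=json | python ignore_filter.py ignores.json"""
    with open(argv[1]) as f:
        ignores = json.load(f)
    raw = sys.stdin.read()
    report = json.loads(raw) if raw.strip() else {}  # tolerate an empty report
    remaining, suppressed = filter_report(report, ignores, date.today().isoformat())
    for s in suppressed:
        print(f"ignored {s['id']} in {s['package']}: {s['reason']}", file=sys.stderr)
    print(json.dumps(remaining, indent=2))
    return 1 if remaining else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    The pipeline step fails only on advisories that are neither ignored nor expired, and every suppression is printed with its reason so the exception stays visible in the job log. Keep the ignore file in the repository and review it like code.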

  • Support disabling colors (ANSI escape sequences)

    We are running local-php-security-checker as CI job. The output of the tool is shown in the CI system and recorded in a file that is displayed to the user. In both cases, the ANSI escape characters can not be interpreted and the raw escape codes are shown.

    This makes the output a bit unreadable.

    It would be great if it would be possible to disable the usage of ANSI escape sequences in the output. A solution could be:

    • support a -format command-line value auto. auto would use ANSI escape sequences if an interactive terminal is used and the environment variable NO_COLOR is not set. Otherwise the output would use ANSI escape sequences. Optionally also a plain could be added that would always print non-ansi output. To keep the CLI backwards compatible, the ansi option could be kept and use the current format. If you are willing to make a breaking change and want to keep it more simple, we could make auto the default, remove the ansi option and not have a plain option.

    An easy way to realize it could be to use the https://github.com/fatih/color package for coloring. It supports already using colors only on interactive terminals and NO_COLOR. It also has support for windows, this might also fix the issue https://github.com/fabpot/local-php-security-checker/issues/53.

    Let me know if I should provide a Pull-Request to make that change and if you would prefer using https://github.com/fatih/color or reimplementing the logic to disable colors.

  • Windows: the ANSI output is wrongly displayed

    I'm using Windows/10 latest version and cmd.exe as console. I downloaded https://github.com/fabpot/local-php-security-checker/releases/download/v2.0.4/local-php-security-checker_2.0.4_windows_amd64.exe

    Running this locally gives no ANSI output. But the window does support ANSI, as you can see by the Composer output and Laravel artisan output above.

    I expect to see correct interpreted ansi escape sequences or, if that is not possible, a fallback to plain text. The output produced now is unreadable. I had to use --format=json to understand the output.

  • Invalid parsing of commits constraints

    Hi there,

    It seems like the checker does not parse constraints like this one "robrichards/xmlseclibs": "2.0.x-dev#1369dd1" properly. It should be covered by https://github.com/FriendsOfPHP/security-advisories/blob/master/robrichards/xmlseclibs/CVE-2019-3465.yaml but the checker ignores this rule and tells me that everything is fine.

    Could you please advise?

  • Feature Idea: /vendor/composer/installed.json Check

    Hi,

    first, thank you for delivering such great software again and again.

    A little background: I work as a Pentester and I found a website that was exposing the file /vendor/composer/installed.json but not composer.lock. I wanted to check for advisories for the used packages but that is not possible with your tool out of the box. I had to change the json slightly.

    I have thought about adding the ability to read this file for this tool. However, I am not sure if this is useful. Maybe it is not the domain that this tool has.

    What do you think?

    I'm happy to contribute myself if you think it's useful!
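    For the case described above, an exposed vendor/composer/installed.json can be turned into a composer.lock-shaped file that the checker already accepts via --path. The converter below is an added example, not a feature of the tool. It relies on the two installed.json layouts Composer writes (Composer 1: a bare list of packages; Composer 2: an object with packages and dev-package-names) and on the composer.lock keys packages and packages-dev. Which of an entry's fields the checker actually reads is not stated on this page, so name, version and any source/dist block are carried over. The sample input is constructed.

```python
"""Build a composer.lock-shaped document from vendor/composer/installed.json.

Added example, not part of the project. Only the name/version/source/dist
fields are copied; whether the checker needs more than name and version is
an assumption.
"""
import json
import sys

# Constructed Composer 2 sample: one regular package, one dev-only package.
SAMPLE_INSTALLED = {
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.4.2", "version_normalized": "7.4.2.0",
         "source": {"type": "git", "url": "https://github.com/guzzle/guzzle.git", "reference": "deadbeef"}},
        {"name": "phpunit/phpunit", "version": "9.5.0", "version_normalized": "9.5.0.0"},
    ],
    "dev": True,
    "dev-package-names": ["phpunit/phpunit"],
}


def installed_to_lock(installed) -> dict:
    """Return {"packages": [...], "packages-dev": [...]} from a parsed installed.json."""
    if isinstance(installed, list):  # Composer 1 layout: bare list, no dev split
        packages, dev_names = installed, set()
    elif isinstance(installed, dict) and isinstance(installed.get("packages"), list):
        packages = installed["packages"]  # Composer 2 layout
        dev_names = set(installed.get("dev-package-names", []))
    else:
        raise ValueError("not an installed.json document")

    lock = {"packages": [], "packages-dev": []}
    seen = set()
    for pkg in packages:
        name, version = pkg.get("name"), pkg.get("version")
        if not name or not version:
            raise ValueError(f"package entry without name/version: {pkg!r}")
        if name in seen:  # a vendored duplicate would only double the findings
            continue
        seen.add(name)
        entry = {"name": name, "version": version}
        for field in ("source", "dist"):  # keep commit references for dev versions
            if field in pkg:
                entry[field] = pkg[field]
        (lock["packages-dev"] if name in dev_names else lock["packages"]).append(entry)
    for key in lock:
        lock[key].sort(key=lambda p: p["name"])
    return lock


def convert(src_path: str, dst_path: str) -> int:
    """Write the lock-shaped file; returns the number of packages emitted."""
    with open(src_path) as f:
        installed = json.load(f)
    lock = installed_to_lock(installed)
    with open(dst_path, "w") as f:
        json.dump(lock, f, indent=4)
    return len(lock["packages"]) + len(lock["packages-dev"])


if __name__ == "__main__":
    count = convert(sys.argv[1], sys.argv[2])
    print(f"wrote {count} packages; now run: local-php-security-checker --path={sys.argv[2]}")
```

    From an assessment point of view installed.json is actually the better input: it records what is deployed in vendor/, whereas composer.lock only records what was intended.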

  • feat: support `-version` flag

    While -help includes the version as the first line of its output, it also includes the usage help text, which is sizable compared to just the version line.

    Having -version makes it easier to grab the version of the tool reliably. Specifically for my case, I'm building an auditor system and I'd like to grab the tool version to store in its database, but would prefer not to have the whole help text :)
