composer-audit
composer-audit copied to clipboard
cs278
Audit Composer dependencies for security vulnerabilities without using an external service.
Composer Audit
Audit your Composer dependencies for security vulnerabilities, uses data from FriendsOfPHP/security-advisories. Compatible with Composer 1 and 2.
This Composer plugin allows you to audit your dependencies for security vulnerabilities without sending your lock file to an external service or using closed source software.
Installation
This plugin can either be installed as a dependency in your project or “globally” so that it is always available on your machine.
Install as a development dependency
composer require --dev cs278/composer-audit ^1
Install globally
composer global require cs278/composer-audit ^1
Usage
Audit dependencies
This will audit all locked dependencies from composer.lock.
If your package does not have a composer.lock file (e.g. because it’s a
library) the installed packages, located in vendor/composer/installed.json
will be validated instead.
composer audit
Audit non development dependencies
Only audit your production dependencies from composer.lock, this option only
works when there is a composer.lock file.
composer audit --no-dev
Update security advisories database
You can force an update of the security advisories database using the --update
option, without this option being supplied the database will be downloaded if it
does not exist or it’s more than an hour old. For example:
composer audit --update
Configuration
Composer Audit can be configured using the extra property
in your composer.json file, all configuration should be supplied under the
composer-audit key.
{
...
"extra": {
...
"composer-audit": {
"option1": "super"
},
...
},
...
}
Ignoring an advisory
Currently only filtering advisories by CVE is possible, further options are planned.
Ignoring an advisory by CVE
You are able to ignore warnings about an advisory by filtering based on its CVE reference, this is useful if you decide the risk is acceptable or not applicable and you cannot otherwise upgrade the package to resolve the problem.
{
...
"extra": {
...
"composer-audit": {
"ignore": [
{"type": "cve", "value": "CVE-2000-1234567"},
{"type": "cve", "value": "CVE-2000-7654321"}
]
},
...
},
...
}
Example
# Require a vulnerable package
composer require symfony/http-foundation 2.0.4
# Require Composer Audit
composer require --dev cs278/composer-audit ^1
composer audit
Found 9 advisories affecting 1 package(s).
composer://symfony/http-foundation (2.0.4)
* Request::getClientIp() when the trust proxy mode is enabled
* CVE-2012-6431: Routes behind a firewall are accessible even when not logged in
* CVE-2013-4752: Request::getHost() poisoning
* CVE-2014-5244: Denial of service with a malicious HTTP Host header
* CVE-2014-6061: Security issue when parsing the Authorization header
* CVE-2015-2309: Unsafe methods in the Request class
* CVE-2018-11386: Denial of service when using PDOSessionHandler
* CVE-2018-14773: Remove support for legacy and risky HTTP headers
* CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
Hyperlinks will be rendered to the appropriate CVE and advisory where available.
cs278