cs278 / composer-audit
Audit your Composer dependencies for security vulnerabilities.
Installs: 66 136
Dependents: 0
Suggesters: 0
Security: 0
Stars: 7
Watchers: 3
Forks: 1
Open Issues: 3
Type:composer-plugin
Requires
- php: >= 7.1
- composer-plugin-api: ^1.1 || ^2
- symfony/yaml: ^4.4 || ^5 || ^6
Requires (Dev)
- composer/composer: ^1 || ^2@RC
- composer/semver: *
- cs278/mktemp: ^1
- symfony/filesystem: ^4.4 || ^5 || ^6
- symfony/phpunit-bridge: ^5.2
- symfony/process: ^4.4 || ^5 || ^6
Conflicts
- symfony/yaml: =4.4.27 || =4.4.28 || =5.2.12 || =5.2.13 || =5.3.4 || =5.3.5
This package is auto-updated.
Last update: 2024-11-07 16:42:54 UTC
README
Audit your Composer dependencies for security vulnerabilities, uses data from FriendsOfPHP/security-advisories. Compatible with Composer 1 and 2.
This Composer plugin allows you to audit your dependencies for security vulnerabilities without sending your lock file to an external service or using closed source software.
Note this command is distinct from the audit
command built into Composer ≥ 2.4.
Installation
This plugin can either be installed as a dependency in your project or “globally” so that it is always available on your machine.
Install as a development dependency
composer require --dev cs278/composer-audit ^1
Install globally
composer global require cs278/composer-audit ^1
Usage
Audit dependencies
This will audit all locked dependencies from composer.lock
.
If your package does not have a composer.lock
file (e.g. because it’s a
library) the installed packages, located in vendor/composer/installed.json
will be validated instead.
composer security-audit
Audit non development dependencies
Only audit your production dependencies from composer.lock
, this option only
works when there is a composer.lock
file.
composer security-audit --no-dev
Update security advisories database
You can force an update of the security advisories database using the --update
option, without this option being supplied the database will be downloaded if it
does not exist or it’s more than an hour old. For example:
composer security-audit --update
Configuration
Composer Audit can be configured using the extra
property
in your composer.json
file, all configuration should be supplied under the
composer-audit
key.
{ ... "extra": { ... "composer-audit": { "option1": "super" }, ... }, ... }
Ignoring an advisory
Currently only filtering advisories by CVE is possible, further options are planned.
Ignoring an advisory by CVE
You are able to ignore warnings about an advisory by filtering based on its CVE reference, this is useful if you decide the risk is acceptable or not applicable and you cannot otherwise upgrade the package to resolve the problem.
{ ... "extra": { ... "composer-audit": { "ignore": [ {"type": "cve", "value": "CVE-2000-1234567"}, {"type": "cve", "value": "CVE-2000-7654321"} ] }, ... }, ... }
Example
# Require a vulnerable package composer require symfony/http-foundation 2.0.4 # Require Composer Audit composer require --dev cs278/composer-audit ^1 composer security-audit Found 9 advisories affecting 1 package(s). composer://symfony/http-foundation (2.0.4) * Request::getClientIp() when the trust proxy mode is enabled * CVE-2012-6431: Routes behind a firewall are accessible even when not logged in * CVE-2013-4752: Request::getHost() poisoning * CVE-2014-5244: Denial of service with a malicious HTTP Host header * CVE-2014-6061: Security issue when parsing the Authorization header * CVE-2015-2309: Unsafe methods in the Request class * CVE-2018-11386: Denial of service when using PDOSessionHandler * CVE-2018-14773: Remove support for legacy and risky HTTP headers * CVE-2019-18888: Prevent argument injection in a MimeTypeGuesser
Hyperlinks will be rendered to the appropriate CVE and advisory where available.