Dependency vulnerability auditor for PHP
Type: project
Requires
- php: ^7.4.0 || ^8.0
- codedungeon/php-cli-colors: ^1.11.0
- eloquent/composer-config-reader: ^2.1
- guzzlehttp/guzzle: ^6.5.6
- hoa/console: ^3.17
- laminas/laminas-text: ^2.7
- laravel-zero/framework: >=5.8 || <9.0
- nadar/php-composer-reader: ^1.2
- vierbergenlars/php-semver: ^3.0
Requires (Dev)
- mockery/mockery: ^1.0
- phpunit/phpunit: >=7.5 || <10.0
- squizlabs/php_codesniffer: 3.*
This package is auto-updated.
Last update: 2025-03-06 01:04:43 UTC
README
Bach
Dependency vulnerability auditor for PHP
Install
git clone https://github.com/sonatype-nexus-community/bach.git
cd bach
composer install
Help
> php bach
Bach unreleased
USAGE: bach <command> [options] [arguments]
composer Audit Composer dependencies. Enter the path to composer.json after the command.
iq Audit Composer dependencies. Enter the path to composer.json after the command.
pear Audit PEAR dependencies
Example usage
> php bach composer composer.json
Vulnerable Packages
Package: pkg:composer/league/flysystem@1.1.3
Description: Filesystem abstraction: Many filesystems, one API.
Scan status: 1 vulnerabilities found.
[Medium Threat] CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
+-------------+------------------------------------------------------------------------------------------------------+
| ID | e28105bf-e92b-4e5b-8598-df88daf5a30c |
| Title | CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition |
| Description | The software checks the state of a resource before using that resource, but the resource's state can |
| | change between the check and the use in a way that invalidates the results of the check. This can ca |
| | use the software to perform invalid actions when the resource is in an unexpected state. |
| CVSS Score | 6.5 - Medium |
| CVSS Vector | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L |
| CWE | CWE-367 |
| Reference | https://ossindex.sonatype.org/vulnerability/e28105bf-e92b-4e5b-8598-df88daf5a30c?component-type=comp |
| | oser&component-name=league%2Fflysystem&utm_source=guzzlehttp&utm_medium=integration&utm_content=6.3. |
| | 3 |
+-------------+------------------------------------------------------------------------------------------------------+
╔═════════════════════════╤═════╗
║ Summary ║
╠═════════════════════════╪═════╣
║ Audited Dependencies │ 71 ║
║ Vulnerable Dependencies │ 1 ║
╚═════════════════════════╧═════╝
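The audit output above identifies each dependency by a Package URL (pkg:composer/vendor/name@version) and labels each finding by its CVSS severity band. The PHP script below is an added illustration of that flow, not code from the bach project: it builds purls from a constructed composer.lock fragment and summarises a constructed component report (field names coordinates, vulnerabilities, title and cvssScore are assumed) into the same audited/vulnerable counts and threat labels.

```php
<?php
// Added example, not bach's own code: composer.lock -> pkg:composer purls -> audit summary.
// Constructed composer.lock fragment (only the fields the audit needs).
$lockJson = '{"packages":[{"name":"league/flysystem","version":"1.1.3"},
  {"name":"guzzlehttp/guzzle","version":"v6.5.6"}],
  "packages-dev":[{"name":"phpunit/phpunit","version":"9.5.0"}]}';
// Constructed report; field names are assumed, values follow the sample output above.
$reportJson = '[{"coordinates":"pkg:composer/league/flysystem@1.1.3","vulnerabilities":[
  {"id":"e28105bf-e92b-4e5b-8598-df88daf5a30c",
   "title":"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition","cvssScore":6.5}]},
  {"coordinates":"pkg:composer/guzzlehttp/guzzle@6.5.6","vulnerabilities":[]},
  {"coordinates":"pkg:composer/phpunit/phpunit@9.5.0","vulnerabilities":[]}]';
/** Map every prod and dev package in composer.lock to a pkg:composer purl. */
function lockToPurls(string $lockJson): array {
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $purls = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            // Composer tags may carry a leading "v"; the purl uses the bare version.
            $purls[] = 'pkg:composer/' . $pkg['name'] . '@' . ltrim($pkg['version'], 'v');
        }
    }
    return $purls;
}
/** Standard CVSS v3 qualitative bands (assumed to be what "[Medium Threat]" reflects). */
function threatLevel(float $score): string {
    if ($score >= 9.0) return 'Critical';
    if ($score >= 7.0) return 'High';
    if ($score >= 4.0) return 'Medium';
    return $score > 0.0 ? 'Low' : 'None';
}
/** Count audited and vulnerable components and render one line per finding. */
function summarise(array $purls, string $reportJson): array {
    $report = json_decode($reportJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    $vulnerable = 0;
    foreach ($report as $c) {
        if (!in_array($c['coordinates'], $purls, true)) continue; // ignore purls we did not ask for
        $vulnerable += $c['vulnerabilities'] ? 1 : 0;
        foreach ($c['vulnerabilities'] as $v) {
            $findings[] = sprintf('[%s Threat] %s (%s)',
                threatLevel((float) $v['cvssScore']), $v['title'], $c['coordinates']);
        }
    }
    return ['audited' => count($purls), 'vulnerable' => $vulnerable, 'findings' => $findings];
}
$summary = summarise(lockToPurls($lockJson), $reportJson);
print_r($summary);
exit($summary['vulnerable'] > 0 ? 1 : 0); // non-zero exit lets CI fail the build
```

On the constructed input this reports 3 audited and 1 vulnerable dependency with a single "[Medium Threat]" finding, since a CVSS score of 6.5 falls in the 4.0 to 6.9 band.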
Development notes
- PHP version - 7.4+ required
On macOS, while php was already installed,
  $ php --version
  PHP 7.3.11 (cli) (built: Jun 5 2020 23:50:40) ( NTS )
  Copyright (c) 1997-2018 The PHP Group
  Zend Engine v3.3.11, Copyright (c) 1998-2018 Zend Technologies
we need a newer version of php: at least 7.4. To install this, I ran the following commands:
  brew update
  brew install php
This installed php 7.4 into /usr/local/Cellar/php/7.4.11. In order to ensure this new version of php would be found before the macOS pre-installed version, I prepended the new php bin folder to my path via:
  export PATH=/usr/local/Cellar/php/7.4.11/bin:$PATH
Ensure the intended version will be used by running:
  $ php --version
  PHP 7.4.11 (cli) (built: Oct 1 2020 23:30:54) ( NTS )
  Copyright (c) The PHP Group
  Zend Engine v3.4.0, Copyright (c) Zend Technologies
      with Zend OPcache v7.4.11, Copyright (c), by Zend Technologies
- Composer
I also had to do a one-time install of composer using brew on macOS:
  brew install composer
After running composer install, I could run unit tests using:
  vendor/bin/phpunit tests
I'm not sure it is actually needed, but while updating brew and things, I ran into a case that needed access to write to my local bin folders, and had to follow these steps to temporarily disable csrutil. See: https://www.imore.com/how-turn-system-integrity-protection-macos. Be sure to undo such changes if you need 'em.
- You can clean up composer.lock (remove stale dependencies from the composer.lock file) using the command:
  composer update
- If you need to add new dependencies, I found the following commands would ensure the new dependency was installed and available to unit tests, etc.:
  composer update
  composer install
  vendor/bin/phpunit tests
Releasing bach
Releasing is conducted by simply tagging the repository from the main branch, as per the guidelines on packagist.org.
We follow standard semantic versioning.
A GitHub Hook is fired which will cause packagist.org to re-index this Git repository and discover new version/release tags.
The Fine Print
Remember:
It is worth noting that this is NOT SUPPORTED by Sonatype, and is a contribution of ours to the open source community (read: you!)
- Use this contribution at the risk tolerance that you have
- Do NOT file Sonatype support tickets related to bach support in regard to this project - DO file issues here on GitHub, so that the community can pitch in
Phew, that was easier than I thought. Last but not least of all - have fun!