Open-source vulnerabilities checker
Edit on GitHubThe Open-source vulnerabilities checker is a tool that uses the composer audit
command to check if your PHP application depends on packages with known security vulnerabilities.
Problem description
A project can sometimes use dependencies that contain known vulnerabilities. To minimize security risks, such dependencies should be updated to a version where the vulnerability is fixed.
Prerequisites
This checker requires Composer version 2.7.0 or later. To check your Composer version, execute the command:
composer --version
If your version is lower than 2.7.0, upgrade Composer:
composer self-update
Example of an evaluator error message
When a vulnerability is detected, the evaluator displays an error message similar to the following:
===================================
OPEN SOURCE VULNERABILITIES CHECKER
===================================
Message: Improper header validation (CVE-2023-29197): https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
Subject: guzzlehttp/psr7 (1 advisories)
This message indicates that the guzzlehttp/psr7
package has a known security issue.
Example of code that causes an evaluator error
The error is caused by a package version with a known vulnerability defined in your composer.lock
file:
...
{
"name": "guzzlehttp/psr7",
"version": "2.4.1",
"source": {
"type": "git",
"url": "https://github.com/guzzle/psr7.git",
...
},
...
Resolve the error
To resolve the error, upgrade the package to a version where the vulnerability is fixed:
-
Identify the package with the vulnerability from the error message (for example,
guzzlehttp/psr7
). -
Update the package to a secure version:
composer update guzzlehttp/psr7
-
After updating, you can run
composer audit
to confirm that the vulnerability has been resolved.
Run only this checker
To run only this checker, include OPEN_SOURCE_VULNERABILITIES_CHECKER
in the checkers list:
vendor/bin/evaluator evaluate --checkers=OPEN_SOURCE_VULNERABILITIES_CHECKER
Thank you!
For submitting the form