CLI to Check For PHP Security Vulnerabilities

Packages

February 2nd, 2021

enlightn-security-checker-featured.png

Enlightn Security Checker (from the folks behind Enlightn) is a command-line tool that checks if your application uses dependencies with known security vulnerabilities.

You can install it globally via composer to start checking projects:

1composer global require enlightn/security-checker

Using the security-checker CLI, you provide a path to your project’s composer.lock file to get a report of any vulnerabilities:

1 security-checker security:check /path/to/composer.lock
2{
3 "laravel\/framework": {
4 "version": "5.7.29",
5 "time": "2020-04-14T14:16:19+00:00",
6 "advisories": [
7 {
8 "title": "RCE vulnerability in \"cookie\" session driver",
9 "link": "https:\/\/blog.laravel.com\/laravel-cookie-security-releases",
10 "cve": null
11 }
12 ]
13 },
14 "robrichards\/xmlseclibs": {
15 "version": "2.1.1",
16 "time": "2019-11-05T11:51:00+00:00",
17 "advisories": [
18 {
19 "title": "Filter input to avoid XPath injection",
20 "link": "https:\/\/github.com\/robrichards\/xmlseclibs\/commit\/649032643f7aac493e91ca318da0339aec72aa4a",
21 "cve": null
22 }
23 ]
24 }
25}

You can programmatically get a report with the following PHP code:

1use Enlightn\SecurityChecker\SecurityChecker;
2 
3$result = (new SecurityChecker)->check('/path/to/composer.lock');
4 
5/*
6{
7 "laravel/framework": {
8 "version": "8.22.0",
9 "time": "2021-01-13T13:37:56+00:00",
10 "advisories": [{
11 "title": "Unexpected bindings in QueryBuilder",
12 "link": "https://blog.laravel.com/security-laravel-62011-7302-8221-released",
13 "cve": null
14 }]
15 }
16}
17*/

The Enlightn Security Checker uses the security advisories database to reference known security vulnerabilities in PHP projects and libraries. You can learn more about this package and view the source code on GitHub.

Filed in:

Paul Redmond

Full stack web developer. Author of Lumen Programming Guide and Docker for PHP Developers.