Checking for Vulnerabilities with Composer

Composer is a brilliant tool and, coupled with the thousands and thousands of packages you can install with it, it considerably reduces how much work we have to do to develop software.

Naturally, with that comes risk. From time to time, vulnerabilities are found in packages and, consequently, this can leave your applications in danger too. All is not lost, however: fortunately we have wonderful services such as the SensioLabs Security Checker, which collate known security problems and make those lists available for others. I’m going to show you how to install a vulnerability checker in your PHP application and have it run each time you install or update packages using Composer.

Let’s start by creating an empty folder and installing something I know has vulnerabilities: PHP Mailer version 5.2.0. You can see where they fixed it here and also some details about the problem there.

> mkdir security-checker
> cd security-checker
> composer require phpmailer/phpmailer 5.2.0

Now, that version is way behind what is available, so don’t be using it in your projects, OK?!

Next, let’s download the PHAR file and place that in the root of the folder. You can grab it from this location.

Let’s now manually check our packages:

> php security-checker.phar security:check --format=simple

[CRITICAL] 1 package has known vulnerabilities

phpmailer/phpmailer (v5.2.20)
-----------------------------
 * CVE-2017-5223: Local File Disclosure
   https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.22
 * CVE-2017-11503: XSS vulnerability in code example
   https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24
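To make clear what the checker is actually doing with that report, here is an added example (not code from the post or from the SensioLabs tool) that performs the same kind of check offline: it reads the pinned versions out of composer.lock, which is the file the checker inspects rather than composer.json, and compares them against an advisory table. The composer.lock excerpt and the advisory table are constructed inline; the two entries use the CVE identifiers and the fixed-in release tags quoted in the output above, and the helper names are my own.

```python
"""Offline illustration of a composer.lock vulnerability check.

Added example, not part of the original post or of the SensioLabs tool.
The lock file and the advisory table are constructed inline so the script
runs without network access; the two CVE entries mirror the report above.
"""
import json

# Constructed composer.lock excerpt: only the fields the check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpmailer/phpmailer", "version": "v5.2.20"},
        {"name": "psr/log", "version": "1.0.2"},
    ]
})

# Constructed advisory table: package -> list of (CVE, first fixed version, title).
# A real checker pulls this from an advisories feed; the fixed versions here
# follow the release tags quoted in the post's output.
ADVISORIES = {
    "phpmailer/phpmailer": [
        ("CVE-2017-5223", "5.2.22", "Local File Disclosure"),
        ("CVE-2017-11503", "5.2.24", "XSS vulnerability in code example"),
    ],
}


def parse_version(version):
    """Turn 'v5.2.20' into (5, 2, 20) so versions compare numerically."""
    core = version.lstrip("v").split("-")[0]  # drop a 'v' prefix and any '-beta' suffix
    return tuple(int(part) for part in core.split("."))


def installed_packages(lock_text):
    """Return {name: version} for every package pinned in a composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_lock(lock_text, advisories=ADVISORIES):
    """Return (package, version, cve, title) for each advisory still affecting the lock."""
    findings = []
    for name, version in installed_packages(lock_text).items():
        for cve, fixed_in, title in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, cve, title))
    return findings


def exit_status(findings):
    """Non-zero when anything is affected; Composer aborts a script hook that exits non-zero."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = check_lock(SAMPLE_LOCK)
    for name, version, cve, title in results:
        print(f"{name} ({version}): {cve} {title}")
    raise SystemExit(exit_status(results))
```

Two things worth noting from this. First, the check is only as good as the lock file: if composer.lock is stale or missing, the installed versions are not what gets examined. Second, the non-zero exit status matters once the check is wired into a Composer script hook, because Composer treats a failing script as a failed install or update and stops, which is what turns a report into a gate.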

Eek! Pretty scary. I don’t really want to keep doing that each time I add packages though so let’s make a change to our composer.json file and get that check happening automatically. Edit composer.json and add the following:

"scripts": {
    "post-install-cmd": [
        "php security-checker.phar security:check --format=simple"
    ],
    "post-update-cmd": [
        "php security-checker.phar security:check --format=simple"
    ]
},

Now run composer update and see the magic:

> composer update

If you want to find out more about which events you can tag commands onto, you can look here.

Keep safe, folks.


Hi! Did you find this useful or interesting? I have an email list coming soon, but in the meantime, if you read anything you fancy chatting about, I would love to hear from you. You can contact me here or at stephen ‘at’ logicalmoon.com