Tool to check known vulnerabilities in php project using composer

Question

I am working on a php project that uses composer but some of the dependencies are very old, including the php version. We are trying to convince the client to upgrade the version of php and consequentially all other dependencies. We would like to run an analysis on the existing dependencies and look for known vulnerabilities on those.

Are there any tools available for php that run dependency check?

I have done this with ruby projects using bundle audit but I haven't been able to find a similar tool for php.

score 9 · Accepted Answer · answered Aug 23 '16 at 13:33

9

Well, there's the Composer package from Roave (https://github.com/Roave/SecurityAdvisories) but the reporting on the libraries is completely up to the project. It checks against the database from this repository: https://github.com/FriendsOfPHP/security-advisories

A lot of the major projects have their issues posted there but as it's pretty voluntary it might not be as wide-spread as you're hoping for. Hope this helps.

answered Aug 23 '16 at 13:33

enygma

684
4
6

This is currently the best answer possible. – Scott Arciszewski Aug 23 '16 at 18:34

score 5 · Answer 2 · answered Aug 17 '22 at 07:15

5

As the question is pretty old - probably answer not on time. But in any case - composer (version 2.4) provides a command for automatically checking vulnerabilities - composer audit

More information - on Composer site

answered Aug 17 '22 at 07:15

yAnTar

4,269
9
47
73

Tool to check known vulnerabilities in php project using composer

2 Answers2

Linked