diff --git a/book/installation.rst b/book/installation.rst index f065473ec3f..62032a3a80a 100644 --- a/book/installation.rst +++ b/book/installation.rst @@ -296,6 +296,18 @@ them all at once: Depending on the complexity of your project, this update process can take up to several minutes to complete. +.. tip:: + + Symfony provides a command to check whether your project's dependencies + contain any know security vulnerability: + + .. code-block:: bash + + $ php app/console security:check + + A good security practice is to execute this command regularly to be able to + update or replace compromised dependencies as soon as possible. + .. _installing-a-symfony2-distribution: Installing a Symfony Distribution diff --git a/book/security.rst b/book/security.rst index 1a5d90bc823..4907a3428a8 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2055,6 +2055,36 @@ to work correctly. Just pass a file name to enable it:: You can also access a secure random instance directly from the Symfony dependency injection container; its name is ``security.secure_random``. +.. _book-security-checking-vulnerabilities: + +Checking for Known Security Vulnerabilities in Dependencies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 2.5 + The ``security:check`` command was introduced in Symfony 2.5. This command is + included in ``SensioDistributionBundle``, which has to be registered in your + application in order to use this command. + +When using lots of dependencies in your Symfony projects, some of them may +contain security vulnerabilities. That's why Symfony includes a command called +``security:check`` that checks your ``composer.lock`` file to find any known +security vulnerability in your installed dependencies: + +.. code-block:: bash + + $ php app/console security:check + +A good security practice is to execute this command regularly to be able to +update or replace compromised dependencies as soon as possible. Internally, +this command uses the public `security advisories database`_ published by the +FriendsOfPHP organization. + +.. tip:: + + The ``security:check`` command terminates with a non-zero exit code if + any of your dependencies is affected by a known security vulnerability. + Therefore, you can easily integrate it in your build process. + Final Words ----------- @@ -2088,3 +2118,4 @@ Learn more from the Cookbook .. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle .. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack +.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 51acb3f1adf..c3d8e709942 100644 
--- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -38,6 +38,8 @@ confirmed, the core-team works on a solution following these steps: #. Publish the post on the official Symfony `blog`_ (it must also be added to the "`Security Advisories`_" category); #. Update the security advisory list (see below). +#. Update the public `security advisories database`_ maintained by the + FriendsOfPHP organization and which is used by the ``security:check`` command. .. note:: @@ -93,6 +95,11 @@ of the downstream projects included in this process: Security Advisories ------------------- +.. tip:: + + You can check your Symfony application for known security vulnerabilities + using the ``security:check`` command. See :doc:`` + This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0: @@ -119,6 +126,7 @@ releases, starting from Symfony 1.0.0: * March 21, 2008: `symfony 1.0.12 is (finally) out ! `_ * June 25, 2007: `symfony 1.0.5 released (security fix) `_ -.. _Git repository: https://github.com/symfony/symfony -.. _blog: http://symfony.com/blog/ +.. _Git repository: https://github.com/symfony/symfony +.. _blog: http://symfony.com/blog/ .. _Security Advisories: http://symfony.com/blog/category/security-advisories +.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories
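Review bot: In the book/installation.rst tip, "any know security vulnerability" should read "any known security vulnerability". The closing sentence also overstates what the command reports: it matches the versions pinned in ``composer.lock`` against published advisories, so a flagged package is vulnerable, not "compromised"; suggest "update or replace vulnerable dependencies as soon as possible". The same sentence is repeated verbatim in the new book/security.rst section, so fix it in both places. Since this tip sits in the installation chapter, it would also help to say, as the ``versionadded`` note in book/security.rst does, that the command ships with ``SensioDistributionBundle`` and is unavailable in projects that do not register it.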
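Review bot: The new "Checking for Known Security Vulnerabilities in Dependencies" section in book/security.rst recommends wiring ``security:check`` into the build on the strength of its non-zero exit code, but does not say whether a missing ``composer.lock`` or an inability to consult the advisories database also exits non-zero; without that, a build could pass simply because the check could not run. Please state the behaviour in the tip (or in the paragraph that says the command "checks your ``composer.lock`` file"). Minor wording: "When using lots of dependencies in your Symfony projects, some of them may contain" reads better as "When your Symfony project uses many dependencies, some of them may contain", and "compromised dependencies" should be "vulnerable dependencies" as noted for the installation chapter.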
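Review bot: In the new release-process step in contributing/code/security.rst, "maintained by the FriendsOfPHP organization and which is used by the ``security:check`` command" coordinates a participle with a relative clause and reads awkwardly; suggest "Update the public `security advisories database`_ maintained by the FriendsOfPHP organization, which the ``security:check`` command relies on." Since this is a numbered step in the disclosure procedure, it should also say when it happens relative to the blog post (ideally at the same time the fix is published), otherwise users running the checker get no signal until someone remembers to file the advisory.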
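Review bot: The cross-reference in the new "Security Advisories" tip is empty: ``See :doc:``` has no target, so Sphinx will warn and the rendered page shows a dangling "See". The patch itself defines the label ``book-security-checking-vulnerabilities`` in book/security.rst, so this should be ``:ref:`book-security-checking-vulnerabilities``` (or at least ``:doc:`/book/security```), and the sentence should be finished, e.g. "See :ref:`book-security-checking-vulnerabilities` for details."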
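Review bot: In the last contributing/code/security.rst hunk, the ``.. _Git repository:`` and ``.. _blog:`` targets are removed and re-added with identical visible text, which is whitespace-only churn (tabs versus spaces, presumably). It is harmless, but it hides the one real change in the hunk, the added ``security advisories database`` target; either drop the whitespace change or mention it in the commit message. Defining the same target name in both book/security.rst and this file is fine, since reStructuredText link targets are scoped per document.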