Documented the security:check command #4651
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2055,6 +2055,36 @@ to work correctly. Just pass a file name to enable it:: | |
| You can also access a secure random instance directly from the Symfony | ||
| dependency injection container; its name is ``security.secure_random``. | ||
|
|
||
| .. _book-security-checking-vulnerabilities: | ||
|
|
||
| Checking for Known Security Vulnerabilities in Dependencies | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| .. versionadded:: 2.5 | ||
| The ``security:check`` command was introduced in Symfony 2.5. This command is | ||
| included in ``SensioDistributionBundle``, which has to be registered in your | ||
| application in order to use this command. | ||
|
|
||
| When using lots of dependencies in your Symfony projects, some of them may | ||
| contain security vulnerabilities. That's why Symfony includes a command called | ||
| ``security:check`` that checks your ``composer.lock`` file to find any known | ||
| security vulnerability in your installed dependencies: | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| $ php app/console security:check | ||
|
|
||
| A good security practice is to execute this command regularly to be able to | ||
| update or replace compromised dependencies as soon as possible. Internally, | ||
|
There was a problem hiding this comment. we could add a hint, that the command is returning an error code if the security issue is found, so you could use it in a ci process. https://github.com/sensiolabs/security-checker/blob/master/SensioLabs/Security/Command/SecurityCheckerCommand.php#L98 There was a problem hiding this comment. @timglabisch this hint looks to me too specific to be included, but let's see what do other reviewers think about it. There was a problem hiding this comment. Advising to run the command on a regular basis imho calls for integration into build environments. :) We can simply add a tip after this paragraph like this: .. tip::
The ``security:check`` command terminates with a non-zero exit code if
any of your dependencies is affected by a known security vulnerability.
Therefore, you can easily integrate it in your build process. |
||
| this command uses the public `security advisories database`_ published by the | ||
| FriendsOfPHP organization. | ||
|
|
||
| .. tip:: | ||
|
|
||
| The ``security:check`` command terminates with a non-zero exit code if | ||
| any of your dependencies is affected by a known security vulnerability. | ||
| Therefore, you can easily integrate it in your build process. | ||
|
|
||
| Final Words | ||
| ----------- | ||
|
|
||
|
|
@@ -2088,3 +2118,4 @@ Learn more from the Cookbook | |
| .. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle | ||
| .. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php | ||
| .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack | ||
| .. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reference to the SensioDistributionBundle should probably also be added in the installation chapter.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you really think is necessary? The installation chapter is for people that know nothing about Symfony. They're going to use the installer and they're going to install the standard edition, so everything works out of the box. My feel is that this note is only for advanced users doing custom installations.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hm, I guess you're right now that I think about it again.