GithubHelp home page GithubHelp logo

anthrax3 / security-advisories Goto Github PK

View Code? Open in Web Editor NEW

This project forked from friendsofphp/security-advisories

0.0 0.0 0.0 369 KB

A database of PHP security advisories

Home Page: security.sensiolabs.org

License: The Unlicense

PHP 100.00%

security-advisories's Introduction

PHP Security Advisories Database

The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption.

License

The PHP security advisories database is free and unencumbered software released into the public domain.

Browsing Vulnerabilities

You can browse the database entries on https://security.sensiolabs.org/database.

Checking for Vulnerabilities

There are several possibilities to check for vulnerabilities in your applications beside manual checks:

  • Upload your composer.lock file on https://security.sensiolabs.org/;

  • Use the CLI tool:

     php checker security:check /path/to/composer.lock

  • Use the web service:

     curl -H "Accept: text/plain" https://security.sensiolabs.org/check_lock -F lock=@/path/to/composer.lock

    It will return all vulnerabilities detected in your dependencies in plain text. You can also retrieve the information in the JSON format:

     curl -H "Accept: application/json" https://security.sensiolabs.org/check_lock -F lock=@/path/to/composer.lock

Contributing

Contributing security advisories is as easy as it can get:

  • You can contribute a new entry by sending a pull request or by creating a file directly via the Github interface;

  • Create a directory based on the Composer name of the software where the security issue exists (use symfony/http-foundation for an issue in the Symfony HttpFoundation component for instance);

  • Each security issue must be saved in a file where the name is the CVE identifier (preferred) or the date when the security issue was announced followed by an increment (2012-12-12-1 for instance);

  • The file is in the YAML format and must contain the following entries (have a look at existing entries for examples):

    • title: A text that describes the security issue in a few words;

    • link: A link to the official security issue announcement;

    • reference: A unique reference to identify the software (the only supported scheme is composer:// followed by the Composer identifier);

    • branches: A hash of affected branches, where the name is the branch name (like 2.0.x), and the value is a hash with the following entries:

      • time: The date when the security issue was fixed or null if the issue is not fixed yet (most of the time, the date of the commit that fixed the issue in the following format 2012-08-27 19:17:44) -- this information must be as accurate as possible as it is used to determine if a project is affected or not;

      • versions: An array of constraints describing affected versions for this branch (this is the same format as the one used for Composer -- ['>=2.0.0', '<2.0.17']).

  • If you have a CVE identifier, add it under the cve key.

  • Make sure your file validates by running php validator.php from the root of this project. This script needs some dependencies to be installed via composer, so you need to run composer install before.

If some affected code is available through different Composer entries (like when you have read-only subtree splits of a main repository), duplicate the information in several files.

security-advisories's People

Contributors

andrewcarteruk avatar bcremer avatar cebe avatar chartjes avatar danielss89 avatar davidprevot avatar derhansen avatar fabpot avatar glye avatar grahamcampbell avatar halfer avatar jdreesen avatar kdambekalns avatar kelunik avatar kenjis avatar klausi avatar leofeyer avatar lunika avatar markstory avatar minkbear avatar ocramius avatar ocramleznem avatar paragonie-scott avatar paulofreitas avatar pixelbrackets avatar robertmarsal avatar ruian avatar stof avatar thewilkybarkid avatar xabbuh avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.