From 7f3fb719fbc1f2082efffba4d89ab8faed903d75 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 16:56:49 +0100 Subject: [PATCH 1/7] Documented the security:check command --- book/installation.rst | 12 ++++++++++++ book/security.rst | 21 +++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/book/installation.rst b/book/installation.rst index f065473ec3f..62032a3a80a 100644 --- a/book/installation.rst +++ b/book/installation.rst @@ -296,6 +296,18 @@ them all at once: Depending on the complexity of your project, this update process can take up to several minutes to complete. +.. tip:: + + Symfony provides a command to check whether your project's dependencies + contain any know security vulnerability: + + .. code-block:: bash + + $ php app/console security:check + + A good security practice is to execute this command regularly to be able to + update or replace compromised dependencies as soon as possible. + .. _installing-a-symfony2-distribution: Installing a Symfony Distribution diff --git a/book/security.rst b/book/security.rst index 1a5d90bc823..84c631e6d0a 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2055,6 +2055,26 @@ to work correctly. Just pass a file name to enable it:: You can also access a secure random instance directly from the Symfony dependency injection container; its name is ``security.secure_random``. +Checking Dependencies Security +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 2.6 + The ``security:check`` command was introduced in Symfony 2.6. + +When using lots of dependencies in your Symfony projects, odds are that some of +them contain security vulnerabilities. That's why Symfony includes a command +called ``security:check`` that checks whether any of your installed dependencies +contain a known security vulnerability: + +.. code-block:: bash + + $ php app/console security:check + +A good security practice is to execute this command regularly to be able to +update or replace compromised dependencies as soon as possible. Internally, +this command uses the public `security advisories database`_ published by the +FriendsOfPHP organization. + Final Words ----------- @@ -2088,3 +2108,4 @@ Learn more from the Cookbook .. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle .. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack +.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories From 36d3f2bdb12c618e7951129416042c27ce506c57 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 20:01:31 +0100 Subject: [PATCH 2/7] This command is available sin Symfony 2.5 --- book/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/security.rst b/book/security.rst index 84c631e6d0a..eae81117008 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2058,8 +2058,8 @@ to work correctly. Just pass a file name to enable it:: Checking Dependencies Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. versionadded:: 2.6 - The ``security:check`` command was introduced in Symfony 2.6. +.. versionadded:: 2.5 + The ``security:check`` command was introduced in Symfony 2.5. When using lots of dependencies in your Symfony projects, odds are that some of them contain security vulnerabilities. That's why Symfony includes a command From 0e7d0cd0558c669ffee7d377edd23597ea48dd86 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 20:05:44 +0100 Subject: [PATCH 3/7] Added a note about the security advisories database --- contributing/code/security.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 51acb3f1adf..30e59ef3f23 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -38,6 +38,8 @@ confirmed, the core-team works on a solution following these steps: #. Publish the post on the official Symfony `blog`_ (it must also be added to the "`Security Advisories`_" category); #. Update the security advisory list (see below). +#. Update the public `security advisories database`_ maintained by the + FriendsOfPHP organization and which is used by the ``security:check`` command. .. note:: From e552369a792bcfef8ef8d828d77e7fc412ac93fe Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 20:29:51 +0100 Subject: [PATCH 4/7] Added a missing link reference --- contributing/code/security.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 30e59ef3f23..8649586a3bf 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -121,6 +121,7 @@ releases, starting from Symfony 1.0.0: * March 21, 2008: `symfony 1.0.12 is (finally) out ! `_ * June 25, 2007: `symfony 1.0.5 released (security fix) `_ -.. _Git repository: https://github.com/symfony/symfony -.. _blog: http://symfony.com/blog/ +.. _Git repository: https://github.com/symfony/symfony +.. _blog: http://symfony.com/blog/ .. _Security Advisories: http://symfony.com/blog/category/security-advisories +.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories From 3c9a962377347931fa0697577e26c6a0b2313611 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Dec 2014 14:30:05 +0100 Subject: [PATCH 5/7] Added a note about the security:check command --- contributing/code/security.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 8649586a3bf..6e183b3d1e5 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -95,6 +95,11 @@ of the downstream projects included in this process: Security Advisories ------------------- +.. tip:: + + You can check your Symfony application for known security vulnerabilities + using the ``security:check`` command. + This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0: From fdfb1a066205244beab848852cf0dcdab25b687e Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Dec 2014 14:34:32 +0100 Subject: [PATCH 6/7] Added a note about the SensioDistributionBundle necessary for security:check --- book/security.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/security.rst b/book/security.rst index eae81117008..a2fd662a603 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2059,7 +2059,9 @@ Checking Dependencies Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. versionadded:: 2.5 - The ``security:check`` command was introduced in Symfony 2.5. + The ``security:check`` command was introduced in Symfony 2.5. This command is + included in ``SensioDistributionBundle``, which has to be registered in your + application in order to use this command. When using lots of dependencies in your Symfony projects, odds are that some of them contain security vulnerabilities. That's why Symfony includes a command From 897dc705b5bbd2866b9aa7c04d438d17d51869be Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 30 Dec 2014 08:55:23 +0100 Subject: [PATCH 7/7] Added a lot of changes suggested by reviewers --- book/security.rst | 20 ++++++++++++++------ contributing/code/security.rst | 2 +- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/book/security.rst b/book/security.rst index a2fd662a603..4907a3428a8 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2055,18 +2055,20 @@ to work correctly. Just pass a file name to enable it:: You can also access a secure random instance directly from the Symfony dependency injection container; its name is ``security.secure_random``. -Checking Dependencies Security -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. _book-security-checking-vulnerabilities: + +Checking for Known Security Vulnerabilities in Dependencies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. versionadded:: 2.5 The ``security:check`` command was introduced in Symfony 2.5. This command is included in ``SensioDistributionBundle``, which has to be registered in your application in order to use this command. -When using lots of dependencies in your Symfony projects, odds are that some of -them contain security vulnerabilities. That's why Symfony includes a command -called ``security:check`` that checks whether any of your installed dependencies -contain a known security vulnerability: +When using lots of dependencies in your Symfony projects, some of them may +contain security vulnerabilities. That's why Symfony includes a command called +``security:check`` that checks your ``composer.lock`` file to find any known +security vulnerability in your installed dependencies: .. code-block:: bash @@ -2077,6 +2079,12 @@ update or replace compromised dependencies as soon as possible. Internally, this command uses the public `security advisories database`_ published by the FriendsOfPHP organization. +.. tip:: + + The ``security:check`` command terminates with a non-zero exit code if + any of your dependencies is affected by a known security vulnerability. + Therefore, you can easily integrate it in your build process. + Final Words ----------- diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 6e183b3d1e5..c3d8e709942 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -98,7 +98,7 @@ Security Advisories .. tip:: You can check your Symfony application for known security vulnerabilities - using the ``security:check`` command. + using the ``security:check`` command. See :doc:`` This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0:
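Review bot: In the ``book/installation.rst`` tip of the first commit, "contain any know security vulnerability" should read "any known security vulnerability"; the last commit reworks the wording in ``book/security.rst`` but never revisits this copy, so the typo ships. In the same tip, "compromised dependencies" implies the packages were tampered with, whereas what the command reports are dependencies with a published advisory; "vulnerable dependencies" is the accurate term, here and in the identical sentence in ``book/security.rst``.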
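Review bot: The ``.. versionadded:: 2.6`` block in the first commit's ``book/security.rst`` hunk contradicts the 2.5 stated one commit later; since the first commit is what ``git blame`` will show for the section, squash the correction into it rather than leaving a wrong version in history.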
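Review bot: The new list item in ``contributing/code/security.rst`` ("Update the public `security advisories database`_ ...") references a link target that the file does not define until the following commit ("Added a missing link reference"), so checking out the third commit alone gives an unknown-target error from Sphinx. Add the target in the same commit or squash the two.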
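Review bot: In the fourth commit, the ``.. _Git repository:`` and ``.. _blog:`` lines are removed and re-added with no visible difference, which points to trailing-whitespace churn on lines the change does not need to touch; drop them from the diff so the hunk only adds the new ``security advisories database`` target. The new target also uses the backtick-quoted form while its neighbours do not; either form is valid reStructuredText, but stay consistent within the file.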
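Review bot: The sixth commit's versionadded text says the command "is included in ``SensioDistributionBundle``, which has to be registered in your application", yet the paragraph directly below it still reads "That's why Symfony includes a command called ``security:check``". Those two statements do not agree: a project that dropped the bundle (or pinned an older release of it) will not have the command even on Symfony 2.5 or later. Suggest the body say the Symfony Standard Edition, via ``SensioDistributionBundle``, provides the command, and that the versionadded note states which bundle release ships it rather than only the Symfony version.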
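Review bot: The new tip on the non-zero exit code is the right hook for CI, but two caveats that follow from the text above it are missing: the command "checks your ``composer.lock`` file", so it must be run after the lock file has been regenerated (the ``installation.rst`` tip sits right after the ``composer update`` discussion, which is the natural place to say so), and a zero exit only means no entry in the FriendsOfPHP advisories database matched the locked versions, not that the dependencies are free of vulnerabilities. Also, the "A good security practice is to execute this command regularly" sentence is now duplicated verbatim between ``book/installation.rst`` and ``book/security.rst``; with the ``book-security-checking-vulnerabilities`` label added in this commit, the ``installation.rst`` copy could shrink to the command plus a ``:ref:`` to the full section.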
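Review bot: ``See :doc:``` in the ``contributing/code/security.rst`` hunk has an empty target as shown and will fail the docs build. If the intent is to point at the ``.. _book-security-checking-vulnerabilities:`` anchor added in ``book/security.rst`` in the same commit, that is a label and needs ``:ref:`book-security-checking-vulnerabilities```; ``:doc:`` takes a document path such as ``/book/security`` and cannot address a section label.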