From 7f3fb719fbc1f2082efffba4d89ab8faed903d75 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 16:56:49 +0100 Subject: [PATCH 1/7] Documented the security:check command --- book/installation.rst | 12 ++++++++++++ book/security.rst | 21 +++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/book/installation.rst b/book/installation.rst index f065473ec3f..62032a3a80a 100644 --- a/book/installation.rst +++ b/book/installation.rst @@ -296,6 +296,18 @@ them all at once: Depending on the complexity of your project, this update process can take up to several minutes to complete. +.. tip:: + + Symfony provides a command to check whether your project's dependencies + contain any know security vulnerability: + + .. code-block:: bash + + $ php app/console security:check + + A good security practice is to execute this command regularly to be able to + update or replace compromised dependencies as soon as possible. + .. _installing-a-symfony2-distribution: Installing a Symfony Distribution diff --git a/book/security.rst b/book/security.rst index 1a5d90bc823..84c631e6d0a 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2055,6 +2055,26 @@ to work correctly. Just pass a file name to enable it:: You can also access a secure random instance directly from the Symfony dependency injection container; its name is ``security.secure_random``. +Checking Dependencies Security +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 2.6 + The ``security:check`` command was introduced in Symfony 2.6. + +When using lots of dependencies in your Symfony projects, odds are that some of +them contain security vulnerabilities. That's why Symfony includes a command +called ``security:check`` that checks whether any of your installed dependencies +contain a known security vulnerability: + +.. code-block:: bash + + $ php app/console security:check + +A good security practice is to execute this command regularly to be able to +update or replace compromised dependencies as soon as possible. Internally, +this command uses the public `security advisories database`_ published by the +FriendsOfPHP organization. + Final Words ----------- @@ -2088,3 +2108,4 @@ Learn more from the Cookbook .. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle .. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack +.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories From 36d3f2bdb12c618e7951129416042c27ce506c57 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 20:01:31 +0100 Subject: [PATCH 2/7] This command is available sin Symfony 2.5 --- book/security.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/book/security.rst b/book/security.rst index 84c631e6d0a..eae81117008 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2058,8 +2058,8 @@ to work correctly. Just pass a file name to enable it:: Checking Dependencies Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. versionadded:: 2.6 - The ``security:check`` command was introduced in Symfony 2.6. +.. versionadded:: 2.5 + The ``security:check`` command was introduced in Symfony 2.5. When using lots of dependencies in your Symfony projects, odds are that some of them contain security vulnerabilities. That's why Symfony includes a command From 0e7d0cd0558c669ffee7d377edd23597ea48dd86 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 20:05:44 +0100 Subject: [PATCH 3/7] Added a note about the security advisories database --- contributing/code/security.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 51acb3f1adf..30e59ef3f23 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -38,6 +38,8 @@ confirmed, the core-team works on a solution following these steps: #. Publish the post on the official Symfony `blog`_ (it must also be added to the "`Security Advisories`_" category); #. Update the security advisory list (see below). +#. Update the public `security advisories database`_ maintained by the + FriendsOfPHP organization and which is used by the ``security:check`` command. .. note:: From e552369a792bcfef8ef8d828d77e7fc412ac93fe Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 14 Dec 2014 20:29:51 +0100 Subject: [PATCH 4/7] Added a missing link reference --- contributing/code/security.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 30e59ef3f23..8649586a3bf 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -121,6 +121,7 @@ releases, starting from Symfony 1.0.0: * March 21, 2008: `symfony 1.0.12 is (finally) out ! `_ * June 25, 2007: `symfony 1.0.5 released (security fix) `_ -.. _Git repository: https://github.com/symfony/symfony -.. _blog: http://symfony.com/blog/ +.. _Git repository: https://github.com/symfony/symfony +.. _blog: http://symfony.com/blog/ .. _Security Advisories: http://symfony.com/blog/category/security-advisories +.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories From 3c9a962377347931fa0697577e26c6a0b2313611 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Dec 2014 14:30:05 +0100 Subject: [PATCH 5/7] Added a note about the security:check command --- contributing/code/security.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 8649586a3bf..6e183b3d1e5 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst @@ -95,6 +95,11 @@ of the downstream projects included in this process: Security Advisories ------------------- +.. tip:: + + You can check your Symfony application for known security vulnerabilities + using the ``security:check`` command. + This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0: From fdfb1a066205244beab848852cf0dcdab25b687e Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 16 Dec 2014 14:34:32 +0100 Subject: [PATCH 6/7] Added a note about the SensioDistributionBundle necessary for security:check --- book/security.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/book/security.rst b/book/security.rst index eae81117008..a2fd662a603 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2059,7 +2059,9 @@ Checking Dependencies Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. versionadded:: 2.5 - The ``security:check`` command was introduced in Symfony 2.5. + The ``security:check`` command was introduced in Symfony 2.5. This command is + included in ``SensioDistributionBundle``, which has to be registered in your + application in order to use this command. When using lots of dependencies in your Symfony projects, odds are that some of them contain security vulnerabilities. That's why Symfony includes a command From 897dc705b5bbd2866b9aa7c04d438d17d51869be Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Tue, 30 Dec 2014 08:55:23 +0100 Subject: [PATCH 7/7] Added a lot of changes suggested by reviewers --- book/security.rst | 20 ++++++++++++++------ contributing/code/security.rst | 2 +- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/book/security.rst b/book/security.rst index a2fd662a603..4907a3428a8 100644 --- a/book/security.rst +++ b/book/security.rst 
@@ -2055,18 +2055,20 @@ to work correctly. Just pass a file name to enable it:: You can also access a secure random instance directly from the Symfony dependency injection container; its name is ``security.secure_random``. -Checking Dependencies Security -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. _book-security-checking-vulnerabilities: + +Checking for Known Security Vulnerabilities in Dependencies +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. versionadded:: 2.5 The ``security:check`` command was introduced in Symfony 2.5. This command is included in ``SensioDistributionBundle``, which has to be registered in your application in order to use this command. -When using lots of dependencies in your Symfony projects, odds are that some of -them contain security vulnerabilities. That's why Symfony includes a command -called ``security:check`` that checks whether any of your installed dependencies -contain a known security vulnerability: +When using lots of dependencies in your Symfony projects, some of them may +contain security vulnerabilities. That's why Symfony includes a command called +``security:check`` that checks your ``composer.lock`` file to find any known +security vulnerability in your installed dependencies: .. code-block:: bash @@ -2077,6 +2079,12 @@ update or replace compromised dependencies as soon as possible. Internally, this command uses the public `security advisories database`_ published by the FriendsOfPHP organization. +.. tip:: + + The ``security:check`` command terminates with a non-zero exit code if + any of your dependencies is affected by a known security vulnerability. + Therefore, you can easily integrate it in your build process. + Final Words ----------- diff --git a/contributing/code/security.rst b/contributing/code/security.rst index 6e183b3d1e5..c3d8e709942 100644 --- a/contributing/code/security.rst +++ b/contributing/code/security.rst 
@@ -98,7 +98,7 @@ Security Advisories .. tip:: You can check your Symfony application for known security vulnerabilities - using the ``security:check`` command. + using the ``security:check`` command. See :doc:`` This section indexes security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0:
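Review bot: Typo in the installation.rst tip of patch 1/7 ("Documented the security:check command"): "any know security vulnerability" should read "any known security vulnerability", and this tip is never revisited in patch 7/7 even though the equivalent book/security.rst paragraph is reworded there. Rather than keeping two copies of the same explanation, consider having the installation tip point at the book section (the `book-security-checking-vulnerabilities` label added in patch 7/7 is the natural target) so the requirement that ``SensioDistributionBundle`` be registered, added in patch 6/7 only to book/security.rst, also reaches readers of the installation chapter.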
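Review bot: The book/security.rst section in patch 1/7 says the command "uses the public security advisories database" but not how it consults it: a reader deciding to run it in a build wants to know whether the check works offline or needs network access, and what the command prints when a vulnerable package is found. One sentence on each would make the section actionable. The ``versionadded`` value 2.6 in this hunk is corrected to 2.5 in patch 2/7; squashing the two would keep the series bisectable.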
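Review bot: The ``versionadded`` change in patch 2/7 is correct as a fix for 2.6 to 2.5, but the commit subject "This command is available sin Symfony 2.5" has a typo ("sin" for "since"); worth fixing before merge since it lands in the history.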
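Review bot: The new list item in the contributing/code/security.rst hunk of patch 3/7 uses the `security advisories database`_ reference, but no matching ``.. _`security advisories database`:`` target exists in that file until patch 4/7 ("Added a missing link reference"), so this commit on its own fails the Sphinx build with an unknown target. Fold the target into this commit. The wording "maintained by the FriendsOfPHP organization and which is used by the ``security:check`` command" is also awkward; "maintained by the FriendsOfPHP organization and used by the ``security:check`` command" reads better.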
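Review bot: In the link-reference hunk of patch 4/7, the removed and added lines for ``.. _Git repository:`` and ``.. _blog:`` are textually identical, so those two pairs are a whitespace-only change (most likely trailing spaces). Either drop them from the diff so the hunk contains only the new ``security advisories database`` target, or say in the commit message that trailing whitespace was cleaned up, so reviewers are not left guessing what changed.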
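Review bot: The ``versionadded`` text in patch 6/7 repeats "this command" three times in two sentences and reads as two unrelated facts. Consider: "The ``security:check`` command was introduced in Symfony 2.5. It is provided by ``SensioDistributionBundle``, which must be registered in your application." Since this is a prerequisite rather than a version note, it may belong in the body of the section instead of the ``versionadded`` directive, where readers skimming for the command line will not miss it.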
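Review bot: The reworded paragraph in the first book/security.rst hunk of patch 7/7 now states that the command reads ``composer.lock``, which is a useful precision, but it should also state the two limits that follow from it: only packages installed through Composer and recorded in the lock file are checked, and a package is reported only if the advisories database has an entry for it, so a clean run means "no known advisory", not "no vulnerability". That caveat keeps readers from treating the command as a substitute for keeping dependencies updated.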
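Review bot: The exit-code tip in the second book/security.rst hunk of patch 7/7 is the most practically useful addition in the series; "integrate it in your build process" should be "integrate it into your build process", and it would help to say explicitly that a build step should treat the non-zero exit code as a failure, since that is the behaviour the tip is recommending.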
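Review bot: The added cross-reference in the contributing/code/security.rst hunk of patch 7/7 appears as ``See :doc:``` with an empty target and no closing period, which Sphinx will flag as a broken reference. The same patch adds the ``.. _book-security-checking-vulnerabilities:`` label to book/security.rst, so the intended form is presumably ``See :ref:`book-security-checking-vulnerabilities`.``; ``:doc:`` takes a document path, not a label, so ``:ref:`` is the role to use here.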