Now VersionEye has notifications for security vulnerabilities! This new feature currently only works for PHP. Right now we have 118 security vulnerabilities in our database that affect some of the most used PHP frameworks and libraries. The security vulnerabilities are fetched from the SensioLabs security database. VersionEye displays the security vulnerabilities directly on the VersionEye detail pages. Here is an example.
VersionEye displays at least one link to an article where the security vulnerability is documented in detail. The affected versions are displayed as well.
But that’s not all. If VersionEye is monitoring your PHP project directly on GitHub, Bitbucket or Stash, you will see a “Security” tab in your project view. Here is an example.
In the “Security” tab we display known vulnerabilities for your project. If there are any security vulnerabilities for your project, the dependency badge turns red and reads “update!”.
This feature is strongly based on locked versions. If VersionEye has access to your composer.lock file, it knows exactly which versions you are using in production and can assign security vulnerabilities with 100% accuracy. If VersionEye only has access to your composer.json file, but not to your composer.lock file, it doesn’t know exactly which versions you are using in production. In that case VersionEye assumes that every version expression resolves to the newest version. Because we don’t know that for sure, such findings don’t affect the dependency badge. For composer.json files we display that hint in the security tab.
If you want to take full advantage of this feature, you should commit your composer.lock file to your git repository and give VersionEye access to it. That is best practice anyway.
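To make the lock-versus-manifest distinction concrete, here is an added Python example (not VersionEye's code and not the SensioLabs data format): it matches locked versions from a composer.lock exactly against advisory version ranges, and when only a composer.json is available it assumes each constraint resolves to the newest known release and reports hint-only findings that leave the badge untouched. The package names, advisory entries, links and newest-release table are all constructed for the example.

```python
import json

# Constructed sample inputs (not a real project's files).
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "acme/http-kernel", "version": "v2.3.4"},
    {"name": "acme/yaml", "version": "v2.5.0"},
]})
COMPOSER_JSON = json.dumps({"require": {
    "acme/http-kernel": "~2.3",
    "acme/yaml": "^2.4",
}})

# Constructed advisory table: affected version range plus a link to a write-up.
ADVISORIES = {
    "acme/http-kernel": [
        {"title": "constructed: request header injection",
         "link": "https://example.invalid/advisories/acme-1",
         "affected": ">=2.0.0,<2.3.5"},
    ],
    "acme/yaml": [
        {"title": "constructed: unsafe object instantiation",
         "link": "https://example.invalid/advisories/acme-2",
         "affected": ">=2.0.0,<2.6.0"},
    ],
}

# Constructed table of the newest known release per package. Assumption: with
# only composer.json available, every constraint is treated as resolving to this.
NEWEST_KNOWN = {"acme/http-kernel": "v2.3.6", "acme/yaml": "v2.5.0"}


def parse_version(text):
    """'v2.3.4' -> (2, 3, 4); pre-release suffixes are dropped, missing parts padded."""
    nums = [int(p) for p in text.lstrip("v").split(".") if p.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))


def version_in_range(version, expr):
    """Evaluate a comma-separated AND of simple constraints, e.g. '>=2.0.0,<2.3.5'."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}
    v = parse_version(version)
    for clause in expr.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-character operators first
            if clause.startswith(op):
                if not ops[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError("unsupported constraint: " + clause)
    return True


def findings_for(package, version, advisories):
    """All advisories whose affected range contains this exact version."""
    return [{"package": package, "version": version, "title": a["title"], "link": a["link"]}
            for a in advisories.get(package, []) if version_in_range(version, a["affected"])]


def check_lock(lock_json, advisories=ADVISORIES):
    """Exact match on locked versions: these findings drive the badge."""
    findings = []
    for pkg in json.loads(lock_json)["packages"]:
        findings.extend(findings_for(pkg["name"], pkg["version"], advisories))
    return {"exact": True, "findings": findings, "badge": "update!" if findings else "ok"}


def check_manifest(manifest_json, advisories=ADVISORIES, newest=NEWEST_KNOWN):
    """No lock file: assume each constraint resolves to the newest known release,
    report findings as a hint only, and leave the badge untouched."""
    findings = []
    for name in json.loads(manifest_json).get("require", {}):
        if name in newest:
            findings.extend(findings_for(name, newest[name], advisories))
    return {"exact": False, "findings": findings, "badge": "ok",
            "hint": "versions assumed from composer.json; commit composer.lock for exact results"}


if __name__ == "__main__":
    print(json.dumps(check_lock(COMPOSER_LOCK), indent=2))
    print(json.dumps(check_manifest(COMPOSER_JSON), indent=2))
```

With the constructed data, the lock check reports both packages and turns the badge to “update!”, while the manifest check only flags acme/yaml (its newest known release is still inside the affected range) and keeps the badge unchanged, which is exactly why the lock file gives the more useful result.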
This feature is very new and we heavily rely on your feedback. Please try it out and let us know if you find anything odd.
Why is only composer supported? There are many other and older tools like that one.
We have to start somewhere. VersionEye will roll out this security feature for other package managers as well.