Documented the security:check command #4651
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2055,6 +2055,28 @@ to work correctly. Just pass a file name to enable it:: | |
| You can also access a secure random instance directly from the Symfony | ||
| dependency injection container; its name is ``security.secure_random``. | ||
|
|
||
| Checking Dependencies Security | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| .. versionadded:: 2.5 | ||
| The ``security:check`` command was introduced in Symfony 2.5. This command is | ||
| included in ``SensioDistributionBundle``, which has to be registered in your | ||
| application in order to use this command. | ||
|
There was a problem hiding this comment. The reference to the SensioDistributionBundle should probably also be added in the installation chapter. There was a problem hiding this comment. Do you really think is necessary? The installation chapter is for people that know nothing about Symfony. They're going to use the installer and they're going to install the standard edition, so everything works out of the box. My feel is that this note is only for advanced users doing custom installations. There was a problem hiding this comment. Hm, I guess you're right now that I think about it again. |
||
|
|
||
| When using lots of dependencies in your Symfony projects, odds are that some of | ||
| them contain security vulnerabilities. That's why Symfony includes a command | ||
|
There was a problem hiding this comment. "odds are" sounds like it's likely. Is it likely? Or can we soften the wording. And I think it would be nice to actually say Composer or |
||
| called ``security:check`` that checks whether any of your installed dependencies | ||
| contain a known security vulnerability: | ||
|
There was a problem hiding this comment. you should add a note that the command is provided by SensioDistributionBundle, so it will be available only when it is registered |
||
|
|
||
| .. code-block:: bash | ||
|
|
||
| $ php app/console security:check | ||
|
|
||
| A good security practice is to execute this command regularly to be able to | ||
| update or replace compromised dependencies as soon as possible. Internally, | ||
|
There was a problem hiding this comment. we could add a hint, that the command is returning an error code if the security issue is found, so you could use it in a ci process. https://github.com/sensiolabs/security-checker/blob/master/SensioLabs/Security/Command/SecurityCheckerCommand.php#L98 There was a problem hiding this comment. @timglabisch this hint looks to me too specific to be included, but let's see what do other reviewers think about it. There was a problem hiding this comment. Advising to run the command on a regular basis imho calls for integration into build environments. :) We can simply add a tip after this paragraph like this: .. tip::
The ``security:check`` command terminates with a non-zero exit code if
any of your dependencies is affected by a known security vulnerability.
Therefore, you can easily integrate it in your build process. |
||
| this command uses the public `security advisories database`_ published by the | ||
| FriendsOfPHP organization. | ||
|
|
||
| Final Words | ||
| ----------- | ||
|
|
||
|
|
@@ -2088,3 +2110,4 @@ Learn more from the Cookbook | |
| .. _`FOSUserBundle`: https://github.com/FriendsOfSymfony/FOSUserBundle | ||
| .. _`implement the \Serializable interface`: http://php.net/manual/en/class.serializable.php | ||
| .. _`Timing attack`: http://en.wikipedia.org/wiki/Timing_attack | ||
| .. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checking for Known Security Vulnerabilities in Dependencies