
VulnerabilitiesBundle for Symfony2

Only two days after I pushed the first version of my VersionEyeBundle for Symfony2 to GitHub, Fabien Potencier announced SensioLabs' new Security Advisories Checker. The service works quite similarly to VersionEye, but instead of your composer.json it requires your composer.lock file, which records the dependency versions that are actually installed, and reports any known security issues in them.

[Screenshot: VulnerabilitiesBundle for Symfony2 in the Web Debug Toolbar] This is what it looks like in the toolbar.

SensioLabs offers an upload form in the browser and, conveniently, an API as well. And, of course, the code of their security-checker is on GitHub. So what could be more natural than to add the results of the security check to the Web Profiler Toolbar, right next to all the other useful information? Right. I wrote a second bundle, called VulnerabilitiesBundle, that displays security advisories in the toolbar and the profiler view.
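As an added illustration of the check the bundle surfaces (this is not code from the VulnerabilitiesBundle or from the SensioLabs checker), the following Python script reads the installed versions from a composer.lock and matches them against a small advisory list. The lock excerpt, the advisory entries and the range format are constructed assumptions; the point is that the lock file, not composer.json, tells you which version is really installed.

```python
"""Check the packages pinned in a composer.lock against security advisories.

Added example, not code from VulnerabilitiesBundle or SensioLabs. The lock
excerpt and advisory list are constructed sample data; the advisory format
(package -> affected version ranges) is an assumption.
"""
import json
import re

# Constructed composer.lock excerpt: the lock records the installed version,
# whereas composer.json only records a constraint such as "~2.0".
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/framework", "version": "v2.0.10"},
        {"name": "acme/mailer", "version": "1.4.2"},
    ],
    "packages-dev": [
        {"name": "acme/profiler", "version": "dev-master"},
    ],
})

# Constructed advisories: package -> affected ranges (comma means AND).
SAMPLE_ADVISORIES = {
    "acme/framework": [">=2.0.0,<2.0.12", ">=2.1.0,<2.1.3"],
    "acme/profiler": [">=0.0.0"],
}

def parse_version(version):
    """'v2.0.10' -> (2, 0, 10); None for branch aliases such as 'dev-master'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None

def in_range(version, constraint):
    """True if the parsed version satisfies every comparison in the constraint."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}
    for part in constraint.split(","):
        m = re.fullmatch(r"(>=|<=|>|<)(.+)", part.strip())
        if not ops[m.group(1)](version, parse_version(m.group(2))):
            return False
    return True

def installed_packages(lock_json):
    """Map package name -> pinned version for prod and dev requirements."""
    lock = json.loads(lock_json)
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p["version"] for p in entries}

def check_lock(lock_json, advisories):
    """Return (vulnerable {name: version}, names whose version is not comparable)."""
    vulnerable, unchecked = {}, []
    for name, version in installed_packages(lock_json).items():
        if name not in advisories:
            continue
        parsed = parse_version(version)
        if parsed is None:
            unchecked.append(name)  # dev branches cannot be range-checked
        elif any(in_range(parsed, r) for r in advisories[name]):
            vulnerable[name] = version
    return vulnerable, unchecked
```

Packages pinned to a branch alias are reported separately rather than silently passed, since a checker cannot tell whether such an install is affected.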

[Screenshot: VulnerabilitiesBundle for Symfony2 in the Profiler] And this is the Profiler page.

Please keep in mind that this is an early development version that is only intended for use in DEV environments (even once it becomes stable someday). It just doesn't make sense on production servers. Feel free to fork, test, and report any issues you encounter. Of course, contributions in the form of pull requests are more than welcome :-)

VersionEyeBundle for Symfony2

At last week's Webmontag Frankfurt (?), Robert Reiz talked about continuous updating of dependencies with VersionEye. VersionEye, in its own words, is a

cross-platform search engine and crowdsourcing app for open source software libraries.

Essentially, the service tracks more than 170,000 libraries in languages like Java, Ruby, PHP, Python, and many more, and monitors any updates to those libraries. Registered users can keep track of their projects and the libraries used in them. If an update is released upstream, VersionEye sends out a mail. As a developer, you no longer have to check all the GitHub repositories manually; VersionEye does that for you.

VersionEye also allows you to create beautiful graphs like the one shown here on the right. It also lists the licenses of all the libraries used in your project, and lets you see which libraries you use most often.

Using it with PHP

Adding a PHP project to the service couldn't be simpler (if you use Composer, which you should!): just upload your composer.json to VersionEye, and you're all set. The same goes for project files like package.json (node.js), requirements.txt (Python Package Index), pom.xml (Maven) or Ruby Gemfiles. You can also connect VersionEye to your GitHub account, and it will notify you of outdated dependencies in your repositories.

Robert also said that there already is a VersionEye module for ZF2 and the ZendDeveloperTools that calls the VersionEye JSON API to track dependencies. However, I could not find a Symfony2 bundle with this functionality. So I wrote one.
