All security checkers you ever needed

composer.json

@@ -55,6 +55,7 @@
         "consolidation/robo": "Lets GrumPHP run your automated PHP tasks.",
         "designsecurity/progpilot": "Lets GrumPHP be sure that there are no vulnerabilities in your code.",
         "doctrine/orm": "Lets GrumPHP validate your Doctrine mapping files.",
+        "enlightn/security-checker": "Lets GrumPHP be sure that there are no known security issues.",
         "ergebnis/composer-normalize": "Lets GrumPHP tidy and normalize your composer.json file.",
         "friendsofphp/php-cs-fixer": "Lets GrumPHP automatically fix your codestyle.",
         "friendsoftwig/twigcs": "Lets GrumPHP check Twig coding standard.",
@@ -74,7 +75,6 @@
         "povils/phpmnd": "Lets GrumPHP help you detect magic numbers in PHP code.",
         "roave/security-advisories": "Lets GrumPHP be sure that there are no known security issues.",
         "sebastian/phpcpd": "Lets GrumPHP find duplicated code.",
-        "sensiolabs/security-checker": "Lets GrumPHP be sure that there are no known security issues.",
         "squizlabs/php_codesniffer": "Lets GrumPHP sniff on your code.",
         "sstalle/php7cc": "Lets GrumPHP check PHP 5.3 - 5.6 code compatibility with PHP 7.",
         "symfony/phpunit-bridge": "Lets GrumPHP run your unit tests with the phpunit-bridge of Symfony.",

doc/tasks.md

@@ -53,7 +53,9 @@ grumphp:
         progpilot: ~
         psalm: ~    
         robo: ~
-        securitychecker: ~
+        securitychecker_enligthn: ~
+        securitychecker_local: ~
+        securitychecker_symfony: ~
         shell: ~
         tester: ~
         twigcs: ~
@@ -112,6 +114,9 @@ Every task has it's own default configuration. It is possible to overwrite the p
 - [Psalm](tasks/psalm.md)
 - [Robo](tasks/robo.md)
 - [Security Checker](tasks/securitychecker.md)
+  - [Enlightn](tasks/securitychecker/enlightn.md)
+  - [Local](tasks/securitychecker/local.md)
+  - [Symfony](tasks/securitychecker/symfony.md)
 - [Shell](tasks/shell.md)
 - [Tester](tasks/tester.md)
 - [TwigCs](tasks/twigcs.md)

doc/tasks/securitychecker.md

@@ -1,55 +1,9 @@
 # Security Checker
 
-The Security Checker will check your `composer.lock` file for known security vulnerabilities.
+The SensioLabs Security Checker API is abandoned
 
-***Composer***
+You can use one of following tasks as a replacement:
 
-```
-composer require --dev sensiolabs/security-checker
-```
-
-***Config***
-
-The task lives under the `securitychecker` namespace and has the following configurable parameters:
-
-```yaml
-# grumphp.yml
-grumphp:
-    tasks:
-        securitychecker:
-            lockfile: ./composer.lock
-            format: ~
-            end_point: ~
-            timeout: ~
-            run_always: false
-```
-
-**lockfile**
-
-*Default: ./composer.lock*
-
-If your `composer.lock` file is located in an exotic location, you can specify the location with this option. By default, the task will try to load a `composer.lock` file in the current directory.
-
-**format**
-
-*Default: null*
-
-You can choose the format of the output. The available options are `text`, `json` and `simple`. By default, grumphp will use the format `text`.
-
-**end_point**
-
-*Default: null*
-
-You can use a different end point for the security checks. Grumphp will use the default end point which is [https://security.symfony.com/check_lock](https://security.symfony.com/check_lock).
-
-**timeout**
-
-*Default: null*
-
-You can change the timeout value for the command. By default this value is `20`.
-
-**run_always**
-
-*Default: false*
-
-When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.
+- [securitychecker_enlightn](securitychecker/enlightn.md)
+- [securitychecker_local](securitychecker/local.md)
+- [securitychecker_symfony](securitychecker/symfony.md)

doc/tasks/securitychecker/enlightn.md

@@ -0,0 +1,34 @@
+# Enlightn Security Checker
+
+The Security Checker will check your `composer.lock` file for known security vulnerabilities.
+
+***Composer***
+
+```
+composer require --dev enlightn/security-checker
+```
+
+***Config***
+
+The task lives under the `securitychecker_enlightn` namespace and has the following configurable parameters:
+
+```yaml
+# grumphp.yml
+grumphp:
+    tasks:
+        securitychecker_enlightn:
+            lockfile: ./composer.lock
+            run_always: false
+```
+
+**lockfile**
+
+*Default: ./composer.lock*
+
+If your `composer.lock` file is located in an exotic location, you can specify the location with this option. By default, the task will try to load a `composer.lock` file in the current directory.
+
+**run_always**
+
+*Default: false*
+
+When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.

doc/tasks/securitychecker/local.md

@@ -0,0 +1,39 @@
+# Local Security Checker
+
+The Security Checker will check your `composer.lock` file for known security vulnerabilities.
+
+***Binary***
+
+Download the latest binary from [fabpot/local-php-security-checker ](https://github.com/fabpot/local-php-security-checker/releases) and make sure it is part of your PATH or place it in one of the directories defined by environment.paths in your grumphp.yml file.
+
+***Config***
+
+The task lives under the `securitychecker_local` namespace and has the following configurable parameters:
+
+```yaml
+# grumphp.yml
+grumphp:
+    tasks:
+        securitychecker_local:
+            lockfile: ./composer.lock
+            format: ~
+            run_always: false
+```
+
+**lockfile**
+
+*Default: ./composer.lock*
+
+If your `composer.lock` file is located in an exotic location, you can specify the location with this option. By default, the task will try to load a `composer.lock` file in the current directory.
+
+**format**
+
+*Default: null*
+
+You can choose the format of the output. The available options are `ansi`, `json`, `markdown` and `yaml`. By default, grumphp will use the format `ansi`.
+
+**run_always**
+
+*Default: false*
+
+When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.

doc/tasks/securitychecker/symfony.md

@@ -0,0 +1,39 @@
+# Symfony Security Checker
+
+The Security Checker will check your `composer.lock` file for known security vulnerabilities.
+
+***Binary***
+
+Download the latest binary from [Symfony CLI](https://symfony.com/download) and make sure it is part of your PATH or place it in one of the directories defined by environment.paths in your grumphp.yml file.
+
+***Config***
+
+The task lives under the `securitychecker_symfony` namespace and has the following configurable parameters:
+
+```yaml
+# grumphp.yml
+grumphp:
+    tasks:
+        securitychecker_symfony:
+            lockfile: ./composer.lock
+            format: ~
+            run_always: false
+```
+
+**lockfile**
+
+*Default: ./composer.lock*
+
+If your `composer.lock` file is located in an exotic location, you can specify the location with this option. By default, the task will try to load a `composer.lock` file in the current directory.
+
+**format**
+
+*Default: null*
+
+You can choose the format of the output. The available options are `ansi`, `json`, `markdown` and `yaml`. By default, grumphp will use the format `ansi`.
+
+**run_always**
+
+*Default: false*
+
+When this option is set to `false`, the task will only run when the `composer.lock` file has changed. If it is set to `true`, the `composer.lock` file will be checked on every commit.

resources/config/tasks.yml

@@ -322,6 +322,27 @@ services:
         tags:
             - {name: grumphp.task, task: securitychecker}
 
+    GrumPHP\Task\SecurityCheckerEnlightn:
+        arguments:
+            - '@process_builder'
+            - '@formatter.raw_process'
+        tags:
+            - {name: grumphp.task, task: securitychecker_enlightn}
+
+    GrumPHP\Task\SecurityCheckerLocal:
+        arguments:
+            - '@process_builder'
+            - '@formatter.raw_process'
+        tags:
+            - {name: grumphp.task, task: securitychecker_local}
+
+    GrumPHP\Task\SecurityCheckerSymfony:
+        arguments:
+            - '@process_builder'
+            - '@formatter.raw_process'
+        tags:
+            - {name: grumphp.task, task: securitychecker_symfony}
+
     GrumPHP\Task\Shell:
         arguments:
             - '@process_builder'

src/Task/SecurityChecker.php

@@ -40,29 +40,17 @@ public function canRunInContext(ContextInterface $context): bool
 
     public function run(ContextInterface $context): TaskResultInterface
     {
-        $config = $this->getConfig()->getOptions();
-
-        $files = $context->getFiles()
-            ->path(pathinfo($config['lockfile'], PATHINFO_DIRNAME))
-            ->name(pathinfo($config['lockfile'], PATHINFO_BASENAME));
-        if (0 === \count($files) && !$config['run_always']) {
-            return TaskResult::createSkipped($this, $context);
-        }
-
-        $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
-        $arguments->add('security:check');
-        $arguments->addOptionalArgument('%s', $config['lockfile']);
-        $arguments->addOptionalArgument('--format=%s', $config['format']);
-        $arguments->addOptionalArgument('--end-point=%s', $config['end_point']);
-        $arguments->addOptionalArgument('--timeout=%s', $config['timeout']);
-
-        $process = $this->processBuilder->buildProcess($arguments);
-        $process->run();
-
-        if (!$process->isSuccessful()) {
-            return TaskResult::createFailed($this, $context, $this->formatter->format($process));
-        }
-
-        return TaskResult::createPassed($this, $context);
+        return TaskResult::createFailed(
+            $this,
+            $context,
+            'The securitychecker task is discontinued by SensioLabs.'.PHP_EOL
+            . 'Please consider switching to one of the following tasks instead:'.PHP_EOL.PHP_EOL
+            . '- securitychecker_enlightn '
+            . '(https://github.com/phpro/grumphp/blob/master/doc/tasks/securitychecker/enlightn.md)'.PHP_EOL
+            . '- securitychecker_local '
+            . '(https://github.com/phpro/grumphp/blob/master/doc/tasks/securitychecker/local.md)'.PHP_EOL
+            . '- securitychecker_symfony '
+            . '(https://github.com/phpro/grumphp/blob/master/doc/tasks/securitychecker/symfony.md)'.PHP_EOL
+        );
     }
 }

src/Task/SecurityCheckerEnlightn.php

@@ -0,0 +1,58 @@
+<?php
+
+declare(strict_types=1);
+
+namespace GrumPHP\Task;
+
+use GrumPHP\Runner\TaskResult;
+use GrumPHP\Runner\TaskResultInterface;
+use GrumPHP\Task\Context\ContextInterface;
+use GrumPHP\Task\Context\GitPreCommitContext;
+use GrumPHP\Task\Context\RunContext;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+class SecurityCheckerEnlightn extends AbstractExternalTask
+{
+    public static function getConfigurableOptions(): OptionsResolver
+    {
+        $resolver = new OptionsResolver();
+        $resolver->setDefaults([
+            'lockfile' => './composer.lock',
+            'run_always' => false,
+        ]);
+
+        $resolver->addAllowedTypes('lockfile', ['string']);
+        $resolver->addAllowedTypes('run_always', ['bool']);
+
+        return $resolver;
+    }
+
+    public function canRunInContext(ContextInterface $context): bool
+    {
+        return $context instanceof GitPreCommitContext || $context instanceof RunContext;
+    }
+
+    public function run(ContextInterface $context): TaskResultInterface
+    {
+        $config = $this->getConfig()->getOptions();
+        $files = $context->getFiles()
+            ->path(pathinfo($config['lockfile'], PATHINFO_DIRNAME))
+            ->name(pathinfo($config['lockfile'], PATHINFO_BASENAME));
+        if (0 === \count($files) && !$config['run_always']) {
+            return TaskResult::createSkipped($this, $context);
+        }
+
+        $arguments = $this->processBuilder->createArgumentsForCommand('security-checker');
+        $arguments->add('security:check');
+        $arguments->addOptionalArgument('%s', $config['lockfile']);
+
+        $process = $this->processBuilder->buildProcess($arguments);
+        $process->run();
+
+        if (!$process->isSuccessful()) {
+            return TaskResult::createFailed($this, $context, $this->formatter->format($process));
+        }
+
+        return TaskResult::createPassed($this, $context);
+    }
+}