Add PHP Version Audit #1216
Open
Add PHP Version Audit #1216
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
PHP Version Audit: A tool to programmatically check a PHP version for known CVEs and support dates. Great for CI/CD builds.
|
Any thoughts on this PR? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Intro
PHP Version Audit: A tool to programmatically check a PHP version for known CVEs and support end dates. Great for CI/CD builds.
Why should it be included?
I've been running this repo for over three years. One of the coolest things about it (IMO), is that it self-updates, sourcing directly from the PHP changelog twice a day. Over the past three years, I put together some stats and found that PHP Version Audit has discovered CVE announcements on median of 5 hours after the Changelog update. The NVE CVE database gets updated with the CVEs on median of 260 hours - or almost 11 days after the Changelog update. That makes PHP Version Audit 98% faster at notifying of new CVEs than other tools that source from the CVE Database. I think that is pretty cool!
Beyond all that, its designed to be used programmatically. Set it up in your CI/CD to get notified when its time to bump that PHP version in your Dockerfile.
Usage
Using the docker image, you could check a vulnerable docker version (
8.1.11):$ docker run --rm -t lightswitch05/php-version-audit:latest --fail-security --version=8.1.11 { "auditVersion": "8.1.11", "hasVulnerabilities": true, "hasSecuritySupport": true, "hasActiveSupport": true, "isLatestPatchVersion": false, "isLatestMinorVersion": false, "isLatestVersion": false, "latestPatchVersion": "8.1.15", "latestMinorVersion": "8.2.2", "latestVersion": "8.2.2", "activeSupportEndDate": "2023-11-25T00:00:00+0000", "securitySupportEndDate": "2024-11-25T00:00:00+0000", "rulesLastUpdatedDate": "2023-02-13T02:56:21+0000", "vulnerabilities": { "CVE-2022-31630": { "id": "CVE-2022-31630", "baseScore": 7.1, "publishedDate": "2022-11-14T07:15:00+0000", "lastModifiedDate": "2022-12-23T17:05:00+0000", "description": "In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information." }, "CVE-2022-37454": { "id": "CVE-2022-37454", "baseScore": 9.8, "publishedDate": "2022-10-21T06:15:00+0000", "lastModifiedDate": "2022-12-08T15:41:00+0000", "description": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface." }, "CVE-2022-31631": null } }Or, you could pipe in the Host's PHP version directly: