
Add Packagist security advisories parser


The Current Behaviour section assumes that https://github.com/DependencyTrack/dependency-track/pull/796 is already merged.

Current Behaviour:

When a BOM is parsed which contains Composer-type packages, there is no check if there is a reported vulnerability for the given package versions in Packagist.

Proposed Behaviour:

As per https://packagist.org/apidoc#list-security-advisories (bottom of the page), Packagist exposes an API endpoint which could be used to check if there are any security advisories for the packages in the BOM. This API could be utilised similarly to the NPM audit advisories, which are already implemented. The difference from NPM is that specific package names need to be used with Packagist, so the security advisories would only be pulled when a BOM/dependency is added.

Additional note:

This is already being implemented but a PR will only be opened when https://github.com/DependencyTrack/dependency-track/pull/796 actually gets merged.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 5
  • Comments: 14 (11 by maintainers)

Top GitHub Comments

4 reactions
stevespringett commented, Oct 14, 2020

Good. Yes, regardless, I think having more analyzers is a good thing as it gives the community choice and reduces the reliance on a single source.

2 reactions
stevespringett commented, Apr 18, 2021

DT supports severity of critical, high, medium, low, info, and unassigned. Since Packagist advisories do not support severity, then for advisories with a CVE the severity can be derived from the CVE. For advisories without a CVE, the severity will be unassigned.

Unassigned severity has the same risk score as high severity.

The UI will not be impacted. It already supports unassigned severity.
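The proposal in the issue body (query Packagist for the BOM's Composer package names, since the endpoint needs explicit names) and the severity rule in the comment above (take the CVE's severity when an advisory has one, otherwise unassigned) put together, as an added Python sketch that is not Dependency-Track's analyzer code or anything posted in the thread. The request shape and the response fields (an "advisories" object keyed by package name, each entry carrying advisoryId, title, cve and affectedVersions) follow the Packagist apidoc as understood here; the BOM components, the response, the advisory ids and the CVE id are constructed placeholders so the example runs offline; and sample_cve_severity is a hypothetical stand-in for whatever source derives a severity from a CVE.

```python
"""Packagist security-advisories check for the Composer components of a BOM.
Added example, not Dependency-Track's analyzer. Request shape and response
fields (an "advisories" object keyed by package name; entries carry advisoryId,
title, cve, affectedVersions) follow the Packagist API docs as understood here;
components, response and CVE id below are constructed so this runs offline."""
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode

PACKAGIST_ADVISORIES_URL = "https://packagist.org/api/security-advisories/"
DT_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")  # plus UNASSIGNED

def build_query_url(package_names: List[str]) -> str:
    """Packagist needs explicit names (no npm-audit style bulk manifest):
    one packages[] parameter per distinct Composer package in the BOM."""
    params = [("packages[]", name) for name in sorted(set(package_names))]
    return PACKAGIST_ADVISORIES_URL + "?" + urlencode(params, safe="[]/")

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")
_CLAUSE_RE = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*(\S+)$")
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, "!=": lambda a, b: a != b,
        "==": lambda a, b: a == b, "=": lambda a, b: a == b}

def _version_key(version: str) -> tuple:
    """Numeric tuple padded to four places. Pre-release suffixes (-RC1, -beta)
    are ignored: a simplification relative to Composer's own version ordering."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def version_is_affected(version: str, affected_versions: str) -> bool:
    """Evaluate a Composer-style range as used in affectedVersions: '|' (or '||')
    separates OR groups, ',' separates AND clauses, e.g. '>=1.8,<1.12|>=2.0,<2.0.3'."""
    v = _version_key(version)
    for group in re.split(r"\|\|?", affected_versions):
        clauses = [c.strip() for c in group.split(",") if c.strip()]
        if not clauses:
            continue
        matched = True
        for clause in clauses:
            if clause == "*":
                continue
            op, bound = _CLAUSE_RE.match(clause).groups()
            matched = matched and _OPS[op or "="](v, _version_key(bound))
        if matched:
            return True
    return False

def derive_severity(advisory: dict, cve_severity: Callable[[str], Optional[str]]) -> str:
    """No severity comes from Packagist: with a CVE, use that CVE's severity via the
    caller's lookup (hypothetical hook, e.g. NVD-backed); otherwise UNASSIGNED,
    which Dependency-Track weights like HIGH in its risk score."""
    cve = advisory.get("cve")
    sev = (cve_severity(cve) or "").upper() if cve else ""
    return sev if sev in DT_SEVERITIES else "UNASSIGNED"

def analyze_components(components: List[Dict[str, str]], response: dict,
                       cve_severity: Callable[[str], Optional[str]]) -> List[dict]:
    """Join BOM components against the response; keep advisories whose range covers
    the component's version, tagged with a Dependency-Track severity."""
    findings = []
    for comp in components:
        for adv in response.get("advisories", {}).get(comp["name"], []):
            if version_is_affected(comp["version"], adv["affectedVersions"]):
                findings.append({"component": f'{comp["name"]}@{comp["version"]}',
                                 "advisoryId": adv["advisoryId"], "cve": adv.get("cve"),
                                 "severity": derive_severity(adv, cve_severity),
                                 "title": adv["title"]})
    return findings

# Constructed sample input: names, advisory ids, titles, ranges and the CVE id
# are placeholders, not real advisories.
SAMPLE_COMPONENTS = [{"name": "acme/mailer", "version": "1.9.2"},
                     {"name": "acme/mailer", "version": "1.12.0"},
                     {"name": "acme/router", "version": "v2.0.1"},
                     {"name": "acme/clean", "version": "3.1.0"}]
SAMPLE_RESPONSE = {"advisories": {
    "acme/mailer": [{"advisoryId": "PKSA-example-0001", "cve": None,
                     "title": "Header injection in mail handler",
                     "affectedVersions": ">=1.8.0,<1.12.0"}],
    "acme/router": [{"advisoryId": "PKSA-example-0002", "cve": "CVE-0000-0001",
                     "title": "Path traversal in route loader",
                     "affectedVersions": ">=1.0.0,<1.5.2|>=2.0.0,<2.0.3"}]}}

def sample_cve_severity(cve_id: str) -> Optional[str]:
    """Hypothetical severity source keyed by the placeholder CVE id."""
    return {"CVE-0000-0001": "HIGH"}.get(cve_id)

if __name__ == "__main__":
    print(build_query_url([c["name"] for c in SAMPLE_COMPONENTS]))
    for finding in analyze_components(SAMPLE_COMPONENTS, SAMPLE_RESPONSE, sample_cve_severity):
        print(finding)
```

Two points the sketch makes visible: the query is built from the component names themselves, which is why the analyzer can only run when a BOM or dependency is added rather than on a schedule against a full mirrored feed, and the advisory without a CVE lands in UNASSIGNED, so a project with several such advisories will score as if it carried HIGH findings. The version matcher ignores pre-release suffixes, so a boundary such as 1.12.0-RC1 against "<1.12.0" is treated as 1.12.0; a production analyzer would want Composer's full version semantics.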


Top Results From Across the Web

roave/security-advisories - Packagist
This package extracts information about existing security issues in various composer projects from the FriendsOfPHP/security-advisories repository and the ...

Security Monitoring - Private Packagist Documentation
Private Packagist Security Monitoring searches the dependencies of your projects for known security vulnerabilities. Projects, which are Composer packages ...

Researchers Report Supply Chain Vulnerability in Packagist PHP ...
Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been ...

Securing Developer Tools: A New Supply Chain Attack on PHP
Sonar discovered and responsibly disclosed a critical vulnerability in Packagist, a central component of the PHP supply chain, to help secure ...

composer.lock
"roave/security-advisories": "dev-master || Helps prevent installing dependencies with known security issues." }, "type": "phpcodesniffer-standard" ...
