check-dependency-vulnerabilities
Dependency Vulnerability Check
Analyze PHP project dependencies for security vulnerabilities.
Analysis Process
1. Check composer.json/composer.lock
# Read composer.lock to get exact versions
cat composer.lock | jq '.packages[] | {name, version}'
# Check for outdated packages
composer outdated --direct
# Security audit
composer audit
2. Common Vulnerable Packages
| Package | Vulnerable Versions | Issue | CVE |
|---|---|---|---|
| symfony/http-kernel | < 4.4.50 | Request smuggling | CVE-2022-24894 |
| guzzlehttp/guzzle | < 7.4.5 | Header injection | CVE-2022-31090 |
| doctrine/dbal | < 2.13.9 | SQL injection | CVE-2021-43608 |
| laravel/framework | < 8.83.27 | SQL injection | CVE-2022-44268 |
| phpseclib | < 3.0.14 | RCE | CVE-2023-27560 |
| twig/twig | < 2.15.3 | SSTI | CVE-2022-39261 |
| phpmailer/phpmailer | < 6.5.0 | XSS | CVE-2021-34551 |
| monolog/monolog | < 2.7.0 | RCE via SMTP | CVE-2022-29244 |
3. End-of-Life Versions
// CRITICAL: EOL PHP versions
// PHP 7.4 - EOL November 2022
// PHP 8.0 - EOL November 2023
// Check supported versions:
// PHP 8.1 - Security fixes until December 2025
// PHP 8.2 - Security fixes until December 2026
// PHP 8.3 - Security fixes until December 2027
4. Detection Patterns
// composer.json - Risky version constraints
{
"require": {
"vendor/package": "*", // CRITICAL: Any version
"vendor/package": ">=1.0", // VULNERABLE: Too permissive
"vendor/package": "^1.0", // OK: Semver constraint
"vendor/package": "1.2.3", // Best: Exact version
"vendor/package": "dev-main" // CRITICAL: Unstable
}
}
5. Abandoned Packages
# Check for abandoned packages
composer show --abandoned
# Common abandoned packages to replace:
# phpunit/dbunit → Use fixtures
# zendframework/* → laminas/*
# swiftmailer/swiftmailer → symfony/mailer
# paragonie/random_compat → Use random_bytes() (PHP 7+)
6. Transitive Dependencies
# Check dependency tree
composer depends vendor/package
# Find why a vulnerable package is included
composer why vendor/vulnerable-package
Grep Patterns
# composer.json with wildcard versions
Grep: '"\\*"|"dev-|">=|">' --glob "**/composer.json"
# Known vulnerable package names
Grep: "guzzlehttp/guzzle|symfony/http-kernel|doctrine/dbal" --glob "**/composer.lock"
# EOL PHP version
Grep: '"php":\s*"[^"]*7\.[0-4]|"php":\s*"[^"]*8\.0' --glob "**/composer.json"
Severity Classification
| Pattern | Severity |
|---|---|
| Known CVE with exploit | 🔴 Critical |
| EOL PHP version | 🔴 Critical |
| Abandoned package with issues | 🟠 Major |
| Outdated with security fixes | 🟠 Major |
| Wildcard version constraint | 🟡 Minor |
Vulnerability Resources
- PHP Security Advisories Database: https://github.com/FriendsOfPHP/security-advisories
- Snyk Vulnerability DB: https://snyk.io/vuln
- NVD: https://nvd.nist.gov/
- Packagist Advisories: https://packagist.org/advisories
Remediation
Upgrade Process
# Check what will be upgraded
composer update --dry-run
# Update specific package
composer update vendor/package --with-dependencies
# Update all packages
composer update
# After update, run tests
./vendor/bin/phpunit
Version Constraints
{
"require": {
// Good: Specific minor version
"vendor/package": "^2.5",
// Best: Lock to patch version in production
"vendor/package": "2.5.3"
}
}
Lock File Management
# Always commit composer.lock
git add composer.lock
# Use consistent platform
composer config platform.php 8.2
# Audit before deploy
composer audit --locked
Output Format
### Vulnerable Dependency: [package-name]
**Severity:** 🔴/🟠/🟡
**Current Version:** 1.2.3
**Fixed Version:** 1.2.4
**CVE:** CVE-2024-XXXX
**Issue:**
[Description of the vulnerability]
**Risk:**
[What an attacker can do]
**Location:**
- `composer.lock:line` (direct dependency)
- Required by: `other/package`
**Fix:**
```bash
composer update vendor/package
Workaround (if upgrade not possible): [Temporary mitigation]
## Automated Scanning
### GitHub Dependabot
```yaml
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
CI/CD Integration
# In CI pipeline
- name: Security Audit
run: composer audit --format=json > audit.json
- name: Check for vulnerabilities
run: |
if [ -s audit.json ]; then
cat audit.json
exit 1
fi
Important Notes
- Always check composer.lock — Not just composer.json
- Transitive dependencies matter — Your dependencies have dependencies
- Regular audits — Run
composer auditin CI/CD - Test after updates — Security updates can break things
- Monitor advisories — Subscribe to security mailing lists
More from dykyi-roman/awesome-claude-code
psr-overview-knowledge
PHP Standards Recommendations (PSR) overview knowledge base. Provides comprehensive reference for all accepted PSRs including PSR-1,3,4,6,7,11,12,13,14,15,16,17,18,20. Use for PSR selection decisions and compliance audits.
22detect-code-smells
Detects code smells in PHP codebases. Identifies God Class, Feature Envy, Data Clumps, Long Parameter List, Long Method, Primitive Obsession, Message Chains, Inappropriate Intimacy. Generates actionable reports with refactoring recommendations.
15clean-arch-knowledge
Clean Architecture knowledge base. Provides patterns, antipatterns, and PHP-specific guidelines for Clean Architecture and Hexagonal Architecture audits.
15ddd-knowledge
DDD architecture knowledge base. Provides patterns, antipatterns, and PHP-specific guidelines for Domain-Driven Design audits.
14testing-knowledge
Testing knowledge base for PHP 8.4 projects. Provides testing pyramid, AAA pattern, naming conventions, isolation principles, DDD testing guidelines, and PHPUnit patterns.
12bug-root-cause-finder
Root cause analysis methods for PHP bugs. Provides 5 Whys technique, fault tree analysis, git bisect guidance, and stack trace parsing.
12