Open-source vulnerabilities checker

Last updated: October 24, 2023

Edit on GitHub

Open-source vulnerabilities checker is a tool that checks if your PHP application depends on PHP packages with known security vulnerabilities.

Problem description

A project can sometimes use dependencies that contain known vulnerabilities. To minimize the security risk for the project, such dependencies should be updated to the version that has the vulnerability fixed.

Example of an evaluator error message

===================================
OPEN SOURCE VULNERABILITIES CHECKER
===================================

Message: Improper header validation (CVE-2023-29197): https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
Target:  guzzlehttp/psr7:2.4.1

Example of code that causes an evaluator error

Your composer.lock file contains package versions that have security issues:

...
    {
    "name": "guzzlehttp/psr7",
    "version": "2.4.1",
    "source": {
        "type": "git",
        "url": "https://github.com/guzzle/psr7.git",
        ...
    },
...

Resolve the error

To resolve the error:

Upgrade the package to a version where the vulnerability issue is fixed.

Run only this checker

To run only this checker, include OPEN_SOURCE_VULNERABILITIES_CHECKER into the checkers list. Example:

vendor/bin/evaluator evaluate --checkers=OPEN_SOURCE_VULNERABILITIES_CHECKER

Was this article helpful?

Tell us what could be better

Name (Optional)

Email (Optional) Invalid email format.

Type your thoughts here

We appreciate the time you took to share the feedback
and will consider it as soon as possible.