Download the PHP package mrm-commerce/phpcs-security-audit without Composer

On this page you can find all versions of the php package mrm-commerce/phpcs-security-audit. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.

FAQ

After the download, you have to make one include require_once('vendor/autoload.php');. After that you have to import the classes with use statements.

Example:
If you use only one package a project is not needed. But if you use more then one package, without a project it is not possible to import the classes with use statements.

In general, it is recommended to use always a project to download your libraries. In an application normally there is more than one library needed.
Some PHP packages are not free to download and because of that hosted in private repositories. In this case some credentials are needed to access such packages. Please use the auth.json textarea to insert credentials, if a package is coming from a private repository. You can look here for more information.

  • Some hosting areas are not accessible by a terminal or SSH. Then it is not possible to use Composer.
  • To use Composer is sometimes complicated. Especially for beginners.
  • Composer needs much resources. Sometimes they are not available on a simple webspace.
  • If you are using private repositories you don't need to share your credentials. You can set up everything on our site and then you provide a simple download link to your team member.
  • Simplify your Composer build process. Use our own command line tool to download the vendor folder as binary. This makes your build process faster and you don't need to expose your credentials for private repositories.
Please rate this library. Is it a good library?

Informations about the package phpcs-security-audit

phpcs-security-audit v3

Disclaimer

This ruleset is based on a fork of the https://github.com/FloeDesignTechnologies/phpcs-security-audit repository created and maintained by Jonathan Marcil. Includes customizations of the parent project because at the time of creating this repository the parent project didn't seem to be actively maintained anymore. See the source code history to see what's the original code and what's an addition after the fork.

About

phpcs-security-audit is a set of PHP_CodeSniffer rules that finds vulnerabilities and weaknesses related to security in PHP code.

It currently has core PHP rules as well as Drupal 7 specific rules.

The tool also checks for CVE issues and security advisories related to the CMS/framework. This enables you to follow the versioning of components during static code analysis.

The main reason for this project being an extension of PHP_CodeSniffer is to have easy integration into continuous integration systems. It also allows for finding security bugs that are not detected with some object oriented analysis (such as PHPMD).

phpcs-security-audit in its beginning was backed by Pheromone (later on named Floe Design + Technologies) and written by Jonathan Marcil.

Install

Requires PHP CodeSniffer version 3.1.0 or higher with PHP 5.4 or higher.

The easiest way to install is using Composer:

This will also install the DealerDirect Composer PHPCS plugin which will register the Security standard with PHP_CodeSniffer.

Now run:

If all went right, you should see Security listed in the list of installed coding standards.

If you want to integrate it all with Jenkins, go see http://jenkins-php.org/ for extensive help.

Usage

Simply set the standard to Security or point to any XML ruleset file and to a folder to scan:

Specifying extensions is important since, for example, PHP code is within .module files in Drupal.

To have a quick example of output you can use the provided tests.php file:

Drupal note

For the Drupal AdvisoriesContrib you need to change your /etc/php5/cli/php.ini to have:

in order to get rid of "No PHP code was found in this file" warnings.

Please note that only Drupal modules downloaded from drupal.org are supported. If you are using contrib module but from another source, the version checking probably won't work and will generate a warning.

Customize

As with the normal PHP CodeSniffer rules, customization is provided in the XML files that are in the top folder of the project.

These global parameters are used in many rules:

They can be set in a custom ruleset XML file (such as example_drupal7_ruleset.xml), from the command line for permanent config with --config-set or at runtime with --runtime-set. Note that the XML overrides all CLI options so remove it if you want to use it. The CLI usage is as follows:

For some rules, you can force the paranoia mode on or off with the parameter forceParanoia inside the XML file.

Contribute

It is possible to install with a git clone and play with it in the same folder.

By default it should set PHPCS to look in the current folder:

If for any reason you need to change this (should work out of the box) you will need to phpcs --config-set installed_paths as explained in PHP_CodeSniffer docs.

Master can contain breaking changes, so people are better off relying on releases for stable versions.

Those release packages are available Packagist.

Some guidelines if you want to create new rules::

Specialize

If you want to support a specific code base or framework beyond XML configuration, you can use the utilities provided by phpcs-security-audit to facilitate the process.

Let's say you have a custom CMS function that is taking user input from $_GET when a function call to get_param() is done.

You have to create a new Folder in Sniffs/ that will be the name of your framework. Then you'll need to create a file named Utils.php that will actually be the function that will specialise the generic sniffs. To guide you, just copy the file from another folder such as Drupal7/.

The main function you'll want to change is is_direct_user_input where you'll want to return TRUE when get_param() is seen:

Don't forget to set the occurrence of param "CmsFramework" in your XML base configuration in order to select your newly added utilities.

You are not required to do your own sniffs for the modification to be useful, since you are specifying what is a user input for other rules, but you could use the newly created directory to do so.

In the same fashion, you can also reduce the number of false positive by adding mitigation functions. Those are functions that serve as security controls (either explicitly in the function or by a side effect) that lower the risks. A good example is htmlentities for XSS. See is_XSS_mitigation function in Drupal7/Utils.php.

If you implement any public CMS/Framework customization please make a pull request to help the project grows.

Test

The tool now support unit testing with composer test.

To test for a specific sniff, use composer test -- --filter RULENAME (without the Sniff part).

To create a test, create a folder with RULENAME. Inside, have a RULENAMEUnitTest.inc file for the code to be scanned and RULENAMEUnitTest.php file for the PHPCS validation of findings. For the rule to support a given CMS/Framework, it needs to have a inc file with the following: RULENAMEUnitTest.CMSFRAMEWORK.inc. See Security/Tests/BadFunctions for a complete example.

Annoyances

As with any security tool, this one comes with it's share of annoyance. At first a focus on finding vulnerabilities will be done, but later it is planned to have a phase where efforts will be towards reducing annoyances, in particular with the number of false positives.


All versions of phpcs-security-audit with dependencies

PHP Build Version
Package Version
Requires php Version >=5.4
squizlabs/php_codesniffer Version ^3.1.0
dealerdirect/phpcodesniffer-composer-installer Version ^0.4.1 || ^0.5 || ^0.6 || ^0.7
Composer command for our command line client (download client) This client runs in each environment. You don't need a specific PHP version etc. The first 20 API calls are free. Standard composer command

The package mrm-commerce/phpcs-security-audit contains the following files

Loading the files please wait ....