Flag of Ukraine
SymfonyCasts stands united with the people of Ukraine
This tutorial has a new version, check it out!

Flex, Recetas & Aliases

Video not working?

It looks like your browser may not support the H264 codec. If you're using Linux, try a different browser or try installing the gstreamer0.10-ffmpeg gstreamer0.10-plugins-good packages.

Thanks! This saves us from needing to use Flash or encode videos in multiple formats. And that let's us get back to making more videos :). But as always, please feel free to message us.

Vamos a instalar un paquete totalmente nuevo dentro de nuestra aplicación llamado "security checker". El verificador de seguridad es una herramienta que revisa las dependencias de tu aplicación y te dice si alguna de estas tiene vulnerabilidades de seguridad conocidas. Pero, confidencialmente, tan genial como lo es..., la razón real por la que quiero instalar esta librería es porque es una gran manera de ver el importantísimo sistema de "recetas" de Symfony.

En tu terminal, ejecuta:

composer require sec-checker

En una aplicación real, probablemente deberías pasar --dev y agregar esto a tu dependencia dev... pero eso no nos preocupa a nosotros.

Flex Aliases

No obstante, hay algo extraño aquí. Específicamente... sec-checker no es un nombre de paquete válido! En el mundo de Composer, cada paquete debe ser algo/algo-más: no puede ser solamente sec-checker. Entonces que diantres está pasando?

De devuelta en PhpStorm, abre composer.json. Cuando iniciamos el proyecto, solamente teníamos unas pocas dependencias en este archivo. Una de ellas es symfony/flex.

69 lines composer.json
{
... lines 2 - 3
"require": {
"php": "^7.2.5",
"ext-ctype": "*",
"ext-iconv": "*",
"sensio/framework-extra-bundle": "^5.5",
"sensiolabs/security-checker": "^6.0",
"symfony/console": "5.0.*",
"symfony/dotenv": "5.0.*",
"symfony/flex": "^1.3.1",
"symfony/framework-bundle": "5.0.*",
"symfony/yaml": "5.0.*"
},
... lines 16 - 67
}

Este es un plugin de composer que agrega dos características especiales al mismo Composer. El primero se llama "aliases".

En tu navegador, ve a http://flex.symfony.com para encontrar una larga página llena de paquetes. Busca por security. Mejor, busca por sec-checker. Bingo! La misma dice que hay un paquete llamado sensiolabs/security-checker y tiene los aliases de sec-check, sec-checker, security-checker y algunos más.

El sistema de alias es simple: pues Symfony Flex se encuentra en nuestra aplicación, podemos decir composer require security-checker, y realmente descargará sensiolabs/security-checker.

Puedes ver esto en nuestra termina: dijimos sec-checker, pero al final descargó sensiolabs/security-checker. Eso es algo que también Composer agregó a nuestro archivo composer.json Entonces... las aliases son una agradable característica de atajo... pero es realmente genial! Casi que puedes adivinar un alias cuando quieras instalar algo. Necesitas una bitácora? Ejecuta composer require logger para conseguir la bitácora recomendada. Necesitas enviar algo por correo electrónico? composer require mailer Necesitas comer un pastel? composer require cake!

Recetas de Flex

La segunda característica que Flex agrega a Composer es la más importante. Es el sistema de recetas

En la terminal, después de instalar el paquete, nos menciona:

Symfony operations: 1 recipe configuring sensiolabs/security-checker.

Interesante. Ejecuta:

git status

Wow! Esperábamos que composer.json y composer.lock fueran modificados... así es como Composer trabaja. Pero algo también modificó al archivo symfony.lock... y agregó un archivo totalmente nuevo security_checker.yaml!

Muy bien, primero symfony.lock es un archivo que es manejado por Flex. Tú no necesitas preocuparte por el, pero deberías asignarlo. Mantiene una gran lista de cuáles recetas se han instalado.

Entonces, ¿Quién creó el otro archivo? Ábrelo con config/packages/security_checker.yaml.

services:
_defaults:
autowire: true
autoconfigure: true
SensioLabs\Security\SecurityChecker: null
SensioLabs\Security\Command\SecurityCheckerCommand: null

Cada paquete que instales puede tener una receta de Flex. La idea es maravillosamente simple. En lugar de decirle a la gente que instale un paquete y después crear este archivo, y actualizar este otro para hacer que las cosas funcionen, Flex ejecuta una receta la cual... lo hace por ti! Este archivo ha sido agregado a la receta sensiolabs/security-checker!

No necesitas preocuparte por las especificaciones de que está dentro de este archivo por el momento. El punto es, gracias a este archivo, tenemos un nuevo comando bin/console. Ejecuta:

php bin/console

Ves ese comando security:check? No estaba hace un segundo. Está ahí ahora gracias al nuevo archivo YAML. Intenta:

php bin/console security:check

Ningún paquete tiene vulnerabilidades conocidas! Genial!

Como funcionan las recetas

Aquí está el panorama en general: gracias al sistema de receta, siempre que instales un paquete, Flex realizará una comprobación si el paquete tiene una receta y, si lo tiene, lo instalará. Una receta puede hacer muchas cosas, como agregar archivos, crear directorios, o incluso modificar archivos nuevos, como agregar líneas a tu archivo .gitignore

El sistema de recetas cambia las reglas del juego. Me encanta, ya que cada vez que necesito una nueva librería, todo lo que tengo que hacer es instalarla. No necesito agregar archivos de configuración o modificar algo, pues la receta automatiza todo ese trabajo aburrido.

Las Recetas pueden Modificar Archivos

De hecho, esta receta hizo algo más que no nos dimos cuenta. En la terminal, ejecuta:

git diff composer.json

Esperábamos que Composer agregara esta nueva línea a la sección require. Pero también hay una nueva línea bajo la sección de scripts. Lo cual fue hecho por la receta.

69 lines composer.json
{
... lines 2 - 3
"require": {
... lines 5 - 8
"sensiolabs/security-checker": "^6.0",
... lines 10 - 14
},
... lines 16 - 45
"scripts": {
"auto-scripts": {
... lines 48 - 49
"security-checker security:check": "script"
},
... lines 52 - 57
},
... lines 59 - 67
}

Gracias a esto, cada vez ejecutes:

composer install

Después de terminar, automáticamente el comando security checker.

El punto es: para usar el comando security checker, lo único que teníamos que hacer era... instalarlo. Su receta se hizo cargo del resto de la configuración.

Ahora... si te estás preguntando:

Oye! Dónde rayos vive esta receta? Puedo verla?

Esa es una gran pregunta! Vamos a averiguar donde viven las recetas y como se ven a continuación.

Leave a comment!

38
Login or Register to join the conversation

please i have a problem, when i execute php bin\console security:check i get this errors

In ErrorChunk.php line 65:

Could not resolve host: security.symfony.com for "https://security.symfony.co...".

In CurlResponse.php line 335:

Could not resolve host: security.symfony.com for "https://security.symfony.co...".

security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [--] [<lockfile>]

1 Reply

is it something i should worry about ? or can i just move to the other videos ? i'm using symfony 5.4

Reply

Hey SouFiane,

Yes, that's OK... because that way is deprecated now. You should use other ways for checking the security of your project, look at this comment for alternative ways: https://symfonycasts.com/sc...

Let us know if you still have any problems with following this tutorial further!

Cheers!

Reply
Default user avatar

Hi, i have a probleme,when i make php bin/console security:check, sometime the command works and sometime no.
What can i do ?


D:\web_server_dev3\Apache24\htdocs\projet_test (master)

[0;33mSymfony Security Check Report[0m
[0;33m=============================[0m

[0;37;42mNo packages have known vulnerabilities.[0m

D:\web_server_dev3\Apache24\htdocs\projet_test (master)

λ php bin/console security:check


In ErrorChunk.php line 65:

fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


In NativeResponse.php line 115:

fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [-h|--help] [-q|--quiet] [-v|vv|vvv|--verbose] [-V|--version] [--ansi] [--no-ansi] [-n|--no-interaction] [-e|--env ENV] [--no-debug] [--] <command> [<lockfile>]
1 Reply

Hey Melanie,

I'd recommend you to use "symfony security:check" command instead of doing it via "bin/console". This way you can drop this security checker from your project dependencies completely and use standalone one from symfony binary.

Though, it probably may not fix the problem for you. The error you showed looks like a network problem... Do you have any proxy configured on your computer? Do you have good internet connection when this error happens? If you don't have any proxy and your internet connection is good - probably my guess is that it might be on Symfony side, hopefully something temporary as it sounds like a randomly failed connection for you.

Anyway, try to use "symfony security:check" and look closer if this failed with the similar error and when it fails.

I hope this helps!

Cheers!

2 Reply

Hey SouFiane,

Awesome! Thanks for letting us know it was useful for you!

Cheers!

Reply
Titanism Avatar

How do I download security checker when flex.symfony.com does not exist anymore and the security checker GitHub is read-only?

Reply

Hey Titanism,

In short, you can't :) - That library it's fully deprecated, but it's now integrated into the Symfony CLI. You only need to run symfony security:check

Cheers!

1 Reply
Mohammadmahdi M. Avatar
Mohammadmahdi M. Avatar Mohammadmahdi M. | posted hace 5 meses

hi i installed the sec checker but security_checker.yaml didn't add automatilcy

i'm using symfony 5.4

Reply

Hi Mohammadmahdi M.!

Don't worry about it :). A few years ago, that package was deprecated and its recipe was removed - we have a note about it near the top of the script (and in the video): https://symfonycasts.com/sc....

So, you're not doing anything wrong - but this package is no longer a good example of seeing a recipe in action.

Cheers!

Reply

nice course, now let's go to the next one <3 greate teaching skills as well very talented persone

Reply
Default user avatar

the flex server is going to shutdown so you have to install sec-checker it via git if I did understand that right. Maybe you can update it in your video. Cheers

Reply

Hey @Morty,

Yes, you're right about the Flex server going to shutdown but you don't have to install the sec-checker library (it's deprecated, actually). You can check for vulnerabilities by using the Symfony CLI or this other tool https://github.com/fabpot/l...

Cheers!

Reply
Default user avatar
Default user avatar Beginner | posted hace 1 año

Wow, Symfonycasts website seems to be like Laracasts, but instead we could learn Symfony. That's amazing and I hope there will be more free content.

Reply

Hey Beginner,

Yes, SymfonyCasts content is more Symfony-related when Laracasts one is more Laravel related :) Though Laravel uses a lot of Symfony components behind the scene, you can see it in Composer dependencies list, so learning Symfony you will kinda cover both Symfony and Laravel ;)

About the free content - we do have some free courses from time to time, also every few videos on *every* course are typically free! :) So you can start with any tutorial for free to decide if you want to buy access to finish the course or no. We also have some discounted offers for students, so if you're an active student - contact us directly via contact form: https://symfonycasts.com/co... . And it's important to mention that even if some videos are behind of paywall on SymfonyCasts, you still can learn with us for free reading the scripts below the video. Scripts are exactly the text we're talking in the video, and thankfully to our dynamic code blocks you can literally see the actual code we use in the video :)

I hope this helps and happy Symfony learning!

Cheers!

1 Reply
Игорь П. Avatar
Игорь П. Avatar Игорь П. | posted hace 1 año

I've got a version problem here (I am using symphony 6.0 right now)

Z:\htdocs\symphony\test_project>composer require sec-checker --no-scripts
Using version ^6.0 for sensiolabs/security-checker
./composer.json has been updated
Running composer update sensiolabs/security-checker
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.0.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

Problem 1
- sensiolabs/security-checker[v6.0.0, ..., v6.0.2] require symfony/console ^2.8|^3.4|^4.2 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4
.47, v4.2.0, ..., v4.4.34] but it conflicts with your root composer.json require (6.0.*).
- sensiolabs/security-checker v6.0.3 requires symfony/console ^2.8|^3.4|^4.2|^5.0 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4.47, v4.
2.0, ..., v4.4.34, v5.0.0, ..., v5.4.0] but it conflicts with your root composer.json require (6.0.*).
- Root composer.json requires sensiolabs/security-checker ^6.0 -> satisfiable by sensiolabs/security-checker[v6.0.0, v6.0.1, v6.0.2, v6.0.3].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
You can also try re-running composer require with an explicit version constraint, e.g. "composer require sensiolabs/security-checker:*" to figure out if any v
ersion is installable, or "composer require sensiolabs/security-checker:^2.1" if you know which you need.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

Reply
Игорь П. Avatar

Because of https://packagist.org/packa... this module is abandoned it looks like this video should be re new?

Reply

I'd like to suggest just ignore this security checker stuff, because you are using Symfony 6... but also I want to warn you about more issues because of Symfony version, because this course is designed for Symfony 5

BTW if you are interested in security checks you will need to use Symfony CLI for it =)

Cheers!

1 Reply
Leon Avatar

mike@mike:~/dev/symfony/cauldron_overflow$ php bin/console security:check

The web service failed for an unknown reason (HTTP 403).

Reply

Hey Mike,

Yeah, that's because the sensiolabs/security-checker is not maintained anymore, you can find more info about this here: https://github.com/sensiola... . As you can see, there're a few other options instead: you can use Symfony CLI for checking security vulnerabilities or use this library https://github.com/fabpot/l... .

Cheers!

2 Reply
Jose C. Avatar
Jose C. Avatar Jose C. | posted hace 1 año

Hi guys, i run the command "composer require sec-checker" but the security-checker script didn't execute, the result was this, how can i run that script? Thanks

Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run `composer update` or `composer update <package name="">`.
Nothing to install, update or remove
Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead.
Generating optimized autoload files
34 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]
error after run the "php bin/console security:check" command

The web service failed for an unknown reason (HTTP 403)

error after run the "php bin/console security" command

Command "security" is not defined.

After run "symfony security:check" command

Symfony Security Check Report
=============================

No packages have known vulnerabilities.

The composer.json file hasn't in auto-scripts section the line "security-checker security:check" : "script"

Reply

Hey Jose,

The "sec-checker" alias is pointing to "sensiolabs/security-checker" package that is already deprecated: https://packagist.org/packa... - and so it may not work as expected because it's not maintained anymore.

Here's the replacement that's recommended to be used instead: https://github.com/fabpot/l...

Or, you can check this with "symfony security:check" that is a valid way of doing this check.

I hope this helps!

Cheers!

Reply
Norris M. Avatar
Norris M. Avatar Norris M. | posted hace 1 año

Hi. I was trying to get the security checker but I got this instead "Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead." how to do I get local-php-security-checker instead?

Reply

Hey Norris M.

You can do what Dutta said, or install Symfony CLI and run this command symfony security:check

Cheers!

3 Reply
Norris M. Avatar
Norris M. Avatar Norris M. | MolloKhan | posted hace 1 año | edited

MolloKhan Thanks mate!

1 Reply
Deeptonabho D. Avatar
Deeptonabho D. Avatar Deeptonabho D. | Norris M. | posted hace 1 año

Download any of the executable files from the git repo (https://github.com/fabpot/l..., save it in your project dir, and run it from the terminal

2 Reply
Hawraa A. Avatar

how to use the files above? what should I copy and where I should paste? and how to run it in the terminal?

Reply

Hey Hawraa A.

You can find all exact instructions here https://github.com/fabpot/l...

Cheers!

Reply
Norris M. Avatar
Norris M. Avatar Norris M. | Deeptonabho D. | posted hace 1 año | edited

Thanks Deeptonabho D. It worked.

Reply
Tanguy D. Avatar
Tanguy D. Avatar Tanguy D. | posted hace 2 años

Hi guys, I have a problem when trying to install security checker. Can you help me understand what I did wrong ?




Symfony operations: 1 recipe (b05abf754e48fa4ce00d852015c44e45)
- Configuring sensiolabs/security-checker (>=4.0): From github.com/symfony/recipes:master
Executing script cache:clear [OK]
Executing script assets:install public [OK]
Executing script security-checker security:check [KO]
[KO]
Script security-checker security:check returned with error code 1
!! Symfony Security Check Report
!! =============================
!!
!! 1 packages have known vulnerabilities.
!!
!! symfony/http-kernel (v5.1.4)
!! ----------------------------
!!
!! * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
!!
!! [CVE-2020-15094]: https://symfony.com/cve-2020-15094
!!
!! Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
!! Execute this command regularly to check the newly discovered vulnerabilities.
!!
Script @auto-scripts was called via post-update-cmd


Installation failed, reverting ./composer.json to its original content.


Reply

Hey Tanguy D.

You did nothing wrong, that's the Security checker telling you that a library has a vulnerability. Please read this other comment for a better explanation https://symfonycasts.com/sc...

Cheers!

1 Reply
Tanguy D. Avatar

Thank you

Reply
Tanguy D. Avatar

Using composer update solved the issue but can you try to explain to me what happens exactly ?

Reply
Bertin Avatar

Is it possible to create an own recipe and also is there an option to use an private flex recipe server.

Reply

Hey Bertin

Yes, you can create your own recipes for your own bundles/projects. And about also is there an option to use an private flex recipe server. I don't fully understand what you mean with "private flex server"

Cheers!

Reply
Bertin Avatar

With private flex server i mean something like private packagist so its only vissbily for me

Reply

Yes, you can have your own "private" bundles but I'm not sure if you can add private recipes to Flex. I think you should ask that question directly to them because in theory, recipes works with public packages. Here is the link to the Flex recipes project https://github.com/symfony/...

Cheers!

Reply
Cat in space

"Houston: no signs of life"
Start the conversation!

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.3.0 || ^8.0.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "easycorp/easy-log-handler": "^1.0.7", // v1.0.9
        "sensio/framework-extra-bundle": "^6.0", // v6.2.1
        "symfony/asset": "5.0.*", // v5.0.11
        "symfony/console": "5.0.*", // v5.0.11
        "symfony/debug-bundle": "5.0.*", // v5.0.11
        "symfony/dotenv": "5.0.*", // v5.0.11
        "symfony/flex": "^1.3.1", // v1.17.5
        "symfony/framework-bundle": "5.0.*", // v5.0.11
        "symfony/monolog-bundle": "^3.0", // v3.5.0
        "symfony/profiler-pack": "*", // v1.0.5
        "symfony/routing": "5.1.*", // v5.1.11
        "symfony/twig-pack": "^1.0", // v1.0.1
        "symfony/var-dumper": "5.0.*", // v5.0.11
        "symfony/webpack-encore-bundle": "^1.7", // v1.8.0
        "symfony/yaml": "5.0.*" // v5.0.11
    },
    "require-dev": {
        "symfony/profiler-pack": "^1.0" // v1.0.5
    }
}