We're going to install a brand-new package in our app called "security checker". The security checker is a tool that looks at your app's dependencies and tells you whether any of them have known security vulnerabilities. But, confidentially, as cool as it is..., the real reason I want to install this library is that it's a great way to see Symfony's hugely important "recipe" system.
In your terminal, run:
    composer require sec-checker
In a real app, you should probably pass --dev and add this as a dev dependency... but that doesn't concern us here.
Flex Aliases
But hold on, something strange is going on here. Specifically... sec-checker is not a valid package name! In the Composer world, every package must be something/something-else: it can't just be sec-checker. So what the heck is going on?
Back in PhpStorm, open composer.json. When we started the project, we only had a few dependencies in this file. One of them is symfony/flex.
    {
        // ... lines 2 - 3
        "require": {
            "php": "^7.2.5",
            "ext-ctype": "*",
            "ext-iconv": "*",
            "sensio/framework-extra-bundle": "^5.5",
            "sensiolabs/security-checker": "^6.0",
            "symfony/console": "5.0.*",
            "symfony/dotenv": "5.0.*",
            "symfony/flex": "^1.3.1",
            "symfony/framework-bundle": "5.0.*",
            "symfony/yaml": "5.0.*"
        },
        // ... lines 16 - 67
    }
This is a Composer plugin that adds two special features to Composer itself. The first is called "aliases".
In your browser, go to http://flex.symfony.com to find a long page full of packages. Search for security. Better, search for sec-checker. Bingo! It says there's a package called sensiolabs/security-checker and that it has the aliases sec-check, sec-checker, security-checker and a few more.
The alias system is simple: because Symfony Flex is in our app, we can say composer require security-checker, and it will actually download sensiolabs/security-checker.
You can see this in our terminal: we said sec-checker, but in the end it downloaded sensiolabs/security-checker. That's also what Composer added to our composer.json file.
So... aliases are a nice shortcut feature... but it's really cool! You can almost guess an alias whenever you want to install something. Need a logger? Run composer require logger to get the recommended logger. Need to send something by email? composer require mailer. Need to eat a cake? composer require cake!
Flex Recipes
The second feature that Flex adds to Composer is the more important one: the recipe system.
In the terminal, after installing the package, it tells us:
    Symfony operations: 1 recipe configuring sensiolabs/security-checker.
Interesting. Run:
    git status
Whoa! We expected composer.json and composer.lock to be modified... that's how Composer works. But something also modified the symfony.lock file... and added a brand-new file, security_checker.yaml!
Alright, first: symfony.lock is a file managed by Flex. You don't need to worry about it, but you should commit it. It keeps a big list of which recipes have been installed.
So, who created the other file? Open config/packages/security_checker.yaml.
    services:
        _defaults:
            autowire: true
            autoconfigure: true
        SensioLabs\Security\SecurityChecker: null
        SensioLabs\Security\Command\SecurityCheckerCommand: null
Every package you install can have a Flex recipe. The idea is wonderfully simple. Instead of telling people to install a package and then create this file, and update this other one to make things work, Flex runs a recipe that... does it for you! This file was added by the sensiolabs/security-checker recipe!
You don't need to worry about the specifics of what's inside this file for now. The point is: thanks to this file, we have a new bin/console command. Run:
    php bin/console
See that security:check command? It wasn't there a second ago. It's there now thanks to the new YAML file. Try:
    php bin/console security:check
No packages have known vulnerabilities! Nice!
How Recipes Work
Here's the big picture: thanks to the recipe system, whenever you install a package, Flex checks whether that package has a recipe and, if it does, installs it. A recipe can do many things, like adding files, creating directories, or even modifying existing files, like adding lines to your .gitignore file.
The recipe system is a game changer. I love it, because every time I need a new library, all I have to do is install it. I don't need to add config files or modify anything, because the recipe automates all that boring work.
Recipes Can Modify Files
In fact, this recipe did something else that we didn't notice. In the terminal, run:
    git diff composer.json
We expected Composer to add this new line to the require section. But there's also a new line under the scripts section. That was done by the recipe.
    {
        // ... lines 2 - 3
        "require": {
            // ... lines 5 - 8
            "sensiolabs/security-checker": "^6.0",
            // ... lines 10 - 14
        },
        // ... lines 16 - 45
        "scripts": {
            "auto-scripts": {
                // ... lines 48 - 49
                "security-checker security:check": "script"
            },
            // ... lines 52 - 57
        },
        // ... lines 59 - 67
    }
Thanks to this, every time you run:
    composer install
after it finishes, it will automatically run the security checker command.
The point is: to use the security checker command, all we had to do was... install it. Its recipe took care of the rest of the configuration.
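To make the mechanism concrete, here is a small model of what Flex does when it applies a recipe, written for this page (it is not Flex's own code). It treats the project as a dict of file paths, uses three sections of a recipe manifest (copy-from-recipe, composer-scripts and gitignore), and applies a constructed recipe shaped like the security-checker one shown above; the symfony.lock format is simplified.

```python
import json

# Constructed project state before "composer require sec-checker" (only the parts a recipe touches).
PROJECT_BEFORE = {
    "composer.json": json.dumps({"require": {"symfony/flex": "^1.3.1"},
                                 "scripts": {"auto-scripts": {"cache:clear": "symfony-cmd"}}}),
    ".gitignore": "/vendor/\n",
}

# Constructed recipe, shaped like what the page shows the sensiolabs/security-checker recipe adding.
RECIPE = {
    "package": "sensiolabs/security-checker",
    "manifest": {"copy-from-recipe": {"config/": "config/"},
                 "composer-scripts": {"security-checker security:check": "script"},
                 "gitignore": []},
    "files": {"config/packages/security_checker.yaml":
              "services:\n    _defaults:\n        autowire: true\n        autoconfigure: true\n"
              "    SensioLabs\\Security\\SecurityChecker: null\n"
              "    SensioLabs\\Security\\Command\\SecurityCheckerCommand: null\n"},
}


def apply_recipe(project, recipe):
    """Return a copy of the project with the recipe applied, as Flex does once Composer has installed the package."""
    project, manifest, added = dict(project), recipe["manifest"], []
    # 1. copy-from-recipe: recipe files land in the project; an existing file is never overwritten.
    for src, content in recipe["files"].items():
        for src_dir, dest_dir in manifest.get("copy-from-recipe", {}).items():
            dest = dest_dir + src[len(src_dir):]
            if src.startswith(src_dir) and dest not in project:
                project[dest] = content
                added.append(dest)
    # 2. gitignore: listed lines are appended to the project's .gitignore.
    if manifest.get("gitignore"):
        project[".gitignore"] = project.get(".gitignore", "") + "".join(l + "\n" for l in manifest["gitignore"])
    # 3. composer-scripts: merged into scripts.auto-scripts, so they run on every composer install/update.
    composer = json.loads(project["composer.json"])
    composer.setdefault("scripts", {}).setdefault("auto-scripts", {}).update(manifest.get("composer-scripts", {}))
    project["composer.json"] = json.dumps(composer, indent=4) + "\n"
    # 4. symfony.lock records which recipes are installed and which files each one owns (format simplified here).
    lock = json.loads(project.get("symfony.lock", "{}"))
    lock[recipe["package"]] = {"files": sorted(added)}
    project["symfony.lock"] = json.dumps(lock, indent=4) + "\n"
    return project


def changed_files(before, after):
    """Like `git status` after the install: paths that are new or modified."""
    return sorted(p for p in after if before.get(p) != after[p])


def auto_scripts(project):
    """Commands Composer will now run automatically; a recipe can add these, so review them when a recipe runs."""
    return json.loads(project["composer.json"])["scripts"]["auto-scripts"]
```

Because auto-scripts run on every composer install, the script entries a recipe adds are part of what you are trusting when you install a package, which is why symfony.lock and the git diff are worth a look.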
Now... if you're wondering:
Hey! Where the heck does this recipe live? Can I see it?
That's a great question! Let's find out where recipes live and what they look like next.
40 Comments
Thank you for sharing it. We'll add a note about it
Please, I have a problem: when I execute php bin\console security:check I get these errors
In ErrorChunk.php line 65:
Could not resolve host: security.symfony.com for "https://security.symfony.co...".
In CurlResponse.php line 335:
Could not resolve host: security.symfony.com for "https://security.symfony.co...".
security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [--] [<lockfile>]
Is it something I should worry about? Or can I just move on to the other videos? I'm using Symfony 5.4
Hey SouFiane,
Yes, that's OK... because that way is deprecated now. You should use other ways for checking the security of your project, look at this comment for alternative ways: https://symfonycasts.com/sc...
Let us know if you still have any problems with following this tutorial further!
Cheers!
Hi, I have a problem: when I run php bin/console security:check, sometimes the command works and sometimes it doesn't.
What can I do?
D:\web_server_dev3\Apache24\htdocs\projet_test (master)
Symfony Security Check Report
=============================
No packages have known vulnerabilities.
D:\web_server_dev3\Apache24\htdocs\projet_test (master)
λ php bin/console security:check
In ErrorChunk.php line 65:
fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
In NativeResponse.php line 115:
fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [-h|--help] [-q|--quiet] [-v|vv|vvv|--verbose] [-V|--version] [--ansi] [--no-ansi] [-n|--no-interaction] [-e|--env ENV] [--no-debug] [--] <command> [<lockfile>]
Hey Melanie,
I'd recommend you use the "symfony security:check" command instead of doing it via "bin/console". This way you can drop this security checker from your project dependencies completely and use the standalone one from the symfony binary.
Though, it probably may not fix the problem for you. The error you showed looks like a network problem... Do you have any proxy configured on your computer? Do you have a good internet connection when this error happens? If you don't have any proxy and your internet connection is good, my guess is that it might be on Symfony's side, hopefully something temporary, as it sounds like a randomly failed connection for you.
Anyway, try to use "symfony security:check" and look closer at whether it fails with a similar error, and when it fails.
I hope this helps!
Cheers!
Hey SouFiane,
Awesome! Thanks for letting us know it was useful for you!
Cheers!
How do I download security checker when flex.symfony.com does not exist anymore and the security checker GitHub is read-only?
Hey Titanism,
In short, you can't :) - That library is fully deprecated, but it's now integrated into the Symfony CLI. You only need to run symfony security:check
Cheers!
Hi, I installed the sec checker but security_checker.yaml wasn't added automatically.
I'm using Symfony 5.4
Hi Mohammadmahdi M.!
Don't worry about it :). A few years ago, that package was deprecated and its recipe was removed - we have a note about it near the top of the script (and in the video): https://symfonycasts.com/sc....
So, you're not doing anything wrong - but this package is no longer a good example of seeing a recipe in action.
Cheers!
The Flex server is going to shut down, so you have to install sec-checker via git, if I understood that right. Maybe you can update it in your video. Cheers
Hey @Morty,
Yes, you're right about the Flex server going to shut down, but you don't have to install the sec-checker library (it's deprecated, actually). You can check for vulnerabilities by using the Symfony CLI or this other tool https://github.com/fabpot/l...
Cheers!
Wow, Symfonycasts website seems to be like Laracasts, but instead we could learn Symfony. That's amazing and I hope there will be more free content.
Hey Beginner,
Yes, SymfonyCasts content is more Symfony-related, while Laracasts' is more Laravel-related :) Though Laravel uses a lot of Symfony components behind the scenes; you can see it in the Composer dependencies list, so by learning Symfony you will kinda cover both Symfony and Laravel ;)
About the free content: we do have some free courses from time to time, and also every few videos on *every* course are typically free! :) So you can start any tutorial for free to decide if you want to buy access to finish the course or not. We also have some discounted offers for students, so if you're an active student, contact us directly via the contact form: https://symfonycasts.com/co... . And it's important to mention that even if some videos are behind a paywall on SymfonyCasts, you can still learn with us for free by reading the scripts below the video. Scripts are exactly the text we're saying in the video, and thanks to our dynamic code blocks you can literally see the actual code we use in the video :)
I hope this helps and happy Symfony learning!
Cheers!
I've got a version problem here (I am using Symfony 6.0 right now)
Z:\htdocs\symphony\test_project>composer require sec-checker --no-scripts
Using version ^6.0 for sensiolabs/security-checker
./composer.json has been updated
Running composer update sensiolabs/security-checker
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.0.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
- sensiolabs/security-checker[v6.0.0, ..., v6.0.2] require symfony/console ^2.8|^3.4|^4.2 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4.47, v4.2.0, ..., v4.4.34] but it conflicts with your root composer.json require (6.0.*).
- sensiolabs/security-checker v6.0.3 requires symfony/console ^2.8|^3.4|^4.2|^5.0 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4.47, v4.2.0, ..., v4.4.34, v5.0.0, ..., v5.4.0] but it conflicts with your root composer.json require (6.0.*).
- Root composer.json requires sensiolabs/security-checker ^6.0 -> satisfiable by sensiolabs/security-checker[v6.0.0, v6.0.1, v6.0.2, v6.0.3].
Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
You can also try re-running composer require with an explicit version constraint, e.g. "composer require sensiolabs/security-checker:*" to figure out if any version is installable, or "composer require sensiolabs/security-checker:^2.1" if you know which you need.
Installation failed, reverting ./composer.json and ./composer.lock to their original content.
Because of https://packagist.org/packa... this module is abandoned; it looks like this video should be renewed?
I'd suggest just ignoring this security checker stuff, because you are using Symfony 6... but I also want to warn you about more issues because of the Symfony version, because this course is designed for Symfony 5
BTW if you are interested in security checks you will need to use Symfony CLI for it =)
Cheers!
mike@mike:~/dev/symfony/cauldron_overflow$ php bin/console security:check
The web service failed for an unknown reason (HTTP 403).
Hey Mike,
Yeah, that's because the sensiolabs/security-checker is not maintained anymore, you can find more info about this here: https://github.com/sensiola... . As you can see, there're a few other options instead: you can use Symfony CLI for checking security vulnerabilities or use this library https://github.com/fabpot/l... .
Cheers!
Hi guys, I ran the command "composer require sec-checker" but the security-checker script didn't execute. The result was this; how can I run that script? Thanks
    Installing dependencies from lock file (including require-dev)
    Verifying lock file contents can be installed on current platform.
    Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run `composer update` or `composer update <package name>`.
    Nothing to install, update or remove
    Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/local-php-security-checker instead.
    Generating optimized autoload files
    34 packages you are using are looking for funding.
    Use the `composer fund` command to find out more!
    Run composer recipes at any time to see the status of your Symfony recipes.
    Executing script cache:clear [OK]
    Executing script assets:install public [OK]
Error after running the "php bin/console security:check" command:
    The web service failed for an unknown reason (HTTP 403)
Error after running the "php bin/console security" command:
    Command "security" is not defined.
After running the "symfony security:check" command:
    Symfony Security Check Report
    =============================
    No packages have known vulnerabilities.
The composer.json file doesn't have the line "security-checker security:check" : "script" in the auto-scripts section.
Hey Jose,
The "sec-checker" alias is pointing to "sensiolabs/security-checker" package that is already deprecated: https://packagist.org/packa... - and so it may not work as expected because it's not maintained anymore.
Here's the replacement that's recommended to be used instead: https://github.com/fabpot/l...
Or, you can check this with "symfony security:check" that is a valid way of doing this check.
I hope this helps!
Cheers!
Hi. I was trying to get the security checker but I got this instead: "Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead." How do I get local-php-security-checker instead?
Hey Norris M.
You can do what Dutta said, or install Symfony CLI and run this command symfony security:check
Cheers!
MolloKhan Thanks mate!
Download any of the executable files from the git repo (https://github.com/fabpot/l...), save it in your project dir, and run it from the terminal
How do I use the files above? What should I copy, and where should I paste it? And how do I run it in the terminal?
Thanks Deeptonabho D. It worked.
Hi guys, I have a problem when trying to install security checker. Can you help me understand what I did wrong?
    Symfony operations: 1 recipe (b05abf754e48fa4ce00d852015c44e45)
    - Configuring sensiolabs/security-checker (>=4.0): From github.com/symfony/recipes:master
    Executing script cache:clear [OK]
    Executing script assets:install public [OK]
    Executing script security-checker security:check [KO]
    [KO]
    Script security-checker security:check returned with error code 1
    !! Symfony Security Check Report
    !! =============================
    !!
    !! 1 packages have known vulnerabilities.
    !!
    !! symfony/http-kernel (v5.1.4)
    !! ----------------------------
    !!
    !! * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
    !!
    !! [CVE-2020-15094]: https://symfony.com/cve-2020-15094
    !!
    !! Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
    !! Execute this command regularly to check the newly discovered vulnerabilities.
    !!
    Script @auto-scripts was called via post-update-cmd
    Installation failed, reverting ./composer.json to its original content.
Hey Tanguy D.
You did nothing wrong, that's the Security checker telling you that a library has a vulnerability. Please read this other comment for a better explanation https://symfonycasts.com/sc...
Cheers!
Thank you. Using composer update solved the issue, but can you try to explain to me what happens exactly?
Is it possible to create your own recipe, and also, is there an option to use a private Flex recipe server?
Hey Bertin
Yes, you can create your own recipes for your own bundles/projects. And about "also, is there an option to use a private Flex recipe server": I don't fully understand what you mean by "private Flex server".
Cheers!
With private Flex server I mean something like private Packagist, so it's only visible to me
Yes, you can have your own "private" bundles, but I'm not sure if you can add private recipes to Flex. I think you should ask that question directly to them, because in theory, recipes work with public packages. Here is the link to the Flex recipes project https://github.com/symfony/...
Cheers!
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.3.0 || ^8.0.0",
"ext-ctype": "*",
"ext-iconv": "*",
"easycorp/easy-log-handler": "^1.0.7", // v1.0.9
"sensio/framework-extra-bundle": "^6.0", // v6.2.1
"symfony/asset": "5.0.*", // v5.0.11
"symfony/console": "5.0.*", // v5.0.11
"symfony/debug-bundle": "5.0.*", // v5.0.11
"symfony/dotenv": "5.0.*", // v5.0.11
"symfony/flex": "^1.3.1", // v1.21.6
"symfony/framework-bundle": "5.0.*", // v5.0.11
"symfony/monolog-bundle": "^3.0", // v3.5.0
"symfony/profiler-pack": "*", // v1.0.5
"symfony/routing": "5.1.*", // v5.1.11
"symfony/twig-pack": "^1.0", // v1.0.1
"symfony/var-dumper": "5.0.*", // v5.0.11
"symfony/webpack-encore-bundle": "^1.7", // v1.8.0
"symfony/yaml": "5.0.*" // v5.0.11
},
"require-dev": {
"symfony/profiler-pack": "^1.0" // v1.0.5
}
}
You can find recipe aliases now under https://bit.ly/flex-recipes