We're going to install a totally new package into our app called the "security checker". The security checker is a tool that looks at your application's dependencies (it reads composer.lock) and tells you if any of them have known security vulnerabilities. But, full disclosure, as cool as that is... the real reason I want to install this library is because it's a great way to look at Symfony's all-important "recipe" system.
At your terminal, run:
composer require sec-checker --no-scripts
Tip
You can still download the security checker to see how its recipe works, but the API it used (security.symfony.com) has been discontinued in favor of other solutions: the Symfony CLI's symfony security:check, the standalone fabpot/local-php-security-checker binary, or, with Composer 2.4 or newer, the built-in composer audit command. If you want to know more, see https://github.com/sensiolabs/security-checker
In a real app, you should probably pass --dev to add this to your dev dependencies... but it won't matter for us. The --no-scripts flag tells Composer to skip the scripts listed in composer.json after installing; you'll see in a minute why that matters for this particular package.
Flex Aliases
There is, however, something weird here. Specifically... sec-checker is not a valid package name! In the Composer world, every package name must be vendor/package, like symfony/console: it can't just be sec-checker. So what the heck is going on?
Back in PhpStorm, open up composer.json. When we started the project, we had just a few dependencies in this file. One of them is symfony/flex.
{
    // ... lines 2 - 3
    "require": {
        "php": "^7.2.5",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "sensio/framework-extra-bundle": "^5.5",
        "sensiolabs/security-checker": "^6.0",
        "symfony/console": "5.0.*",
        "symfony/dotenv": "5.0.*",
        "symfony/flex": "^1.3.1",
        "symfony/framework-bundle": "5.0.*",
        "symfony/yaml": "5.0.*"
    },
    // ... lines 16 - 67
}
This is a Composer plugin that adds two special features to Composer itself. The first is called "aliases".
At your browser, go to http://flex.symfony.com to find a big page full of packages.
Tip
The flex.symfony.com server was shut down in favor of a new system. But you can still see a list of all of the available recipes at https://bit.ly/flex-recipes!
Search for security. Better, search for sec-checker. Boom! This says that there is a package called sensiolabs/security-checker and it has aliases of sec-check, sec-checker, security-checker and some more.
The alias system is simple: because Symfony Flex is in our app, we can say composer require security-checker, and it will really download sensiolabs/security-checker.
You can see this in our terminal: we said sec-checker, but ultimately it downloaded sensiolabs/security-checker. That's also what Composer added to our composer.json file. So... aliases are just a nice shortcut feature... but it's kinda cool! You can almost guess an alias when you want to install something. Want a logger? Run composer require logger to get the recommended logger. Need to mail something? composer require mailer. Need to eat a cake? composer require cake!
One habit worth keeping, though: the alias is resolved by Flex, not by you, so always read the terminal output (or the new line in composer.json) to confirm which real vendor/package name the alias pulled in before you commit.
Flex Recipes
The second feature that Flex adds to Composer is the really important one. It's the recipe system.
Back at the terminal, after installing the package, it said:
Symfony operations: 1 recipe configuring sensiolabs/security-checker.
Interesting. Run:
git status
Whoa! We expected composer.json and composer.lock to be modified... that's how Composer works. But something also modified a symfony.lock file... and added a totally new security_checker.yaml file!
Ok, first, symfony.lock is a file that's managed by Flex. You don't need to worry about it, but you should commit it: it keeps a big list of which recipes have been installed, and at which version, so that Flex doesn't re-apply a recipe on the next install.
So, who created the other file? Open it up: config/packages/security_checker.yaml.
services:
    _defaults:
        autowire: true
        autoconfigure: true
    SensioLabs\Security\SecurityChecker: null
    SensioLabs\Security\Command\SecurityCheckerCommand: null
Each package you install may have a Flex "recipe". The idea is beautifully simple. Instead of telling people to install a package and then create this file, and update this other file in order to get things working, Flex executes a recipe which... just does that stuff for you! This file was added by the sensiolabs/security-checker recipe!
You don't need to worry about the specifics of what's inside this file right now. The point is, thanks to this file, we have a new bin/console command. Run:
php bin/console
See that security:check command? That wasn't there a second ago. It's there now thanks to the new YAML file: registering SecurityCheckerCommand as a service with autoconfigure: true is what lets Symfony discover it as a console command. Try it:
php bin/console security:check
No packages have known vulnerabilities! Awesome!
How Recipes Work
Here is the big picture: thanks to the recipe system, whenever you install a package, Flex will check to see if that package has a recipe and, if it does, will install it. A recipe can do many things, like add files, create directories or even modify a few files, like adding new lines to your .gitignore file.
The recipe system is a game-changer. I love it because anytime I need a new package, all I need to do is install it. I don't need to add configuration files or modify anything because the recipe automates all that boring work. Because a recipe writes into your project on your behalf, it's still worth running git status and git diff after every composer require, exactly as we did here, and reviewing what it changed before you commit.
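To make "what did recipes write into my project?" a question you can answer from the command line, here is an added example (it is not part of the SymfonyCasts tutorial and not code from Symfony Flex). It reads symfony.lock and reports, per package, the recipe that was applied and the files that recipe created, so you can review third-party-written config instead of assuming you wrote it. The lock layout it parses (a "version" per package, plus a "recipe" object with repo/branch/version/ref and a "files" list for packages that had a recipe) follows Flex 1.x as I know it, and the sample lock text, including the ref hashes and the trusted-repo list, is constructed for the example.

```python
"""Inventory which files in a Symfony project were written by Flex recipes.

Added example, not part of the tutorial or of Symfony Flex. It assumes the
symfony.lock layout used by Flex 1.x; the sample content below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from pathlib import Path

# Constructed symfony.lock excerpt, shaped like the file Flex 1.x maintains.
# The "ref" values are placeholders, not real commit hashes.
SAMPLE_SYMFONY_LOCK = """{
    "sensio/framework-extra-bundle": {
        "version": "5.5",
        "recipe": {
            "repo": "github.com/symfony/recipes",
            "branch": "master",
            "version": "5.2",
            "ref": "0000000000000000000000000000000000000001"
        },
        "files": ["config/packages/sensio_framework_extra.yaml"]
    },
    "sensiolabs/security-checker": {
        "version": "6.0",
        "recipe": {
            "repo": "github.com/symfony/recipes",
            "branch": "master",
            "version": "4.0",
            "ref": "0000000000000000000000000000000000000002"
        },
        "files": ["config/packages/security_checker.yaml"]
    },
    "symfony/console": {"version": "v5.0.11"}
}"""

# Recipe repositories this example treats as trusted (an assumption of the example).
TRUSTED_RECIPE_REPOS = ("github.com/symfony/recipes", "github.com/symfony/recipes-contrib")


@dataclass
class RecipeEntry:
    package: str
    repo: str
    branch: str
    recipe_version: str
    ref: str
    files: list[str] = field(default_factory=list)


def recipe_inventory(lock_text: str) -> list[RecipeEntry]:
    """Return one entry per package that had a recipe applied, sorted by package name."""
    data = json.loads(lock_text)
    entries: list[RecipeEntry] = []
    for package, info in sorted(data.items()):
        recipe = info.get("recipe")
        if not recipe:
            continue  # plain package: Flex only recorded its version
        entries.append(RecipeEntry(
            package=package,
            repo=recipe.get("repo", ""),
            branch=recipe.get("branch", ""),
            recipe_version=str(recipe.get("version", "")),
            ref=recipe.get("ref", ""),
            files=list(info.get("files", [])),
        ))
    return entries


def recipe_written_files(lock_text: str) -> dict[str, str]:
    """Map each recipe-created path to the package whose recipe wrote it."""
    owners: dict[str, str] = {}
    for entry in recipe_inventory(lock_text):
        for path in entry.files:
            owners[path] = entry.package
    return owners


def untrusted_recipe_sources(lock_text: str, trusted=TRUSTED_RECIPE_REPOS) -> list[str]:
    """Packages whose recipe came from a repository outside the trusted list."""
    return [e.package for e in recipe_inventory(lock_text) if e.repo not in trusted]


if __name__ == "__main__":
    lock_file = Path("symfony.lock")
    text = lock_file.read_text() if lock_file.exists() else SAMPLE_SYMFONY_LOCK
    for e in recipe_inventory(text):
        print(f"{e.package}: recipe {e.recipe_version} from {e.repo}@{e.branch} ({e.ref[:7]})")
        for path in e.files:
            print(f"    wrote {path}")
    print("recipes from untrusted repos:", untrusted_recipe_sources(text))
```

Run it from the project root and it uses the real symfony.lock; without one it falls back to the constructed sample. Every path it prints is a file you did not author, which is exactly the set to diff against the recipe before trusting it.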
Recipes can Modify Files
In fact, this recipe did something else we didn't notice. At the terminal, run:
git diff composer.json
We expected that Composer would add this new line to the require section. But there is also a new line under the scripts section. That was done by the recipe.
{
    // ... lines 2 - 3
    "require": {
        // ... lines 5 - 8
        "sensiolabs/security-checker": "^6.0",
        // ... lines 10 - 14
    },
    // ... lines 16 - 45
    "scripts": {
        "auto-scripts": {
            // ... lines 48 - 49
            "security-checker security:check": "script"
        },
        // ... lines 52 - 57
    },
    // ... lines 59 - 67
}
Thanks to this, whenever you run composer install (or composer update), after it finishes, Composer automatically runs the security checker through the auto-scripts hook. That's also why it didn't run a moment ago: we passed --no-scripts.
Tip
Running composer install will fail with an HTTP 403 error from the discontinued API. That's OK: we will remove the security checker in the next chapter, so it won't be an issue. If you want to know more, see https://github.com/sensiolabs/security-checker
The point is: to use the security checker, the only thing we needed to do was... install it. Its recipe took care of the rest of the setup.
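Because anything under scripts.auto-scripts runs on every composer install or composer update (unless you pass --no-scripts), and a recipe can add entries there, here is an added example (not code from the tutorial, Composer or Flex) that flags install-time hooks in composer.json you did not expect. The composer.json text is constructed; the allowlist of expected commands is this example's choice (the two the Symfony skeleton registers), not a Symfony default; and the "script" versus "symfony-cmd" distinction follows Flex's auto-scripts types, where "script" entries run as shell commands with vendor/bin on the PATH.

```python
"""Flag install-time hooks that a Flex recipe (or anything else) added to composer.json.

Added example, not part of the tutorial or of Composer/Flex. The sample
composer.json is constructed and the allowlist is this example's assumption.
"""
from __future__ import annotations

import json

# Constructed composer.json excerpt: the two skeleton scripts plus the line the
# security-checker recipe added.
SAMPLE_COMPOSER_JSON = """{
    "require": {
        "sensiolabs/security-checker": "^6.0",
        "symfony/flex": "^1.3.1"
    },
    "scripts": {
        "auto-scripts": {
            "cache:clear": "symfony-cmd",
            "assets:install %PUBLIC_DIR%": "symfony-cmd",
            "security-checker security:check": "script"
        },
        "post-install-cmd": ["@auto-scripts"],
        "post-update-cmd": ["@auto-scripts"]
    }
}"""

# Commands the Symfony skeleton itself registers (assumption of this example);
# anything else was added by a recipe or by hand.
EXPECTED_AUTO_SCRIPTS = frozenset({
    "cache:clear",
    "assets:install %PUBLIC_DIR%",
})


def auto_scripts(composer_text: str) -> dict[str, str]:
    """Return the auto-scripts map (command -> type), or {} if there is none."""
    data = json.loads(composer_text)
    return dict(data.get("scripts", {}).get("auto-scripts", {}))


def unexpected_auto_scripts(composer_text: str, expected=EXPECTED_AUTO_SCRIPTS) -> list[str]:
    """Commands that will run on install but are not in the expected set."""
    return sorted(cmd for cmd in auto_scripts(composer_text) if cmd not in expected)


def shell_auto_scripts(composer_text: str) -> list[str]:
    """Entries of type 'script': run as shell commands (vendor/bin is on the PATH),
    not as bin/console commands, so they can execute any installed binary."""
    return sorted(cmd for cmd, kind in auto_scripts(composer_text).items() if kind == "script")


def auto_scripts_run_on_install(composer_text: str) -> bool:
    """True if post-install-cmd or post-update-cmd triggers @auto-scripts."""
    scripts = json.loads(composer_text).get("scripts", {})
    hooks = list(scripts.get("post-install-cmd", [])) + list(scripts.get("post-update-cmd", []))
    return "@auto-scripts" in hooks


if __name__ == "__main__":
    text = SAMPLE_COMPOSER_JSON
    print("runs on install/update:", auto_scripts_run_on_install(text))
    print("unexpected auto-scripts:", unexpected_auto_scripts(text))
    print("shell-type auto-scripts:", shell_auto_scripts(text))
```

Point it at a real composer.json after a composer require and compare the unexpected list with the recipe's diff: a hook you did not add yourself is one to read before the next install runs it.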
Now... if you're wondering:
Hey! Where the heck does this recipe live? Can I see it?
That's a great question! Let's find out where these recipes live and what they look like next.
Comments
Thank you for sharing it. We'll add a note about it
Please, I have a problem: when I execute php bin\console security:check I get these errors
In ErrorChunk.php line 65:
Could not resolve host: security.symfony.com for "https://security.symfony.co...".
In CurlResponse.php line 335:
Could not resolve host: security.symfony.com for "https://security.symfony.co...".
security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [--] [<lockfile>]
Is it something I should worry about? Or can I just move on to the other videos? I'm using Symfony 5.4
Hey SouFiane,
Yes, that's OK... because that way is deprecated now. You should use other ways for checking the security of your project, look at this comment for alternative ways: https://symfonycasts.com/sc...
Let us know if you still have any problems with following this tutorial further!
Cheers!
Hi, I have a problem: when I run php bin/console security:check, sometimes the command works and sometimes it doesn't.
What can I do?
D:\web_server_dev3\Apache24\htdocs\projet_test (master)
Symfony Security Check Report
=============================
No packages have known vulnerabilities.
D:\web_server_dev3\Apache24\htdocs\projet_test (master)
λ php bin/console security:check
In ErrorChunk.php line 65:
fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
In NativeResponse.php line 115:
fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [-h|--help] [-q|--quiet] [-v|vv|vvv|--verbose] [-V|--version] [--ansi] [--no-ansi] [-n|--no-interaction] [-e|--env ENV] [--no-debug] [--] <command> [<lockfile>]
Hey Melanie,
I'd recommend using the "symfony security:check" command instead of doing it via "bin/console". This way you can drop this security checker from your project dependencies completely and use the standalone one from the symfony binary.
Though it may not fix the problem for you. The error you showed looks like a network problem... Do you have any proxy configured on your computer? Do you have a good internet connection when this error happens? If you don't have any proxy and your internet connection is good, my guess is that it might be on Symfony's side, hopefully something temporary, as it sounds like a randomly failed connection for you.
Anyway, try to use "symfony security:check" and look closer at whether this fails with a similar error and when it fails.
I hope this helps!
Cheers!
Hey SouFiane,
Awesome! Thanks for letting us know it was useful for you!
Cheers!
How do I download security checker when flex.symfony.com does not exist anymore and the security checker GitHub is read-only?
Hey Titanism,
In short, you can't :) - That library is fully deprecated, but it's now integrated into the Symfony CLI. You only need to run symfony security:check
Cheers!
Hi, I installed the sec-checker but security_checker.yaml wasn't added automatically.
I'm using Symfony 5.4
Hi Mohammadmahdi M.!
Don't worry about it :). A few years ago, that package was deprecated and its recipe was removed - we have a note about it near the top of the script (and in the video): https://symfonycasts.com/sc....
So, you're not doing anything wrong - but this package is no longer a good example of seeing a recipe in action.
Cheers!
The Flex server is going to shut down, so you have to install sec-checker via git, if I understood that right. Maybe you can update it in your video. Cheers
Hey @Morty,
Yes, you're right about the Flex server going to shut down, but you don't have to install the sec-checker library (it's deprecated, actually). You can check for vulnerabilities by using the Symfony CLI or this other tool https://github.com/fabpot/l...
Cheers!
Wow, Symfonycasts website seems to be like Laracasts, but instead we could learn Symfony. That's amazing and I hope there will be more free content.
Hey Beginner,
Yes, SymfonyCasts content is more Symfony-related, while Laracasts' is more Laravel-related :) Though Laravel uses a lot of Symfony components behind the scenes, you can see it in the Composer dependencies list, so by learning Symfony you will kinda cover both Symfony and Laravel ;)
About the free content - we do have some free courses from time to time, and also every few videos on *every* course are typically free! :) So you can start any tutorial for free to decide whether you want to buy access to finish the course or not. We also have some discounted offers for students, so if you're an active student - contact us directly via the contact form: https://symfonycasts.com/co... . And it's important to mention that even if some videos are behind a paywall on SymfonyCasts, you can still learn with us for free by reading the scripts below the video. Scripts are exactly the text we're saying in the video, and thanks to our dynamic code blocks you can literally see the actual code we use in the video :)
I hope this helps and happy Symfony learning!
Cheers!
I've got a version problem here (I am using Symfony 6.0 right now)
Z:\htdocs\symphony\test_project>composer require sec-checker --no-scripts
Using version ^6.0 for sensiolabs/security-checker
./composer.json has been updated
Running composer update sensiolabs/security-checker
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.0.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
- sensiolabs/security-checker[v6.0.0, ..., v6.0.2] require symfony/console ^2.8|^3.4|^4.2 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4
.47, v4.2.0, ..., v4.4.34] but it conflicts with your root composer.json require (6.0.*).
- sensiolabs/security-checker v6.0.3 requires symfony/console ^2.8|^3.4|^4.2|^5.0 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4.47, v4.
2.0, ..., v4.4.34, v5.0.0, ..., v5.4.0] but it conflicts with your root composer.json require (6.0.*).
- Root composer.json requires sensiolabs/security-checker ^6.0 -> satisfiable by sensiolabs/security-checker[v6.0.0, v6.0.1, v6.0.2, v6.0.3].
Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
You can also try re-running composer require with an explicit version constraint, e.g. "composer require sensiolabs/security-checker:*" to figure out if any v
ersion is installable, or "composer require sensiolabs/security-checker:^2.1" if you know which you need.
Installation failed, reverting ./composer.json and ./composer.lock to their original content.
Because of https://packagist.org/packa... this module is abandoned; it looks like this video should be renewed?
I'd suggest just ignoring this security checker stuff, because you are using Symfony 6... but I also want to warn you about more issues because of the Symfony version, because this course is designed for Symfony 5
BTW, if you are interested in security checks, you will need to use the Symfony CLI for it =)
Cheers!
mike@mike:~/dev/symfony/cauldron_overflow$ php bin/console security:check
The web service failed for an unknown reason (HTTP 403).
Hey Mike,
Yeah, that's because sensiolabs/security-checker is not maintained anymore; you can find more info about this here: https://github.com/sensiola... . As you can see, there are a few other options instead: you can use the Symfony CLI for checking security vulnerabilities or use this library https://github.com/fabpot/l... .
Cheers!
Hi guys, I ran the command "composer require sec-checker" but the security-checker script didn't execute. The result was this; how can I run that script? Thanks

Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run composer update or composer update <package name>.
Nothing to install, update or remove
Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/local-php-security-checker instead.
Generating optimized autoload files
34 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
Run composer recipes at any time to see the status of your Symfony recipes.
Executing script cache:clear [OK]
Executing script assets:install public [OK]

Error after running the "php bin/console security:check" command:

The web service failed for an unknown reason (HTTP 403)

Error after running the "php bin/console security" command:

Command "security" is not defined.

After running the "symfony security:check" command:

Symfony Security Check Report
=============================
No packages have known vulnerabilities.

The composer.json file doesn't have the line "security-checker security:check" : "script" in its auto-scripts section.
Hey Jose,
The "sec-checker" alias is pointing to "sensiolabs/security-checker" package that is already deprecated: https://packagist.org/packa... - and so it may not work as expected because it's not maintained anymore.
Here's the replacement that's recommended to be used instead: https://github.com/fabpot/l...
Or, you can check this with "symfony security:check" that is a valid way of doing this check.
I hope this helps!
Cheers!
Hi. I was trying to get the security checker but I got this instead: "Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead." How do I get local-php-security-checker instead?
Hey Norris M.
You can do what Dutta said, or install Symfony CLI and run this command symfony security:check
Cheers!
MolloKhan Thanks mate!
Download any of the executable files from the git repo (https://github.com/fabpot/l...), save it in your project dir, and run it from the terminal
How do I use the files above? What should I copy, and where should I paste it? And how do I run it in the terminal?
Thanks Deeptonabho D. It worked.
Hi guys, I have a problem when trying to install the security checker. Can you help me understand what I did wrong?
Symfony operations: 1 recipe (b05abf754e48fa4ce00d852015c44e45)
- Configuring sensiolabs/security-checker (>=4.0): From github.com/symfony/recipes:master
Executing script cache:clear [OK]
Executing script assets:install public [OK]
Executing script security-checker security:check [KO]
[KO]
Script security-checker security:check returned with error code 1
!! Symfony Security Check Report
!! =============================
!!
!! 1 packages have known vulnerabilities.
!!
!! symfony/http-kernel (v5.1.4)
!! ----------------------------
!!
!! * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
!!
!! [CVE-2020-15094]: https://symfony.com/cve-2020-15094
!!
!! Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
!! Execute this command regularly to check the newly discovered vulnerabilities.
!!
Script @auto-scripts was called via post-update-cmd
Installation failed, reverting ./composer.json to its original content.
Hey Tanguy D.
You did nothing wrong, that's the Security checker telling you that a library has a vulnerability. Please read this other comment for a better explanation https://symfonycasts.com/sc...
Cheers!
Thank you
Using composer update solved the issue, but can you try to explain to me what happens exactly?
Is it possible to create your own recipe, and also, is there an option to use a private Flex recipe server?
Hey Bertin
Yes, you can create your own recipes for your own bundles/projects. And about "is there an option to use a private flex recipe server":
I don't fully understand what you mean by "private flex server"
Cheers!
With private Flex server I mean something like private Packagist, so it's only visible to me
Yes, you can have your own "private" bundles, but I'm not sure if you can add private recipes to Flex. I think you should ask that question directly to them, because in theory recipes work with public packages. Here is the link to the Flex recipes project https://github.com/symfony/...
Cheers!
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.3.0 || ^8.0.0",
"ext-ctype": "*",
"ext-iconv": "*",
"easycorp/easy-log-handler": "^1.0.7", // v1.0.9
"sensio/framework-extra-bundle": "^6.0", // v6.2.1
"symfony/asset": "5.0.*", // v5.0.11
"symfony/console": "5.0.*", // v5.0.11
"symfony/debug-bundle": "5.0.*", // v5.0.11
"symfony/dotenv": "5.0.*", // v5.0.11
"symfony/flex": "^1.3.1", // v1.21.6
"symfony/framework-bundle": "5.0.*", // v5.0.11
"symfony/monolog-bundle": "^3.0", // v3.5.0
"symfony/profiler-pack": "*", // v1.0.5
"symfony/routing": "5.1.*", // v5.1.11
"symfony/twig-pack": "^1.0", // v1.0.1
"symfony/var-dumper": "5.0.*", // v5.0.11
"symfony/webpack-encore-bundle": "^1.7", // v1.8.0
"symfony/yaml": "5.0.*" // v5.0.11
},
"require-dev": {
"symfony/profiler-pack": "^1.0" // v1.0.5
}
}
You can find recipe aliases now under https://bit.ly/flex-recipes