Flag of Ukraine
SymfonyCasts stands united with the people of Ukraine
This tutorial has a new version, check it out!

Flex, Recipes & Aliases

Video not working?

It looks like your browser may not support the H264 codec. If you're using Linux, try a different browser or try installing the gstreamer0.10-ffmpeg gstreamer0.10-plugins-good packages.

Thanks! This saves us from needing to use Flash or encode videos in multiple formats. And that let's us get back to making more videos :). But as always, please feel free to message us.

We're going to install a totally new package into our app called the "security checker". The security checker is a tool that looks at your application's dependencies and tell you if any of them have known security vulnerabilities. But, full disclosure, as cool as that is... the real reason I want to install this library is because it's a great way to look at Symfony's all-important "recipe" system.

At your terminal, run:

composer require sec-checker --no-scripts

Tip

You can still download the security checker to see how its recipe works, but the API it uses has been discontinued in favor of other solutions. If you want to know more, see https://github.com/sensiolabs/security-checker

In a real app, you should probably pass --dev to add this to your dev dependencies... but it won't matter for us.

Flex Aliases

There is, however, something weird here. Specifically... sec-checker is not a valid package name! In the Composer world, every package must be something/something-else: it can't just be sec-checker. So what the heck is going on?

Back in PhpStorm, open up composer.json. When we started the project, we had just a few dependencies in this file. One of them is symfony/flex.

69 lines composer.json
{
... lines 2 - 3
"require": {
"php": "^7.2.5",
"ext-ctype": "*",
"ext-iconv": "*",
"sensio/framework-extra-bundle": "^5.5",
"sensiolabs/security-checker": "^6.0",
"symfony/console": "5.0.*",
"symfony/dotenv": "5.0.*",
"symfony/flex": "^1.3.1",
"symfony/framework-bundle": "5.0.*",
"symfony/yaml": "5.0.*"
},
... lines 16 - 67
}

This is a composer plugin that adds two special features to Composer itself. The first is called "aliases".

At your browser, go to http://flex.symfony.com to find and big page full of packages. Search for security. Better, search for sec-checker. Boom! This says that there is a package called sensiolabs/security-checker and it has aliases of sec-check, sec-checker, security-checker and some more.

The alias system is simple: because Symfony Flex is in our app, we can say composer require security-checker, and it will really download sensiolabs/security-checker.

You can see this in our terminal: we said sec-checker, but ultimately it downloaded sensiolabs/security-checker. That's also what Composer added to our composer.json file. So... aliases are just a nice shortcut feature... but it's kinda cool! You can almost guess an alias when you want to install something. Want a logger? Run composer require logger to get the recommended logger. Need to mail something? composer require mailer. Need to eat a cake? composer require cake!

Flex Recipes

The second feature that Flex adds to Composer is the really important one. It's the recipe system.

Back at the terminal, after installing the package, it said:

Symfony operations: 1 recipe configuring sensiolabs/security-checker.

Interesting. Run:

git status

Whoa! We expected composer.json and composer.lock to be modified... that's how composer works. But something also modified a symfony.lock file... and added a totally new security_checker.yaml file!

Ok, first, symfony.lock is a file that's managed by Flex. You don't need to worry about it, but you should commit it. It keeps a big list of which recipes have been installed.

So, who created the other file? Open it up: config/packages/security_checker.yaml.

services:
_defaults:
autowire: true
autoconfigure: true
SensioLabs\Security\SecurityChecker: null
SensioLabs\Security\Command\SecurityCheckerCommand: null

Each package you install may have a Flex "recipe". The idea is beautifully simple. Instead of telling people to install a package and then create this file, and update this other file in order to get things working, Flex executes a recipe which... just does that stuff for you! This file was added by the sensiolabs/security-checker recipe!

You don't need to worry about the specifics of what's inside this file right now. The point is, thanks to this file, we have a new bin/console command. Run:

php bin/console

See that security:check command? That wasn't there a second ago. It's there now thanks to the new YAML file. Try it:

php bin/console security:check

No packages have known vulnerabilities! Awesome!

How Recipes Work

Here is the big picture: thanks to the recipe system, whenever you install a package, Flex will check to see if that package has a recipe and, if it does, will install it. A recipe can do many things, like add files, create directories or even modify a few files, like adding new lines to your .gitignore file.

The recipe system is a game-changer. I love it because anytime I need a new package, all I need to do is install it. I don't need to add configuration files or modify anything because the recipe automates all that boring work.

Recipes can Modify Files

In fact, this recipe did something else we didn't notice. At the terminal, run:

git diff composer.json

We expected that Composer would add this new line to the require section. But there is also a new line under the scripts section. That was done by the recipe.

69 lines composer.json
{
... lines 2 - 3
"require": {
... lines 5 - 8
"sensiolabs/security-checker": "^6.0",
... lines 10 - 14
},
... lines 16 - 45
"scripts": {
"auto-scripts": {
... lines 48 - 49
"security-checker security:check": "script"
},
... lines 52 - 57
},
... lines 59 - 67
}

Thanks to this, whenever you run composer install after it finishes, it automatically runs the security checker.

Tip

Running composer install will fail with 403 API error. It's ok, we will remove security checker in the next chapter so it won't be an issue. If you want to know more, see https://github.com/sensiolabs/security-checker

The point is: to use the security checker, the only thing we needed to do was... install it. Its recipe took care of the rest of the setup.

Now... if you're wondering:

Hey! Where the heck does this recipe live? Can I see it?

That's a great question! Let's find out where these recipes live and what they look like next.

Leave a comment!

36
Login or Register to join the conversation

please i have a problem, when i execute php bin\console security:check i get this errors

In ErrorChunk.php line 65:

Could not resolve host: security.symfony.com for "https://security.symfony.co...".

In CurlResponse.php line 335:

Could not resolve host: security.symfony.com for "https://security.symfony.co...".

security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [--] [<lockfile>]

1 Reply

is it something i should worry about ? or can i just move to the other videos ? i'm using symfony 5.4

Reply

Hey SouFiane,

Yes, that's OK... because that way is deprecated now. You should use other ways for checking the security of your project, look at this comment for alternative ways: https://symfonycasts.com/sc...

Let us know if you still have any problems with following this tutorial further!

Cheers!

Reply
Default user avatar
Default user avatar Melanie | posted 1 year ago

Hi, i have a probleme,when i make php bin/console security:check, sometime the command works and sometime no.
What can i do ?


D:\web_server_dev3\Apache24\htdocs\projet_test (master)

[0;33mSymfony Security Check Report[0m
[0;33m=============================[0m

[0;37;42mNo packages have known vulnerabilities.[0m

D:\web_server_dev3\Apache24\htdocs\projet_test (master)

λ php bin/console security:check


In ErrorChunk.php line 65:

fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


In NativeResponse.php line 115:

fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


security:check [--format FORMAT] [--end-point END-POINT] [--timeout TIMEOUT] [--token TOKEN] [-h|--help] [-q|--quiet] [-v|vv|vvv|--verbose] [-V|--version] [--ansi] [--no-ansi] [-n|--no-interaction] [-e|--env ENV] [--no-debug] [--] <command> [<lockfile>]
1 Reply

Hey Melanie,

I'd recommend you to use "symfony security:check" command instead of doing it via "bin/console". This way you can drop this security checker from your project dependencies completely and use standalone one from symfony binary.

Though, it probably may not fix the problem for you. The error you showed looks like a network problem... Do you have any proxy configured on your computer? Do you have good internet connection when this error happens? If you don't have any proxy and your internet connection is good - probably my guess is that it might be on Symfony side, hopefully something temporary as it sounds like a randomly failed connection for you.

Anyway, try to use "symfony security:check" and look closer if this failed with the similar error and when it fails.

I hope this helps!

Cheers!

2 Reply

Hey SouFiane,

Awesome! Thanks for letting us know it was useful for you!

Cheers!

Reply
Mohammadmahdi M. Avatar
Mohammadmahdi M. Avatar Mohammadmahdi M. | posted 2 months ago

hi i installed the sec checker but security_checker.yaml didn't add automatilcy

i'm using symfony 5.4

Reply

Hi Mohammadmahdi M.!

Don't worry about it :). A few years ago, that package was deprecated and its recipe was removed - we have a note about it near the top of the script (and in the video): https://symfonycasts.com/sc....

So, you're not doing anything wrong - but this package is no longer a good example of seeing a recipe in action.

Cheers!

Reply

nice course, now let's go to the next one <3 greate teaching skills as well very talented persone

Reply
Default user avatar

the flex server is going to shutdown so you have to install sec-checker it via git if I did understand that right. Maybe you can update it in your video. Cheers

Reply

Hey @Morty,

Yes, you're right about the Flex server going to shutdown but you don't have to install the sec-checker library (it's deprecated, actually). You can check for vulnerabilities by using the Symfony CLI or this other tool https://github.com/fabpot/l...

Cheers!

Reply
Default user avatar
Default user avatar Beginner | posted 9 months ago

Wow, Symfonycasts website seems to be like Laracasts, but instead we could learn Symfony. That's amazing and I hope there will be more free content.

Reply

Hey Beginner,

Yes, SymfonyCasts content is more Symfony-related when Laracasts one is more Laravel related :) Though Laravel uses a lot of Symfony components behind the scene, you can see it in Composer dependencies list, so learning Symfony you will kinda cover both Symfony and Laravel ;)

About the free content - we do have some free courses from time to time, also every few videos on *every* course are typically free! :) So you can start with any tutorial for free to decide if you want to buy access to finish the course or no. We also have some discounted offers for students, so if you're an active student - contact us directly via contact form: https://symfonycasts.com/co... . And it's important to mention that even if some videos are behind of paywall on SymfonyCasts, you still can learn with us for free reading the scripts below the video. Scripts are exactly the text we're talking in the video, and thankfully to our dynamic code blocks you can literally see the actual code we use in the video :)

I hope this helps and happy Symfony learning!

Cheers!

Reply
Игорь П. Avatar
Игорь П. Avatar Игорь П. | posted 10 months ago

I've got a version problem here (I am using symphony 6.0 right now)

Z:\htdocs\symphony\test_project>composer require sec-checker --no-scripts
Using version ^6.0 for sensiolabs/security-checker
./composer.json has been updated
Running composer update sensiolabs/security-checker
Loading composer repositories with package information
Restricting packages listed in "symfony/symfony" to "6.0.*"
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

Problem 1
- sensiolabs/security-checker[v6.0.0, ..., v6.0.2] require symfony/console ^2.8|^3.4|^4.2 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4
.47, v4.2.0, ..., v4.4.34] but it conflicts with your root composer.json require (6.0.*).
- sensiolabs/security-checker v6.0.3 requires symfony/console ^2.8|^3.4|^4.2|^5.0 -> found symfony/console[v2.8.0, ..., v2.8.52, v3.4.0, ..., v3.4.47, v4.
2.0, ..., v4.4.34, v5.0.0, ..., v5.4.0] but it conflicts with your root composer.json require (6.0.*).
- Root composer.json requires sensiolabs/security-checker ^6.0 -> satisfiable by sensiolabs/security-checker[v6.0.0, v6.0.1, v6.0.2, v6.0.3].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
You can also try re-running composer require with an explicit version constraint, e.g. "composer require sensiolabs/security-checker:*" to figure out if any v
ersion is installable, or "composer require sensiolabs/security-checker:^2.1" if you know which you need.

Installation failed, reverting ./composer.json and ./composer.lock to their original content.

Reply
Игорь П. Avatar

Because of https://packagist.org/packa... this module is abandoned it looks like this video should be re new?

Reply

I'd like to suggest just ignore this security checker stuff, because you are using Symfony 6... but also I want to warn you about more issues because of Symfony version, because this course is designed for Symfony 5

BTW if you are interested in security checks you will need to use Symfony CLI for it =)

Cheers!

1 Reply
Leon Avatar

mike@mike:~/dev/symfony/cauldron_overflow$ php bin/console security:check

The web service failed for an unknown reason (HTTP 403).

Reply

Hey Mike,

Yeah, that's because the sensiolabs/security-checker is not maintained anymore, you can find more info about this here: https://github.com/sensiola... . As you can see, there're a few other options instead: you can use Symfony CLI for checking security vulnerabilities or use this library https://github.com/fabpot/l... .

Cheers!

2 Reply
Jose C. Avatar
Jose C. Avatar Jose C. | posted 1 year ago

Hi guys, i run the command "composer require sec-checker" but the security-checker script didn't execute, the result was this, how can i run that script? Thanks

Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run `composer update` or `composer update <package name="">`.
Nothing to install, update or remove
Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead.
Generating optimized autoload files
34 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

Run composer recipes at any time to see the status of your Symfony recipes.

Executing script cache:clear [OK]
Executing script assets:install public [OK]
error after run the "php bin/console security:check" command

The web service failed for an unknown reason (HTTP 403)

error after run the "php bin/console security" command

Command "security" is not defined.

After run "symfony security:check" command

Symfony Security Check Report
=============================

No packages have known vulnerabilities.

The composer.json file hasn't in auto-scripts section the line "security-checker security:check" : "script"

Reply

Hey Jose,

The "sec-checker" alias is pointing to "sensiolabs/security-checker" package that is already deprecated: https://packagist.org/packa... - and so it may not work as expected because it's not maintained anymore.

Here's the replacement that's recommended to be used instead: https://github.com/fabpot/l...

Or, you can check this with "symfony security:check" that is a valid way of doing this check.

I hope this helps!

Cheers!

Reply
Norris M. Avatar
Norris M. Avatar Norris M. | posted 1 year ago

Hi. I was trying to get the security checker but I got this instead "Package sensiolabs/security-checker is abandoned, you should avoid using it. Use https://github.com/fabpot/l... instead." how to do I get local-php-security-checker instead?

Reply

Hey Norris M.

You can do what Dutta said, or install Symfony CLI and run this command symfony security:check

Cheers!

3 Reply
Norris M. Avatar
Norris M. Avatar Norris M. | MolloKhan | posted 1 year ago | edited

MolloKhan Thanks mate!

1 Reply
Deeptonabho D. Avatar
Deeptonabho D. Avatar Deeptonabho D. | Norris M. | posted 1 year ago

Download any of the executable files from the git repo (https://github.com/fabpot/l..., save it in your project dir, and run it from the terminal

2 Reply
Hawraa A. Avatar

how to use the files above? what should I copy and where I should paste? and how to run it in the terminal?

Reply

Hey Hawraa A.

You can find all exact instructions here https://github.com/fabpot/l...

Cheers!

Reply
Norris M. Avatar
Norris M. Avatar Norris M. | Deeptonabho D. | posted 1 year ago | edited

Thanks Deeptonabho D. It worked.

Reply
Tanguy D. Avatar
Tanguy D. Avatar Tanguy D. | posted 2 years ago

Hi guys, I have a problem when trying to install security checker. Can you help me understand what I did wrong ?




Symfony operations: 1 recipe (b05abf754e48fa4ce00d852015c44e45)
- Configuring sensiolabs/security-checker (>=4.0): From github.com/symfony/recipes:master
Executing script cache:clear [OK]
Executing script assets:install public [OK]
Executing script security-checker security:check [KO]
[KO]
Script security-checker security:check returned with error code 1
!! Symfony Security Check Report
!! =============================
!!
!! 1 packages have known vulnerabilities.
!!
!! symfony/http-kernel (v5.1.4)
!! ----------------------------
!!
!! * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
!!
!! [CVE-2020-15094]: https://symfony.com/cve-2020-15094
!!
!! Note that this checker can only detect vulnerabilities that are referenced in the SensioLabs security advisories database.
!! Execute this command regularly to check the newly discovered vulnerabilities.
!!
Script @auto-scripts was called via post-update-cmd


Installation failed, reverting ./composer.json to its original content.


Reply

Hey Tanguy D.

You did nothing wrong, that's the Security checker telling you that a library has a vulnerability. Please read this other comment for a better explanation https://symfonycasts.com/sc...

Cheers!

1 Reply
Tanguy D. Avatar

Thank you

Reply
Tanguy D. Avatar

Using composer update solved the issue but can you try to explain to me what happens exactly ?

Reply
Bertin Avatar

Is it possible to create an own recipe and also is there an option to use an private flex recipe server.

Reply

Hey Bertin

Yes, you can create your own recipes for your own bundles/projects. And about also is there an option to use an private flex recipe server. I don't fully understand what you mean with "private flex server"

Cheers!

Reply
Bertin Avatar

With private flex server i mean something like private packagist so its only vissbily for me

Reply

Yes, you can have your own "private" bundles but I'm not sure if you can add private recipes to Flex. I think you should ask that question directly to them because in theory, recipes works with public packages. Here is the link to the Flex recipes project https://github.com/symfony/...

Cheers!

Reply
Cat in space

"Houston: no signs of life"
Start the conversation!

This tutorial also works great for Symfony 6!

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.3.0 || ^8.0.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "easycorp/easy-log-handler": "^1.0.7", // v1.0.9
        "sensio/framework-extra-bundle": "^6.0", // v6.2.1
        "symfony/asset": "5.0.*", // v5.0.11
        "symfony/console": "5.0.*", // v5.0.11
        "symfony/debug-bundle": "5.0.*", // v5.0.11
        "symfony/dotenv": "5.0.*", // v5.0.11
        "symfony/flex": "^1.3.1", // v1.17.5
        "symfony/framework-bundle": "5.0.*", // v5.0.11
        "symfony/monolog-bundle": "^3.0", // v3.5.0
        "symfony/profiler-pack": "*", // v1.0.5
        "symfony/routing": "5.1.*", // v5.1.11
        "symfony/twig-pack": "^1.0", // v1.0.1
        "symfony/var-dumper": "5.0.*", // v5.0.11
        "symfony/webpack-encore-bundle": "^1.7", // v1.8.0
        "symfony/yaml": "5.0.*" // v5.0.11
    },
    "require-dev": {
        "symfony/profiler-pack": "^1.0" // v1.0.5
    }
}