1. SOFTWARE
COMPOSITION
ANALYSIS
IN PHP
PIOTR HORZYCKI

2. WHAT DOES YOUR PROJECT DEPEND ON?
people :)
framework, libraries
PHP, Composer
Docker + operating system
hosting
network
electricity

4. RISK
THE MAGIC WORD TO USE WHEN TALKING TO BUSINESS

5. HOW MUCH 3RD-PARTY CODE YOU HAVE?
Original LOC Vendor LOC Original LOC %
Project A 156,436 2,465,907 6%
Project B 24,355 1,017,297 2%
Project C 3,622 850,605 0.4%
Lines of code in src and tests vs vendor. Source: own

6. DEPENDENCY TREE

7. WHY THERE'S A DEPENDENCY X?
$ composer why namshi/jose
lexik/jwt-authentication-bundle v2.11.3 requires namshi/jose (^7.2)
roave/security-advisories 9999999-dev conflicts namshi/jose (<2.2)

8. https://www.theregister.com/2016/03/23/npm_left_pad_chaos/

9. PROJECT HEALTH
Quality Controls and Metrics
Community Engagement
Vulnerability Analysis
Source: Component Analysis by OWASP

10. PRODUCT LIFECYCLE

11. PRODUCT LIFECYCLE
1. active support with bugfixes
2. critical security fixes
3. end of life
4. museum

12. PHP RELEASE ROADMAP

13. SYMFONY RELEASE ROADMAP

14. LARAVEL RELEASE ROADMAP
Version Release Bug Fixes Until Security Fixes Until
6 (LTS) September 3rd, 2019 January 25th, 2022 September 6th, 2022
7 March 3rd, 2020 October 6th, 2020 March 3rd, 2021
8 September 8th, 2020 July 26th, 2022 January 24th, 2023
9 (LTS) January 25th, 2022 January 30th, 2024 January 28th, 2025
10 January 24th, 2023 July 30th, 2024 January 28th, 2025
https://laravel.com/docs/8.x/releases

15. DOCTRINE RELEASE ROADMAP?
Ocramius,
No roadmap: the roadmap is "we do what we can, when we can", sorry.
(...)
We cannot commit to any schedule, since we're not a company
and we do not profit from the tool.
https://github.com/doctrine/orm/issues/6211#issuecomment-270134038

17. CODE QUALITY

18. PHPMETRICS: OUR CODE QUALITY

19. PHPMETRICS FOR DOCTRINE

20. PHPMETRICS FOR SOME PDF LIBRARY...
The main class has over 20,000 LOC and 1 MB

21. SECURITY

22. LIST OF COMPONENTS WITH VULNERABILITIES
Source: screenshot of the Veracode Platform

23. UPDATING TO A SECURE VERSION
Source: screenshot of the Veracode Platform

24. GITHUB DEPENDABOT

25. ROAVE SECURITY ADVISORIES
simple Composer exclusion list
prevents from installing packages with vulnerabilities
updated daily
composer require --dev roave/security-advisories:dev-latest

26. LOCAL PHP SECURITY CHECK
https://github.com/fabpot/local-php-security-checker
Symfony Security Check Report
=============================
6 packages have known vulnerabilities.
codeception/codeception (4.1.17)
--------------------------------
* [CVE-2021-23420][]: Deserialization of Untrusted Data
lexik/jwt-authentication-bundle (v2.10.6)
-----------------------------------------
* [CVE-2021-21424][]: Prevent user enumeration via response content in ...

27. SUPPLY CHAIN ATTACKS
https://blog.sonarsource.com/php-supply-chain-attack-on-composer
typosquatting
Private Packagist

28. LICENSES
I DON'T WANT TO GO TO JAIL EITHER

29. https://choosealicense.com/ |
https://opensource.guide/legal/

30. WHAT LICENSES DO THE DEPENDENCIES HAVE?
$ composer licenses
mcustiel/phiremock-server v1.1.2 GPL-3.0-or-later
mhujer/jms-serializer-uuid 3.2.0 MIT
mikey179/vfsstream v1.6.8 BSD-3-Clause
moneyphp/money v3.3.1 MIT
monolog/monolog 2.1.1 MIT

31. A LICENSE MAY CHANGE
iText (2009 switch to AGPL)
ElasticSearch (January 2021 AWS case)
Docker (August 2021)
...

32. TIME TO UPDATE
BUT DON'T BREAK ANYTHING

33. OUTDATED PACKAGES

34. MAJOR.MINOR.PATCH
~1.2.3: <1.3.0
^1.2.3: <2.0.0
https://getcomposer.org/doc/articles/versions.md

35. COMPOSER UPDATE HAS OPTIONS
--dry-run
--no-dev
--root-reqs
https://getcomposer.org/doc/03-cli.md#update-u

36. OWASP RECOMMENDATIONS
Limit the age of acceptable components
Prohibit the use of end-of-life components
Prohibit the use of components with known vulnerabilities
Update components that are exploitable with high to moderate risk first
Reduce the attack surface by excluding unnecessary dependencies
Reduce the number of suppliers
Standardize on a single component for each function
Utilize private repositories in lieu of untrusted ones
Provide time-boxed allowances every sprint to maintain component hygiene
Establish a allowed list of acceptable licenses
Automate the analysis of all third-party components during Continuous Integration
Full list: https://owasp.org/www-community/Component_Analysis