The document discusses software composition and dependency management in PHP projects. It provides information on project dependencies, managing third-party code and licenses, monitoring code quality and vulnerabilities, and maintaining a product lifecycle for updates and security fixes. Key aspects covered include dependency trees, release roadmaps, vulnerability analysis tools, outdated packages, license checks, and OWASP recommendations for component analysis.
5. HOW MUCH 3RD-PARTY CODE DO YOU HAVE?
            Original LOC   Vendor LOC   Original share
Project A        156,436    2,465,907              6%
Project B         24,355    1,017,297              2%
Project C          3,622      850,605            0.4%
Lines of code in src and tests (original) vs. vendor; share = original / (original + vendor). Source: own measurement
14. LARAVEL RELEASE ROADMAP
Version   Release               Bug fixes until       Security fixes until
6 (LTS)   September 3rd, 2019   January 25th, 2022    September 6th, 2022
7         March 3rd, 2020       October 6th, 2020     March 3rd, 2021
8         September 8th, 2020   July 26th, 2022       January 24th, 2023
9 (LTS)   January 25th, 2022    January 30th, 2024    January 28th, 2025
10        January 24th, 2023    July 30th, 2024       January 28th, 2025
Dates as published in the 8.x documentation at the time; rows for versions not yet released then are planned dates (Laravel 9 actually shipped on February 8th, 2022 and its support window moved accordingly). After the "security fixes until" date a version is end-of-life.
https://laravel.com/docs/8.x/releases
15. DOCTRINE RELEASE ROADMAP?
Ocramius,
No roadmap: the roadmap is "we do what we can, when we can", sorry.
(...)
We cannot commit to any schedule, since we're not a company
and we do not profit from the tool.
https://github.com/doctrine/orm/issues/6211#issuecomment-270134038
25. ROAVE SECURITY ADVISORIES
a Composer meta-package that contains nothing but "conflict" rules
prevents Composer from resolving to package versions with known vulnerabilities
updated daily
acts only when the solver runs (composer require / update), not on composer install from an existing lock file, so it complements a scanner rather than replacing it
composer require --dev roave/security-advisories:dev-latest
26. LOCAL PHP SECURITY CHECK
https://github.com/fabpot/local-php-security-checker
checks composer.lock against the FriendsOfPHP security-advisories database; since Composer 2.4 the built-in composer audit command does the same job against the Packagist advisory API
Symfony Security Check Report
=============================
6 packages have known vulnerabilities.
codeception/codeception (4.1.17)
--------------------------------
* [CVE-2021-23420][]: Deserialization of Untrusted Data
lexik/jwt-authentication-bundle (v2.10.6)
-----------------------------------------
* [CVE-2021-21424][]: Prevent user enumeration via response content in ...
30. WHAT LICENSES DO THE DEPENDENCIES HAVE?
$ composer licenses
mcustiel/phiremock-server v1.1.2 GPL-3.0-or-later
mhujer/jms-serializer-uuid 3.2.0 MIT
mikey179/vfsstream v1.6.8 BSD-3-Clause
moneyphp/money v3.3.1 MIT
monolog/monolog 2.1.1 MIT
31. A LICENSE MAY CHANGE
iText (2009: switch to AGPL)
Elasticsearch (January 2021: Apache 2.0 replaced by SSPL / Elastic License after the dispute with AWS)
Docker (August 2021: Docker Desktop becomes a paid subscription for larger companies)
...
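The two slides above (composer licenses output and licenses changing under you) are what a CI license gate automates. Below is an added example, not from the slides and not Composer's own code: a Python script that reads the JSON that composer licenses --format=json prints (a top-level "dependencies" map of package name to {"version", "license"}), splits disjunctive SPDX choices, keeps "and" expressions whole, and fails the build when a dependency offers no license from the allowlist. The allowlist and the SAMPLE_REPORT (the packages from slide 30 plus two constructed entries under the hypothetical acme/ vendor) are assumptions for the example.

```python
"""License allowlist gate over the JSON from `composer licenses --format=json`.

Added example for the slides; not Composer's own code. The allowlist below is an
assumption for the example: the real one is whatever your organisation approves.
Usage:  composer licenses --format=json --no-dev > licenses.json
        python3 license_gate.py licenses.json      (no argument: runs on the sample)
"""
import json
import re
import sys

ALLOWED_LICENSES = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


def license_choices(entry):
    """Return the set of licenses a package lets you choose from.

    Composer lists licenses as an array whose entries are alternatives, and a
    single entry may itself be an SPDX expression such as "(MIT or GPL-2.0-only)".
    "and" expressions are kept whole: a package that is MIT *and* GPL cannot be
    used under MIT alone, so it must not slip through the allowlist.
    """
    raw = entry.get("license", [])
    if isinstance(raw, str):
        raw = [raw]
    choices = set()
    for expr in raw:
        expr = expr.strip()
        if expr.startswith("(") and expr.endswith(")"):
            expr = expr[1:-1].strip()
        if re.search(r"\s+and\s+", expr, re.IGNORECASE):
            choices.add(expr)
        else:
            # Whitespace-bounded "or" only: "GPL-3.0-or-later" must stay one token.
            choices.update(p.strip() for p in re.split(r"\s+or\s+", expr, flags=re.IGNORECASE))
    return {c for c in choices if c}


def check_licenses(report, allowed=ALLOWED_LICENSES):
    """Return {package: reason} for every dependency that offers no allowed license."""
    violations = {}
    for name, entry in sorted(report.get("dependencies", {}).items()):
        choices = license_choices(entry)
        if not choices:
            violations[name] = "no license declared"
        elif not choices & allowed:
            violations[name] = "not allowed: " + " / ".join(sorted(choices))
    return violations


# Constructed sample in the shape of `composer licenses --format=json`: the packages
# from slide 30 plus two hypothetical acme/ packages for the edge cases.
SAMPLE_REPORT = {
    "name": "acme/app",
    "version": "1.0.0",
    "license": ["proprietary"],
    "dependencies": {
        "mcustiel/phiremock-server": {"version": "v1.1.2", "license": ["GPL-3.0-or-later"]},
        "mhujer/jms-serializer-uuid": {"version": "3.2.0", "license": ["MIT"]},
        "mikey179/vfsstream": {"version": "v1.6.8", "license": ["BSD-3-Clause"]},
        "moneyphp/money": {"version": "v3.3.1", "license": ["MIT"]},
        "monolog/monolog": {"version": "2.1.1", "license": ["MIT"]},
        "acme/dual-licensed": {"version": "2.0.0", "license": ["(MIT or GPL-2.0-only)"]},
        "acme/no-license": {"version": "0.1.0", "license": []},
    },
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    violations = check_licenses(report)
    for name, reason in violations.items():
        print(f"FAIL {name}: {reason}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with --no-dev on the composer side when the policy only covers code you ship: a GPL test tool such as a mock server usually matters less than a GPL library linked into the product. Because a license can change between releases, the gate belongs in the same CI job that runs composer update, not in a one-off audit.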
35. COMPOSER UPDATE HAS OPTIONS
--dry-run     shows what would be updated without touching vendor/ or composer.lock
--no-dev      skips require-dev packages
--root-reqs   updates only the packages listed in composer.json; transitive dependencies stay at their locked versions
https://getcomposer.org/doc/03-cli.md#update-u
36. OWASP RECOMMENDATIONS
Limit the age of acceptable components
Prohibit the use of end-of-life components
Prohibit the use of components with known vulnerabilities
Update components that are exploitable with high to moderate risk first
Reduce the attack surface by excluding unnecessary dependencies
Reduce the number of suppliers
Standardize on a single component for each function
Utilize private repositories in lieu of untrusted ones
Provide time-boxed allowances every sprint to maintain component hygiene
Establish an allowed list of acceptable licenses
Automate the analysis of all third-party components during Continuous Integration
Full list: https://owasp.org/www-community/Component_Analysis
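The first three OWASP items (age limit, no end-of-life components, no known-vulnerable components) and the composer update options above come together in a gate over composer show --outdated --format=json. The following is an added example, not from the slides and not Composer's own code. It relies on the field names Composer emits in that JSON (name, version, latest, latest-status with the values up-to-date / semver-safe-update / update-possible, and abandoned, which is either true or the suggested replacement); verify them against your Composer version. The policy (abandoned or major-version-behind fails, semver-safe updates warn) and the SAMPLE_REPORT with its version numbers are assumptions constructed for the example; acme/internal-lib is hypothetical.

```python
"""Component-age gate over the JSON from `composer show --outdated --format=json`.

Added example for the slides; not Composer's own code. Policy (an assumption
derived from the OWASP items): abandoned packages and packages a full major
version behind upstream fail the build, anything else with an update only warns.
Usage:  composer show --outdated --format=json > outdated.json
        python3 component_gate.py outdated.json    (no argument: runs on the sample)
"""
import json
import re
import sys

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) for a tagged release, or None for branch
    aliases such as dev-main that cannot be compared."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def classify(pkg):
    """Return (severity, reason) for one entry of the "installed" list, or None
    when the package passes. Abandoned is checked first: an up-to-date package
    that nobody maintains any more is still end-of-life."""
    abandoned = pkg.get("abandoned")  # true or replacement name (assumed Composer field)
    if abandoned:
        hint = f"use {abandoned} instead" if isinstance(abandoned, str) else "no replacement suggested"
        return ("fail", f"abandoned upstream, {hint}")
    status = pkg.get("latest-status", "up-to-date")
    if status == "up-to-date":
        return None
    installed = parse_version(pkg.get("version", ""))
    latest = parse_version(pkg.get("latest", ""))
    if installed is None or latest is None:
        return ("warn", f"cannot compare {pkg.get('version')} with {pkg.get('latest')}")
    if latest[0] > installed[0]:
        behind = latest[0] - installed[0]
        return ("fail", f"{behind} major version(s) behind ({pkg['version']} -> {pkg['latest']})")
    return ("warn", f"update available ({pkg['version']} -> {pkg['latest']})")


def check_components(report):
    """Map package name -> (severity, reason) for every package that is not clean."""
    findings = {}
    for pkg in report.get("installed", []):
        result = classify(pkg)
        if result:
            findings[pkg["name"]] = result
    return findings


# Constructed sample in the shape of `composer show --outdated --format=json`;
# version numbers are illustrative, acme/internal-lib is hypothetical.
SAMPLE_REPORT = {
    "installed": [
        {"name": "monolog/monolog", "version": "2.1.1", "latest": "2.9.2",
         "latest-status": "semver-safe-update"},
        {"name": "codeception/codeception", "version": "4.1.17", "latest": "5.0.13",
         "latest-status": "update-possible"},
        {"name": "swiftmailer/swiftmailer", "version": "v6.3.0", "latest": "v6.3.0",
         "latest-status": "up-to-date", "abandoned": "symfony/mailer"},
        {"name": "acme/internal-lib", "version": "dev-main", "latest": "1.2.0",
         "latest-status": "update-possible"},
        {"name": "moneyphp/money", "version": "v3.3.1", "latest": "v3.3.1",
         "latest-status": "up-to-date"},
    ]
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    findings = check_components(report)
    for name, (severity, reason) in sorted(findings.items()):
        print(f"{severity.upper():4} {name}: {reason}")
    return 1 if any(sev == "fail" for sev, _ in findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The gate deliberately distinguishes "a patch release exists" (warn, fix in the time-boxed hygiene slot) from "the line you run is no longer maintained" (fail, this is the end-of-life case OWASP prohibits). Pair it with composer audit or the Roave conflict list for the known-vulnerability check; being current is not the same as being free of advisories.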