New composer audit Command and security audits in Composer 2.4

Published On 26 Jun 2022

New `composer audit` command in Composer 2.4

Composer 2.4 can scan installed and newly added packages for known security vulnerabilities. When a new package is installed, or an existing package is updated, Composer checks the package versions against known security vulnerability announcements, and reports if there are any known vulnerabilities in the list of packages. There is also a new command called audit that lists reported security vulnerabilities for the current package versions.

Automatic warnings when installing/updating packages

Since Composer 2.4, updating or installing a package has an option to scan the list of installed packages for any reported security vulnerabilities using the Packagist.org Security Vulnerability API.

The composer require and composer update commands support a new --audit flag that scans the list of packages. If it encounters any vulnerable version, Composer shows a warning:

Composer showing a warning on `composer update` command if there are known vulnerabilities in the list of installed packages

It is possible to show the list of reported vulnerabilities alongside the output of the composer update and composer install commands with the new --audit-format flag. The supported values are the same as the ones supported by the composer audit command.

This security audit can be disabled with the new --no-audit flag.

composer audit command

Since Composer 2.4, there is a new command called audit that outputs a list of reported security vulnerabilities for the package versions currently installed.

`composer audit` command output

The output of the composer audit command includes every reported security vulnerability whose advisory names an installed package and whose affected version constraints match the installed version.

From each advisory matched, Composer shows the package name, CVE identifier, the title of the advisory, a link to the advisory, range(s) of affected versions, and the date when the advisory was published.

By default, Composer shows the list of advisories as a table (--format=table). It also supports plain, json and summary outputs, selected with the --format command line flag.

Composer `audit` command output as a plain list
`composer audit --format=plain` command output

Composer `audit` command output as a summary
`composer audit --format=summary` command output

Composer `audit` command output as a JSON object
`composer audit --format=json` command output

The composer update and composer install commands accept the --audit-format flag to specify the output format, e.g. composer update --audit-format=table.

Enforcing Security Audit in CI/CD Pipelines

The composer audit command exits with a status equal to the number of advisories that match the current list of installed packages.

CI/CD pipelines that need to ensure there are no known vulnerabilities before proceeding (for example, before deploying the application) can run the composer audit command as a pipeline step. If composer audit exits with a value other than zero, there is at least one reported security vulnerability in the list of installed packages. Unless otherwise configured, any command that exits with a non-zero status causes a typical CI/CD pipeline to fail.
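
A CI step built on that exit-status behaviour, as an added example (not from the original article or the Composer project); the audit_gate function and the AUDIT_REPORT variable are hypothetical names. It keeps the audit output as a report, preserves Composer's exit status, and fails the job when Composer is missing or any advisory is reported.

```shell
#!/bin/sh
# Added example: CI gate around `composer audit`.
# Assumptions: audit_gate and AUDIT_REPORT are hypothetical names chosen
# for this sketch; the working directory holds the project's composer.lock.

audit_gate() {
    report="${AUDIT_REPORT:-composer-audit.txt}"

    # Fail closed: a missing tool must not look like a clean audit.
    if ! command -v composer >/dev/null 2>&1; then
        echo "audit gate: composer not found; failing closed" >&2
        return 2
    fi

    # Redirect to a file instead of piping into `tee`: a pipeline reports
    # the status of its last command, which would hide Composer's exit code.
    # The `|| status=$?` form also keeps the script alive under `set -e`,
    # so the report is still printed when advisories are found.
    status=0
    composer audit --format=plain --no-interaction >"$report" 2>&1 || status=$?

    # Show the advisories in the job log and keep the file as an artifact.
    cat "$report"

    if [ "$status" -eq 0 ]; then
        echo "audit gate: no known advisories; continuing"
        return 0
    fi

    echo "audit gate: composer audit exited with $status; blocking the pipeline" >&2
    return 1
}

# Run the gate only when invoked as: sh audit-gate.sh run
if [ "${1:-}" = "run" ]; then
    audit_gate
    exit $?
fi
```
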

Security Vulnerability Lookup API on Packagist

packagist.org, the main source of package metadata for Composer, now has a new API that returns a list of reported security vulnerabilities for a given list of package names. Packagist routinely fetches the vulnerability information from GitHub Security Advisories and the FriendsOfPHP/security-advisories repository.

Composer uses this API to retrieve a list of security vulnerabilities, but the API is open, and other applications may use it for their own use cases too.

The JSON API endpoint is https://packagist.org/api/security-advisories/. It supports two parameters:

  • packages: Required. A list of package names to look up advisories for.
  • updatedSince: Optional. Specify a Unix timestamp to filter advisories. Only advisories updated after this timestamp will be returned.

Here is a working URL that returns security advisories for the guzzlehttp/guzzle package:

https://packagist.org/api/security-advisories/?packages[]=guzzlehttp/guzzle

Blocking Installation of Vulnerable Packages

composer audit command only audits the packages after they are installed. Roave/SecurityAdvisories is a Composer meta-package (which means it has no PHP functionality) that blocks any reportedly vulnerable package from being installed in the first place.
