

sensiolabs/security-advisories
==============================

Database of known security vulnerabilities in various PHP projects and libraries

[Source](https://github.com/FriendsOfPHP/security-advisories) · [Packagist](https://packagist.org/packages/sensiolabs/security-advisories)

PHP Security Advisories Database
================================

The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database **must not** serve as the primary source of information for security issues; it is not authoritative for any referenced software, but it centralizes the information for convenience and easy consumption.

License
-------

The PHP security advisories database is free and unencumbered software released into the public domain.

Checking for Vulnerabilities
----------------------------

To check for vulnerabilities in your applications, besides manual checks, you should use the [Local CLI tool](https://github.com/fabpot/local-php-security-checker):

```
local-php-security-checker --path=/path/to/composer.lock
```

**TIP**: If you are using GitHub, you can use the PHP Security Checker [GitHub Action](https://github.com/marketplace/actions/the-php-security-checker) to automatically check for vulnerabilities when pushing code.

Contributing
------------

Contributing security advisories is as easy as it can get:

- You can contribute a new entry by sending a pull request or by creating a file directly via the GitHub interface;
- Create a directory based on the Composer name of the software where the security issue exists (use `symfony/http-foundation` for an issue in the Symfony HttpFoundation component for instance);
- Each security issue must be saved in a file where the name is the CVE identifier (preferred) or the date when the security issue was announced followed by an increment (`2012-12-12-1` for instance);
- The file is in the YAML format and **must** contain the following entries (have a look at existing entries for examples):

    - `title`: A text that describes the security issue in a few words;
    - `link`: A link to the official security issue announcement (HTTPS links are preferred over HTTP ones);
    - `reference`: A unique reference to identify the software (the only supported scheme is `composer://` followed by the Composer identifier);
    - `branches`: A hash of affected branches, where the name is the branch name (like `2.0.x`), and the value is a hash with the following entries:

        - `time`: The date and time in UTC when the security issue was fixed, or null if the issue is not fixed yet (most of the time, the date of the **merge** commit that fixed the issue, in the following format: `2012-08-27 19:17:44`) -- this information must be as accurate as possible, as it is used to determine whether a project is affected or not;
        - `versions`: An array of constraints describing affected versions for this branch (this is the same format as the one used for Composer -- `['>=2.0.0', '
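As an added example (not code from this repository or from the checker it links to), here is a small Python check that takes an advisory in the shape the list above describes and matches it against the `packages` list of a `composer.lock`. The advisory, package names and version constraints are constructed for illustration, and only the explicit comparison operators used in advisory entries are supported (no `^` or `~` shorthands).

```python
import re

# Constructed advisory mirroring the YAML keys the README requires; every value is made up.
ADVISORY = {
    "title": "Constructed example: header injection in acme/example-lib",
    "link": "https://example.invalid/advisory-placeholder",
    "reference": "composer://acme/example-lib",
    "branches": {
        "1.0.x": {"time": "2020-01-10 12:00:00", "versions": [">=1.0.0", "<1.0.5"]},
        "2.0.x": {"time": None, "versions": [">=2.0.0"]},  # null time: not fixed yet
    },
}
# Constructed composer.lock "packages" excerpt; only name and version matter here.
LOCK_PACKAGES = [{"name": "acme/example-lib", "version": "v1.0.3"},
                 {"name": "other/unrelated", "version": "3.1.0"}]
_CONSTRAINT = re.compile(r"^(>=|<=|!=|==|>|<)\s*v?(\d+(?:\.\d+)*)$")

def parse_version(version):
    """'v1.0.3' -> (1, 0, 3). Pre-release suffixes such as -RC2 are ignored."""
    match = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def satisfies(version, constraint):
    """True if `version` meets one comparison constraint such as '<1.0.5'."""
    match = _CONSTRAINT.match(constraint.strip())
    if not match:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, left, bound = match.group(1), parse_version(version), parse_version(match.group(2))
    width = max(len(left), len(bound))            # pad so that 1.0 compares equal to 1.0.0
    left, bound = left + (0,) * (width - len(left)), bound + (0,) * (width - len(bound))
    return {">=": left >= bound, "<=": left <= bound, ">": left > bound,
            "<": left < bound, "==": left == bound, "!=": left != bound}[op]

def affected_branches(advisory, installed):
    """Branch names whose constraints (all must hold) match the installed version."""
    return [name for name, branch in advisory["branches"].items()
            if all(satisfies(installed, c) for c in branch["versions"])]

def check_lock(advisories, packages):
    """Map each installed package name to the titles of advisories affecting it."""
    installed = {p["name"]: p["version"] for p in packages}
    hits = {}
    for advisory in advisories:
        scheme, _, name = advisory["reference"].partition("://")  # README: only composer://
        if scheme == "composer" and name in installed and affected_branches(advisory, installed[name]):
            hits.setdefault(name, []).append(advisory["title"])
    return hits
```

Running `check_lock([ADVISORY], LOCK_PACKAGES)` reports `acme/example-lib` (installed `v1.0.3`, inside the `1.0.x` range) and ignores the unrelated package.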
