Abandoned | Archived | Tool | [Security](/categories/security)

shone/scanner
=============

A scanner to determine if the version of the popular open source software you are running is vulnerable.

v1.1.4 (11y ago) | MIT | PHP >=5.3.2

[Source](https://github.com/xsist10/shone-phar) | [Packagist](https://packagist.org/packages/shone/scanner) | [Docs](https://www.shone.co.za/)

shone-phar
==========


A command-line tool for interacting with the Shone Web Scanner API.

Getting started
---------------

**To perform scans you will need to create a free account on **

***To get an API Key, log into your account and go to the API tab ()***

The easiest way to get started is to download the phar file:

```
# Fetch over HTTPS; without a scheme wget defaults to plain HTTP
$ wget https://raw.github.com/xsist10/shone-phar/master/shone.phar && chmod +x shone.phar
```

Alternatively you can use [composer](http://www.getcomposer.org)

```
{
    "require": {
        "shone/scanner": "1.0.*@dev"
    }
}

```

To install the phar globally, do the following:

```
$ mv shone.phar /usr/local/bin/shone

```

Updating the phar
-----------------

If you are using the `shone.phar` file, you can update it to the latest version by running the following command:

```
$ ./shone.phar self-update

```

Setting up your configuration
-----------------------------

A few basic settings make the tool easier to use. Set your API key first; the configuration file is stored in your home folder (`~/shone.json` or a similar location).

```
# Set the API key so you don't need to declare it everywhere
$ ./shone.phar set-config --key "[API KEY]"

# This is not recommended: --no-cert-check=1 turns off SSL certificate checking
$ ./shone.phar set-config --common-checksum=0 --no-cert-check=1
```

Using the scanner
-----------------

**Local file system**

You can scan a web directory like this:

```
$ ./shone.phar scan --key "[API KEY]" --label "Website Label" /path/to/web/folder

```

Or, if you prefer to use the code directly (remember to run `composer update` first):

```
$ ./bin/shone scan --key "[API KEY]" --label "Website Label" /path/to/web/folder

```

If everything went OK, you will be given a URL where you can find the result of your scan.

**Fingerprint a local file**

You can find out what software package a file belongs to by running the fingerprint command:

```
$ ./shone.phar fingerprint --key "[API KEY]" /path/to/file

```

Expected result:

```
Result: 11 matches found
+----------+-----------+------------+
| Software | Version   | Status     |
+----------+-----------+------------+
| Joomla!  | 2.5.9     | Vulnerable |
| Joomla!  | 2.5.9     | Vulnerable |
| Joomla!  | 2.5.11    | Vulnerable |
| Joomla!  | 2.5.10    | Vulnerable |
| Joomla!  | 2.5.12    | Vulnerable |
| Joomla!  | 2.5.14    | Vulnerable |
| Joomla!  | 2.5.13    | Vulnerable |
| Joomla!  | 2.5.16    | Secure     |
| Joomla!  | 2.5.15    | Secure     |
| Joomla!  | 2.5.17.rc | Secure     |
| Joomla!  | 2.5.17    | Secure     |
+----------+-----------+------------+

```

**Remote file system**

You can scan a remote web directory via FTP like this:

```
$ ./shone.phar ftpscan --username [USERNAME] --password --key="[API KEY]" --label "Website Label" [FTP HOST] /path/to/web/folder

```

There are a number of additional FTP options which will be listed if you run:

```
$ ./shone.phar ftpscan --help

```

Getting results
---------------

**Get one job result**

When you submit a job to the API, you will get a URL that will link directly to your scan result. You can also use the hash value to pull the result via the API like this:

```
$ ./shone.phar job --hash="[HASH]"

```

Expected result:

```
Found 2 results.

Path: /
+----------+---------+------------+-------+--------+
| Software | Version | Status     | Risk  | Match  |
+----------+---------+------------+-------+--------+
| Joomla!  | 2.5.10  | vulnerable | 10/10 | 97.00% |
| Joomla!  | 2.5.11  | vulnerable | 10/10 | 96.00% |
| Joomla!  | 2.5.12  | vulnerable | 10/10 | 94.00% |
| Joomla!  | 2.5.13  | vulnerable | 10/10 | 94.00% |
| Joomla!  | 2.5.14  | vulnerable | 7/10  | 94.00% |
+----------+---------+------------+-------+--------+

Path: media/editors/tinymce/jscripts/tiny_mce
+----------+---------+--------+------+--------+
| Software | Version | Status | Risk | Match  |
+----------+---------+--------+------+--------+
| tinymce  | 3.5.2   | secure | N/A  | 10.00% |
| tinymce  | 3.5.3   | secure | N/A  | 10.00% |
| tinymce  | 3.5.4   | secure | N/A  | 10.00% |
| tinymce  | 3.5.4.1 | secure | N/A  | 10.00% |
| tinymce  | 3.5.3.1 | secure | N/A  | 10.00% |
+----------+---------+--------+------+--------+

```
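The table above lists several candidate versions per path, each with a status, risk and match percentage. The following shell functions are an added example, not part of shone-phar: they read that table on stdin, keep only `vulnerable` rows at or above a chosen match percentage, and return a non-zero status so a cron job or CI step can fail on findings. The function names and the sample (rows copied from the output above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of shone-phar. Parses the table printed by
# `shone.phar job --hash=...` in the layout shown in the README.

# Constructed sample: rows copied from the README's expected result.
sample_job_output() {
cat <<'EOF'
Found 2 results.

Path: /
+----------+---------+------------+-------+--------+
| Software | Version | Status     | Risk  | Match  |
+----------+---------+------------+-------+--------+
| Joomla!  | 2.5.10  | vulnerable | 10/10 | 97.00% |
| Joomla!  | 2.5.14  | vulnerable | 7/10  | 94.00% |
+----------+---------+------------+-------+--------+

Path: media/editors/tinymce/jscripts/tiny_mce
+----------+---------+--------+------+--------+
| Software | Version | Status | Risk | Match  |
+----------+---------+--------+------+--------+
| tinymce  | 3.5.2   | secure | N/A  | 10.00% |
+----------+---------+--------+------+--------+
EOF
}

# Print "path<TAB>software<TAB>version<TAB>risk<TAB>match" for each
# vulnerable row whose match percentage is at least $1 (default 50).
shone_findings() {
  awk -F'|' -v min="${1:-50}" '
    /^Path: / { path = substr($0, 7); next }      # remember current path
    NF >= 6 && $2 !~ /Software/ {                 # data rows only
      for (i = 2; i <= 6; i++) gsub(/^ +| +$/, "", $i)
      pct = $6; sub(/%$/, "", pct)
      if ($4 != "vulnerable" || pct + 0 < min) next
      split($5, risk, "/")                        # "10/10" -> 10
      printf "%s\t%s\t%s\t%s\t%s\n", path, $2, $3, risk[1], pct
    }'
}

# Return 1 (and list findings on stderr) when any finding remains.
shone_gate() {
  findings=$(shone_findings "$1")
  if [ -z "$findings" ]; then return 0; fi
  printf '%s\n' "$findings" >&2
  return 1
}
```

Typical use is `./shone.phar job --hash="[HASH]" | shone_gate 90`; low match percentages such as the 10.00% tinymce rows are weak identifications, so pick the threshold with that in mind.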

**Get recent jobs**

You can pull the jobs for the month by calling this:

```
$ ./shone.phar job --key="[API KEY]"

```

Expected result:

```
Found 1 job(s).

+------------+----------------------------------+------------+----------+------------------------------------------------------+
| Date       | Job                              | Status     | Severity | Details                                              |
+------------+----------------------------------+------------+----------+------------------------------------------------------+
| 2014-04-13 | 14dd8544av1f6f2ea1d55319625f7744 | vulnerable | 10/10    | 2 bundle(s) found in 4444 file(s) on xxx.xxx.xxx.xxx |
+------------+----------------------------------+------------+----------+------------------------------------------------------+

```

You can search for the latest scan for a particular label by using the label flag:

```
$ ./shone.phar job --key="[API KEY]" --label="Website Label"

```

Compiling the phar
------------------

You can recompile the phar by calling:

```
$ ./bin/compile && chmod +x shone.phar

```

You can then copy the phar to any server or directory you wish and use it as a stand-alone executable.

More information
----------------

For more information run:

```
$ ./shone.phar

```

Using the library directly
--------------------------

If you wish to write your own code to use the Shone API, you can use the library directly like this:

```
<?php
// Load the Composer autoloader (run `composer update` first)
require 'vendor/autoload.php';

use Shone\Scanner\Scanner;
use League\Flysystem\Filesystem;
use League\Flysystem\Adapter\Local;

$scanner = new Scanner();

// Set your API key
$scanner->setKey("[API KEY]");

// Enable SSL certificate checking
$scanner->setCertCheck(true);

// Set the label of the job you want to submit or search for
$scanner->setLabel("Website Label");

// You can build a list of files any way you want, like:
// $files = array('/path/to/file1', '/path/to/file2');
// I find the easiest way is like this:
$filesystem = new Filesystem(new Local("path/to/scan"));
$files = $scanner->buildFileList($filesystem);

// Build our packet to send to the API
$packet = $scanner->buildJobPacket($filesystem, $files);

// Send the packet to the API
$result = $scanner->submitJob($packet);

if ($result['Status'] != 'Success') {
    // Something went wrong
    throw new \Exception($result['Detail']);
} else {
    $hash = $result['Hash'];
}

// Wait a little while and attempt to get the result (might take a few seconds to process)
$max_retry = 5;
$attempt = 1;
// Use <= so that all $max_retry attempts are made
while ($attempt <= $max_retry)
{
    sleep(2);
    $job = $scanner->getJob($hash);
    if (empty($job['status']) || $job['status'] != 'In progress')
    {
        break;
    }
    $attempt++;
}

// The job result:
print_r($job);
```

Contributing
------------

Please see [CONTRIBUTING](https://github.com/xsist10/shone-phar/blob/master/CONTRIBUTING.md) for details.

Maintainer: [Thomas Shone](/maintainers/xsist10) ([@xsist10](https://github.com/xsist10))

