Friday 21 February 2014

[dcphp-dev] Re: Composer vulnerability

Hi Oscar,

Thanks for pointing this out.

I think that composer is great, and I use it a lot in PHP projects.

I recently heard a talk at the Java Users' Group (NOVA JUG) on a similar problem with maven.  The focus of the talk was using frameworks and libraries with known vulnerabilities.  Some frameworks and libraries are not regularly updated, and some use old versions of libraries with known vulnerabilities.  This is a big problem, especially if you run your code with super user privileges (see #9 in the top 10 vulnerabilities in https://www.owasp.org/index.php/Top_10_2013-Top_10).  The solution proposed was to manage your own maven repo so that you have a golden repo at a point in time.  Sonatype (http://www.sonatype.com/) has such a solution for maven.

By the way, Maven Central has 260,000 artifacts and serves 70 million downloads every week (http://blog.sonatype.com/2010/12/now-available-central-download-statistics-for-oss-projects/).  Packagist.org has 142 million packages (24,492 packages with 87,349 versions) and about 160 million downloads a month (https://packagist.org/statistics).

David



On Thursday, February 20, 2014 4:31:34 PM UTC-5, Oscar Merida wrote:
Hey folks,

If you use composer to install dependencies, you should be aware that
you should be checking what it's actually downloading when you run
composer install. See this post here:
http://blog.astrumfutura.com/2014/02/composer-downloading-random-code-is-not-a-security-vulnerability/

-Oscar

--
You received this message because you are subscribed to the Google
Group: "Washington, DC PHP Developers Group" - http://www.dcphp.net
To post, send email to washington-dcphp-group@googlegroups.com
To unsubscribe, send email to washington-dcphp-group+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/washington-dcphp-group?hl=en
