phpro / grumphp

A PHP code-quality tool
MIT License

sensiolabs/security-checker is abandoned and replaced by fabpot/local-php-security-checker #865

Closed Orteko closed 3 years ago

Orteko commented 3 years ago
| Q | A |
| --- | --- |
| Version | 0.18.1 |
| Bug? | no |
| New feature? | no |
| Question? | no |
| Documentation? | no |
| Related tickets | N/A |

sensiolabs/security-checker has been marked as abandoned and the free api at security.symfony.com will be stopped at the end of January 2021.

It has apparently been replaced by fabpot/local-php-security-checker so the securitychecker task may need to be updated to move to use this instead.

ctrl-f5 commented 3 years ago

As we don't want to mess around with binaries and want to keep everything inside our composer, we are looking into switching to https://github.com/Roave/SecurityAdvisories

It uses the same source repo to check for vulnerabilities as fabpot/local-php-security-checker.

One caveat is that it only runs checks during require and update, but it could be triggered by grumphp with:

composer update --dry-run roave/security-advisories
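One way to wire that dry-run command into a GrumPHP run, as an added example rather than anything posted in the thread: it uses GrumPHP's generic `shell` task (the `shell` task name, its `scripts` option and the `grumphp.yml` path are assumed from GrumPHP's own documentation) and assumes roave/security-advisories is already a dev requirement.

```yaml
# grumphp.yml (assumed path) -- added example, not from the issue thread.
# Assumes the project ran: composer require --dev roave/security-advisories:dev-latest
grumphp:
  tasks:
    # Generic shell task (task name and 'scripts' option assumed from GrumPHP docs).
    # Re-resolves only roave/security-advisories against the current lock file;
    # composer exits non-zero when an installed package version matches one of
    # the package's conflict rules, i.e. a known advisory, so the hook fails.
    shell:
      scripts:
        - ['-c', 'composer update --dry-run roave/security-advisories']
```

The check only sees packages already in the lock file, so it complements rather than replaces the resolution-time blocking the Roave package performs during require and update.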

veewee commented 3 years ago

@ctrl-f5 : Maybe we could make 2 tasks instead? The task takes some configurable options, which won't be possible with the package from roave.

So we could change the existing task and extend it with an option to select the executable: symfony or local-php-security-checker. Besides that, we could add the one from roave as a separate task.

ctrl-f5 commented 3 years ago

yup, having both options will be best. I will try and find the time to create a task for the roave package.

paras-malhotra commented 3 years ago

Guys, you can consider the Enlightn Security Checker. No binaries needed, can be pulled in with Composer, no licensing issues (MIT license) and has in-built HTTP caching.

JeppeKnockaert commented 3 years ago

As @paras-malhotra stated, local-php-security-checker doesn't seem a good alternative due to licensing.

If there's still interest in using local-php-security-checker, or if their license were to change, you can always reopen https://github.com/phpro/grumphp/pull/871 (or use it as a starting point).

Orteko commented 3 years ago

Awesome - thanks guys!