I've been running this repo for over three years. One of the coolest things about it (IMO), is that it self-updates, sourcing directly from the PHP changelog twice a day. Over the past three years, I put together some stats and found that PHP Version Audit has discovered CVE announcements on median of 5 hours after the Changelog update. The NVE CVE database gets updated with the CVEs on median of 260 hours - or almost 11 days after the Changelog update. That makes PHP Version Audit 98% faster at notifying of new CVEs than other tools that source from the CVE Database. I think that is pretty cool!
Beyond all that, its designed to be used programmatically. Set it up in your CI/CD to get notified when its time to bump that PHP version in your Dockerfile.
Usage
Using the docker image, you could check a vulnerable docker version (8.1.11):
$ docker run --rm -t lightswitch05/php-version-audit:latest --fail-security --version=8.1.11
{
"auditVersion": "8.1.11",
"hasVulnerabilities": true,
"hasSecuritySupport": true,
"hasActiveSupport": true,
"isLatestPatchVersion": false,
"isLatestMinorVersion": false,
"isLatestVersion": false,
"latestPatchVersion": "8.1.15",
"latestMinorVersion": "8.2.2",
"latestVersion": "8.2.2",
"activeSupportEndDate": "2023-11-25T00:00:00+0000",
"securitySupportEndDate": "2024-11-25T00:00:00+0000",
"rulesLastUpdatedDate": "2023-02-13T02:56:21+0000",
"vulnerabilities": {
"CVE-2022-31630": {
"id": "CVE-2022-31630",
"baseScore": 7.1,
"publishedDate": "2022-11-14T07:15:00+0000",
"lastModifiedDate": "2022-12-23T17:05:00+0000",
"description": "In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information."
},
"CVE-2022-37454": {
"id": "CVE-2022-37454",
"baseScore": 9.8,
"publishedDate": "2022-10-21T06:15:00+0000",
"lastModifiedDate": "2022-12-08T15:41:00+0000",
"description": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface."
},
"CVE-2022-31631": null
}
}
Or, you could pipe in the Host's PHP version directly:
lightswitch05
commented
1 year ago
Intro
PHP Version Audit: A tool to programmatically check a PHP version for known CVEs and support end dates. Great for CI/CD builds.
Why should it be included?
I've been running this repo for over three years. One of the coolest things about it (IMO), is that it self-updates, sourcing directly from the PHP changelog twice a day. Over the past three years, I put together some stats and found that PHP Version Audit has discovered CVE announcements on median of 5 hours after the Changelog update. The NVE CVE database gets updated with the CVEs on median of 260 hours - or almost 11 days after the Changelog update. That makes PHP Version Audit 98% faster at notifying of new CVEs than other tools that source from the CVE Database. I think that is pretty cool!
Beyond all that, its designed to be used programmatically. Set it up in your CI/CD to get notified when its time to bump that PHP version in your Dockerfile.
Usage
Using the docker image, you could check a vulnerable docker version (
8.1.11):Or, you could pipe in the Host's PHP version directly: