If you are wondering where the data of this site comes from, please visit https://api.github.com/users/CyberJack/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
Peter Bottenberg (CyberJack), @isaaceindhoven, Boxtel, The Netherlands, https://bottenberg.dev. Lead Software Developer at @isaaceindhoven.

CyberJack/chrome_guid 1

Random Guid/Uuid Generator extension for chrome

CyberJack/dbeaver 1

Docksal addon to launch DBeaver with the connection information from the current project.

CyberJack/dotfiles 1

My personal dotfiles

CyberJack/addons 0

Community driven, submit your addon! Docksal addons that can be installed via `fin addon install` command.

CyberJack/docksal 0

Unified, Docker 🐳 powered web development environment for macOS, Windows, and Linux

CyberJack/hugo-mx-gateway 0

Contact/demo forms handler for static sites. Deploy in minutes on Google App Engine, Kubernetes, or Docker. Tested with Hugo.

CyberJack/lodestone 0

Personal Document Archiving (DMS, EDMS for Personal/Home Office use)

CyberJack/mysql_migrate 0

Script to help you migrate MySQL databases, users and rights to a new server.

CyberJack/php-meminfo 0

PHP extension to get insight about memory usage

issue comment FriendsOfPHP/security-advisories

Add level of severity for PHP Security Advisories

Indeed, I think getting a CVE is the way to go to give more details. This repository is "just" a database that references where to find more information.

TheGarious

comment created time in 2 days

issue comment FriendsOfPHP/security-advisories

Add level of severity for PHP Security Advisories

@fabpot avoiding the duplication is certainly a good approach, but what about the advisories which don't have a CVE reference? Should the goal be in these cases to create a matching CVE?

TheGarious

comment created time in 2 days

push event FriendsOfPHP/security-advisories

Freshleaf Media

commit sha 539d4734bd4714cce227e9d2b30ec51521ff1af9

Adds a vulnerability record for the facade/ignition RCE: CVE-2021-3129


Freshleaf Media

commit sha 181a9909d2f13bc705c0c9d0f957c9b9d4d66293

Adds an additional version constraint for the v1 version


Freshleaf Media

commit sha cbbaa0470af2a8a7fde59f25e649200f8286d741

Removes invalid bound


Freshleaf Media

commit sha d5c1af0f5e32ebfcdbec917622be15e6676b2a4d

Adds constraint for v1


Nils Adermann

commit sha 5a6ad8e2f99fd772c37311bc086cf1964f064db0

Merge pull request #536 from freshleafmedia/vuln/cve-2021-3129 Adds Record For facade/ignition RCE: CVE-2021-3129


push time in 4 days

PR merged FriendsOfPHP/security-advisories

Adds Record For facade/ignition RCE: CVE-2021-3129

This PR adds a record for the facade/ignition RCE vulnerability.

  • https://www.ambionics.io/blog/laravel-debug-rce
  • https://github.com/facade/ignition/pull/334
  • https://github.com/facade/ignition/pull/353
+11 -0

12 comments

1 changed file

freshleafmedia

pr closed time in 4 days
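The record merged above is the kind of entry that the security checkers discussed further down this page consume. As an added example that is not part of this page, the PR, or the FriendsOfPHP project, the Python script below matches a composer.lock against an advisory written in the database's YAML layout (title, link, cve, branches with ANDed version constraints, reference composer://vendor/package), transcribed into a dict so that no YAML library is needed. The advisory content, the version bounds and the composer.lock excerpt are constructed for illustration; the bounds are assumptions, so consult the real facade/ignition record before relying on them.

```python
"""Match a composer.lock against FriendsOfPHP-style advisory records.

Added example, not code from the page or from any project.  The advisory
data mirrors the layout of a security-advisories YAML file but is
transcribed to a dict; bounds are illustrative assumptions.
"""
import json
import re
from typing import Dict, List, Optional, Tuple, Union

Version = Tuple[int, ...]

# Constructed advisory in the shape of a security-advisories YAML file
# (e.g. facade/ignition/CVE-2021-3129.yaml), keyed by composer package.
# The version bounds are ASSUMED for illustration, not copied from the
# database; the real record is authoritative.
ADVISORIES: Dict[str, List[dict]] = {
    "facade/ignition": [
        {
            "title": "Remote code execution",
            "link": "https://www.ambionics.io/blog/laravel-debug-rce",
            "cve": "CVE-2021-3129",
            "branches": {
                "1.x": {"versions": [">=1.0.0", "<1.16.14"]},
                "2.x": {"versions": [">=2.0.0", "<2.5.2"]},
            },
            "reference": "composer://facade/ignition",
        }
    ]
}

# Constructed composer.lock excerpt (only the fields the check needs).
SAMPLE_LOCK = {
    "packages": [
        {"name": "facade/ignition", "version": "2.5.1"},
        {"name": "monolog/monolog", "version": "2.2.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.5.2"},
    ],
}

_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Optional[Version]:
    """Turn 'v1.16.13' into (1, 16, 13, 0).  Branch aliases such as
    'dev-master' have no numeric form and yield None."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 2.5 == 2.5.0.0


def parse_constraint(text: str) -> Tuple[str, Version]:
    """Split '<1.16.14' into ('<', (1, 16, 14, 0))."""
    m = re.match(r"^(>=|<=|==|!=|>|<)\s*(\S+)$", text.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {text!r}")
    bound = parse_version(m.group(2))
    if bound is None:
        raise ValueError(f"unsupported constraint: {text!r}")
    return m.group(1), bound


def matches_branch(version: str, constraints: List[str]) -> bool:
    """True when the installed version satisfies every constraint of one
    advisory branch (constraints within a branch are ANDed)."""
    v = parse_version(version)
    if v is None:
        return False
    return all(_OPS[op](v, bound) for op, bound in map(parse_constraint, constraints))


def check_lock(lock: Union[str, dict], advisories=ADVISORIES) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (package, version, cve, branch) for every advisory hit.
    A package that has advisories but whose version cannot be evaluated
    (e.g. dev-master) is reported as UNEVALUATED instead of silently passing,
    so a branch alias never hides a known-vulnerable dependency."""
    data = json.loads(lock) if isinstance(lock, str) else lock
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name, version = pkg["name"], pkg["version"]
            if name not in advisories:
                continue
            if parse_version(version) is None:
                findings.append((name, version, "UNEVALUATED", None))
                continue
            for adv in advisories[name]:
                for branch, spec in adv["branches"].items():
                    if matches_branch(version, spec["versions"]):
                        findings.append((name, version, adv["cve"], branch))
    return findings


if __name__ == "__main__":
    for name, version, cve, branch in check_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {cve} (branch {branch})")
```

Two caveats a practitioner should keep in mind: the database expresses affected ranges per branch, so the upper bound of one branch (here the assumed 1.16.14 for 1.x) says nothing about another branch, and a checker must evaluate every branch; and Composer branch aliases such as dev-master cannot be compared numerically, so they should be surfaced rather than treated as clean.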

pull request comment FriendsOfPHP/security-advisories

Adds Record For facade/ignition RCE: CVE-2021-3129

I see that the 1.16.14 release has been fixed in the meantime, so merging it now.

freshleafmedia

comment created time in 4 days

pull request comment FriendsOfPHP/security-advisories

Adds Record For facade/ignition RCE: CVE-2021-3129

How far is this from getting merged? There seems to be active probing for this vulnerability according to greynoise: [image] https://twitter.com/nathanqthai/status/1367130234663940110

freshleafmedia

comment created time in 4 days

started isaaceindhoven/php-code-sniffer-standard

started time in 5 days

push event FriendsOfPHP/security-advisories

Pierre Rudloff

commit sha ab0d6cf853ba1b36e1f3221506ed414dd19b402d

New Smarty CVEs


Nils Adermann

commit sha ab0c65457544d6f7e2ce7ebeba36b87cb2d42fa3

Merge pull request #538 from Rudloff/smarty New Smarty CVEs


push time in 9 days

PR merged FriendsOfPHP/security-advisories

New Smarty CVEs

See https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md#3139---2021-02-17

+16 -0

0 comment

2 changed files

Rudloff

pr closed time in 9 days

PR opened FriendsOfPHP/security-advisories

New Smarty CVEs

See https://github.com/smarty-php/smarty/blob/master/CHANGELOG.md#3139---2021-02-17

+16 -0

0 comment

2 changed files

pr created time in 9 days

issue comment FriendsOfPHP/security-advisories

Work with Github to fix their Advisory Database importer?

Thanks for looking into this! We've got CVEs (through Mitre) for 57 vulns, yet Github lists only 7. See NVD for "silverstripe" vendor. So even for the CVE import (which they appear to be doing through NVD) I'm not quite sure how that importer functions.

Symfony appears to have the same issue: 16 advisories in Github, and well over 30 advisories in symfony.com.

Maybe you could try contacting them? Github Advisories are such a useful feature for the PHP community if they can make them accurate. I've tried my luck already, might carry more weight if it comes from another PHP project and the maintainer of the source they've claimed to import before?

chillu

comment created time in 10 days

fork jeroennoten/phpstan-src

PHPStan's source code. This is where development happens. Check https://github.com/phpstan/phpstan for the distribution repository.

https://phpstan.org/

fork in 12 days

issue comment FriendsOfPHP/security-advisories

Work with Github to fix their Advisory Database importer?

Looks like they stopped importing this database at all.

For the silverstripe case, I would say that the ones appearing on github are the ones that have a CVE assigned, because they are imported by Github from the CVE database.

chillu

comment created time in 13 days

issue opened FriendsOfPHP/security-advisories

Work with Github to fix their Advisory Database importer?

Github used to import FriendsOfPHP vulnerabilities until at some point last year (see an archived version of their docs). I've been in contact with Github support twice to flag that their importer seems to be broken - it's only importing a fraction of the advisories we (silverstripe) publish to FriendsOfPHP.

I might have been the cause for Github removing claims about importing FriendsOfPHP, in my view security related features and information should provide high quality data - and showing the occasional vulnerability alert for our ecosystem meant that devs will get a false sense of security through the feature. The lack of alerts on their Github repo does not mean they run a secure installation of our dependencies.

Have you contacted Github about this in any way? It's such a useful feature to the PHP community, I'm keen to get some momentum for them to reinstate their importer.

created time in 13 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

Here's my take:

  1. In my opinion, the installation issue highlighted is not a major one. As @Ocramius suggested, there are several ways around it. It's worth considering whether downloading a binary is really any better. A Composer installation may not be perfect but imo it's definitely easier to update than checking the release page and downloading a new binary (specific to system arch).
  2. Even if the binary installation method is preferred, we always have the option to download the PHAR.
  3. There are several advantages with the Enlightn Security Checker that we should also consider. Firstly, there are many libraries that need PHP APIs to scan PHP vulnerabilities in code. Secondly, an AGPL license is very restrictive and it's not possible to use the Local CLI because of its restrictive licensing policy. In fact, many companies like Google have a strict NO to AGPL and for good reason.

I don't think it's an either OR situation. There's no taking away that due to licensing and the PHP API, there are several use cases that are simply not possible using the current recommended options. That's why the question is not Local CLI vs Enlightn Security Checker. The question is should we add it as an option to possibly serve other use cases. Can it serve other use cases that currently are not possible with the recommended options?

I would appreciate if there is an independent review from another maintainer who considers all the factors mentioned above.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

Even without composer global installs, it's trivial to mkdir my-tool && cd my-tool && composer require enlightn/security-checker, which works pretty much OK.

Given the homepage already lists some tools, I don't see why it is not in line with this package to suggest other libraries/binaries that use it for a good purpose.

Otherwise, I don't see a reason to have things like the security checker and such being there either :shrug:

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

@nicolas-grekas You'll find I'm the first one to tell people not to use composer global at all. When adding that option it was really against my better judgement due to popular demand and there's been nothing but problems with it since.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

@nicolas-grekas, how is downloading binaries easier to update than Composer global? Also, we have a downloadable PHAR available as well if that's what you prefer. Besides, Sensiolabs security checker had the exact same installation options for 8 years and where were these objections then?

Also, have you gone through the pros listed above? Don't you think they have various advantages over the current recommended options?

I am just asking for an independent review by other maintainers. I am not accusing of @fabpot being biased but I am saying that he may have been biased because I don't see any other valid reason to avoid/reject this PR despite me giving an explanation that his objection wasn't valid for this package.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

I personally don't think that tools managed by composer global are workable in practice. They're too easy to forget to update, etc. I've used composer global in the past, with hope, but I think it just doesn't work in practice (no offense to the work done by @naderman and others on the topic!)

I'd much prefer something like https://github.com/composer/composer/issues/9636 (or any of the alternatives discussed there) to become mainstream. As such, I consider @fabpot's objection still valid.

About "dictatorship" and "bias", this is just not fair. Rejecting this doesn't prevent anyone from using your work @paras-malhotra. It might just not make it as visible as you'd like to, but this is not something that this very repo is aimed at - giving visibility to specific work.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

Despite my explanation that your objection was not applicable to the package, you closed this PR without any reason or follow-up comment. You ran Sensiolabs security checker for 8 years with the exact same installation options. Forgive me if I think you're biased but I can't think of any other reason here.

Yes, you gave many years to the community for free but the past doesn't justify the present. Here, it just seems that you're discouraging other open source packages that have perfectly valid use cases and are already widely adopted by the PHP community.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

WHAT? I think you are going too far now. Biased? Dictatorship? After giving so many years to the community for free? I've even open-sourced the tool. You have not even understood my objection. I'm very disappointed.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

@fabpot I don't understand this. Did you go through my comments above? The reason why you didn't want to add this is not applicable to the Enlightn Security Checker. It is not a requirement to pull this in as a project dependency.

@naderman I would request if the other maintainers can look into this. Since Enlightn directly competes with Symfony Insights, I think Fabien might be biased here and would appreciate an independent review of this PR. FriendsOfPHP is meant to be a community organization, not a dictatorship.

paras-malhotra

comment created time in 19 days

PR closed FriendsOfPHP/security-advisories

Add the Enlightn security checker

Just released a security checker package that is similar to the Sensiolabs security checker (now deprecated). I'm adding this to the Readme so that people are aware of this and can use it.

Benefits / differentiation of this package include:

  • Can be pulled in with Composer.
  • Exposes a PHP API.
  • Licensed under the MIT license.

The package is backed with tests and implements HTTP caching while pulling in the Advisories database from Github. 🚀

+10 -4

8 comments

1 changed file

paras-malhotra

pr closed time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

Thank you for the discussion. Closing now.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

To follow up on this, I will detail the Pros and Cons of using the Enlightn Security Checker:

Cons: I cannot think of any con really. The installation reason that you mentioned is actually not valid. It doesn't need to be a project dependency. Project dependency installation is an option, not a requirement.

Pros:

  • Easy installation via Composer: People scanning for PHP vulnerabilities are more than likely to have Composer installed and would want an easy installation rather than downloading binaries that are dependent on system architecture (local CLI tool and Symfony CLI).
  • Exposes a PHP API: Many tools such as Drush, GrumPHP, etc. prefer a PHP library to perform their checks for easy integration with their tools.
  • Licensing: The Local CLI tool is licensed under AGPL whereas the Enlightn Security Checker is licensed under the MIT license (which is much more permissive).

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

@fabpot, with a Composer global require, it is not needed to add this as a dependency to the project. In fact, that is the recommended option.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

I'm :-1: to add this reference here. The main reason is that I don't like to add tools as dependencies to projects. That's one of the reasons I've coded this tool in Go instead of PHP. I can understand that this is controversial, but I will stick to my gut feeling here.

paras-malhotra

comment created time in 19 days

pull request comment FriendsOfPHP/security-advisories

Add the Enlightn security checker

@naderman is it possible for you to review and merge this PR? Seems like Fabien is busy / not responsive, so was just wondering if some of the other maintainers can look into this?

paras-malhotra

comment created time in 19 days