Security Advisories Checker on Travis/Circle CI

Slide 1

Slide 1 text

Security Advisories Checker on (Travis|Circle) CI PHP BLT#2 @serima

Slide 2

Slide 2 text

@serima • PHP Developer @ Zappallas • mag2 -> GREE -> Zappallas • http://serima.co/blog • Recent topics • WordPress on PHP 7, HTTP/2 • Setup Sakura-VPS with Ansible • ࠷ۙͷڵຯ • ೋࢎԽ୸ૉೱ౓ͷܭଌʢ·ͩ΍ͬͯͳ͍ʂʣ

Slide 3

Slide 3 text

SensioLabs Security Advisories Checker • SensioLabs ࣾ੡ͷϥΠϒϥϦ੬ऑੑνΣοΧʔ

Slide 4

Slide 4 text

SensioLabs • Symfony / Twig / Silex ͳͲΛ։ൃ͍ͯ͠Δϑϥϯεͷ ձࣾ • ࠷ۙͩͱɺϓϩϑΝΠϥπʔϧ blackﬁre.io ΛϦϦʔε ͨ͠

Slide 5

Slide 5 text

composer.lock Ͱ൑ఆ • Online Checker • ΢Σϒ্Ͱ composer.lock ΛΞοϓϩʔυ • CLI Checker • CLI Tool Λμ΢ϯϩʔυͯ͠ίϚϯυϥΠϯ࣮ߦ • Web API • SensioLabs ্ʹΤϯυϙΠϯτ͕༻ҙ͞Ε͍ͯΔ

Slide 6

Slide 6 text

ܧଓత੬ऑੑνΣοΫ • ֤छΠϯλϑΣʔε͕ఏڙ͞Ε͍ͯΔͷͰɺCI ʹ૊Έ ࠐΈɺܧଓత੬ऑੑνΣοΫ͕؆୯ʹՄೳ

Slide 7

Slide 7 text

How to integrate • composer require sensiolabs/security-checker • composer update • git add composer.json composer.lock • git commit -m ‘Integrate security-checker’

Slide 8

Slide 8 text

TravisCI - .travis.yml language: php php: - 5.6 before_script: - composer self-update - composer install - chmod -R 777 storage script: - vendor/bin/security-checker security:check - phpunit

Slide 9

Slide 9 text

CircleCI - circle.yml machine: timezone: Asia/Tokyo php: version: 5.6.14 test: override: - vendor/bin/security-checker security:check - vendor/bin/phpunit

Slide 10

Slide 10 text

Test • swiftmailer/swiftmailer ͸ 5.2.1 ະຬͷόʔδϣϯʹ੬ ऑੑ͕͋Δ • ͨΊ͠ʹ 5.0.0 Λ  Πϯετʔϧ͢ΔΑ͏  ࢦఆͯ͠ΈΔ

Slide 11

Slide 11 text

Test • ͪΌΜͱ fail ͠·ͨ͠ • ੬ऑੑͷ಺༰΋දࣔ͞Ε͍ͯ·͢

Slide 12

Slide 12 text

Test • ࠷৽൛ΛೖΕΔΑ͏ʹઃఆͯ͠࠶౓νϟϨϯδ • ͪΌΜͱ green ʹͳΓ·ͨ͠

Slide 13

Slide 13 text

੬ऑੑσʔλϕʔε • ͜ͷϦϙδτϦʹొ࿥͞Ε͍ͯΔ΋ͷ͕੬ऑੑσʔλϕʔ εͱͯ͠࢖ΘΕ͍ͯΔ • https://github.com/FriendsOfPHP/security- advisories • This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption.

Slide 14

Slide 14 text

·ͱΊ • ΄΅ίετθϩͰϥΠϒϥϦͷ੬ऑੑνΣοΫ͕Մೳ ʹͳΔͷͰɺೖΕ͓͍ͯͯଛ͸ͳ͍Ͱ͢ • ͕ɺઌఔ΋ݴͬͨͱ͓Γ׬શʹ৴པͯ͠͠·Θͳ͍Α ͏ʹ஫ҙ • JVN ͳͲଞͷσʔλϕʔε͸ผ్νΣοΫ͠·͠ΐ͏ • https://github.com/serima/security-checker-on-lumen • αϯϓϧΛஔ͍͓͖ͯ·ͨ͠

Slide 15

Slide 15 text

͓ΘΓ