Security Advisories Checker on Travis/Circle CI

Transcript

1. Security Advisories Checker on (Travis|Circle) CI PHP BLT#2 @serima

2. @serima • PHP Developer @ Zappallas • mag2 -> GREE

   -> Zappallas • http://serima.co/blog • Recent topics • WordPress on PHP 7, HTTP/2 • Setup Sakura-VPS with Ansible • ࠷ۙͷڵຯ • ೋࢎԽ୸ૉೱ౓ͷܭଌʢ·ͩ΍ͬͯͳ͍ʂʣ

3. SensioLabs Security Advisories Checker • SensioLabs ࣾ੡ͷϥΠϒϥϦ੬ऑੑνΣοΧʔ

4. SensioLabs • Symfony / Twig / Silex ͳͲΛ։ൃ͍ͯ͠Δϑϥϯεͷ ձࣾ •

   ࠷ۙͩͱɺϓϩϑΝΠϥπʔϧ blackfire.io ΛϦϦʔε ͨ͠

5. composer.lock Ͱ൑ఆ • Online Checker • ΢Σϒ্Ͱ composer.lock ΛΞοϓϩʔυ •

   CLI Checker • CLI Tool Λμ΢ϯϩʔυͯ͠ίϚϯυϥΠϯ࣮ߦ • Web API • SensioLabs ্ʹΤϯυϙΠϯτ͕༻ҙ͞Ε͍ͯΔ

6. ܧଓత੬ऑੑνΣοΫ • ֤छΠϯλϑΣʔε͕ఏڙ͞Ε͍ͯΔͷͰɺCI ʹ૊Έ ࠐΈɺܧଓత੬ऑੑνΣοΫ͕؆୯ʹՄೳ

7. How to integrate • composer require sensiolabs/security-checker • composer update

   • git add composer.json composer.lock • git commit -m ‘Integrate security-checker’

8. TravisCI - .travis.yml language: php php: - 5.6 before_script: -

   composer self-update - composer install - chmod -R 777 storage script: - vendor/bin/security-checker security:check - phpunit

9. CircleCI - circle.yml machine: timezone: Asia/Tokyo php: version: 5.6.14 test:

   override: - vendor/bin/security-checker security:check - vendor/bin/phpunit

10. Test • swiftmailer/swiftmailer ͸ 5.2.1 ະຬͷόʔδϣϯʹ੬ ऑੑ͕͋Δ • ͨΊ͠ʹ 5.0.0

    Λ
 Πϯετʔϧ͢ΔΑ͏
 ࢦఆͯ͠ΈΔ

11. Test • ͪΌΜͱ fail ͠·ͨ͠ • ੬ऑੑͷ಺༰΋දࣔ͞Ε͍ͯ·͢

12. Test • ࠷৽൛ΛೖΕΔΑ͏ʹઃఆͯ͠࠶౓νϟϨϯδ • ͪΌΜͱ green ʹͳΓ·ͨ͠

13. ੬ऑੑσʔλϕʔε • ͜ͷϦϙδτϦʹొ࿥͞Ε͍ͯΔ΋ͷ͕੬ऑੑσʔλϕʔ εͱͯ͠࢖ΘΕ͍ͯΔ • https://github.com/FriendsOfPHP/security- advisories • This database

    must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption.

14. ·ͱΊ • ΄΅ίετθϩͰϥΠϒϥϦͷ੬ऑੑνΣοΫ͕Մೳ ʹͳΔͷͰɺೖΕ͓͍ͯͯଛ͸ͳ͍Ͱ͢ • ͕ɺઌఔ΋ݴͬͨͱ͓Γ׬શʹ৴པͯ͠͠·Θͳ͍Α ͏ʹ஫ҙ • JVN ͳͲଞͷσʔλϕʔε͸ผ్νΣοΫ͠·͠ΐ͏

    • https://github.com/serima/security-checker-on-lumen • αϯϓϧΛஔ͍͓͖ͯ·ͨ͠

15. ͓ΘΓ