Using Vulnerable Libraries

Why is this important?

Most of the code for modern applications is coming from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.

As a result, over 550 vulnerabilities were reported in PHP packages.

Check out this video for a high-level explanation:

Using Known Vulnerable Components

Updating Vulnerable libraries

Option A: Manually update the packages

  1. Look at the vulnerable packages in the GuardRails PR comment.
  2. Go to the PHP Security Advisories page.
  3. Search for the package name and identify the latest not vulnerable version.
  4. Change the composer.json to reflect that new version.
  5. Run composer upgrade.
  6. Test to verify that the upgrade doesn't break the app.
  7. Ship it 🚢 and relax 🌴

Option B: When no update is available

  1. Follow the instructions from Option A above.
  2. If no update is available then you have 3 choices:
    • Remove the package if it's not needed
    • Replace the package with another one that doesn't contain vulnerabilities
    • Take a closer look at the vulnerability details and create a PR patching it
  3. Test to verify that your actions don't break the app.
  4. Ship it 🚢 and relax 🌴

More information:

Insecure Use of SQL QueriesOverview