Michael Schiemer fc3d7e6357 feat(Production): Complete production deployment infrastructure
- Add comprehensive health check system with multiple endpoints
- Add Prometheus metrics endpoint
- Add production logging configurations (5 strategies)
- Add complete deployment documentation suite:
  * QUICKSTART.md - 30-minute deployment guide
  * DEPLOYMENT_CHECKLIST.md - Printable verification checklist
  * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle
  * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference
  * production-logging.md - Logging configuration guide
  * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation
  * README.md - Navigation hub
  * DEPLOYMENT_SUMMARY.md - Executive summary
- Add deployment scripts and automation
- Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment
- Update README with production-ready features

All production infrastructure is now complete and ready for deployment.
2025-10-25 19:18:37 +02:00

<?php
declare(strict_types=1);
/**
* Dependency Security Checker
*
* Checks Composer dependencies for known security vulnerabilities
* Uses the Packagist Security Advisories database
*/
require_once __DIR__ . '/../../vendor/autoload.php';
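final class DependencySecurityChecker
{
    /**
     * Packagist security-advisories endpoint.
     *
     * Currently unused: checkPackage() below is a stub and performs no lookup.
     * Kept so the intended data source is documented for whoever implements it.
     */
    private const SECURITY_ADVISORIES_URL = 'https://packagist.org/api/security-advisories/';

    /**
     * Collect advisories for every package pinned in composer.lock
     * (production and development sections).
     *
     * @return array<string, array{version: string, advisories: list<array<string, mixed>>}>
     *         keyed by package name; empty when no package has advisories.
     *         NOTE: with the current stub lookup this is always empty.
     * @throws \RuntimeException when composer.lock is missing, unreadable or not valid JSON
     */
    public function checkDependencies(): array
    {
        $packages = $this->extractPackages($this->loadComposerLock());

        echo "🔍 Checking " . count($packages) . " dependencies for security vulnerabilities...\n\n";

        $vulnerabilities = [];
        $hintPrinted = false;
        foreach ($packages as $package) {
            if (!$hintPrinted) {
                // Printed once, before the first lookup (replaces the old static flag
                // inside checkPackage(), which leaked state across instances).
                $this->printManualCheckHint();
                $hintPrinted = true;
            }

            $advisories = $this->checkPackage($package['name'], $package['version']);
            if ($advisories !== []) {
                $vulnerabilities[$package['name']] = [
                    'version' => $package['version'],
                    'advisories' => $advisories,
                ];
            }
        }

        return $vulnerabilities;
    }

    /**
     * Print a human-readable report of the advisories found.
     *
     * Each advisory entry is expected to carry the keys `title`, `severity`,
     * `affected_versions`, `fixed_versions` and `link`; missing keys raise a
     * warning/notice rather than being skipped.
     *
     * @param array<string, array{version: string, advisories: list<array<string, mixed>>}> $vulnerabilities
     *        output of checkDependencies()
     */
    public function printReport(array $vulnerabilities): void
    {
        if ($vulnerabilities === []) {
            echo "✅ No known security vulnerabilities found in dependencies!\n";
            return;
        }

        echo "🚨 Found " . count($vulnerabilities) . " packages with security advisories:\n\n";
        foreach ($vulnerabilities as $package => $data) {
            echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n";
            echo "📦 {$package}\n";
            echo " Current Version: {$data['version']}\n";
            echo " Vulnerabilities:\n";
            foreach ($data['advisories'] as $advisory) {
                echo "\n";
                echo "{$advisory['title']}\n";
                echo " Severity: {$advisory['severity']}\n";
                echo " Affected: {$advisory['affected_versions']}\n";
                echo " Fixed in: {$advisory['fixed_versions']}\n";
                echo " Link: {$advisory['link']}\n";
            }
            echo "\n";
        }
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n";
        echo "\n⚠️ RECOMMENDATION: Update vulnerable packages immediately!\n";
    }

    /**
     * Read and decode the repository's composer.lock (two directories up).
     *
     * @return array<string, mixed> decoded lock file
     * @throws \RuntimeException if the file is missing, cannot be read, is not
     *         valid JSON, or decodes to something other than an object/array
     */
    private function loadComposerLock(): array
    {
        $lockFile = __DIR__ . '/../../composer.lock';
        if (!file_exists($lockFile)) {
            throw new \RuntimeException('composer.lock not found');
        }

        $content = file_get_contents($lockFile);
        if ($content === false) {
            // file_get_contents() signals failure with false (plus a warning), not an exception.
            throw new \RuntimeException('Failed to read composer.lock');
        }

        try {
            $data = json_decode($content, true, 512, JSON_THROW_ON_ERROR);
        } catch (\JsonException $e) {
            throw new \RuntimeException('Failed to parse composer.lock', 0, $e);
        }
        if (!is_array($data)) {
            // Valid JSON that is a bare scalar would otherwise hit the array return type as a TypeError.
            throw new \RuntimeException('Failed to parse composer.lock');
        }

        return $data;
    }

    /**
     * Flatten the `packages` and `packages-dev` sections of a decoded lock file.
     *
     * @param array<string, mixed> $composerLock decoded composer.lock
     * @return list<array{name: string, version: string, type: string}>
     *         production entries first, then development entries, in lock-file order
     */
    private function extractPackages(array $composerLock): array
    {
        $sections = [
            'packages' => 'production',
            'packages-dev' => 'development',
        ];

        $packages = [];
        foreach ($sections as $section => $type) {
            foreach ($composerLock[$section] ?? [] as $package) {
                $packages[] = [
                    'name' => $package['name'],
                    'version' => $package['version'],
                    'type' => $type,
                ];
            }
        }

        return $packages;
    }

    /**
     * Print, once per run, where real advisory data can be obtained, and make
     * explicit that this script itself has not consulted any advisory source.
     */
    private function printManualCheckHint(): void
    {
        echo " For real-time vulnerability scanning, use:\n";
        echo " - local-php-security-checker: https://github.com/fabpot/local-php-security-checker\n";
        echo " - Composer audit: composer audit\n";
        echo " - GitHub Dependabot: Enable in repository settings\n";
        // Without this line an all-clear report reads as a verified result, which it is not.
        echo " ⚠️ This script performs no advisory lookup yet; an empty report does not prove the absence of vulnerabilities.\n\n";
    }

    /**
     * Look up advisories for one package/version.
     *
     * Placeholder: no advisory source is queried and an empty list is always
     * returned, so checkDependencies() cannot currently report anything and the
     * script always exits 0. A real implementation would query
     * SECURITY_ADVISORIES_URL (or FriendsOfPHP/security-advisories /
     * local-php-security-checker) and filter the results by $version.
     *
     * @return list<array<string, mixed>> advisories, each with the keys printReport() expects
     */
    private function checkPackage(string $name, string $version): array
    {
        return [];
    }
}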
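// Run the checker. Exit codes: 0 = no advisories, 1 = advisories reported, 2 = the check itself failed.
// \Throwable (not \Exception) so that engine errors such as TypeError are also reported and mapped to 2
// instead of escaping as an uncaught fatal error.
try {
    $checker = new DependencySecurityChecker();
    $vulnerabilities = $checker->checkDependencies();
    $checker->printReport($vulnerabilities);
    exit($vulnerabilities === [] ? 0 : 1);
} catch (\Throwable $e) {
    echo "❌ Error: {$e->getMessage()}\n";
    exit(2);
}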