{"id":13539341,"url":"https://github.com/friendsofphp/security-advisories","last_synced_at":"2025-05-12T13:25:26.468Z","repository":{"id":6557217,"uuid":"7798948","full_name":"FriendsOfPHP/security-advisories","owner":"FriendsOfPHP","description":"A database of PHP security advisories","archived":false,"fork":false,"pushed_at":"2025-04-10T12:27:24.000Z","size":1399,"stargazers_count":2073,"open_issues_count":3,"forks_count":307,"subscribers_count":141,"default_branch":"master","last_synced_at":"2025-04-23T07:03:49.947Z","etag":null,"topics":["composer","packagist","php","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://github.com/fabpot/local-php-security-checker","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FriendsOfPHP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2013-01-24T13:57:57.000Z","updated_at":"2025-04-14T15:20:37.000Z","dependencies_parsed_at":"2023-02-17T05:30:44.246Z","dependency_job_id":"94a5ecfd-2e17-4fbc-a3f9-85b1fc5190fd","html_url":"https://github.com/FriendsOfPHP/security-advisories","commit_stats":{"total_commits":964,"total_committers":205,"mean_commits":4.702439024390244,"dds":0.9346473029045643,"last_synced_commit":"e1e19e19d2d888dc9bbd8bd38cd793dc16577448"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FriendsOfPHP%2Fsecurity-advisories","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FriendsOfPHP%2Fsecurity-advisories/tag
s","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FriendsOfPHP%2Fsecurity-advisories/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FriendsOfPHP%2Fsecurity-advisories/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FriendsOfPHP","download_url":"https://codeload.github.com/FriendsOfPHP/security-advisories/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253746316,"owners_count":21957534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["composer","packagist","php","vulnerabilities"],"created_at":"2024-08-01T09:01:23.711Z","updated_at":"2025-05-12T13:25:26.446Z","avatar_url":"https://github.com/FriendsOfPHP.png","language":"PHP","readme":"PHP Security Advisories Database\n================================\n\nThe PHP Security Advisories Database references known security\nvulnerabilities in various PHP projects and libraries. 
This database **must\nnot** serve as the primary source of information for security issues; it is\nnot authoritative for any referenced software, but it allows centralizing\ninformation for convenience and easy consumption.\n\nLicense\n-------\n\nThe PHP security advisories database is free and unencumbered software released\ninto the public domain.\n\nChecking for Vulnerabilities\n----------------------------\n\nTo check for vulnerabilities in your applications besides manual checks, you should\nuse the [Local CLI tool][1]:\n\n        local-php-security-checker --path=/path/to/composer.lock\n\n**TIP**: If you are using GitHub, you can use the PHP Security Checker [GitHub\nAction][2] to automatically check for vulnerabilities when pushing code.\n\nContributing\n------------\n\nContributing security advisories is as easy as it can get:\n\n  * You can contribute a new entry by sending a pull request or by creating a\n    file directly via the GitHub interface;\n\n  * Create a directory based on the Composer name of the software where the\n    security issue exists (use `symfony/http-foundation` for an issue in the\n    Symfony HttpFoundation component for instance);\n\n  * Each security issue must be saved in a file where the name is the CVE\n    identifier (preferred) or the date when the security issue was announced\n    followed by an increment (`2012-12-12-1` for instance);\n\n  * The file is in the YAML format and **must** contain the following entries\n    (have a look at existing entries for examples):\n\n      * `title`:     A text that describes the security issue in a few words;\n\n      * `link`:      A link to the official security issue announcement (HTTPS\n        links are preferred over HTTP ones);\n\n      * `reference`: A unique reference to identify the software (the only\n        supported scheme is `composer://` followed by the Composer identifier);\n\n      * `branches`: A hash of affected branches, where the name is the branch\n        name 
(like `2.0.x`), and the value is a hash with the following\n        entries:\n\n          * `time`: The date and time in UTC when the security issue was fixed or null if the\n            issue is not fixed yet (most of the time, the date of the **merge**\n            commit that fixed the issue in the following format `2012-08-27\n            19:17:44`) -- this information must be as accurate as possible as it\n            is used to determine if a project is affected or not;\n\n          * `versions`: An array of constraints describing affected versions\n            for this branch (this is the same format as the one used for\n            Composer -- `['\u003e=2.0.0', '\u003c2.0.17']`).\n\n  * If you have a CVE identifier, add it under the `cve` key.\n\n  * Make sure your file validates by running `php -d memory_limit=-1 validator.php` from the root of this project.\n    This script needs some dependencies to be installed via composer, so you need to\n    run `composer install` before.\n\nIf some affected code is available through different Composer entries (like\nwhen you have read-only subtree splits of a main repository), duplicate the\ninformation in several files.\n\n[1]: https://github.com/fabpot/local-php-security-checker\n[2]: https://github.com/marketplace/actions/the-php-security-checker\n","funding_links":[],"categories":["\u003ca id=\"683b645c2162a1fce5f24ac2abfa1973\"\u003e\u003c/a\u003e漏洞\u0026\u0026漏洞管理\u0026\u0026漏洞发现/挖掘\u0026\u0026漏洞开发\u0026\u0026漏洞利用\u0026\u0026Fuzzing"],"sub_categories":["\u003ca id=\"4c80728d087c2f08c6012afd2377d544\"\u003e\u003c/a\u003e漏洞数据库"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriendsofphp%2Fsecurity-advisories","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffriendsofphp%2Fsecurity-advisories","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffriendsofphp%2Fsecurity-advisories/lists"}