versionscan
Versionscan is a tool for evaluating your currently installed PHP version and checking it against known CVEs and the versions they were fixed in to report back potential issues.
Installation
Using Composer
{
"require": {
"psecio/versionscan": "dev-master"
}
}
The only current dependency is the Symfony console.
Usage
To run the scan against your current PHP version, use:
bin/versionscan
The script will check the PHP_VERSION
for the current instance and
generate the pass/fail results. The output looks similar to:
Executing against version: 5.4.24
+--------+---------------+------+------------------------------------------------------------------------------------------------------+
| Status | CVE ID | Risk | Summary |
+--------+---------------+------+------------------------------------------------------------------------------------------------------+
| FAIL | CVE-2014-3597 | 6.8 | Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 ... |
| FAIL | CVE-2014-3587 | 4.3 | Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in... |
Results will be reported back colorized as well to easily show the pass/fail of the check.
Parameters
There are several parameters that can be given to the tool to configure its scans and results:
PHP Version
If you'd like to define a PHP version to check other than the one the script finds itself, you can use the php-version
parameter:
bin/versionscan scan --php-version=4.3.2
Report Only Failures
You can also tell the versionscan to only report back the failures and not the passing tests:
bin/versionscan scan --fail-only
Sorting results
You can also sort the results either by the CVE ID or by severity (risk rating), with the sort
parameter
and either the "cve" or "risk" value:
bin/versionscan scan --sort=risk