
Move php-security-checker.wmcloud.org to Toolforge
Closed, Resolved (Public)

Description

https://php-security-checker.wmcloud.org/

I see no reason that https://gitlab.com/legoktm/composer-security-checker couldn't be deployed as a Toolforge tool. It would be much simpler to keep up to date instead of giving it its own VM and needing to configure Apache, systemd, etc.

Tagging Security-Team for awareness because they're the people who most depend on this. And Continuous-Integration-Config and LibUp because those are the places that specify the URL.

Event Timeline

https://wikitech.wikimedia.org/wiki/Nova_Resource:Redirects can be used to create a redirect from wmcloud to toolforge in an attempt to preserve legacy URLs, but that may be less useful for a service that is functionally just a POST handler.

sbassett added a project: SecTeam-Processed.
sbassett subscribed.

Hey @Legoktm - thanks for the tag. To be honest, we don't do a lot with these reports at the moment. We need to re-evaluate that process/responsibilities as a team for sure. So the move to Toolforge is likely not very consequential for us. Where this might be more relevant is within the appsec pipeline we're building out for GitLab right now. I'd imagine we'd want to leverage composer-security-checker to whatever SensioLabs provides these days as one of the tools we trigger during a CI pipeline for any PHP code.

My understanding is that composer-security-checker is the same functionality as https://github.com/fabpot/local-php-security-checker except I audited all the dependencies of my tool (when I wrote it at least) and it's in PHP and not in golang. Oh, and the go version also supports colored ANSI output, junit and markdown outputs.

Anyways, the effort to keep this running should be very minimal, I haven't had to touch it in 2+ years.

Change 820765 had a related patch set uploaded (by Legoktm; author: Legoktm):

[integration/config@master] Update domain for php-security-checker

https://gerrit.wikimedia.org/r/820765

Change 820766 had a related patch set uploaded (by Legoktm; author: Legoktm):

[labs/libraryupgrader@master] Update domain for php-security-checker

https://gerrit.wikimedia.org/r/820766

Change 820766 merged by jenkins-bot:

[labs/libraryupgrader@master] Update domain for php-security-checker

https://gerrit.wikimedia.org/r/820766

Legoktm added a subscriber: Jdforrester-WMF.

Set up the new Toolforge tool and moved over LibUp. Need to set up the redirect and @Jdforrester-WMF is going to drive the remainder of the CI part (thanks!)

Mentioned in SAL (#wikimedia-cloud) [2022-08-05T15:40:00Z] <legoktm> New tool created and set up: T296967

Change 820775 had a related patch set uploaded (by Jforrester; author: Jforrester):

[integration/config@master] jjb: [php-composer-security-docker] Update image for new domain

https://gerrit.wikimedia.org/r/820775

Change 820765 merged by jenkins-bot:

[integration/config@master] dockerfiles: [composer-security-check] Update service domain

https://gerrit.wikimedia.org/r/820765

Mentioned in SAL (#wikimedia-releng) [2022-08-05T16:02:10Z] <James_F> Docker: Building and publishing composer-security-check:1.1.1 for T296967

New CI image built and published, and Jenkins job re-configured. Anything else to do?

Change 820775 merged by jenkins-bot:

[integration/config@master] jjb: [php-composer-security-docker] Update image for new domain

https://gerrit.wikimedia.org/r/820775

Mentioned in SAL (#wikimedia-cloud) [2022-08-08T18:12:13Z] <legoktm> deleting security-checker1 instance, now on Toolforge: T296967