Security Check For Symfony Component-Based Projects

Misunderstandings, clashes of cultures and worrying may end up in something good. It may be hard to see the outcome, but in the end, with some favor, this is good.

On June 17, 2014 I received this surprising message from @fabpot, the Symfony lead maintainer, and I was very sad to see it put in such a way. It really saddened me for a bit and made me think about my commenting, but then I went back, recalled, and realized I really was acting in my best for asking the right questions. Yet for some reason, culturally, maybe having a bad day or some other reason, I got discouraged in such a way.

Then I thought: why not jump in and continue with the idea, to really get an answer rather than just stay crying because someone did not like your question? So I took on the challenge!

So I went and saw a commit from @fabpot himself adding it to the security-checker repo, then I sent a PR to my own fork, https://github.com/cordoval/security-checker/pull/1/files, enabling the checker to finally become a phar for everybody to generate.

After this I went and prepared a script in Gush to test this approach, created a release of the phar on GitHub, wrote a script to download and run it, and plugged it into the bldr.io bldr.yml file in the Gush project:

#!/usr/bin/env bash
# ./secure: run the Symfony security checker against the project's composer.lock,
# using a globally installed security-checker if one is on PATH, else the phar.
set -e

securitychecker=$(command -v security-checker || true)

if [ -n "$securitychecker" ] && [ -x "$securitychecker" ]; then
    "$securitychecker" security:check
else
    if [ ! -f ./security-checker.phar ]; then
        # Note: the phar is downloaded and executed without any integrity check.
        wget https://github.com/cordoval/security-checker/releases/download/v1.3.1/security-checker.phar
    fi

    chmod +x ./security-checker.phar
    ./security-checker.phar security:check
fi

and the task added to bldr.yml:

+        secure:
 +            calls:
 +                -
 +                    type: exec
 +                    failOnError: true
 +                    executable: ./secure
 +                    arguments: []
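Review bot: `executable: ./secure` relies on the `secure` script being committed with its execute bit set; if that bit is lost in the checkout, `failOnError: true` fails the task before any check runs, which looks the same in CI as a real advisory. Invoking it as `executable: bash` with `arguments: [./secure]` removes that dependency on file mode.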

Then we get Travis CI happy about our security:

[Screenshot 2014-06-18 23.10.00: Travis CI build output]
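The download step in the ./secure script above executes whatever the release URL happens to serve, with no check that the phar is the one that was published. The following is an added example, not the Gush project's script and not part of the original post, of the same wrapper with the phar pinned by SHA-256 before it is run. The digest value is a placeholder to be replaced with the one recorded from the release you trust, the variable and function names are my own, and `php security-checker.phar security:check composer.lock` assumes the checker's security:check command accepts the lock file path as an argument and that `php` is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not the Gush project's ./secure: run the Symfony security
# checker, but refuse to execute a downloaded phar whose SHA-256 does not
# match a digest you recorded from the release page you trust.
set -eu

# Assumptions (placeholders): release URL, expected digest, local paths.
PHAR_URL="${PHAR_URL:-https://github.com/cordoval/security-checker/releases/download/v1.3.1/security-checker.phar}"
PHAR_SHA256="${PHAR_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
PHAR_PATH="${PHAR_PATH:-./security-checker.phar}"
LOCK_FILE="${LOCK_FILE:-composer.lock}"

# sha256_of FILE: print the hex digest using coreutils or BSD tooling.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_phar FILE EXPECTED: exit 0 only when the digest matches.
verify_phar() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# fetch_phar URL DEST: download once, with curl or wget.
fetch_phar() {
    [ -f "$2" ] && return 0
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$2" "$1"
    else
        wget -q -O "$2" "$1"
    fi
}

# run_check LOCK: prefer an installed security-checker, else the pinned phar.
# Exit codes: 2 no lock file, 3 digest mismatch, otherwise the checker's own.
run_check() {
    lock="$1"
    if [ ! -f "$lock" ]; then
        echo "no $lock found; nothing to check" >&2
        return 2
    fi
    if command -v security-checker >/dev/null 2>&1; then
        security-checker security:check "$lock"
        return
    fi
    fetch_phar "$PHAR_URL" "$PHAR_PATH"
    if ! verify_phar "$PHAR_PATH" "$PHAR_SHA256"; then
        echo "refusing to run $PHAR_PATH: SHA-256 mismatch" >&2
        rm -f "$PHAR_PATH"
        return 3
    fi
    php "$PHAR_PATH" security:check "$lock"
}

# Invoke as `./secure check` (bldr: executable ./secure, arguments [check]);
# without the argument only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "check" ]; then
    run_check "$LOCK_FILE"
fi
```

The mismatch branch deletes the downloaded file so a later run does not silently pick up the unverified copy, and the distinct exit codes let the CI task tell "no lock file" and "bad download" apart from "advisory found" in the build log.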

I like @fabpot, but no matter who is telling you to stop, if it is a good thing and you are asking questions, my advice is to keep working on them.

Encouragements!

From Symfony to Gush: The Game Changer Tool for All Git Communities

Gush can do a lot of things already, so I am going to start pounding out a Gush series :).

Gush can not only check your outdated dependencies and send a PR to update them:
[Screenshot 2014-02-10 16.06.14]

Welcome to Gush: its site and the http://github.com/gushphp/gush repository on GitHub.

Gush has now come a long way: it has followed Symfony to 2.5 and is getting more sandboxed and BC-upgrade-proof with time. Its architecture grows and improves with every day that passes, thanks to its 19 contributors.

Gush aims to teach best practices for CLIs. It will comply with the cordoval/bc-analyzer tool, meaning it will be upgradable and will showcase good practices for upgradability and robustness; it follows best practices for package design, and it is trying to decouple itself from Symfony in a healthy manner. Gush is tied to Scrutinizer for quality, with SensioLabs Insight to back it up; it runs on GitHub Enterprise for several companies in the USA and Europe, it will soon track Jira tickets for Jira Enterprise as well, and it will support third-party repository services such as Bitbucket, GitLab, and more.

Gush's dependencies are kept to a minimum, and it uses Bldr.io, a twin tool for automating workflows. Currently we are working on integrating Gush workflows with Bldr.io for further automation.

Gush has been bold and has attempted adapters even for Drupal. The idea is always to contribute and to send PRs in the most efficient manner, and also to aid the maintainer in tedious, repetitive tasks like tagging, creating a changelog, bumping versions and using semver appropriately, merging, rebasing, and switching branches of a PR, amongst other cool ones like giving a pat on the back to a contributor.

I have tried to sell Gush at DrupalCon, at SymfonyCon Warsaw, and at all the conferences I went to that I don't remember; I have done my job at work too, introducing Gush, introducing Bldr.io into Gush as well, and even flying to meetups to talk about Gush.

Gush has made me friends and has found me opportunities; it has given me a selling point to speak about something I am passionate about. Gush has meaning to me; it is not a common open source project. The Gush logo was custom made by the creator of Composer's logo, a guy from Ukraine, Max the wizard, or I would say his wife, who is a great artist.

The Gush logo and the project started with a meaning of flow, rapid flow. That is the intention, and also of favor. The README.md there on the GitHub repo explains the meaning of it. The rock and the Bible verse are plain and clear. To me Gush is one of my most successful projects, and it is free of charge. I have discussed it with many, and have received very good feedback from top-of-the-line devs and friends.

I have also been bullied because of Gush; if I were not serious about Gush, those bullies would have won. Yet they are quiet, and my enemies are jealous. Gush is under a dictator that hears but also has a drive and passion to do things right. Some have tried to rid Gush of its meaning, but so far have failed. Gush will thrive, and Gush will be a tool I always use for development, and I encourage others to do the same. It scratches a common itch, and it was released early and openly. It takes opinions seriously and welcomes improvements; this is the community we have.

There are a ton of things Gush does, but this post is more political :). You should check out Gush and just try it and use it.

Thanks for your support!

Drupal8.x and Symfony/Aura – DrupalCon 2014 talk video and slides

[Embedded YouTube video]

Series: