Vulnerability scanner
Vulnerability scanner is a paid add-on available in our Marketplace - Buy YetiForce Vulnerabilities
The tool checks if there are any vulnerabilities in external libraries that need to be removed. The functionality requires an internet connection as it sends information from composer.lock to an external service. The built-in security mechanism in the current version connects to the dedicated YetiForce Security service (https://security.yetiforce.com).
Description
The vulnerability detector currently verifies on the worldwide CVE database:
- some of the external libraries used by the system (e.g. libraries written in PHP),
- vulnerabilities for the used version of PHP,
- vulnerabilities for the webserver (Apache, Nginx),
- vulnerabilities for libraries on the server: OpenSSL,
- vulnerabilities for the SQL engine (MySQL, MariaDB).
Ultimately, the system will be able to verify all external libraries regardless of technology. We also plan to detect vulnerabilities in applications installed on the server, e.g. IMAP, PGP, etc.
Even though the application can only verify some libraries by default, the producer checks for vulnerabilities in all libraries using tools such as https://snyk.io/, https://depfu.com/, https://blackducksoftware.com/, https://david-dm.org/, https://sonarcloud.io/ and many other applications.
If no vulnerabilities were found, the following message will be displayed:
YetiForce Security Dependency Check
The security.yetiforce.com vulnerability detection mechanism operates on the official CVE-based vulnerability database available at https://github.com/FriendsOfPHP/security-advisories.
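The check described above, matching the packages pinned in composer.lock against a list of advisories with affected version ranges, can be reproduced locally. The script below is an added example and not the YetiForce scanner's or the security.yetiforce.com service's own code: the composer.lock excerpt and the advisory records (identifiers starting with EXAMPLE-) are constructed sample data, and the comma-separated constraint syntax is an assumption loosely modelled on the version branches used in the FriendsOfPHP advisory files. It walks both the "packages" and "packages-dev" sections, normalises tags such as "v3.4.2", and reports every locked version that falls inside an affected range.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed composer.lock excerpt (sample data, not from the page or the project).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/http-client", "version": "2.1.0"},
        {"name": "vendor/template-engine", "version": "v3.4.2"},
    ],
    "packages-dev": [
        {"name": "vendor/test-helper", "version": "1.0.5"},
    ],
})

# Constructed advisory records: package -> [(advisory id, affected range)].
# A range is a comma-separated list of constraints that must all hold; the
# notation is an assumption modelled loosely on FriendsOfPHP version branches.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "vendor/http-client": [("EXAMPLE-2024-0001", ">=2.0.0,<2.1.3")],
    "vendor/template-engine": [("EXAMPLE-2023-0042", ">=3.0.0,<3.4.0")],
    "vendor/test-helper": [("EXAMPLE-2022-0007", "<1.0.0")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v3.4.2' or '3.4' into a comparable tuple; non-numeric tails are dropped."""
    v = v.lstrip("vV")
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    # Pad to three components so that 2.1 compares equal to 2.1.0.
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def version_in_range(version: str, constraint: str) -> bool:
    """True if version satisfies every comma-separated constraint, e.g. '>=2.0.0,<2.1.3'."""
    ver = parse_version(version)
    for part in constraint.split(","):
        m = re.match(r"(>=|<=|>|<|=)?\s*(.+)", part.strip())
        op = m.group(1) or "="
        if not _OPS[op](ver, parse_version(m.group(2))):
            return False
    return True


def locked_packages(lock_json: str) -> Dict[str, str]:
    """Collect name -> locked version from 'packages' and 'packages-dev' of a composer.lock."""
    data = json.loads(lock_json)
    found: Dict[str, str] = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def check_lock(lock_json: str,
               advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (package, locked version, advisory id) for every package inside an affected range."""
    findings: List[Tuple[str, str, str]] = []
    for name, version in locked_packages(lock_json).items():
        for advisory_id, affected in advisories.get(name, []):
            if version_in_range(version, affected):
                findings.append((name, version, advisory_id))
    return findings


if __name__ == "__main__":
    results = check_lock(SAMPLE_COMPOSER_LOCK, SAMPLE_ADVISORIES)
    if not results:
        print("No known vulnerabilities found in locked packages.")
    for name, version, advisory in results:
        print(f"{name} {version}: affected by {advisory}")
```

Running it against the sample data reports only vendor/http-client 2.1.0, because the other two locked versions sit outside their advisories' ranges; with a real composer.lock the only inputs that change are the lock file and the advisory records, and the comparison stays the same. Note that doing this locally keeps the lock file on the server, whereas the built-in mechanism sends it to the external service.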
System Warnings
Vulnerability detection is also performed in the System warnings panel - the system regularly checks for security gaps and informs the administrators about any potential threats that need to be dealt with.