Module no longer works, sensiolabs/security-checker is abandoned

[chillu]

We need to start hosting our own security checking tool, or add the ability to run this with a local CLI tool - see https://github.com/sensiolabs/security-checker

[chillu]

As a secondary effect, this will slightly increase queue wait times when running through queuedjobs, since the domain has been shut down and API requests will hold up a queue worker until they time out.

[spekulatius]

Hey @chillu

thanks for the update, didn't know about this.

I wonder what implications come from adding a golang-based package as requirement. Wonder if everyone is on board with this.

Cheers,
Peter

[chillu]

Hey Peter, just letting you know that we're discussing this internally (because we need to figure out both how we deal with this for the OSS community as well as our own Platform customers). This might or might not be the same solution, we'll stay in touch.

[spekulatius]

Hey Ingo,

yeah, that's fine. Just keep me in the loop how you plan resolve it.

Cheers,
Peter

[jcop007]

Hi @chillu

Any update on what the future plan is for this module?

Thanks,
Jonathan

[chillu]

@jcop007 Keen to implement the Sensio golang library approach as an alternative to API calls? So change the update job to using shell_exec(). Pull requests welcome.

[maxime-rainville]

Looks like packagist now has a Security Advisory API ... that seems like perfect replacement for sensio labs.

It would also align this module's warnings to the one provided by composer.

[GuySartorelli]

There's a PR to add functionality to composer that consumes that API. Probably worth just hooking into that once it's available. composer/composer#10798