Php Missing Package Lock
Description
Detects PHP projects that declare dependencies in composer.json but have no composer.lock file next to it. This is a security risk because, without a lock file, dependency versions are not pinned and can float between installs, so a later installation may resolve to a different, potentially vulnerable or malicious version than the one the project was tested with.
Detection Strategy
• Checks whether composer.json declares dependencies in its 'require' or 'require-dev' sections
• Verifies whether a composer.lock file exists in the same directory as composer.json
• Reports a vulnerability if dependencies are declared but composer.lock is missing
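The three detection steps above, implemented as a small Python checker and run over two constructed sample projects (an added example, not Fluid Attacks' own checker code). It goes slightly beyond the page by not counting Composer platform packages (php, ext-*, lib-*) as dependencies, since they describe the host and are never fetched from a package registry.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

DEPENDENCY_SECTIONS = ("require", "require-dev")


def declared_dependencies(manifest: dict) -> dict:
    """Package -> constraint across both sections; platform packages
    ("php", "ext-*", "lib-*") describe the host, not fetched code."""
    deps = {}
    for section in DEPENDENCY_SECTIONS:
        for name, constraint in (manifest.get(section) or {}).items():
            if name != "php" and not name.startswith(("ext-", "lib-")):
                deps[name] = constraint
    return deps


def check_missing_lock(project_dir: str) -> Optional[str]:
    """Finding text when composer.json declares deps but no lock file exists."""
    root = Path(project_dir)
    manifest = root / "composer.json"
    if not manifest.is_file():
        return None  # not a Composer project
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        return f"{manifest}: unparsable composer.json ({exc})"
    deps = declared_dependencies(data)
    if not deps or (root / "composer.lock").is_file():
        return None
    return (f"{manifest}: {len(deps)} dependencies declared "
            f"({', '.join(sorted(deps))}) but composer.lock is missing")


def demo() -> dict:
    """Constructed sample: one manifest checked with and without a lock file."""
    manifest = json.dumps({"require": {"php": ">=8.1", "monolog/monolog": "^3.0"},
                           "require-dev": {"phpunit/phpunit": "^10"}})
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, has_lock in (("unlocked", False), ("locked", True)):
            project = Path(tmp, name)
            project.mkdir()
            (project / "composer.json").write_text(manifest)
            if has_lock:
                (project / "composer.lock").write_text("{}")  # stand-in lock
            results[name] = check_missing_lock(str(project))
    return results
```

The "unlocked" project yields a finding naming monolog/monolog and phpunit/phpunit; the "locked" one and a manifest with only platform packages yield none.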
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.