PHP SCA Agent-Based Scanning

Veracode Agent-Based Scan Software Composition Analysis

Finding vulnerabilities in your PHP repositories using Veracode Agent-Based Scan is simple. The following section gives the steps for running a Veracode Agent-Based Scan on Composer repositories with the Veracode Agent-Based Scan Command-Line Interface; scanning can also be performed by any of the CI Integrations.


Scanning a repository that uses PHP and one of its build/package managers requires the ability to assemble the project's dependencies within the environment in which you intend to scan the project. This includes the following requirements for each package manager:

PHP Requirements

  • Meet the requirements for the Veracode Agent-Based Scan agent.
  • Have PHP 5.3.2 or later installed.
  • Have Composer 1.0.0 or later installed.
  • Have composer.json or composer.lock files present in the repository.
  • Be able to run the composer install or php composer.phar install command from the root of the project where you perform scans.

Running a Scan

You can use Veracode Agent-Based Scan to scan any code repository to which you have access and which fulfills the above requirements. To demonstrate how to run a scan, you can clone one of the Veracode Agent-Based Scan public repositories:


git clone
Note: You can also scan code repositories hosted on git by using the --url argument with the CLI agent (see documentation for usage), but for the purposes of this guide it will be assumed you have the code stored locally.

Once the code has been cloned to your desktop, point the Veracode Agent-Based Scan CLI agent at the directory of the repository and scan:

# Replace "example-php-composer" with the project folder name of your choosing
srcclr scan path/to/example-php-composer

To view more verbose output during the scan process, you can add the --loud argument as well:

srcclr scan path/to/example-php-composer --loud

The Veracode Agent-Based Scan agent then uses the native package manager to identify the dependencies in your project and their versions. The commands run depend on the build or package manager; for Composer they are:


composer install
composer show --tree
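The requirements list and the scan steps above, combined into one script as an added example (this is not Veracode's code or part of the srcclr agent): it checks the PHP and Composer version thresholds stated above, confirms a composer.json or composer.lock is present and that `composer install` resolves from the project root, and only then invokes `srcclr scan` on the directory. It assumes `php`, `composer` and `srcclr` are on PATH and that `composer --version` prints "Composer version X.Y.Z ...".

```shell
#!/bin/sh
# Added example, not part of the Veracode documentation or the srcclr agent:
# a pre-flight check that a Composer project meets the PHP requirements listed
# above, followed by the scan itself. Assumes php, composer and srcclr are on
# PATH; the version thresholds are the ones stated above.

MIN_PHP="5.3.2"
MIN_COMPOSER="1.0.0"

# version_ge A B : succeed if dotted version A is >= B, comparing up to three
# numeric components and ignoring suffixes such as "-1ubuntu" or "RC1"
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        # pad with ".0.0" so every field exists even for "7" or "7.4"
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# has_composer_manifest DIR : succeed if composer.json or composer.lock exists
has_composer_manifest() {
    [ -f "$1/composer.json" ] || [ -f "$1/composer.lock" ]
}

# preflight DIR : report each requirement; succeed only if all are met
preflight() {
    dir="${1:-.}"
    fail=0

    php_ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || php_ver=""
    if [ -n "$php_ver" ] && version_ge "$php_ver" "$MIN_PHP"; then
        echo "ok:   PHP $php_ver (need >= $MIN_PHP)"
    else
        echo "FAIL: PHP ${php_ver:-not found} (need >= $MIN_PHP)"; fail=1
    fi

    # `composer --version` prints "Composer version X.Y.Z ..."; extract X.Y.Z
    composer_ver=$(composer --version 2>/dev/null | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p')
    if [ -n "$composer_ver" ] && version_ge "$composer_ver" "$MIN_COMPOSER"; then
        echo "ok:   Composer $composer_ver (need >= $MIN_COMPOSER)"
    else
        echo "FAIL: Composer ${composer_ver:-not found} (need >= $MIN_COMPOSER)"; fail=1
    fi

    if has_composer_manifest "$dir"; then
        echo "ok:   composer.json or composer.lock present in $dir"
    else
        echo "FAIL: no composer.json or composer.lock in $dir"; fail=1
    fi

    # The agent runs `composer install` from the project root, so make sure
    # that resolves here first; --dry-run leaves the vendor tree untouched.
    if (cd "$dir" && composer install --dry-run --no-interaction >/dev/null 2>&1); then
        echo "ok:   composer install resolves from $dir"
    else
        echo "FAIL: composer install does not resolve from $dir"; fail=1
    fi

    return "$fail"
}

# Usage: sh preflight-and-scan.sh path/to/example-php-composer [--loud]
if [ $# -gt 0 ]; then
    target="$1"; shift
    preflight "$target" && srcclr scan "$target" "$@"
fi
```

Any extra arguments after the project path (for example `--loud`) are passed through to `srcclr scan`, so the same script covers the verbose invocation shown above.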

Once the agent has evaluated the open source libraries in use, it produces a summary of the scan results that includes counts of total libraries used and vulnerable libraries, the percentage of third-party code, and a list of the vulnerabilities found:

Configuring Scans

By adding a srcclr.yml file to the directory at which you point the Veracode Agent-Based Scan agent, you can specify scan directives for scanning your PHP code. The following configuration options can be used within your srcclr.yml for PHP scanning:

Directive              Description                                                                     Build/Package Managers
skip_composer_install  Specifies whether the dependencies will need to be installed                    Composer
scope                  Specifies scope of dependency resolution. Must be --no-dev for Composer repositories  Composer
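A srcclr.yml that uses both directives from the table above, as an added example (it is not taken from the Veracode documentation): the key names are the ones listed in the table; the YAML `key: value` layout of the file and the `false` default for `skip_composer_install` are assumptions.

```yaml
# srcclr.yml, placed in the directory passed to `srcclr scan`
# (added example; directive names from the table above, file layout assumed)

# Resolve production dependencies only, as required for Composer repositories
scope: --no-dev

# Let the agent run `composer install` itself before it inspects the
# dependency tree. Set to true only when the dependencies have already been
# installed in the scanning environment.
skip_composer_install: false
```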

Viewing scan results

After completing a scan, the bottom of the output in your terminal will include a link to the Veracode Agent-Based Scan platform to view the scan results in more detail:

Unique Library Licenses              3
Libraries Using GPL                  0
Libraries With No License            1

Full Report Details

Navigating to this link will allow you to view the results of your scan in its entirety.

The scan results are broken down into the following categories:

  • Issues: This is comprised of out-of-date libraries, license violations, and vulnerabilities uniquely associated with a specific version of a library within a specific repository.
  • Vulnerabilities: This list represents the set of unique vulnerabilities across a specific project. If multiple libraries in a given project are associated with the same vulnerability, the vulnerability will only appear once in this list.
  • Libraries: Libraries consist of each open source library that Veracode Agent-Based Scan has identified within a code project.
  • Licenses: Licenses allow users to view the software license information associated with each open source library in use.

You can find more details on these categories in the Issues, Vulnerabilities, Libraries, and Licenses documentation article.

Fixing vulnerability issues

After viewing the scan results, users will likely want to fix the vulnerabilities discovered in their PHP project. Veracode Agent-Based Scan provides clear instructions for fixing vulnerability issues through the web interface.

Fixing a direct vulnerability

When a library is specifically referenced in your configuration file, Veracode Agent-Based Scan refers to the library as a “direct” dependency. Fixing a vulnerability in a direct dependency using Veracode Agent-Based Scan is simple. Using the open source project mentioned in the Running a Scan section, and after navigating to the project scan results in the Veracode Agent-Based Scan UI, you can filter down to “Vulnerability” issues that are included only in “Direct Libraries”:

After filtering the scan results, you can drill into an issue to find out how to fix it by clicking the issue id next to the vulnerability name. This brings you to the issue details page, where you will find information on fixing the vulnerability. In general, the best way to fix a vulnerability in a direct dependency is to update the version in use to the version recommended by Veracode Agent-Based Scan. The recommended version is one that is not affected by the vulnerability you are subject to, nor by any other vulnerabilities that switching versions might introduce. To keep the update from having a significant impact on your code, the recommended version is the one closest to your current version that is still not associated with other vulnerabilities.

Note: Some libraries include vulnerabilities which have not yet been fixed, and therefore Veracode Agent-Based Scan cannot provide a version to update to. In such cases, it is recommended that you either submit a pull request to the unfixed library or use a different library in your code.

Validating a fixed vulnerability

Validate the fix you have made to your repository by running a Veracode Agent-Based Scan before committing your code changes, adding the --allow-dirty option so that the agent proceeds despite uncommitted changes in your code:

srcclr scan /path/to/example-php-composer --allow-dirty

Once you have verified the vulnerability no longer shows up in the scan output, you can proceed to commit your code and you will have fixed the vulnerability!
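The fix-and-validate procedure above (update the direct dependency to the recommended version, re-scan with `--allow-dirty`, confirm the vulnerability is gone) as an added example script; this is not Veracode's code or part of the srcclr agent. It assumes `composer` and `srcclr` are on PATH, that the package name and recommended version are supplied by the caller from the issue details page, and that the summary printed by the agent contains a line beginning "Vulnerable Libraries" followed by the count (the label is assumed from the summary described above; adjust it to match your agent's output). The sample summary embedded in the script is constructed for the offline check, not real scanner output.

```shell
#!/bin/sh
# Added example, not part of the Veracode documentation or the srcclr agent:
# pin a direct Composer dependency to the version recommended on the issue
# details page, then re-scan the uncommitted change with --allow-dirty and
# succeed only if the summary reports no vulnerable libraries. Assumes composer
# and srcclr are on PATH. The "Vulnerable Libraries" label is assumed from the
# summary described above; adjust it to match your agent's output.

# summary_count LABEL  (scan output on stdin) : print the integer that ends the
# summary line starting with LABEL; fail if no such line exists
summary_count() {
    awk -v label="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, label) == 1 { n = $NF; found = 1 }
        END { if (found) print n; else exit 1 }'
}

# fix_direct_dependency DIR PACKAGE VERSION : update the constraint in
# composer.json and refresh composer.lock for that one package
fix_direct_dependency() {
    (cd "$1" && composer require --no-interaction "$2:$3")
}

# validate_fix DIR : re-scan including uncommitted changes; succeed only if the
# vulnerable-library count is zero
validate_fix() {
    out=$(srcclr scan "$1" --allow-dirty) || return 1
    count=$(printf '%s\n' "$out" | summary_count "Vulnerable Libraries") \
        || { echo "no 'Vulnerable Libraries' line in scan output"; return 1; }
    echo "vulnerable libraries after fix: $count"
    [ "$count" -eq 0 ]
}

# Constructed sample of a summary tail (not real scanner output), used to
# exercise summary_count offline
SAMPLE_SUMMARY='Total Library Count                 12
Vulnerable Libraries                 0
Unique Library Licenses              3
Libraries Using GPL                  0
Libraries With No License            1'

# Usage: sh fix-and-validate.sh path/to/example-php-composer vendor/package 1.2.3
if [ $# -ge 3 ]; then
    fix_direct_dependency "$1" "$2" "$3" && validate_fix "$1"
fi
```

`summary_count` fails rather than printing 0 when the label is absent, so a scan that aborts before printing its summary is reported as a failed validation instead of a clean result; once `validate_fix` succeeds, the change is ready to commit.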