By Bruno Skvorc

Quick Tip: Make Sure Your PHP Version is Safe with Versionscan

There’s a tool you can use to check whether the PHP version you’re running is affected by known, published vulnerabilities (CVEs). The tool is versionscan, and it recently got a 1.0 release.

This quick tip will show you how to install it into your environment so it’s accessible from any folder, letting you call it at any future time without actually needing to require it inside a PHP project.

Step 0 – Optional – Homestead Improved

To follow along, you’d do well to set up a Homestead Improved instance. It’s a Vagrant VM that’ll get you up and running with PHP 5.6+ in under five minutes, so you can test what we do here right away.

Step 1 – Composer Global Install

To make a tool accessible globally when it’s a Packagist-hosted Composer project, we install it with Composer’s global command. Enter your VM (vagrant ssh) and execute the following:

composer global require psecio/versionscan:dev-master

This installs the package globally – into Composer’s home folder (~/.composer on most systems, ~/.config/composer where XDG directories are in use), with the executable placed in its vendor/bin subfolder. On Homestead Improved (see Step 0) Composer is already installed globally and can be called from any folder. If you’re not using the VM from Step 0, install Composer first, then proceed to this step.

Unless you install Composer globally, you might have to run the command like so: php composer.phar global require ...

The :dev-master constraint tracks the unreleased head of the master branch. Now that the project has a tagged 1.0 release, you can drop it and let Composer pick the latest stable version.

Step 2 – Run Versionscan

With Composer’s global vendor/bin folder on your PATH (Homestead Improved already has it there), run:

versionscan scan

The output lists each CVE known for the detected PHP version and whether that check passed or failed.

That’s it!

That’s all there is to it. You now have a scanner for known PHP vulnerabilities that you can call from any folder. The tool can’t do more than raise awareness (it reports, it doesn’t patch), but knowing is most definitely better than not knowing. One caveat: the checks key off the version string PHP reports, so a distribution build that backports security fixes without changing that version will show failures for CVEs that are already fixed. Treat the list as things to verify against your vendor’s changelog or advisories, not as a final verdict.
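The whole procedure as one script, added here as an example (it is not the article’s code and not part of versionscan): it works out where Composer’s global bin directory is, prepends it to PATH once, installs versionscan on first use and runs the scan, so it works on a plain machine as well as on the Homestead box. The directory rule in composer_home() follows Composer’s own lookup (COMPOSER_HOME, then $XDG_CONFIG_HOME/composer on XDG systems, then ~/.composer). The composer config --absolute call is assumed to be available and is only tried when a composer binary is on PATH; the script name and the run argument are my own conventions.

```shell
#!/bin/sh
# Added example (not from the article, not part of versionscan): install
# versionscan with "composer global require" and make it callable from any
# folder by putting Composer's global bin directory on PATH. composer_home()
# reproduces the directory rule Composer uses: $COMPOSER_HOME if set; else,
# when any XDG_* variable is present, $XDG_CONFIG_HOME/composer (or
# ~/.config/composer); else ~/.composer. The first candidate that already
# exists wins; if none exists, the first candidate is used.

composer_home() {
    if [ -n "${COMPOSER_HOME:-}" ]; then
        printf '%s\n' "$COMPOSER_HOME"
        return 0
    fi
    xdg_dir=""
    # Composer treats the presence of any XDG_* variable as an XDG system.
    if env | grep -q '^XDG_'; then
        xdg_dir="${XDG_CONFIG_HOME:-$HOME/.config}/composer"
    fi
    if [ -n "$xdg_dir" ] && [ -d "$xdg_dir" ]; then
        printf '%s\n' "$xdg_dir"
    elif [ -d "$HOME/.composer" ]; then
        printf '%s\n' "$HOME/.composer"
    elif [ -n "$xdg_dir" ]; then
        printf '%s\n' "$xdg_dir"
    else
        printf '%s\n' "$HOME/.composer"
    fi
}

# Default location of globally installed executables (bin-dir not customised).
default_composer_bin_dir() {
    printf '%s/vendor/bin\n' "$(composer_home)"
}

# Ask Composer itself when it is available, which also honours a custom
# bin-dir setting (the --absolute flag is assumed to be supported); otherwise
# fall back to the default computed above.
composer_bin_dir() {
    if command -v composer >/dev/null 2>&1; then
        composer global config bin-dir --absolute 2>/dev/null && return 0
    fi
    default_composer_bin_dir
}

# Prepend the bin dir to PATH unless it is already there (idempotent, so this
# is safe to call from a shell profile).
ensure_composer_bin_on_path() {
    bin_dir=$(composer_bin_dir)
    case ":$PATH:" in
        *":$bin_dir:"*) ;;
        *) PATH="$bin_dir:$PATH"; export PATH ;;
    esac
}

# Install on first use (a 1.0 tag exists, so no :dev-master constraint is
# needed), then scan the PHP binary that "php" resolves to.
install_and_scan() {
    ensure_composer_bin_on_path
    if ! command -v versionscan >/dev/null 2>&1; then
        composer global require psecio/versionscan
    fi
    versionscan scan
}

# Run only when invoked as "sh versionscan-global.sh run", so the functions
# can also be sourced into an interactive shell without side effects.
if [ "${1:-}" = "run" ]; then
    install_and_scan
fi
```

Source the file from your shell profile to get the functions (and a correct PATH) in every new shell, or run `sh versionscan-global.sh run` to install and scan in one go. If you ever set a custom bin-dir in Composer’s global config, the fallback in default_composer_bin_dir() will not know about it; that is why the script asks Composer first whenever it can.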

  • samwalshnz

    When I tried this I got the following error:

    versionscan: command not found

    So to fix this I made an alias to the versionscan path like so:

    alias versionscan='/path/to/.composer/vendor/bin/versionscan'

    Now I can use versionscan :)

    • samwalshnz

      Otherwise, thanks for sharing this with us, Bruno

      • Did you use the Homestead Improved box? It should work as stated if you did. If not, yeah, I see how that might happen. Glad you got it to work :)

        • samwalshnz

          No, I didn’t. Yeah, it’s not an unexpected problem, but I thought others might find it useful if they don’t use Homestead. :)

    • Максим Волошин

      You should add “/path/to/.composer/vendor/bin/” to environment variable “PATH”, and any tool which was installed via “composer global require” will work :)

      • samwalshnz

        Brilliant! Thanks for the tip

  • Marcin Batkowski

    Really nice tool. Thanks for sharing that Bruno!
    Too bad it doesn’t take suhosin into account.

  • guest123456

    phar-composer builds this without problems too. I prefer a phar-composer-built runnable phar file over installing it as composer global.

    For installing (in /usr/bin/local/): phar-composer install psecio/versionscan:dev-master
    For just building the phar: phar-composer build psecio/versionscan:dev-master

  • guest

    I just had a look at the tool, and sadly it is not as helpful as it sounds.
    Why? Most people don’t have a plain build-from-source PHP; most people use vendor versions from their operating system distribution, which quite often come patched for certain vulnerabilities.
    Long story short: for most users this tool will create a long list of false positives.

    Ubuntu trusty currently has 5.5.9-1ubuntu4.3 as the php package. The tool checks for 5.5.9 problems, and will return a list of 17 failed checks. The first one being: CVE-2014-4049, which already has a fix on Ubuntu:

  • ccornutt

    Hi folks, lead dev on this project here – one thing to note on the output Bruno has provided: it has been updated since this release and now provides a Risk score associated with each item.

    It’s been mentioned to me about the backwards patched versions that many OSes provide (like in guest’s comments) and I’m definitely open to adding that handling in if someone can point me to good resources as to which CVEs were fixed with which releases. Even better if it’s something that can be automated.
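An added example for the backport problem raised in the two comments above (it is my own code, not the article’s and not versionscan’s): on Debian and Ubuntu, the security upload that backports a fix names the CVE in the package changelog, so a CVE that versionscan reports can be checked against the installed package’s changelog.Debian.gz before you treat it as a real finding. The changelog text is a constructed sample in Debian changelog format; the package name php5 and the version string follow the comment above, the entry wording is illustrative, and CVE-0000-0001 is a placeholder id that nothing fixes.

```shell
#!/bin/sh
# Added example, not from the article or from versionscan. When versionscan
# flags a CVE on a distribution-packaged PHP, check whether the distro already
# backported the fix: Debian and Ubuntu security uploads name the CVEs they
# address in the package changelog. Paths follow the Debian layout; the sample
# changelog below is constructed for this example, not a real upload.

# Return 0 if the changelog file $2 mentions CVE id $1 as a whole word
# (so CVE-2014-404 does not match CVE-2014-4049), non-zero otherwise.
changelog_mentions_cve() {
    grep -qiw -e "$1" "$2"
}

# Installed Debian packages keep a compressed copy of their changelog here.
installed_changelog() {
    printf '/usr/share/doc/%s/changelog.Debian.gz\n' "$1"
}

# Return 0 if the installed package $1 records a fix for CVE $2; 2 if the
# package has no readable changelog (not installed, or docs stripped).
cve_backported() {
    file=$(installed_changelog "$1")
    [ -r "$file" ] || return 2
    zcat "$file" | grep -qiw -e "$2"
}

# Triage a list of CVE ids against a changelog file: one line per CVE.
triage_cves() {
    file=$1; shift
    for cve in "$@"; do
        if changelog_mentions_cve "$cve" "$file"; then
            printf '%s backported (named in changelog)\n' "$cve"
        else
            printf '%s unconfirmed (verify upstream fix or distro tracker)\n' "$cve"
        fi
    done
}

# Constructed sample changelog in Debian format. The version string follows
# the one quoted in the comments; the entry text is illustrative only.
SAMPLE_CHANGELOG='php5 (5.5.9-1ubuntu4.3) trusty-security; urgency=medium

  * SECURITY UPDATE: backported upstream fix (constructed entry)
    - CVE-2014-4049

 -- Example Maintainer <maint@example.invalid>  Mon, 23 Jun 2014 12:00:00 +0000

php5 (5.5.9-1ubuntu4) trusty; urgency=medium

  * Initial trusty upload (constructed entry)

 -- Example Maintainer <maint@example.invalid>  Mon, 10 Mar 2014 12:00:00 +0000'

# "sh backport-check.sh demo" triages two ids against the embedded sample;
# CVE-0000-0001 is a placeholder that no entry fixes.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CHANGELOG" > "$tmp"
    triage_cves "$tmp" CVE-2014-4049 CVE-0000-0001
    rm -f "$tmp"
fi
```

On a real system call `cve_backported php5 CVE-2014-4049` for each id versionscan flagged, or use `apt-get changelog php5 | grep -iw CVE-2014-4049` when the installed changelog copy is truncated. A match only shows that the distribution claims the fix, not that the php binary you actually run came from that package: compare `php -v` with `dpkg-query -W -f='${Version}\n' php5` (and check which php is first on PATH) before trusting it.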

  • gggeek

    Another nice tool to complement versionscan: it checks composer-based projects for known vulnerabilities in the dependencies –
