I am working on a PHP project that uses Composer, but some of the dependencies are very old, including the PHP version. We are trying to convince the client to upgrade the version of PHP and, consequently, all the other dependencies. We would like to run an analysis on the existing dependencies and look for known vulnerabilities in them.
Are there any tools available for PHP that run a dependency check?
I have done this with Ruby projects using bundle audit, but I haven't been able to find a similar tool for PHP.
Well, there's the Composer package from Roave (https://github.com/Roave/SecurityAdvisories), but the reporting on the libraries is completely up to the project. It checks against the database from this repository: https://github.com/FriendsOfPHP/security-advisories
A lot of the major projects have their issues posted there, but as it's pretty voluntary it might not be as widespread as you're hoping for. Hope this helps.
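To show what such a check does under the hood, here is an added example (not code from the answer above, nor from Roave or FriendsOfPHP): it reads the `packages` and `packages-dev` sections of a `composer.lock` and matches each installed version against advisory version ranges. The lockfile, the advisory entries and the CVE ids are constructed placeholders, and the advisory shape (per-package entries with `branches` of version constraints) is an assumption modelled loosely on the FriendsOfPHP database, not its exact schema.

```python
import json
import re

# Constructed composer.lock fragment (not a real project's lockfile).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "acme/http-kit", "version": "v1.4.2"},
        {"name": "acme/yaml", "version": "2.0.5"},
    ],
    "packages-dev": [
        {"name": "acme/test-helper", "version": "0.9.0"},
    ],
})

# Constructed, hypothetical advisories. Each "branch" is a list of constraints
# that must ALL hold for a version to be affected (i.e. a version range).
ADVISORIES = {
    "acme/http-kit": [
        {"title": "Header injection", "cve": "CVE-XXXX-PLACEHOLDER",
         "branches": {"1.x": [">=1.0.0", "<1.5.0"]}},
    ],
    "acme/yaml": [
        {"title": "Unsafe deserialisation", "cve": None,
         "branches": {"1.x": [">=1.0.0", "<1.9.9"],
                      "2.x": [">=2.0.0", "<2.0.4"]}},
    ],
}

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def _parse(version: str) -> tuple:
    # Normalise "v1.4.2", "1.4.2", "1.4" to a 4-tuple so tuples compare sanely.
    # Non-numeric versions such as "dev-master" become (0,0,0,0); a real tool
    # must resolve branch aliases instead of guessing.
    nums = [int(p) for p in re.findall(r"\d+", version.lstrip("v"))]
    return tuple((nums + [0, 0, 0, 0])[:4])

def satisfies(version: str, constraint: str) -> bool:
    m = re.match(r"\s*(>=|<=|>|<|=)?\s*(.+)$", constraint)
    return _OPS[m.group(1) or "="](_parse(version), _parse(m.group(2)))

def is_affected(version: str, branches: dict) -> bool:
    return any(all(satisfies(version, c) for c in cs) for cs in branches.values())

def audit(lock_json: str, advisories: dict) -> list:
    """Return one finding per (installed package, matching advisory)."""
    lock, findings = json.loads(lock_json), []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            for adv in advisories.get(pkg["name"], []):
                if is_affected(pkg["version"], adv["branches"]):
                    findings.append({"package": pkg["name"], "version": pkg["version"],
                                     "title": adv["title"], "cve": adv["cve"],
                                     "dev_only": section == "packages-dev"})
    return findings
```

Dev-only dependencies are reported separately because they usually never reach production, which matters when prioritising an upgrade.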