PHP Version Audit: Three Years and Running
by lightswitch05

Quick Stats

A little over three years ago, I released the first version of PHP Version Audit. In case you've never heard of it, it is a simple utility that checks a given version of PHP against known CVEs and support end dates. The coolest part (in my opinion) is that it self-updates by parsing the PHP changelog twice a day, discovering any new releases and the CVEs they patch. What makes it stand out from other CVE tools is its source: because the rules come straight from the changelog, a CVE alert is available long before the NVD CVE database has been updated with the same information. Now that it has been up and running for three years, I thought it would be fun to look at some stats for the project.

In the past three years, there have been 2,027 updates to the rules that drive PHP Version Audit, the vast majority of them automatic on a cron schedule. Those automatic updates have parsed 34 CVEs from the changelog, across 102 version releases. PHP Version Audit has picked up CVE announcements a median of 5 hours after the changelog update. The NVD CVE database gets updated with the same CVEs a median of 260 hours, or almost 11 days, after the changelog update, making PHP Version Audit 98% faster than tools that source from the CVE database. I think that is pretty cool!

CVE database update after PHP release announcement

PHP Version Audit update after PHP release announcement

PHP Version Audit was designed from the beginning to be self-updating. For the most part, that design has worked out great. However, there are always hiccups or breakages that require fixing. Below is a graph showing the update frequency over the lifespan of the project. The longest the self-updating feature was broken was 7 days. I've made it so that PHP Version Audit throws a 'Stale' exception if its last update is more than 2 weeks old, so I'm happy to say it has stayed well within the grace period. While things did have a bit of a rocky start, it is now rare to go un-updated for longer than 24 hours.

Update Frequency
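As an added example of the two mechanisms described above (pulling releases and the CVEs they patch out of a changelog, and refusing to trust rules that have gone stale), here is a small Python script. It is not PHP Version Audit's own code, which is written in PHP. The changelog text is constructed to roughly resemble the layout of a PHP NEWS-style changelog, the CVE numbers in it are placeholders rather than real identifiers, and the 14-day limit mirrors the two-week grace period mentioned in the post.

```python
"""Illustrative changelog-driven CVE audit (added example, not project code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in a layout loosely modelled on PHP's changelog: a
# version header, a release date, then bullet entries, some citing a CVE.
# The versions, dates and CVE ids are placeholders, not real data.
SAMPLE_CHANGELOG = """\
Version 8.2.99
01 Jan 2099
- Core:
  . Fixed a crash in a constructed example entry. (CVE-2099-1111)
- Standard:
  . Fixed another constructed example entry. (CVE-2099-2222)

Version 8.2.98
15 Dec 2098
- Core:
  . Fixed a bug with no security impact.
"""

VERSION_RE = re.compile(r"^Version (\d+\.\d+\.\d+)[ \t]*$", re.MULTILINE)
DATE_RE = re.compile(r"^(\d{1,2} \w{3} \d{4})[ \t]*$", re.MULTILINE)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Grace period assumed here to match the two-week rule described in the post.
STALE_AFTER = timedelta(days=14)


class StaleRulesError(RuntimeError):
    """Raised when the locally cached rules are older than the grace period."""


def parse_changelog(text):
    """Return {version: {"date": datetime | None, "cves": [ids]}}.

    Releases are kept in changelog order; CVE ids are de-duplicated but
    keep their first-seen order within a release.
    """
    releases = {}
    headers = list(VERSION_RE.finditer(text))
    for i, header in enumerate(headers):
        start = header.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[start:end]
        date_match = DATE_RE.search(body)
        date = None
        if date_match:
            date = datetime.strptime(date_match.group(1), "%d %b %Y")
            date = date.replace(tzinfo=timezone.utc)
        cves = list(dict.fromkeys(CVE_RE.findall(body)))
        releases[header.group(1)] = {"date": date, "cves": cves}
    return releases


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def cves_fixed_after(installed, releases):
    """CVE ids fixed in releases newer than `installed`, i.e. still open on it."""
    installed_tuple = _version_tuple(installed)
    open_cves = []
    for version, info in releases.items():
        if _version_tuple(version) > installed_tuple:
            open_cves.extend(info["cves"])
    return open_cves


def check_freshness(last_update, now=None, max_age=STALE_AFTER):
    """Return the age of the rules, or raise if it exceeds max_age."""
    now = now if now is not None else datetime.now(timezone.utc)
    age = now - last_update
    if age > max_age:
        raise StaleRulesError(f"rules last updated {age.days} days ago")
    return age


if __name__ == "__main__":
    releases = parse_changelog(SAMPLE_CHANGELOG)
    for version, info in releases.items():
        print(version, info["date"].date(), info["cves"])
    print("open on 8.2.98:", cves_fixed_after("8.2.98", releases))
    try:
        # 17 days between the two constructed release dates: over the limit.
        check_freshness(releases["8.2.98"]["date"], now=releases["8.2.99"]["date"])
    except StaleRulesError as err:
        print("stale:", err)
```

The parser only needs the changelog's structure, which is why it can raise an alert as soon as the release notes are published instead of waiting for a database entry; the trade-off is that a layout change in the changelog silently yields no CVEs, which is exactly the failure mode the staleness check is there to surface.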

That is all for the stats! Thank you for reading. Earlier this year I released Node Version Audit; as it continues running, it will be interesting to see how its stats compare with PHP's in a few years. By the way, the one stat I don't have is whether anyone is actually using this thing. I switched jobs recently and no longer use PHP, so while I enjoy keeping this project going, I no longer get to use it myself. It would be nice to know if someone out there is actually using it!