Repository files navigation

Baton is a Composer dependency analytics tool which can find usages of Composer packages in your PHP projects.

Which of your projects are affected by that vulnerable package release? Is it worth backporting that library bug fix?How many package updates do you have to do before you can update your server to the latest PHP version? Baton helps youanswer these questions.

Once installed, you can import any list of GitHub or Kiln repositories to search for package usages in. You can alsoset up a webhook to automatically import new projects whenever they get added to your organisation.

Visitdemo.baton.webfactory.de to see Baton in action.

Clone the project

git clone git@github.com:webfactory/baton.gitcd baton

Start a local version viadocker-compose:

docker-compose up

When the docker containers finished building, you can find the project running athttp://localhost:8000/.If you cannot use Port 8000, you can use another one by defining the environment variableHTTP_PORT:

HTTP_PORT=9000 docker-compose up

You might want to use a.env file:

cp env-example .envdocker compose up

You might need to enter your proper MySQL-credentials insrc/config.yml.

To get the project up and running you simply need to run these commands:

composer installnpm startbin/console doctrine:database:create --if-not-existsbin/console doctrine:schema:update --forcebin/console server:run --docroot=www

Optionally runbin/console doctrine:fixtures:load to import some generated projects.

If you run Baton under a host name other thanlocalhost, you need to set theHOSTNAME environment variable, e. g.

HOSTNAME=baton.here2204 bin/console server:run baton.here2204 --docroot=www

Baton has Unit-Tests! Executebin/phpunit to run them.

In order to import private repositories from GitHub you need to provide anOAuth token.

Set it as the value of the environment variableGITHUB_OAUTH_TOKEN on your server and you're good to go.

The same goes for Kiln repositories. Store your Kiln OAuth token in theKILN_OAUTH_TOKEN environment variable on your server.

Use the webhook route/webhook to import/update repositories on push events (tested with GitHub and Kiln).

You can also import projects by repository URL through the Symfony Commandapp:import-project or the form at/import-repositories.

Use the search form to find projects that use a Composer package matching a specific version range.

The search form fetches the results from/usage-search/{package};{_format}/{operator}/{versionString},while_format can bejson orhtml.

Show project with list of Composer dependencies and their locked versions.

Show Composer Package with list of using projects grouped by version.

Right now private repositories are only supported for projects hosted on GitHub or Kiln using OAuth tokens for authentication.A more general approach would be to use ssh URLs for importing repositories and pass an authorized ssh identity to the VCS.

We love feedback :-)

Pull requests welcome!

Baton was created by@xkons as graduation project for his apprenticeship in software development.

The total implementation time was limited to 32 hours by the Industrie Handelskammer Bonn, the main entity for apprenticeships in its area, which also grades the apprentices.

This is the final commit from the initial implementation in the given timeframe:a812a21

This project was started at the webfactory GmbH, Bonn.

• http://www.webfactory.de
• http://twitter.com/webfactory

Copyright 2018 webfactory GmbH, Bonn. Code released underthe MIT license.