Merge branch '2.7'

weaverryan · weaverryan · commit 353995e9b76f · 2015-01-01T17:55:23.000-05:00
* 2.7: fixing bad link Fixing bad merge - this section should not have been left in [#4651] Fixing build error Update by_reference.rst.inc Added a lot of changes suggested by reviewers Added a note about the SensioDistributionBundle necessary for security:check Added a note about the security:check command Added a missing link reference Added a note about the security advisories database This command is available sin Symfony 2.5 Documented the security:check command
diff --git a/book/installation.rst b/book/installation.rst
@@ -287,6 +287,18 @@ them all at once:
 Depending on the complexity of your project, this update process can take up to
 several minutes to complete.
 
+.. tip::
+
+    Symfony provides a command to check whether your project's dependencies
+    contain any know security vulnerability:
+
+    .. code-block:: bash
+
+        $ php app/console security:check
+
+    A good security practice is to execute this command regularly to be able to
+    update or replace compromised dependencies as soon as possible.
+
 .. _installing-a-symfony2-distribution:
 
 Installing a Symfony Distribution
diff --git a/book/security.rst b/book/security.rst
@@ -1298,6 +1298,36 @@ cookie will be ever created by Symfony):
     If you use a form login, Symfony will create a cookie even if you set
     ``stateless`` to ``true``.
 
+.. _book-security-checking-vulnerabilities:
+
+Checking for Known Security Vulnerabilities in Dependencies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 2.5
+    The ``security:check`` command was introduced in Symfony 2.5. This command is
+    included in ``SensioDistributionBundle``, which has to be registered in your
+    application in order to use this command.
+
+When using lots of dependencies in your Symfony projects, some of them may
+contain security vulnerabilities. That's why Symfony includes a command called
+``security:check`` that checks your ``composer.lock`` file to find any known
+security vulnerability in your installed dependencies:
+
+.. code-block:: bash
+
+    $ php app/console security:check
+
+A good security practice is to execute this command regularly to be able to
+update or replace compromised dependencies as soon as possible. Internally,
+this command uses the public `security advisories database`_ published by the
+FriendsOfPHP organization.
+
+.. tip::
+
+    The ``security:check`` command terminates with a non-zero exit code if
+    any of your dependencies is affected by a known security vulnerability.
+    Therefore, you can easily integrate it in your build process.
+
 Final Words
 -----------
 
@@ -1326,3 +1356,4 @@ Learn more from the Cookbook
 
 .. _`online tool`: https://www.dailycred.com/blog/12/bcrypt-calculator
 .. _`frameworkextrabundle documentation`: http://symfony.com/doc/current/bundles/SensioFrameworkExtraBundle/index.html
+.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories
diff --git a/contributing/code/security.rst b/contributing/code/security.rst
@@ -38,6 +38,8 @@ confirmed, the core-team works on a solution following these steps:
 #. Publish the post on the official Symfony `blog`_ (it must also be added to
    the "`Security Advisories`_" category);
 #. Update the security advisory list (see below).
+#. Update the public `security advisories database`_ maintained by the
+   FriendsOfPHP organization and which is used by the ``security:check`` command.
 
 .. note::
 
@@ -93,6 +95,11 @@ of the downstream projects included in this process:
 Security Advisories
 -------------------
 
+.. tip::
+
+    You can check your Symfony application for known security vulnerabilities
+    using the ``security:check`` command. See :ref:`book-security-checking-vulnerabilities`.
+
 This section indexes security vulnerabilities that were fixed in Symfony
 releases, starting from Symfony 1.0.0:
 
@@ -119,6 +126,7 @@ releases, starting from Symfony 1.0.0:
 * March 21, 2008: `symfony 1.0.12 is (finally) out ! <http://symfony.com/blog/symfony-1-0-12-is-finally-out>`_
 * June 25, 2007: `symfony 1.0.5 released (security fix) <http://symfony.com/blog/symfony-1-0-5-released-security-fix>`_
 
-.. _Git repository:      https://github.com/symfony/symfony
-.. _blog:                http://symfony.com/blog/
+.. _Git repository: https://github.com/symfony/symfony
+.. _blog: http://symfony.com/blog/
 .. _Security Advisories: http://symfony.com/blog/category/security-advisories
+.. _`security advisories database`: https://github.com/FriendsOfPHP/security-advisories
diff --git a/reference/forms/types/options/by_reference.rst.inc b/reference/forms/types/options/by_reference.rst.inc
@@ -42,4 +42,4 @@ call the setter on the parent object.
 Similarly, if you're using the :doc:`collection</reference/forms/types/collection>`
 form type where your underlying collection data is an object (like with Doctrine's
 ``ArrayCollection``), then ``by_reference`` must be set to ``false`` if you
-need the setter (e.g. ``setAuthors()``) to be called.
+need the adder and remover (e.g. ``addAuthor()`` and ``removeAuthor()``) to be called.
