cyclonedx / cyclonedx-php-composer
Creates CycloneDX Software Bill-of-Materials (SBOM) from PHP Composer projects
Fund package maintenance!
Other
Installs: 968 197
Dependents: 10
Suggesters: 0
Security: 0
Stars: 49
Watchers: 5
Forks: 7
Open Issues: 15
Type:composer-plugin
Requires
- php: ^8.1
- composer-plugin-api: ^2.3
- cyclonedx/cyclonedx-library: ^3.3
- package-url/packageurl-php: ^1.0
Requires (Dev)
- composer/composer: ^2.3.0
- roave/security-advisories: dev-latest
- dev-master / 5.x-dev
- v5.2.0
- v5.1.0
- v5.0.1
- v5.0.0
- 4.x-dev
- v4.2.3
- v4.2.2
- v4.2.1
- v4.2.0
- v4.1.1
- v4.1.0
- v4.0.2
- v4.0.1
- v4.0.0
- v4.0.0-RC2
- v4.0.0-RC1
- 3.x-dev
- v3.11.0
- v3.10.2
- v3.10.1
- v3.10.0
- v3.9.2
- v3.9.1
- v3.9.0
- v3.8.0
- v3.7.0
- v3.6.0
- v3.5.0
- v3.4.1
- v3.4.0
- v3.3.1
- v3.3.0
- v3.2.0
- v3.1.1
- v3.1.0
- v3.0.0
- 2.x-dev
- v2.1.1
- v2.1.0
- v2.0.3
- v2.0.2
- v2.0.1
- v2.0.0
- 1.x-dev
- v1.2.0
- v1.1.0
- v1.0.1
- v1.0.0
- dev-dependabot/composer/demo/laravel-7.12.0/project/symfony/process-5.4.46
- dev-dependabot/composer/demo/laravel-7.12.0/project/symfony/http-foundation-5.4.46
- dev-dependabot/composer/tools/php-cs-fixer/friendsofphp/php-cs-fixer-v3.64.0
This package is auto-updated.
Last update: 2024-11-07 13:21:49 UTC
README
A plugin for PHP's Composer that generates Software Bill of Materials (SBOM) in CycloneDX format.
Based on OWASP Software Component Verification Standard for Software Bill of Materials's criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
The resulting SBOM documents follow official specifications and standards,
and might have properties following cdx:composer
Namespace Taxonomy
.
Requirements
- PHP
^8.1
- Composer
^2.3
However, there are older versions of this plugin available, which
support PHP ^5.5||^7.0||^8.0
with Composer ^1.0||^2.0
.
Installation
As a global Composer plugin:
composer global require cyclonedx/cyclonedx-php-composer
As a development dependency of the current project:
composer require --dev cyclonedx/cyclonedx-php-composer
Usage
After successful installation, the Composer command CycloneDX:make-sbom
is available.
$ composer CycloneDX:make-sbom --help Description: Generate a CycloneDX Bill of Materials from a PHP Composer project. Usage: CycloneDX:make-sbom [options] [--] [<composer-file>] Arguments: composer-file Path to Composer config file. [default: "composer.json" file in current working directory] Options: --output-format=OUTPUT-FORMAT Which output format to use. {choices: "JSON", "XML"} [default: "XML"] --output-file=OUTPUT-FILE Path to the output file. Set to "-" to write to STDOUT [default: "-"] --omit=OMIT Omit dependency types. {choices: "dev", "plugin"} (multiple values allowed) --spec-version=SPEC-VERSION Which version of CycloneDX spec to use. {choices: "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"} [default: "1.5"] --output-reproducible|--no-output-reproducible Whether to go the extra mile and make the output reproducible. This might result in loss of time- and random-based-values. --validate|--no-validate Formal validate the resulting BOM. --mc-version=MC-VERSION Version of the main component. This will override auto-detection. -h, --help Display help for the given command. -q, --quiet Do not output any message -v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
Demo
For a demo of cyclonedx-php-composer see the demo projects.
How it works
This tool utilizes composer itself, to collect evidence for installed composer packages.
In terms of evidence collection, actually installed setups are preferred over pure lock file analysis.
Required evidence:
- composer config/manifest file (e.g.
composer.json
file) - any of:
- an actual composer setup (the result after running
composer install [...]
on your project) - a working composer lock file (e.g.
composer.lock
file)
- an actual composer setup (the result after running
Internals
This tool utilizes the CycloneDX PHP library to generate the actual data structures, normalize/serializ them and validate the SBOM result.
This tool does not expose any additional public API or classes - all code is marked as @internal
and might change without any notice during version upgrades.
Contributing
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details, and how to run/setup locally.
License
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.