A plugin for PHP's Composer that generates Software Bill of Materials (SBOM) in CycloneDX format.
Based on OWASP Software Component Verification Standard for Software Bill of Materials's criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).
The resulting SBOM documents follow official specifications and standards,
and might have properties following cdx:composer Namespace Taxonomy
.
- PHP
^8.1 - Composer
^2.3
However, there are older versions of this plugin available, which
support PHP ^5.5||^7.0||^8.0
with Composer ^1.0||^2.0
.
As a global Composer plugin:
composer global require cyclonedx/cyclonedx-php-composerAs a development dependency of the current project:
composer require --dev cyclonedx/cyclonedx-php-composerAfter successful installation, the Composer command CycloneDX:make-sbom is available.
$ composer CycloneDX:make-sbom --help
Description:
Generate a CycloneDX Bill of Materials from a PHP Composer project.
Usage:
CycloneDX:make-sbom [options] [--] [<composer-file>]
Arguments:
composer-file Path to Composer config file.
[default: "composer.json" file in current working directory]
Options:
--output-format=OUTPUT-FORMAT Which output format to use.
{choices: "JSON", "XML"}
[default: "XML"]
--output-file=OUTPUT-FILE Path to the output file.
Set to "-" to write to STDOUT
[default: "-"]
--omit=OMIT Omit dependency types.
{choices: "dev", "plugin"}
(multiple values allowed)
--spec-version=SPEC-VERSION Which version of CycloneDX spec to use.
{choices: "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"}
[default: "1.5"]
--output-reproducible|--no-output-reproducible Whether to go the extra mile and make the output reproducible.
This might result in loss of time- and random-based-values.
--validate|--no-validate Formal validate the resulting BOM.
--mc-version=MC-VERSION Version of the main component.
This will override auto-detection.
-h, --help Display help for the given command.
-q, --quiet Do not output any message
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debugFor a demo of cyclonedx-php-composer see the demo projects.
This tool utilizes composer itself, to collect evidence for installed composer packages.
In terms of evidence collection, actually installed setups are preferred over pure lock file analysis.
Required evidence:
- composer config/manifest file (e.g.
composer.jsonfile) - any of:
- an actual composer setup (the result after running
composer install [...]on your project) - a working composer lock file (e.g.
composer.lockfile)
- an actual composer setup (the result after running
This tool utilizes the CycloneDX PHP library to generate the actual data structures, normalize/serializ them and validate the SBOM result.
This tool does not expose any additional public API or classes - all code is marked as @internal and might change without any notice during version upgrades.
Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details, and how to run/setup locally.
Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.