{"id":13803705,"url":"https://github.com/CycloneDX/cyclonedx-php-composer","last_synced_at":"2025-05-13T16:32:24.284Z","repository":{"id":36281017,"uuid":"201355729","full_name":"CycloneDX/cyclonedx-php-composer","owner":"CycloneDX","description":"Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects","archived":false,"fork":false,"pushed_at":"2025-05-11T14:22:41.000Z","size":1473,"stargazers_count":65,"open_issues_count":15,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-05-11T15:28:40.985Z","etag":null,"topics":["bill-of-materials","bom","composer","composer-plugin","cyclonedx","dependency-graph","hacktoberfest","owasp","package-url","php","purl","sbom","sbom-generator","sbom-tool","software-bill-of-materials","spdx"],"latest_commit_sha":null,"homepage":"https://cyclonedx.org/","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CycloneDX.png","metadata":{"files":{"readme":"README.md","changelog":"HISTORY.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"]}},"created_at":"2019-08-09T00:04:56.000Z","updated_at":"2025-05-11T14:22:37.000Z","dependencies_parsed_at":"2023-01-17T00:06:50.211Z","dependency_job_id":"87fa47d5-2eea-44ad-8f79-9abe75fa8c61","html_url":"https://github.com/CycloneDX/cyclonedx-php-composer","commit_stats":{"total_commits":368,"total_committers":9,"mean_commits":"40.888888888888886","dds":"0.41032608695652173","last_synced_commit":"204cb909ddeb24c4eeb
5be0a0eae34217402d059"},"previous_names":[],"tags_count":46,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-php-composer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-php-composer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-php-composer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CycloneDX%2Fcyclonedx-php-composer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CycloneDX","download_url":"https://codeload.github.com/CycloneDX/cyclonedx-php-composer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253591619,"owners_count":21932877,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bill-of-materials","bom","composer","composer-plugin","cyclonedx","dependency-graph","hacktoberfest","owasp","package-url","php","purl","sbom","sbom-generator","sbom-tool","software-bill-of-materials","spdx"],"created_at":"2024-08-04T01:00:37.103Z","updated_at":"2025-05-13T16:32:19.269Z","avatar_url":"https://github.com/CycloneDX.png","language":"PHP","funding_links":["https://owasp.org/donate/?reponame=www-project-cyclonedx\u0026title=OWASP+CycloneDX"],"categories":["Plugins"],"sub_categories":["Support"],"readme":"# CycloneDX PHP Composer 
Plugin\n\n[![shield_packagist-version]][link_packagist]\n[![shield_gh-workflow-test]][link_gh-workflow-test]\n[![shield_coverage]][link_codacy]\n[![shield_ossf-best-practices]][link_ossf-best-practices]\n[![shield_license]][license_file]  \n[![shield_website]][link_website]\n[![shield_slack]][link_slack]\n[![shield_groups]][link_discussion]\n[![shield_twitter-follow]][link_twitter]\n\n----\n\nA plugin for PHP's _[Composer](https://getcomposer.org/)_\nthat generates Software Bill of Materials (SBOM) in _[CycloneDX](https://cyclonedx.org/)_ format.\n\nBased on [OWASP Software Component Verification Standard for Software Bill of Materials](https://scvs.owasp.org/scvs/v2-software-bill-of-materials/)'s\ncriteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).\n\nThe resulting SBOM documents follow [official specifications and standards](https://github.com/CycloneDX/specification),\nand might have properties following [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md)\n.\n\n## Requirements\n\n* PHP `^8.1`\n* Composer `^2.3`\n\nHowever, there are older versions of this plugin available, which\nsupport PHP `^5.5||^7.0||^8.0`\nwith Composer `^1.0||^2.0`\n.\n\n## Installation\n\nAs a global _Composer_ plugin:\n\n```shell\ncomposer global require cyclonedx/cyclonedx-php-composer\n```\n\nAs a development dependency of the current project:\n\n```shell\ncomposer require --dev cyclonedx/cyclonedx-php-composer\n```\n\n## Usage\n\nAfter successful installation, the _Composer_ command `CycloneDX:make-sbom` is available.\n\n```ShellSession\n$ composer CycloneDX:make-sbom --help\n\nDescription:\n  Generate a CycloneDX Bill of Materials from a PHP Composer project.\n\nUsage:\n  CycloneDX:make-sbom [options] [--] [\u003ccomposer-file\u003e]\n\nArguments:\n  composer-file                                       Path to Composer config file.\n             
                                         [default: \"composer.json\" file in current working directory]\n\nOptions:\n      --output-format=OUTPUT-FORMAT                   Which output format to use.\n                                                      {choices: \"JSON\", \"XML\"}\n                                                      [default: \"XML\"]\n      --output-file=OUTPUT-FILE                       Path to the output file.\n                                                      Set to \"-\" to write to STDOUT\n                                                      [default: \"-\"]\n      --omit=OMIT                                     Omit dependency types.\n                                                      {choices: \"dev\", \"plugin\"}\n                                                      (multiple values allowed)\n      --spec-version=SPEC-VERSION                     Which version of CycloneDX spec to use.\n                                                      {choices: \"1.1\", \"1.2\", \"1.3\", \"1.4\", \"1.5\", \"1.6\"}\n                                                      [default: \"1.5\"]\n      --output-reproducible|--no-output-reproducible  Whether to go the extra mile and make the output reproducible.\n                                                      This might result in loss of time- and random-based-values.\n      --validate|--no-validate                        Formal validate the resulting BOM.\n      --mc-version=MC-VERSION                         Version of the main component.\n                                                      This will override auto-detection.\n  -h, --help                                          Display help for the given command.\n  -q, --quiet                                         Do not output any message\n  -v|vv|vvv, --verbose                                Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug\n```\n\n## Demo\n\nFor a demo of 
_cyclonedx-php-composer_ see the [demo projects][demo_readme].\n\n## How it works\n\nThis tool utilizes composer itself to collect evidence for installed composer packages.  \nIn terms of evidence collection, actually installed setups are preferred over pure lock file analysis.  \nRequired evidence:\n\n* composer config/manifest file (e.g. `composer.json` file)\n* any of:\n  * an actual composer setup (the result after running `composer install [...]` on your project)\n  * a working composer lock file (e.g. `composer.lock` file)\n\n## Internals\n\nThis tool utilizes the [CycloneDX PHP library][cyclonedx-php-library] to generate the actual data structures,\nnormalize/serialize them and validate the SBOM result.\n\nThis tool does **not** expose any additional _public_ API or classes - all code is marked as `@internal` and might change without any notice during version upgrades.\n\n## Contributing\n\nFeel free to open issues, bug reports or pull requests.  \nSee the [CONTRIBUTING][contributing_file] file for details, and how to run/set up locally.\n\n## License\n\nPermission to modify and redistribute is granted under the terms of the Apache 2.0 license.  
\nSee the [LICENSE][license_file] file for the full license.\n\n[license_file]: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/LICENSE\n[contributing_file]: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/CONTRIBUTING.md\n[demo_readme]: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/demo/README.md\n\n[cyclonedx-php-library]: https://packagist.org/packages/cyclonedx/cyclonedx-library\n\n[shield_gh-workflow-test]: https://img.shields.io/github/actions/workflow/status/CycloneDX/cyclonedx-php-composer/php.yml?branch=master\u0026logo=GitHub\u0026logoColor=white \"build\"\n[shield_packagist-version]: https://img.shields.io/packagist/v/cyclonedx/cyclonedx-php-composer?logo=Packagist\u0026logoColor=white \"packagist\"\n[shield_coverage]: https://img.shields.io/codacy/coverage/30d812e89a8e429695ba1e4fc7969958?logo=Codacy\u0026logoColor=white \"test coverage\"\n[shield_ossf-best-practices]: https://img.shields.io/cii/percentage/7953?label=OpenSSF%20best%20practices \"OpenSSF best practices\"\n[shield_license]: https://img.shields.io/github/license/CycloneDX/cyclonedx-php-composer?logo=open%20source%20initiative\u0026logoColor=white \"license\"\n[shield_website]: https://img.shields.io/badge/https://-cyclonedx.org-blue.svg \"homepage\"\n[shield_slack]: https://img.shields.io/badge/slack-join-blue?logo=Slack\u0026logoColor=white \"slack join\"\n[shield_groups]: https://img.shields.io/badge/discussion-groups.io-blue.svg \"groups discussion\"\n[shield_twitter-follow]: https://img.shields.io/badge/Twitter-follow-blue?logo=Twitter\u0026logoColor=white \"twitter follow\"\n[link_gh-workflow-test]: https://github.com/CycloneDX/cyclonedx-php-composer/actions/workflows/php.yml?query=branch%3Amaster\n[link_codacy]: https://app.codacy.com/gh/CycloneDX/cyclonedx-php-composer\n[link_ossf-best-practices]: https://www.bestpractices.dev/projects/7953\n[link_packagist]: 
https://packagist.org/packages/cyclonedx/cyclonedx-php-composer\n[link_website]: https://cyclonedx.org/\n[link_slack]: https://cyclonedx.org/slack/invite\n[link_discussion]: https://groups.io/g/CycloneDX\n[link_twitter]: https://twitter.com/CycloneDX_Spec\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcyclonedx-php-composer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCycloneDX%2Fcyclonedx-php-composer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCycloneDX%2Fcyclonedx-php-composer/lists"}
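The README's "How it works" section lists the evidence the plugin needs (a `composer.json` plus either an installed vendor tree or a `composer.lock`, with the installed setup preferred), and its "Usage" section shows the `CycloneDX:make-sbom` options. The following POSIX shell wrapper is an added example, not code from the CycloneDX project: it checks that evidence in the same order of preference before invoking the plugin with reproducible JSON output and formal validation turned on. It assumes that Composer 2 records the installed set in `vendor/composer/installed.json` (used here as the marker of "an actual composer setup") and that `composer` with the plugin installed is on PATH; the function names `sbom_evidence` and `make_sbom` are this example's own.

```shell
#!/bin/sh
# Added example, not part of cyclonedx-php-composer.
# Usage: . ./make_sbom.sh && make_sbom /path/to/project [output-file]
#
# Assumptions (not taken from the README):
#   - Composer 2 writes the installed package set to vendor/composer/installed.json;
#     that file is treated here as proof of "an actual composer setup".
#   - `composer` is on PATH and the plugin is installed (globally or as a dev dep).

# Print the kind of evidence found in DIR and return 0, or return 1 when the
# plugin would have nothing to work with. Order mirrors the README: an
# installed setup wins over a lock file.
sbom_evidence() {
    dir=$1
    [ -f "$dir/composer.json" ] || { echo "$dir: missing composer.json" >&2; return 1; }
    if [ -f "$dir/vendor/composer/installed.json" ]; then
        echo installed   # preferred: what is actually on disk
    elif [ -f "$dir/composer.lock" ]; then
        echo lock        # fallback: pure lock file analysis
    else
        echo "$dir: neither vendor/ nor composer.lock found; run composer install" >&2
        return 1
    fi
}

# Generate a CycloneDX JSON SBOM for DIR (default output: DIR/sbom.json).
# --omit=dev keeps development-only packages out of a release SBOM,
# --output-reproducible drops time- and random-based values so two runs on the
# same input are byte-identical, and --validate makes the plugin fail on a BOM
# that does not pass the spec schema instead of writing it silently.
make_sbom() {
    dir=$1
    out=${2:-$dir/sbom.json}
    kind=$(sbom_evidence "$dir") || return 1
    echo "evidence for $dir: $kind" >&2
    ( cd "$dir" && composer CycloneDX:make-sbom \
        --output-format=JSON \
        --output-file="$out" \
        --omit=dev \
        --spec-version=1.6 \
        --output-reproducible \
        --validate )
}
```

Run `make_sbom` twice on an unchanged project and compare the two files with `cmp`; with `--output-reproducible` they must be identical, which is what lets the SBOM be committed or attested alongside the release artefact. Signing, as the README notes, still has to be done by an external tool.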