Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects

Overview



CycloneDX PHP Composer Plugin

A plugin for PHP's Composer that generates Software Bill of Materials (SBoM) in CycloneDX format.

Requirements

The latest version of this plugin supports PHP ^7.3 || ^8.0 with Composer ^2.0.

Older versions of this plugin are also available; they support PHP ^5.5 || ^7.0 || ^8.0 with Composer ^1.0 || ^2.0.

Installation

Install via composer:

composer require --dev cyclonedx/cyclonedx-php-composer

Usage

After successful installation, the composer command make-bom is available.

$ composer make-bom -h
Usage:
  make-bom [options] [--] [<composer-file>]

Arguments:
  composer-file                      Path to composer config file.
                                     Defaults to "composer.json" file in working directory.

Options:
      --output-format=OUTPUT-FORMAT  Which output format to use.
                                     Values: "XML", "JSON" [default: "XML"]
      --output-file=OUTPUT-FILE      Path to the output file.
                                     Set to "-" to write to STDOUT.
                                     Depending on the output-format, default is one of: "bom.xml", "bom.json"
      --exclude-dev                  Exclude dev dependencies
      --exclude-plugins              Exclude composer plugins
      --spec-version=SPEC-VERSION    Which version of CycloneDX spec to use.
                                     Values: "1.1", "1.2", "1.3" [default: "1.3"]
      --no-validate                  Don't validate the resulting output
      --mc-version=MC-VERSION        Version of the main component.
                                     This will override auto-detection.
      --no-version-normalization     Don't normalize component version strings.
                                     Per default this plugin will normalize version strings by stripping leading "v".
                                     This is a compatibility-switch. The next major-version of this plugin will not modify component versions.
  -h, --help                         Display this help message
  -q, --quiet                        Do not output any message
  -V, --version                      Display this application version
      --ansi                         Force ANSI output
      --no-ansi                      Disable ANSI output
  -n, --no-interaction               Do not ask any interactive question
      --profile                      Display timing and memory usage information
      --no-plugins                   Whether to disable plugins.
  -d, --working-dir=WORKING-DIR      If specified, use the given directory as working directory.
      --no-cache                     Prevent use of the cache
  -v|vv|vvv, --verbose               Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Help:
  Generate a CycloneDX Bill of Materials

Demo

For a demo of cyclonedx-php-composer see the demo project.

Internals

This Composer plugin uses the CycloneDX library to generate the actual data structures.

This Composer plugin does not expose any additional public API or classes: all code is marked as @internal and might change without notice between versions.

Contributing

Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

Comments
  • [WIP] rework/refactor

    [WIP] rework/refactor

    RE: https://github.com/CycloneDX/cyclonedx-php-composer/pull/10#issuecomment-774524762

    this is a messy branch, but I think it's worth taking a look. Basically work in progress.

    highlights:

    • more CI chain
    • a demo in CI chain
    • more QA tools
    • more structured tests (work in progress)
    • new: deserializer is implemented and showcased in the functional tests
    • (de)serializer still handcrafted.

    :construction: my personal to-do list to get from WIP to ready state: https://github.com/jkowalleck/cyclonedx-php-composer/issues/2


    :information_source: STATUS

    • lots of the QA features of this PR were merged into master in separate small chunks already.
    • the demo similar to the one of this rework was merged into master lately (see #58)
    • core rework/refactoring is still unfinished
    • --> parts of this PR are unnecessary now, since they were integrated into master already.
    • --> this PR will be closed soon, and a more recent and rebased version will be opened as a draft then.
    opened by jkowalleck 12
  • ExternalReference.url XML validation error `xs:anyURI`

    ExternalReference.url XML validation error `xs:anyURI`

    • the version you are using cyclonedx/cyclonedx-php-composer V3.9.0

    • your operating system and version WSL2.0 Ubuntu 20.04 on Windows 10

    • reproducible steps (1 2 3...) that cause the issue including any required files Execute "php composer.phar make-bom --exclude-dev --output-file=composer-bom.xml ./composer.json"

    • what you expected, versus what happened The system generates a composer-bom.xml file, but instead the system gives an error. See error and reason below

    • any relevant screenshots and other outputs Output:

    Validate BOM with CycloneDX\Core\Validation\Validators\XmlValidator for 1.3
    ValidationError:
    ValidationError: Element '{http://cyclonedx.org/schema/bom/1.3}url': 'http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception' is not a valid value of the atomic type 'xs:anyURI'.
    

    the drush/drush requirements tree has pear/pear_exception as a requirement. Inside the composer.json of this module there is a URL with [] (see support->issues in the content below)

    the system fails validating the output with the following message:

    Validate BOM with CycloneDX\Core\Validation\Validators\XmlValidator for 1.3 ValidationError: ValidationError: Element '{http://cyclonedx.org/schema/bom/1.3}url': 'http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception' is not a valid value of the atomic type 'xs:anyURI'.

    Generating the same file with --no-validate generates the file correctly, which we merge with our NPM bom file and upload to dTrack

    {
        "name": "pear/pear_exception",
        "version": "v1.0.1",
        "source": {
            "type": "git",
            "url": "https://github.com/pear/PEAR_Exception.git",
            "reference": "dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7"
        },
        "dist": {
            "type": "zip",
            "url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7",
            "reference": "dbb42a5a0e45f3adcf99babfb2a1ba77b8ac36a7",
            "shasum": ""
        },
        "require": {
            "php": ">=4.4.0"
        },
        "require-dev": {
            "phpunit/phpunit": "*"
        },
        "type": "class",
        "extra": {
            "branch-alias": {
                "dev-master": "1.0.x-dev"
            }
        },
        "autoload": {
            "classmap": [
                "PEAR/"
            ]
        },
        "notification-url": "https://packagist.org/downloads/",
        "include-path": [
            "."
        ],
        "license": [
            "BSD-2-Clause"
        ],
        "authors": [
            {
                "name": "Helgi Thormar",
                "email": "[email protected]"
            },
            {
                "name": "Greg Beaver",
                "email": "[email protected]"
            }
        ],
        "description": "The PEAR Exception base class.",
        "homepage": "https://github.com/pear/PEAR_Exception",
        "keywords": [
            "exception"
        ],
        "support": {
            "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception",
            "source": "https://github.com/pear/PEAR_Exception"
        },
        "time": "2019-12-10T10:24:42+00:00"
    }
    
    bug 
    opened by uselab 6
  • rework

    rework "normalizing" of composer versions

    background

    in php/composer the v prefix in versions is understood by the ecosystem. it "heals" itself regarding a missing/existing v. in the lock file the actual version is used; the v is added/removed to match the correct prefix of the actual version. (example)

    I would prefer to keep the v if composer found that it is part of the actual version.

    but unfortunately this would be a change of the implementation since v1 that is actually kept until now (v3) since it seems to be there for a reason (which drives me mad since the actual version sometimes has a v for real).

    proposal

    don't handle a leading v in any special way. just leave everything as is. additionally: make it optional (opt-in) to strip the v in front of a version. (only if there is an actual need for this, don't write this feature unless it is required)

    impact

    this would be a breaking change, since current implementation strips the v per default. Proposed change would remove this behavior per default.

    acceptance criteria

    • [ ] the v is not stripped, if composer tells that it exists.
    • [ ] remove --no-version-normalization option and related capabilities
    • [ ] remove the "normalizer" entirely

    work packages

    tbd

    breaking change 
    opened by jkowalleck 5
  • streamline demo with CycloneDX/sbom-examples

    streamline demo with CycloneDX/sbom-examples

    there is a repo https://github.com/CycloneDX/sbom-examples it hosts example output of this project as https://github.com/CycloneDX/sbom-examples/tree/master/laravel-7.12.0

    there's a demo project for cyclonedx-php-composer: https://github.com/CycloneDX/cyclonedx-php-composer/tree/master/demo

    goal: streamline both of them:

    • [x] adjust cyclonedx-php-composer's demo to produce the results for https://github.com/CycloneDX/sbom-examples/tree/master/laravel-7.12.0
      • might not be done completely correct. see discussion in this issue below
    • [x] link with https://github.com/CycloneDX/sbom-examples/tree/master/laravel-7.12.0
    • [x] update https://github.com/CycloneDX/sbom-examples/tree/master/laravel-7.12.0
      • update XML
      • add JSON
      • cross-link cyclonedx-php-composer's demo with https://github.com/CycloneDX/sbom-examples/tree/master/laravel-7.12.0
      • :100: PR: https://github.com/CycloneDX/sbom-examples/pull/8
    • [x] dependabot must ignore demo dir
    • [x] reproducible tests check that SBOM output for XML files did not change
    • [x] reproducible tests check that SBOM output for JSON files did not change

    demo project and reproducible outcome is available here: https://github.com/CycloneDX/cyclonedx-php-composer/tree/master/demo/laravel-7.12.0

    documentation QA CI example 
    opened by jkowalleck 5
  • XML with valid licenses, regardless of input

    XML with valid licenses, regardless of input

    the current implementation has the chance to create invalid XML: when a dependency uses a license that is unknown to the XML schema.

    licenses are values of an enumeration described here: https://cyclonedx.org/schema/spdx according to XML schema.

    this patch does the following:

    • add tests for licenses that are invalid.
    • ship a list of known licenses.
    • licenses in the XML will be written as <id> or <name> - just as described in the XML schema.
    • add a script to download latest known licenses.
    opened by jkowalleck 5
  • Modify the generated package URL to match purl-spec

    Modify the generated package URL to match purl-spec

    As per https://github.com/package-url/purl-spec a package URL is as follows:

    scheme:type/namespace/name@version?qualifiers#subpath
    

    This package generates URLs such as pkg://composer/... which don't follow the specification, the // part needs to be removed.

    opened by Szasza 5
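    An added example in Python (not code from cyclonedx-php-composer) tying together three points raised in the comments above: the purl form required by purl-spec ("pkg:composer/...", a single colon, not "pkg://"), the default stripping of a leading "v" that the --no-version-normalization switch turns off, and the xs:anyURI validation failure on the bracketed support URL from the bug report. The composer.lock entry is a constructed, trimmed version of the one quoted in that report; the xs:anyURI check is an RFC 3986 character-set approximation, not libxml's validator.

```python
"""Derive the CycloneDX component fields for one composer.lock package entry.

Added example, not code from cyclonedx-php-composer. It shows the purl form
"pkg:composer/<vendor>/<name>@<version>", the leading-"v" stripping that
--no-version-normalization disables, and how a URL with unencoded "[]" in
its query (rejected as xs:anyURI by the XML validator) is made safe.
"""
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample: a trimmed composer.lock package entry modelled on the
# pear/pear_exception entry quoted in the bug report above.
SAMPLE_PACKAGE = {
    "name": "pear/pear_exception",
    "version": "v1.0.1",
    "source": {"type": "git", "url": "https://github.com/pear/PEAR_Exception.git"},
    "support": {
        "issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception",
        "source": "https://github.com/pear/PEAR_Exception",
    },
}

# Characters RFC 3986 allows unencoded in path, query and fragment
# (unreserved, sub-delims, ":", "@", "/", "?") plus "%" for pct-encoding.
# "[" and "]" are deliberately absent: they are only valid in an IPv6 host.
_URI_SAFE = "-._~!$&'()*+,;=:@/?%"
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*$")


def is_anyuri_safe(url: str) -> bool:
    """Approximate the check that rejected the URL in the bug report: path,
    query and fragment may only contain allowed URI characters."""
    parts = urlsplit(url)
    return all(_URI_CHARS.match(p) for p in (parts.path, parts.query, parts.fragment))


def to_anyuri(url: str) -> str:
    """Percent-encode only the offending characters and leave the rest of the
    URL intact, so "[" / "]" in the query become "%5B" / "%5D"."""
    parts = urlsplit(url)
    return urlunsplit((
        parts.scheme,
        parts.netloc,
        quote(parts.path, safe=_URI_SAFE),
        quote(parts.query, safe=_URI_SAFE),
        quote(parts.fragment, safe=_URI_SAFE),
    ))


def normalize_version(version: str, strip_leading_v: bool = True) -> str:
    """Mimic the plugin's default of dropping a leading "v" ("v1.0.1" -> "1.0.1").
    strip_leading_v=False corresponds to the --no-version-normalization switch."""
    if strip_leading_v and re.match(r"^v\d", version):
        return version[1:]
    return version


def composer_purl(name: str, version: str) -> str:
    """Package URL per purl-spec: scheme:type/namespace/name@version.
    Composer names are always "vendor/package", so the vendor is the namespace.
    Each segment is percent-encoded on its own. Note the single ":" after
    "pkg"; "pkg://composer/..." is the form the issue above reports as wrong."""
    namespace, pkg = name.split("/", 1)
    return "pkg:composer/{}/{}@{}".format(
        quote(namespace, safe=""), quote(pkg, safe=""), quote(version, safe="")
    )


def component_record(pkg: dict, strip_leading_v: bool = True) -> dict:
    """Assemble the component fields as a plain dict. "issue-tracker" and
    "vcs" are external reference types defined by the CycloneDX schema."""
    version = normalize_version(pkg["version"], strip_leading_v)
    candidates = (
        ("issue-tracker", pkg.get("support", {}).get("issues")),
        ("vcs", pkg.get("source", {}).get("url")),
    )
    return {
        "name": pkg["name"],
        "version": version,
        "purl": composer_purl(pkg["name"], version),
        "externalReferences": [
            {"type": ref_type, "url": to_anyuri(url)}
            for ref_type, url in candidates
            if url
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(component_record(SAMPLE_PACKAGE), indent=2))
```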
  • tools(deps-dev): update ergebnis/composer-normalize requirement from 2.18.0 to 2.22.0 in /tools/composer-normalize

    tools(deps-dev): update ergebnis/composer-normalize requirement from 2.18.0 to 2.22.0 in /tools/composer-normalize

    Updates the requirements on ergebnis/composer-normalize to permit the latest version.

    Release notes

    Sourced from ergebnis/composer-normalize's releases.

    2.22.0

    Changelog

    Sourced from ergebnis/composer-normalize's changelog.

    [2.22.0][2.22.0]

    For a full diff see [2.21.0...2.22.0][2.21.0...2.22.0].

    Changed

    [2.21.0][2.21.0]

    For a full diff see [2.20.0...2.21.0][2.20.0...2.21.0].

    Changed

    [2.20.0][2.20.0]

    For a full diff see [2.19.0...2.20.0][2.19.0...2.20.0].

    Changed

    [2.19.0][2.19.0]

    For a full diff see [2.18.0...2.19.0][2.18.0...2.19.0].

    Changed

    • Required composer/composer:2.2.1 for compiling composer-normalize.phar (#842), by [@​localheinz]

    [2.18.0][2.18.0]

    For a full diff see [2.17.0...2.18.0][2.17.0...2.18.0].

    Changed

    [2.17.0][2.17.0]

    For a full diff see [2.16.0...2.17.0][2.16.0...2.17.0].

    Changed

    Fixed

    ... (truncated)

    Commits
    • ff901b8 Merge pull request #858 from ergebnis/dependabot/composer/ergebnis/json-norma...
    • 4948dd1 Fix: Update CHANGELOG.md
    • 0c5a7ca composer(deps): bump ergebnis/json-normalizer from 1.0.3 to 2.0.0
    • 03fd8da Merge pull request #857 from ergebnis/fix/format
    • 0fc6dda Fix: Create Format from Json
    • 269f809 Merge pull request #856 from ergebnis/dependabot/composer/ergebnis/json-print...
    • 30ff6e2 composer(deps): bump ergebnis/json-printer from 3.1.1 to 3.2.0
    • 8b43ce4 Merge pull request #855 from ergebnis/fix/property
    • ffe1f5d Fix: Add property type declarations
    • 0f62c48 Merge pull request #854 from ergebnis/fix/baseline
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies tools 
    opened by dependabot[bot] 4
  • Initial implementation

    Initial implementation

    This PR adds an initial implementation of the CycloneDX Composer plugin. It is capable of generating valid CycloneDX v1.1 BOMs from Composer's lockfile.

    My knowledge of the PHP ecosystem is kind of limited, so I expect some bugs to surface once this plugin experiences higher usage counts.

    @stevespringett: In case you'll merge this, you need to set up a Packagist account as described here.

    opened by nscuro 3
  • tools(deps-dev): update vimeo/psalm requirement from 4.30.0 to 5.1.0 in /tools/psalm

    tools(deps-dev): update vimeo/psalm requirement from 4.30.0 to 5.1.0 in /tools/psalm

    Updates the requirements on vimeo/psalm to permit the latest version.

    Release notes

    Sourced from vimeo/psalm's releases.

    5.1.0

    What's Changed

    Deprecations

    Features

    Fixes

    Docs

    New Contributors

    Full Changelog: https://github.com/vimeo/psalm/compare/5.0.0...5.1.0

    Commits
    • 4defa17 Merge pull request #8774 from bdsl/report-by-issue-type-severity
    • 1dbdf78 Code style fix
    • ad57727 Sort issue by position in codebase in ByIssueLevelAndTypeReport if level & ty...
    • a29f65e Fix too lax function visibility in test
    • 6693421 Code style fix
    • 5423983 Fix error in ByIssueLvelAndTypeReport heading
    • 699ee34 Indent heredoc in test
    • d6c7c86 Remove unecassary subheadings in error levels documentation
    • cd18cdc Re-order list of errors in docs
    • 9e63bf6 Minor code edits in ByIssueLevelAndType
    • Additional commits viewable in compare view

    dependencies tools 
    opened by dependabot[bot] 2
  • feat: component's authors

    feat: component's authors

    Is your feature request related to a problem? Please describe.

    no

    Describe the solution you'd like

    have the composer package's authors in the SBOM result for each component and the metadata.component

    Describe alternatives you've considered

    none

    Additional context

    Add any other context or screenshots about the feature request here.

    enhancement 
    opened by jkowalleck 2
  • Add package's CPE to BOM

    Add package's CPE to BOM

    Is your feature request related to a problem? Please describe.

    OWASP's Dependency track internal analyser uses only CPE (not PURL) to match components with NVD vulnerabilities. The current version of this package does not seem to include CPE in the generated BOM file. When uploaded to dependency track, the default analyser fails to match any PHP dependency to known vulnerabilities.

    Describe the solution you'd like

    In the generated bom in cyclonedx format, include the CPE of all packages

    Describe alternatives you've considered

    Dependency track can be configured to use other scanners, which can handle the provided packages' PURLs. But it would be better to be able to benefit also from the https://nvd.nist.gov/vuln

    Packagist is also integrating NIST's NVD, but having all the information centralised in the dependency track application would be great

    Additional context

    With the example of https://nvd.nist.gov/vuln/detail/CVE-2021-3603 the expected CPE is cpe:2.3:a:phpmailer_project:phpmailer:*:*:*:*:*:*:*:* ( |<=6.4.1 )

    Looking at the composer.json file, there's no mention of phpmailer_project, neither on packagist's page https://packagist.org/packages/phpmailer/phpmailer#v5.2.26 I don't know how it should be built with the available composer's data...?

    enhancement 
    opened by ryden54 2
  • tools(deps-dev): Update vimeo/psalm requirement from 4.30.0 to 5.4.0 in /tools/psalm

    tools(deps-dev): Update vimeo/psalm requirement from 4.30.0 to 5.4.0 in /tools/psalm

    Updates the requirements on vimeo/psalm to permit the latest version.

    Release notes

    Sourced from vimeo/psalm's releases.

    5.4.0

    What's Changed

    Features

    Fixes

    Internal changes

    Full Changelog: https://github.com/vimeo/psalm/compare/5.3.0...5.4.0

    Commits

    dependencies tools 
    opened by dependabot[bot] 0
  • V4 finalization

    V4 finalization

    • [ ] require cyclonedx/cyclonedx-library:^2.0 (no more 2.x-dev) - #128
    • [x] have the used property taxonomy merged - https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/37
    • [ ] TO BE CONTINUED
    • [ ] finish all in https://github.com/CycloneDX/cyclonedx-php-composer/milestone/5
    opened by jkowalleck 0
  • [WIP] v4

    [WIP] v4

    TODO

    • [ ] find lowest boundaries, after implementation is done, so that the lowest reasonable versions of composer-api and dependencies can be specified
    • [x] have a proper reimplementation -
      • [x] basics see #254
      • [x] metadata.tool
      • [x] see the demo data results and how they differ !
      • [x] omit plugins
    • [x] reproducible output - or add creation date etc ...
    • [ ] have all planned features implemented: https://github.com/CycloneDX/cyclonedx-php-composer/milestone/5
    • [ ] have reasonable tests - besides the demos that are integration-test-like
    • [ ] update the docs
    • [ ] update the changelog
    • [ ] pin the used version of the CDX php lib
    documentation enhancement dependencies QA CI tools breaking change schema 1.4 
    opened by jkowalleck 0
  • have a `.phar` released

    have a `.phar` released

    Is your feature request related to a problem? Please describe.

    on CI, I always need to have a php composer available in order to create an SBOM of a composer.lock

    Describe the solution you'd like

    have a bundled .phar added to every release, that includes composer & the CDX composer plugin

    Additional context

    acc / crit

    • phar includes a version of php composer & CDX plugin
    • phar bundles pinned versions of all dependencies
      • lock file in the repo
      • add SBOM to PHAR far to know what is in it
    • building PHAR is automated part of every release
    • CI tests to build PHAR and execute integration/demos on every CT run
    • IDEA: https://github.com/humbug/php-scoper is part of build process
    idea 
    opened by jkowalleck 0
  • configuration file

    configuration file

    benefit: have the config in a file, so no CLI parameters are needed

    parameter defaults are read from the config-file, and may override system defaults. parameters can still be overridden via CLI parameters

    implementation details: use extra section of the composer file. see https://getcomposer.org/doc/04-schema.md#extra


    acc / crit

    • [ ] config overrides system defaults (therefore config file settings = presets)
    • [ ] CLI params override any defaults/presets
    • [ ] parameter type checks are (still) in place
    • [ ] parameter plausibility checks are still in place
    • [ ] config possibility is documented
      (+ docs have hint, that this config can be used with the gh-action -- see https://github.com/CycloneDX/gh-php-composer-generate-sbom/issues/1)
    enhancement help wanted 
    opened by jkowalleck 1
Releases (v3.10.2)
  • v3.10.2 (Sep 15, 2022)

  • v3.10.1 (Aug 16, 2022)

  • v3.10.0 (Apr 2, 2022)

    Changed

    • Raised dependency cyclonedx/cyclonedx-library:^1.4.2, was cyclonedx/cyclonedx-library:^1.3.1. (via #192)

    Misc

    • Adjusted internal typing and typehints. (via #192)
    • Improved compatibility to Composer v2.3 (via #212)
  • v3.9.2 (Dec 4, 2021)

  • v3.9.1 (Dec 3, 2021)

    Fixed

    • XML validation error for ExternalReference. (#158 via #159)

    Changed

    • The ValidationError message requests reporting with the "ValidationError" issue template. (via #160) No template was used in the past.
  • v3.9.0 (Dec 1, 2021)

  • v3.8.0 (Nov 30, 2021)

    Fixed

    • Compatibility with composer v2.0.0 to v2.0.4 was improved. (via #152)
    • Possible crashes when composer was not able to detect component's version properly.
  • v3.7.0 (Nov 10, 2021)

    Added

    • CLI got a new switch --no-version-normalization. (via #138)
      That allows omitting component version-string normalization.
      Per default this plugin will normalize version strings by stripping leading "v".
      This is a compatibility-switch. The next major-version of this plugin will not modify component versions. (see #102)
  • v3.6.0 (Oct 15, 2021)

    Added

    • CLI got a new option --mc-version. (via #133)
      That allows setting the main component's version in the resulting SBoM, so that the auto-detection can be overridden.

    Fixed

    • The resulting SBoM's main component's purl does not get a version assigned, if the version auto-detection fails. (via #134)
  • v3.5.0 (Oct 7, 2021)

    Changed

    The "Core" library was moved to an own package: https://packagist.org/packages/cyclonedx/cyclonedx-library
    The new external package/library is a one-to-one copy of the original code from this project, which is now a dependency of this project. So usage of the original code is still possible without any changes for third parties.
    See #87 for details.

  • v3.4.1 (Sep 16, 2021)

  • v3.4.0 (Sep 12, 2021)

    Changed

    • Core library
      • Some repository data-types are lists of unique items, so no duplicates are kept.
        Affected classes/data-types :
        • ComponentRepository
        • DisjunctiveLicenseRepository
        • ToolRepository

    Added

    • CLI via composer make-bom
      • Will try to populate dependencies of the SBoM result.
    • Core library
      • Added BomRef model to link bom elements in general.
        Added BomRefRepository data type as a collection of unique BomRef.
      • Added bomRef to Component model to link components as dependencies.
        Added dependencies to Component model.
      • Added ability to serialize dependencies to XML.
      • Added ability to serialize dependencies to JSON.

    Misc

    • Moved development docs to docs/dev/.
    • Refactored the plugin's internals.
  • v3.3.1 (Jul 29, 2021)

    Fixed

    • CLI via composer make-bom
      • Will ignore "AliasPackages" when generating the SBoM, since their alias-target is part of the SBoM already.
  • v3.3.0 (Jul 25, 2021)

    Changed

    • Core library
      • SerializersGroups will skip unsupported elements silently, instead of forwarding caught exceptions.
        This results in an overall smoother SBoM generation process, just as intended.

    Added

    • CLI via composer make-bom
      • Will try to populate metadata of the SBoM result.
    • Core library
      • Added models for spec elements: metadata, tools, tool
      • Added ability to serialize metadata to XML.
      • Added ability to serialize metadata to JSON.

    Fixed

    • CLI via composer make-bom
      • composer packages of type project or composer-plugin result as CycloneDX component of type application, was library.

    Misc

    • Updated demos/examples to reflect current state of SBoM results including metadata.
    • Split some tests to more fine-grained scenarios.
  • v3.2.0 (Jul 19, 2021)

    Changed

    • CLI via composer make-bom
      • All informational/error output will appear on STDERR, was STDOUT. Output of the SBoM might still happen on STDOUT.
        This makes utilization of STDOUT via --output-file=- more flexible (pipe, redirect) whilst verbosity can be increased via -v.

    Added

    • CLI via composer make-bom
      • Added an optional argument composer-file.
        If given, then the SBoM is generated based on that file instead of the file in the current working directory.
        This enables the plugin to analyze projects outside the plugin's own setup.

    Fixed

    • Fixed detection of invalid/outdated composer lock file.
    • Fixed a rare case that caused the CLI to crash unexpectedly, if the composer lock file was unexpected.

    Misc

    • Added composer keywords.
    • Refactored the plugin's internals.
    • Added more tests for internals.
  • v3.1.1 (Jul 13, 2021)

  • v3.1.0 (Jul 13, 2021)

    Feature release

    Added

    • CLI via composer make-bom
      • Per default the command will validate the resulting SBoM before writing it to file/stdOut.
      • Added a switch --no-validate to disable result validation.
      • When the verbosity is at "debug" level, then detailed debug info will be put out. This should help to find validation issues.
    • Validation classes/methods to test SBoM in XML and JSON format for spec 1.1, 1.2, 1.3
  • v3.0.0 (Jul 5, 2021)

    Breaking Changes

    • Now requires php ^7.3 || ^8.0, was ^7.1 || ^8.0.
    • Now requires composer v2 - composer-plugin-api:^2.0, was composer-plugin-api:^1.1||^2.0.
    • CLI via composer make-bom
      • Now defaults to the latest supported version of CycloneDX spec: 1.3
        See option --spec-version.
      • Deprecated switch --json was removed.
        Use option --output-format=JSON instead.
    • Components' licenses in SpdxLicenseExpression format are no longer split into disjunctive licenses. They are still emitted properly in the resulting output file.
    • Complete rewrite/refactor.
      Expect library classes/methods/functions to be removed, renamed or incompatible to previous versions - see the source for changes.

    Added

    • CLI
      • Output is less verbose by default. Verbosity can be increased via -v, -vv, -vvv.
      • Support for output to STDOUT. Use option --output-file=-.
      • Added an option --spec-version to select the CycloneDX spec version.
        Supported values: "1.1", "1.2", "1.3".
        Defaults to "1.3".
    • Support for JSON output format.
      JSON support was a preview before and became a basic part of the plugin now.

    Removed

    • This plugin no longer supports php<7.3.
    • This plugin no longer supports composer v1.
    • CLI
      • Deprecated switch --json was removed.
        Use option --output-format=JSON instead.

    Fixed

    • Some cases when the JSON SBoM generator created schema-invalid data.

    Misc

    • Use package-url/packageurl-php instead of an own implementation.
    • Added more tests during the build process.
    • Added Psalm & PHP-CS-Fixer to the CI chain and fixed all findings accordingly.
    • Added a demo run of the plugin to the CI chain.
  • v2.1.1(Jul 5, 2021)

  • v2.1.0(May 24, 2021)

    Added

    • CLI got an option --output-format to select the output format. (via #80)
      Supported values: "XML", "JSON".
      Defaults to "XML".
      The use of this new option replaces the switch --json.

    Deprecated

    • CLI switch --json was marked as deprecated. (via #80)
      Use option --output-format=JSON instead.
  • v2.0.3(May 13, 2021)

  • v2.0.2(May 13, 2021)

  • v2.0.1(Apr 11, 2021)

    Added

    • Support for slim dist-builds (via #24)

    Misc

    • Pinned dev-requirements to exact versions to ensure reproducible tests. (via #37)
    • Added (code) quality tests to the dev-process. (see #23)
    • CI unit tests now run only reasonable combinations of operating system, PHP version and dependencies. (via #34, #54)
    • Applied coding standards to all PHP files. (via #40)
  • v2.0.0(Mar 6, 2021)

  • v1.2.0(Feb 6, 2021)

    Added

    • Initial JSON support (via #16)

    Fixed

    • Some cases when the XML BoM generator created schema-invalid data. (via #15)
    • Added the missing but required composer requirement ext-xmlwriter. (via #11)
  • v1.1.0(Nov 25, 2020)

  • v1.0.1(Oct 13, 2020)

  • v1.0.0(May 13, 2021)

Owner
CycloneDX SBOM Standard
CycloneDX is a lightweight Software Bill of Materials (SBOM) standard, purpose-built for cybersecurity use cases. CycloneDX is an OWASP Flagship Project.