cyclonedx/cyclonedx-php-composer 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

cyclonedx/cyclonedx-php-composer

Composer 安装命令:

composer require cyclonedx/cyclonedx-php-composer

包简介

Creates CycloneDX Software Bill-of-Materials (SBOM) from PHP Composer projects

README 文档

README

shield_packagist-version shield_gh-workflow-test shield_coverage shield_ossf-best-practices shield_license
shield_website shield_slack shield_groups shield_twitter-follow

It is a plugin for PHP's Composer that generates Software Bill of Materials (SBOM) in CycloneDX format.
This is probably the most accurate, complete SBOM generator for Composer-based PHP projects.

Based on OWASP Software Component Verification Standard for Software Bill of Materials's criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).

The resulting SBOM documents follow official specifications and standards, and might have properties following cdx:composer Namespace Taxonomy .

Requirements

  • PHP ^8.1
  • Composer ^2.3

However, there are older versions of this plugin available, which support PHP ^5.5||^7.0||^8.0 with Composer ^1.0||^2.0 .

Installation

As a global Composer plugin:

composer global require cyclonedx/cyclonedx-php-composer

As a development dependency of the current project:

composer require --dev cyclonedx/cyclonedx-php-composer

Usage

After successful installation, the Composer command CycloneDX:make-sbom is available.

$ composer CycloneDX:make-sbom --help

Description:
  Generate a CycloneDX Bill of Materials from a PHP Composer project.

Usage:
  CycloneDX:make-sbom [options] [--] [<composer-file>]

Arguments:
  composer-file                                       Path to Composer config file.
                                                      [default: "composer.json" file in current working directory]

Options:
      --output-format=OUTPUT-FORMAT                   Which output format to use.
                                                      {choices: "JSON", "XML"}
                                                      [default: "XML"]
      --output-file=OUTPUT-FILE                       Path to the output file.
                                                      Set to "-" to write to STDOUT
                                                      [default: "-"]
      --omit=OMIT                                     Omit dependency types.
                                                      {choices: "dev", "plugin"}
                                                      (multiple values allowed)
      --spec-version=SPEC-VERSION                     Which version of CycloneDX spec to use.
                                                      {choices: "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.7"}
                                                      [default: "1.5"]
      --output-reproducible|--no-output-reproducible  Whether to go the extra mile and make the output reproducible.
                                                      This might result in loss of time- and random-based-values.
      --validate|--no-validate                        Formal validate the resulting BOM.
      --mc-version=MC-VERSION                         Version of the main component.
                                                      This will override auto-detection.
  -h, --help                                          Display help for the given command.
  -q, --quiet                                         Do not output any message
  -v|vv|vvv, --verbose                                Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Demo

For a demo of cyclonedx-php-composer see the demo projects.

How it works

This tool utilizes composer itself, to collect evidence for installed composer packages.
In terms of evidence collection, actually installed setups are preferred over pure lock file analysis.
Required evidence:

  • composer config/manifest file (e.g. composer.json file)
  • any of:
    • an actual composer setup (the result after running composer install [...] on your project)
    • a working composer lock file (e.g. composer.lock file)

Internals

This tool utilizes the CycloneDX PHP library to generate the actual data structures, normalize/serializ them and validate the SBOM result.

This tool does not expose any additional public API or classes - all code is marked as @internal and might change without any notice during version upgrades.

Contributing

Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details, and how to run/setup locally.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

cyclonedx/cyclonedx-php-composer 适用场景与选型建议

cyclonedx/cyclonedx-php-composer 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 1.8M 次下载、GitHub Stars 达 86, 最近一次更新时间为 2019 年 11 月 20 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「composer」 「bom」 「spdx」 「package-url」 「purl」 「CycloneDX」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 cyclonedx/cyclonedx-php-composer 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 cyclonedx/cyclonedx-php-composer 我们能提供哪些服务?
定制开发 / 二次开发

基于 cyclonedx/cyclonedx-php-composer 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 1.8M
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 88
  • 点击次数: 31
  • 依赖项目数: 39
  • 推荐数: 0

GitHub 信息

  • Stars: 86
  • Watchers: 3
  • Forks: 7
  • 开发语言: PHP

其他信息

  • 授权协议: Apache-2.0
  • 更新时间: 2019-11-20