mteu/sbom-parser

Composer install command:

composer require mteu/sbom-parser

Package description

Type-safe parser for CycloneDX Software Bill of Materials (SBOM) JSON files

README documentation

CycloneDX SBOM Parser for PHP

A CycloneDX SBOM (Software Bill of Materials) parser for PHP 8.3+. It supports CycloneDX 1.4+ specifications, including components, vulnerabilities, and metadata, and exposes them as fully immutable entities, using Valinor for type mapping.

Note

The CycloneDX ecosystem provides an official PHP library (cyclonedx/cyclonedx-library) and a Composer plugin for generating SBOMs. These tools are designed to produce BOMs as part of your build pipeline — not for consuming them in application code.

This package aims to fill a different gap: Reading and inspecting existing SBOM files.

If your application needs to parse a CycloneDX SBOM and work with its data — querying components, checking vulnerabilities, reading metadata — you need a lightweight, read-only library with clean, type-safe objects. That is what this package aims to provide.

⚡️ Quick Start

Installation

Require the library in your project with Composer:

composer require mteu/sbom-parser

Usage

Instantiate mteu\SbomParser\Parser\CycloneDxParser, read in the SBOM file, and access the components directly:

use mteu\SbomParser\Parser\CycloneDxParser;

$parser = new CycloneDxParser();
$bom = $parser->parseFromFile('/path/to/sbom.json');

// Access components and vulnerabilities
$components = $bom->getAllComponents();
$vulnerabilities = $bom->vulnerabilities;

See detailed documentation for complete usage examples and API reference.
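
The CycloneDX 1.4+ JSON fields involved when checking vulnerabilities against components, as an added example that is not from this project's README or code base: it uses plain json_decode rather than this package's API, and resolves each vulnerability's affects[].ref against the bom-ref of top-level and nested components. The sample BOM and the helper names flattenComponents and affectedComponents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample BOM (not a real project); field names follow CycloneDX 1.4+ JSON.
$json = <<<'JSON'
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg-a", "name": "example/a", "version": "1.0.0", "type": "library",
     "components": [{"bom-ref": "pkg-b", "name": "example/b", "version": "2.1.0", "type": "library"}]}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg-b"}]},
    {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg-missing"}]}
  ]
}
JSON;

/** Flatten nested components into a map keyed by bom-ref (hypothetical helper). */
function flattenComponents(array $components): array
{
    $flat = [];
    foreach ($components as $c) {
        if (isset($c['bom-ref'])) {
            $flat[$c['bom-ref']] = $c;
        }
        $flat += flattenComponents($c['components'] ?? []);
    }
    return $flat;
}

/** Join vulnerabilities to components via affects[].ref; unresolved refs are reported, not dropped. */
function affectedComponents(array $bom): array
{
    $byRef = flattenComponents($bom['components'] ?? []);
    $rows = [];
    foreach ($bom['vulnerabilities'] ?? [] as $v) {
        foreach ($v['affects'] ?? [] as $a) {
            $c = $byRef[$a['ref'] ?? ''] ?? null;
            $target = $c !== null ? ($c['name'] ?? '?') . '@' . ($c['version'] ?? '?') : 'unresolved ref ' . ($a['ref'] ?? '');
            $rows[] = sprintf('%s [%s] %s', $v['id'] ?? '(no id)', $v['ratings'][0]['severity'] ?? 'unknown', $target);
        }
    }
    return $rows;
}

$bom = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
echo implode("\n", affectedComponents($bom)), "\n";
```

A vulnerability whose ref matches no component usually means the SBOM is incomplete or was merged from several sources, so it is reported here instead of being dropped silently.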

🤝 Contributing

Contributions are very welcome! Please have a look at the Contribution Guide. It lays out the workflow of submitting new features or bugfixes.

🔒 Security

Please refer to the security policy if you discover a security vulnerability in this extension. Be warned, though. I cannot afford bounty.

⭐ License

This extension is licensed under the GPL-3.0-or-later license.

💬 Support

For issues and feature requests, please use the GitHub issue tracker.

Statistics

  • Total downloads: 1.76k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 2
  • Clicks: 5
  • Dependents: 0
  • Suggesters: 0

GitHub information

  • Stars: 2
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: GPL-3.0-or-later
  • Updated: 2025-08-11
