
cyclonedx/cyclonedx-library
===========================

Work with CycloneDX documents.

v4.1.0 (1mo ago) · Apache-2.0 · PHP ^8.1 · [18 issues](https://github.com/CycloneDX/cyclonedx-php-library/issues) · [10 PRs](https://github.com/CycloneDX/cyclonedx-php-library/pulls) · CI failing

Since Oct 7 · Pushed 1w ago · 3 watchers

[Source](https://github.com/CycloneDX/cyclonedx-php-library) · [Packagist](https://packagist.org/packages/cyclonedx/cyclonedx-library) · [Docs](https://github.com/CycloneDX/cyclonedx-php-library/#readme) · [Fund](https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX)


CycloneDX PHP Library
=====================


---

OWASP [CycloneDX](https://cyclonedx.org/) is a full‑stack Bill of Materials (BOM) and system‑transparency standard that provides deep visibility into software, services, hardware, and AI components, enabling advanced supply‑chain security and cyber‑risk reduction.

This package provides functionality of *CycloneDX* for *PHP*.

Note

This package is a software library not intended for standalone use.
For generating Software Bill of Materials (SBOM), check out [CycloneDX PHP Composer Plugin](https://github.com/CycloneDX/cyclonedx-php-composer).

Responsibilities
----------------


- Provide a general purpose *php*-implementation of [*CycloneDX*](https://cyclonedx.org/).
- Provide [*phpDoc3*](https://phpdoc.org/)- & [*psalm*](https://psalm.dev/)-compatible annotations for said implementation, so developers and dev-tools can rely on it.
- Provide data models to work with *CycloneDX*.
- Provide a JSON- and an XML-normalizer, that...
    - supports all shipped data models.
    - respects any injected [*CycloneDX* Specification](https://github.com/CycloneDX/specification/tree/master#readme) and generates valid output according to it.
    - can prepare data structures for JSON- and XML-serialization.
- Serialization:
    - Provide a JSON-serializer.
    - Provide an XML-serializer.
- Validation against *CycloneDX* Specification:
    - Provide a JSON-validator.
    - Provide an XML-validator.
- Provide [*composer*-based autoloading](https://getcomposer.org/doc/01-basic-usage.md#autoloading) for downstream usage.

Capabilities
------------


- Enums for the following use cases:
    - `ComponentType`
    - `ExternalReferenceType`
    - `HashAlgorithm`
    - `LicenseAcknowledgement`
- Data models for the following use cases:
    - `Bom`
    - `BomRef`, `BomRefRepository`
    - `Component`, `ComponentRepository`, `ComponentEvidence`
    - `ExternalReference`, `ExternalReferenceRepository`
    - `HashDictionary`
    - `LicenseExpression`, `NamedLicense`, `SpdxLicense`, `LicenseRepository`
    - `Metadata`
    - `Property`, `PropertyRepository`
    - `Tool`, `ToolRepository`
- Utilities for the following use cases:
    - Generate valid random SerialNumbers for `Bom.serialNumber`
- Factories for the following use cases:
    - Create data models from any license descriptor string
- Implementation of the [*CycloneDX* Specification](https://github.com/CycloneDX/specification/tree/master#readme) for the following versions:
    - `1.7`
    - `1.6`
    - `1.5`
    - `1.4`
    - `1.3`
    - `1.2`
    - `1.1`
- Normalizers that convert data models to JSON structures
- Normalizers that convert data models to XML structures
- Serializer that converts `Bom` data models to JSON string
- Serializer that converts `Bom` data models to XML string
- Validator that checks JSON against *CycloneDX* Specification
- Validator that checks XML against *CycloneDX* Specification

Installation
------------


Install via composer:

```
composer require cyclonedx/cyclonedx-library
```

Usage
-----


See extended [examples](https://github.com/CycloneDX/cyclonedx-php-library/tree/master/examples).

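```php
<?php

// Load Composer's autoloader so the CycloneDX classes resolve
// (assumes this script sits next to the project's vendor/ directory).
require_once __DIR__.'/vendor/autoload.php';

// Create an empty BOM and register one component of type "library".
$bom = new \CycloneDX\Core\Models\Bom();
$bom->getComponents()->addItems(
    new \CycloneDX\Core\Models\Component(
        \CycloneDX\Core\Enums\ComponentType::Library,
        'myComponent'
    )
);
```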

API Documentation
-----------------


We ship code annotations, so that your IDE and tools may pick up the documentation when you use this library downstream.

There are also pre-rendered documentations hosted on [readthedocs](https://cyclonedx-php-library.readthedocs.io).

Additionally, there is a prepared config for [*phpDoc3*](https://docs.phpdoc.org/guide/getting-started/index.html) that you can use to generate the docs for yourself.

Conflicts
---------


Due to the fact that this library was split out of [`/src/Core` of cyclonedx-php-composer (346e6200fb2f5086061b15c2ee44f540893ce97d)](https://github.com/CycloneDX/cyclonedx-php-composer/tree/346e6200fb2f5086061b15c2ee44f540893ce97d/src/Core) it will conflict with its original source: `cyclonedx/cyclonedx-php-composer:
