
cyclonedx/cyclonedx-php-composer
================================

Creates CycloneDX Software Bill-of-Materials (SBOM) from PHP Composer projects

Latest release: v6.2.0 (3 months before this page was synced). License: Apache-2.0. Requires PHP ^8.1. Type: Composer plugin. [15 open issues](https://github.com/CycloneDX/cyclonedx-php-composer/issues), [3 open pull requests](https://github.com/CycloneDX/cyclonedx-php-composer/pulls). CI status at sync time: failing.

[Source](https://github.com/CycloneDX/cyclonedx-php-composer) · [Packagist](https://packagist.org/packages/cyclonedx/cyclonedx-php-composer) · [Docs](https://github.com/CycloneDX/cyclonedx-php-composer/#readme) · [Fund](https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX)

CycloneDX PHP Composer Plugin
=============================


Badges: [Packagist version](https://packagist.org/packages/cyclonedx/cyclonedx-php-composer) · [build](https://github.com/CycloneDX/cyclonedx-php-composer/actions/workflows/php.yml?query=branch%3Amaster) · [test coverage](https://app.codacy.com/gh/CycloneDX/cyclonedx-php-composer) · [OpenSSF best practices](https://www.bestpractices.dev/projects/7953) · [license](https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/LICENSE) · [homepage](https://cyclonedx.org/) · [Slack](https://cyclonedx.org/slack/invite) · [groups.io discussion](https://groups.io/g/CycloneDX) · [Twitter](https://twitter.com/CycloneDX_Spec)

---

This is a plugin for PHP's [*Composer*](https://getcomposer.org/) that generates a Software Bill of Materials (SBOM) in *[CycloneDX](https://cyclonedx.org/)* format.
It is probably the most accurate and complete SBOM generator for Composer-based PHP projects.

Measured against the criteria of the [OWASP Software Component Verification Standard for Software Bill of Materials](https://scvs.owasp.org/scvs/v2-software-bill-of-materials/), this tool produces SBOM documents that almost reach Level 2; only the signing requirement has to be fulfilled externally, since the plugin does not sign its output.

The resulting SBOM documents follow [official specifications and standards](https://github.com/CycloneDX/specification), and might have properties following [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md).

Requirements
------------


- PHP `^8.1`
- Composer `^2.3`

Older versions of this plugin are still available and support PHP `^5.5||^7.0||^8.0` with Composer `^1.0||^2.0`.

Installation
------------


As a global *Composer* plugin:

```
composer global require cyclonedx/cyclonedx-php-composer
```

As a development dependency of the current project:

```
composer require --dev cyclonedx/cyclonedx-php-composer
```

Usage
-----


After successful installation, the *Composer* command `CycloneDX:make-sbom` is available.

```
$ composer CycloneDX:make-sbom --help

Description:
  Generate a CycloneDX Bill of Materials from a PHP Composer project.

Usage:
  CycloneDX:make-sbom [options] [--] [<composer-file>]

Arguments:
  composer-file                                       Path to Composer config file.
                                                      [default: "composer.json" file in current working directory]

Options:
      --output-format=OUTPUT-FORMAT                   Which output format to use.
                                                      {choices: "JSON", "XML"}
                                                      [default: "XML"]
      --output-file=OUTPUT-FILE                       Path to the output file.
                                                      Set to "-" to write to STDOUT
                                                      [default: "-"]
      --omit=OMIT                                     Omit dependency types.
                                                      {choices: "dev", "plugin"}
                                                      (multiple values allowed)
      --spec-version=SPEC-VERSION                     Which version of CycloneDX spec to use.
                                                      {choices: "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.7"}
                                                      [default: "1.5"]
      --output-reproducible|--no-output-reproducible  Whether to go the extra mile and make the output reproducible.
                                                      This might result in loss of time- and random-based-values.
      --validate|--no-validate                        Formal validate the resulting BOM.
      --mc-version=MC-VERSION                         Version of the main component.
                                                      This will override auto-detection.
  -h, --help                                          Display help for the given command.
  -q, --quiet                                         Do not output any message
  -v|vv|vvv, --verbose                                Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
```

Demo
----


For a demo of *cyclonedx-php-composer* see the [demo projects](https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/demo/README.md).

How it works
------------


This tool uses Composer itself to collect evidence about the installed Composer packages.
When collecting evidence, an actually installed setup is preferred over pure lock-file analysis, because the installed tree reflects what really ships.
Required evidence:

- composer config/manifest file (e.g. `composer.json` file)
- any of:
    - an actual composer setup (the result after running `composer install [...]` on your project)
    - a working composer lock file (e.g. `composer.lock` file)
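The JSON written with `--output-format=JSON` is consumed by other tools, and the evidence rules above mean the document should agree with the lock file it was built from. The following Python script is an added example and is not part of the plugin or of the CycloneDX PHP library: it reconciles a constructed CycloneDX 1.5 JSON excerpt against a constructed `composer.lock` excerpt (both embedded inline; neither is real plugin output), mirroring the `--omit=dev` switch, and runs the structural checks a consumer would want before trusting an SBOM (header fields, unique `bom-ref` values, and dependency references that all resolve). The purl form `pkg:composer/<vendor>/<package>@<version>` follows the package-url spec; the invocation named in the docstring is an assumption built only from the options in the help text above.

```python
"""Cross-check a CycloneDX JSON SBOM against the composer.lock it was generated from.

All data below is constructed for this example; it is not real plugin output.
Assumed invocation that would produce such a document:
  composer CycloneDX:make-sbom --output-format=JSON --output-file=sbom.json --omit=dev --output-reproducible --validate
"""
import json
from urllib.parse import quote

# Spec versions the plugin's --spec-version option lists.
SPEC_VERSIONS = {"1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.7"}

# Constructed composer.lock excerpt: two runtime packages, one dev-only package.
SAMPLE_LOCK = json.loads("""{
  "packages": [{"name": "psr/log", "version": "3.0.0"},
               {"name": "monolog/monolog", "version": "3.5.0"}],
  "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.2"}]
}""")

# Constructed CycloneDX 1.5 JSON excerpt. Two defects are planted: monolog carries
# the wrong version, and psr/log declares a dependency on a bom-ref that does not exist.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "acme/app", "version": "1.0.0",
               "bom-ref": "pkg:composer/acme/app@1.0.0", "purl": "pkg:composer/acme/app@1.0.0"}},
  "components": [
    {"type": "library", "group": "psr", "name": "log", "version": "3.0.0",
     "bom-ref": "pkg:composer/psr/log@3.0.0", "purl": "pkg:composer/psr/log@3.0.0"},
    {"type": "library", "group": "monolog", "name": "monolog", "version": "3.4.0",
     "bom-ref": "pkg:composer/monolog/monolog@3.4.0", "purl": "pkg:composer/monolog/monolog@3.4.0"}
  ],
  "dependencies": [
    {"ref": "pkg:composer/acme/app@1.0.0", "dependsOn": ["pkg:composer/monolog/monolog@3.4.0"]},
    {"ref": "pkg:composer/monolog/monolog@3.4.0", "dependsOn": ["pkg:composer/psr/log@3.0.0"]},
    {"ref": "pkg:composer/psr/log@3.0.0", "dependsOn": ["pkg:composer/psr/missing@1.0.0"]}
  ]
}""")


def composer_purl(name: str, version: str) -> str:
    """pkg:composer/<vendor>/<package>@<version>; the version is percent-encoded per the
    purl spec, so '+' in build metadata becomes %2B."""
    vendor, _, package = name.partition("/")
    return f"pkg:composer/{vendor}/{package}@{quote(version, safe='')}"


def expected_from_lock(lock: dict, omit_dev: bool) -> dict[str, str]:
    """purl -> version for every package the SBOM should list; mirrors --omit=dev."""
    sections = ("packages",) if omit_dev else ("packages", "packages-dev")
    return {composer_purl(p["name"], p["version"]): p["version"]
            for s in sections for p in lock.get(s, [])}


def reconcile(lock: dict, sbom: dict, omit_dev: bool) -> dict[str, list[str]]:
    """Report packages missing from the SBOM, extra in it, or listed with another version."""
    def ident(purl: str) -> str:
        return purl.split("@", 1)[0]  # vendor/package without the version part
    expected = expected_from_lock(lock, omit_dev)
    found = {ident(c["purl"]): c for c in sbom.get("components", []) if "purl" in c}
    out = {"missing": [], "extra": [], "version_mismatch": []}
    for purl, version in expected.items():
        comp = found.get(ident(purl))
        if comp is None:
            out["missing"].append(purl)
        elif comp.get("version") != version:
            out["version_mismatch"].append(f"{purl} (sbom has {comp.get('version')})")
    known = {ident(p) for p in expected}
    out["extra"] = [c["purl"] for i, c in found.items() if i not in known]
    return out


def check_structure(sbom: dict) -> list[str]:
    """Checks a consumer should run before trusting the document: header fields,
    unique bom-refs, and dependency references that all resolve."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if sbom.get("specVersion") not in SPEC_VERSIONS:
        problems.append(f"unexpected specVersion {sbom.get('specVersion')!r}")
    refs = [c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c]
    main = sbom.get("metadata", {}).get("component", {})
    if "bom-ref" in main:
        refs.append(main["bom-ref"])
    if len(refs) != len(set(refs)):
        problems.append("duplicate bom-ref values")
    known = set(refs)
    for dep in sbom.get("dependencies", []):
        if dep.get("ref") not in known:
            problems.append(f"dependency entry for unknown ref {dep.get('ref')}")
        for target in dep.get("dependsOn", []):
            if target not in known:
                problems.append(f"{dep.get('ref')} dependsOn unknown ref {target}")
    return problems


if __name__ == "__main__":
    print(json.dumps({"structure": check_structure(SAMPLE_SBOM),
                      "vs_lock": reconcile(SAMPLE_LOCK, SAMPLE_SBOM, omit_dev=True)}, indent=2))
```

Run it directly to see the two planted defects reported. In a pipeline, feed `reconcile` the real `composer.lock` and the file written by `--output-file`, pass the same `omit_dev` you gave to `--omit`, and treat any non-empty finding as a build failure; a dependency entry pointing at a `bom-ref` that does not exist is exactly the kind of defect that `--validate` alone, which checks the document against the schema, will not necessarily surface.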

Internals
---------


This tool uses the [CycloneDX PHP library](https://packagist.org/packages/cyclonedx/cyclonedx-library) to build the actual data structures, normalize and serialize them, and validate the resulting SBOM.

This tool does **not** expose any additional *public* API or classes - all code is marked as `@internal` and might change without any notice during version upgrades.

Contributing
------------


Feel free to open issues, bug reports or pull requests.
See the [CONTRIBUTING](https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/CONTRIBUTING.md) file for details, including how to set up and run the project locally.

License
-------


Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the [LICENSE](https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/LICENSE) file for the full license.

### Health Score

65 (Fair; better than 99% of packages)

- Maintenance: 82 (actively maintained with recent releases)
- Popularity: 54 (moderate usage in the ecosystem)
- Community: 31 (small or concentrated contributor base)
- Maturity: 80 (battle-tested with a long release history)
- Bus factor: 1 (top contributor holds 57.9% of commits, a single point of failure)

How the score is calculated: Maintenance (25%) uses last-commit recency, latest release date and issue-to-star ratio with a 2-year decay window; Popularity (30%) uses total and monthly downloads, GitHub stars and forks with logarithmic scaling; Community (15%) counts contributors, dependents, forks, watchers and maintainers; Maturity (30%) uses project age, version count, PHP version support and release stability.

### Release Activity

- Cadence: every ~40 days (recently every ~28 days)
- Total releases: 57
- Last release: 91 days before sync

Major versions:

- 1.x-dev → v2.0.1 (2021-04-11)
- 2.x-dev → v3.0.0 (2021-07-05)
- 3.x-dev → v4.0.0-RC1 (2023-03-12)
- v4.2.3 → v5.0.0 (2023-12-03)
- v5.3.0 → v6.0.0 (2025-11-17)

PHP version history (4 changes):

- v1.0.0: PHP ^5.5 || ^7.0
- v2.0.0: PHP ^7.1 || ^8.0
- v3.0.0: PHP ^7.3 || ^8.0
- v4.0.0-RC1: PHP ^8.1

### Community

Maintainers: [stevespringett](/maintainers/stevespringett), [coderpatros](/maintainers/coderpatros), [jkowalleck](/maintainers/jkowalleck)

Top contributors (commits): [jkowalleck](https://github.com/jkowalleck) (421), dependabot[bot] (253), [nscuro](https://github.com/nscuro) (23), [coderpatros](https://github.com/coderpatros) (16), [stevespringett](https://github.com/stevespringett) (12), [chemsoc](https://github.com/chemsoc) (1), [Szasza](https://github.com/Szasza) (1)

---

Tags: bill-of-materials, bom, composer, composer-plugin, cyclonedx, dependency-graph, hacktoberfest, owasp, package-url, php, purl, sbom, sbom-generator, sbom-tool, software-bill-of-materials, spdx


