mteu/sbom-parser
================

Type-safe parser for CycloneDX Software Bill of Materials (SBOM) JSON files

0.4.0 (3w ago) | 21.5k | [1 PRs](https://github.com/mteu/sbom-parser/pulls) | GPL-3.0-or-later | PHP | PHP ~8.3.0 || ~8.4.0 || ~8.5.0 | CI passing

CycloneDX SBOM Parser for PHP
=============================

CycloneDX SBOM (Software Bill of Materials) parser for PHP 8.3+. It supports the [CycloneDX 1.4+ specifications](https://github.com/CycloneDX/specification), including components, vulnerabilities, and metadata, and exposes them as fully immutable entities, using Valinor for type mapping.

Note

The CycloneDX ecosystem provides an official PHP library ([`cyclonedx/cyclonedx-library`](https://github.com/CycloneDX/cyclonedx-php-library)) and a [Composer plugin](https://github.com/CycloneDX/cyclonedx-php-composer) for generating SBOMs. These tools are designed to produce BOMs as part of your build pipeline — not for consuming them in application code.

This package aims to fill a different gap: Reading and inspecting existing SBOM files.

If your application needs to parse a CycloneDX SBOM and work with its data — querying components, checking vulnerabilities, reading metadata — you need a lightweight, read-only library with clean, type-safe objects. That is what this package aims to provide.

⚡️ Quick Start
--------------

### Installation

Require the library in your project with Composer:

`composer require mteu/sbom-parser`

### Usage

Instantiate `mteu\SbomParser\Parser\CycloneDxParser`, read in the SBOM file, and access the components directly:

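```php
<?php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // Composer autoloader

use mteu\SbomParser\Parser\CycloneDxParser;

$parser = new CycloneDxParser();
// Parse a CycloneDX JSON file into an immutable BOM object
$bom = $parser->parseFromFile('/path/to/sbom.json');

// Access components and vulnerabilities
$components = $bom->getAllComponents();
$vulnerabilities = $bom->vulnerabilities;
```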

See [detailed documentation](docs/cyclonedx-parser.md) for complete usage examples and API reference.
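
To show what sits behind "components" and "vulnerabilities" in the file itself, here is an added example (not code from this package or its documentation) that works on raw CycloneDX JSON with plain PHP: it gates on `bomFormat` and `specVersion`, flattens nested components, and resolves each vulnerability's `affects[].ref` to a component. The function names and the embedded SBOM are constructed for illustration; the JSON keys are those of the CycloneDX format, trimmed to the fields used.

```php
<?php
declare(strict_types=1);
// Added example on raw CycloneDX JSON (constructed sample, placeholder id); not the package's API.
const SAMPLE_SBOM = <<<'JSON'
{"bomFormat":"CycloneDX","specVersion":"1.5","components":[
 {"bom-ref":"pkg-a","name":"acme/http","version":"2.1.0","components":[
  {"bom-ref":"pkg-b","name":"acme/parser","version":"0.9.3"}]}],
 "vulnerabilities":[{"id":"CVE-0000-00000","ratings":[{"severity":"high"}],
  "affects":[{"ref":"pkg-b"},{"ref":"pkg-missing"}]}]}
JSON;

/** Decode with a depth limit and reject anything that is not a CycloneDX 1.4+ document. */
function loadBom(string $json): array {
    $bom = json_decode($json, true, 64, JSON_THROW_ON_ERROR);
    if (!is_array($bom) || ($bom['bomFormat'] ?? null) !== 'CycloneDX'
        || version_compare((string) ($bom['specVersion'] ?? '0'), '1.4', '<')) {
        throw new InvalidArgumentException('Not a CycloneDX 1.4+ BOM');
    }
    return $bom;
}

/** Flatten nested components into a map of bom-ref => "name@version". */
function indexComponents(array $components, array $index = []): array {
    foreach ($components as $c) {
        $c = (array) $c; // a malformed scalar entry becomes an array without the keys below
        if (is_string($c['bom-ref'] ?? null)) {
            $index[$c['bom-ref']] = ($c['name'] ?? '?') . '@' . ($c['version'] ?? '?');
        }
        $index = indexComponents((array) ($c['components'] ?? []), $index);
    }
    return $index;
}

/** Resolve affects[].ref to a component; unresolved refs are reported, not dropped. */
function affectedComponents(array $bom): array {
    $index = indexComponents((array) ($bom['components'] ?? []));
    $rows = [];
    foreach ($bom['vulnerabilities'] ?? [] as $v) {
        foreach ($v['affects'] ?? [] as $a) {
            $ref = is_string($a['ref'] ?? null) ? $a['ref'] : '';
            $hit = $index[$ref] ?? "UNRESOLVED($ref)";
            $rows[] = [$v['id'] ?? '?', $v['ratings'][0]['severity'] ?? 'unknown', $hit];
        }
    }
    return $rows;
}

foreach (affectedComponents(loadBom(SAMPLE_SBOM)) as [$id, $severity, $component]) {
    echo "$id\t$severity\t$component\n";
}
```

A vulnerability whose `ref` does not match any component's `bom-ref` is worth surfacing in a report, since it usually means the SBOM was truncated or merged from several sources.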

🤝 Contributing
--------------

Contributions are very welcome! Please have a look at the [Contribution Guide](CONTRIBUTING.md). It lays out the workflow of submitting new features or bugfixes.

🔒 Security
----------

Please refer to the [security policy](SECURITY.md) if you discover a security vulnerability in this extension. Be warned, though: I cannot afford a bounty.

⭐ License
---------

This extension is licensed under the [GPL-3.0-or-later](LICENSE) license.

💬 Support
---------

For issues and feature requests, please use the [GitHub issue tracker](https://github.com/mteu/sbom-parser/issues).

###  Health Score

48 (Fair). Better than 94% of packages.

Maintenance: 95. Actively maintained with recent releases.

Popularity: 24. Limited adoption so far.

Community: 8. Small or concentrated contributor base.

Maturity: 52. Maturing project, gaining track record.

Bus Factor: 1

Top contributor holds 52.6% of commits — single point of failure

How is this calculated?

**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence: every ~72 days

Total: 5

Last release: 27d ago

PHP version history (2 changes):

0.1.0: PHP ~8.3.0 || ~8.4.0

0.2.1: PHP ~8.3.0 || ~8.4.0 || ~8.5.0

### Community

Maintainers: [mteu](/maintainers/mteu)

Top Contributors: [renovate[bot]](https://github.com/renovate[bot]) (175 commits), [mteu](https://github.com/mteu) (158 commits)

Tags: cyclonedx, cyclonedx-sbom, sbom

###  Code Quality

Tests: PHPUnit

Static Analysis: PHPStan

Code Style: PHP CS Fixer

Type Coverage: Yes

